<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre, #msg p { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[11761] trunk: Add some CYA cap checks.</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.wordpress.org/changeset/11761">11761</a></dd>
<dt>Author</dt> <dd>ryan</dd>
<dt>Date</dt> <dd>2009-08-01 21:12:17 +0000 (Sat, 01 Aug 2009)</dd>
</dl>
<h3>Log Message</h3>
<pre>Add some CYA cap checks.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkwpadminoptionsdiscussionphp">trunk/wp-admin/options-discussion.php</a></li>
<li><a href="#trunkwpadminoptionsgeneralphp">trunk/wp-admin/options-general.php</a></li>
<li><a href="#trunkwpadminoptionsmediaphp">trunk/wp-admin/options-media.php</a></li>
<li><a href="#trunkwpadminoptionsmiscphp">trunk/wp-admin/options-misc.php</a></li>
<li><a href="#trunkwpadminoptionspermalinkphp">trunk/wp-admin/options-permalink.php</a></li>
<li><a href="#trunkwpadminoptionsprivacyphp">trunk/wp-admin/options-privacy.php</a></li>
<li><a href="#trunkwpadminoptionsreadingphp">trunk/wp-admin/options-reading.php</a></li>
<li><a href="#trunkwpadminoptionswritingphp">trunk/wp-admin/options-writing.php</a></li>
<li><a href="#trunkwpadminpluginsphp">trunk/wp-admin/plugins.php</a></li>
<li><a href="#trunkwpadminthemesphp">trunk/wp-admin/themes.php</a></li>
<li><a href="#trunkwpincludesvarsphp">trunk/wp-includes/vars.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkwpadminoptionsdiscussionphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-discussion.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-discussion.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-discussion.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('Discussion Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpadminoptionsgeneralphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-general.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-general.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-general.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('./admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('General Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx"> /* translators: date and time format for exact current time, mainly about timezones, see http://php.net/date */
</span></span></pre></div>
<a id="trunkwpadminoptionsmediaphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-media.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-media.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-media.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('Media Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpadminoptionsmiscphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-misc.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-misc.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-misc.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('Miscellaneous Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpadminoptionspermalinkphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-permalink.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-permalink.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-permalink.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('Permalink Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpadminoptionsprivacyphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-privacy.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-privacy.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-privacy.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** Load WordPress Administration Bootstrap */
</span><span class="cx"> require_once('./admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('Privacy Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpadminoptionsreadingphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-reading.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-reading.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-reading.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('Reading Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpadminoptionswritingphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options-writing.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options-writing.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/options-writing.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('manage_options') )
+        wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
</ins><span class="cx"> $title = __('Writing Settings');
</span><span class="cx"> $parent_file = 'options-general.php';
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpadminpluginsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/plugins.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/plugins.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/plugins.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( ! current_user_can('activate_plugins') )
+        wp_die(__('You do not have sufficient permissions to manage plugins for this blog.'));
+
</ins><span class="cx"> if ( isset($_POST['clear-recent-list']) )
</span><span class="cx">         $action = 'clear-recent-list';
</span><span class="cx"> elseif ( !empty($_REQUEST['action']) )
</span><span class="lines">@@ -37,6 +40,9 @@
</span><span class="cx"> if ( !empty($action) ) {
</span><span class="cx">         switch ( $action ) {
</span><span class="cx">                 case 'activate':
</span><ins>+                        if ( ! current_user_can('activate_plugins') )
+                                wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
</ins><span class="cx">                         check_admin_referer('activate-plugin_' . $plugin);
</span><span class="cx">
</span><span class="cx">                         $result = activate_plugin($plugin, 'plugins.php?error=true&plugin=' . $plugin);
</span><span class="lines">@@ -53,6 +59,9 @@
</span><span class="cx">                         exit;
</span><span class="cx">                         break;
</span><span class="cx">                 case 'activate-selected':
</span><ins>+                        if ( ! current_user_can('activate_plugins') )
+                                wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+                        
</ins><span class="cx">                         check_admin_referer('bulk-manage-plugins');
</span><span class="cx">
</span><span class="cx">                         $plugins = (array) $_POST['checked'];
</span><span class="lines">@@ -75,6 +84,9 @@
</span><span class="cx">                         exit;
</span><span class="cx">                         break;
</span><span class="cx">                 case 'error_scrape':
</span><ins>+                        if ( ! current_user_can('activate_plugins') )
+                                wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
</ins><span class="cx">                         check_admin_referer('plugin-activation-error_' . $plugin);
</span><span class="cx">
</span><span class="cx">                         $valid = validate_plugin($plugin);
</span><span class="lines">@@ -88,6 +100,9 @@
</span><span class="cx">                         exit;
</span><span class="cx">                         break;
</span><span class="cx">                 case 'deactivate':
</span><ins>+                        if ( ! current_user_can('activate_plugins') )
+                                wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
</ins><span class="cx">                         check_admin_referer('deactivate-plugin_' . $plugin);
</span><span class="cx">                         deactivate_plugins($plugin);
</span><span class="cx">                         update_option('recently_activated', array($plugin => time()) + (array)get_option('recently_activated'));
</span><span class="lines">@@ -95,6 +110,9 @@
</span><span class="cx">                         exit;
</span><span class="cx">                         break;
</span><span class="cx">                 case 'deactivate-selected':
</span><ins>+                        if ( ! current_user_can('activate_plugins') )
+                                wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
</ins><span class="cx">                         check_admin_referer('bulk-manage-plugins');
</span><span class="cx">
</span><span class="cx">                         $plugins = (array) $_POST['checked'];
</span></span></pre></div>
<a id="trunkwpadminthemesphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/themes.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/themes.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-admin/themes.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -9,6 +9,9 @@
</span><span class="cx"> /** WordPress Administration Bootstrap */
</span><span class="cx"> require_once('admin.php');
</span><span class="cx">
</span><ins>+if ( !current_user_can('switch_themes') )
+        wp_die( __( 'Cheatin&#8217; uh?' ) );
+
</ins><span class="cx"> if ( isset($_GET['action']) ) {
</span><span class="cx">         if ( 'activate' == $_GET['action'] ) {
</span><span class="cx">                 check_admin_referer('switch-theme_' . $_GET['template']);
</span></span></pre></div>
<a id="trunkwpincludesvarsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/vars.php (11760 => 11761)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/vars.php        2009-07-31 22:22:54 UTC (rev 11760)
+++ trunk/wp-includes/vars.php        2009-08-01 21:12:17 UTC (rev 11761)
</span><span class="lines">@@ -17,6 +17,7 @@
</span><span class="cx">         // wp-admin pages are checked more carefully
</span><span class="cx">         preg_match('#/wp-admin/?(.*?)$#i', $PHP_SELF, $self_matches);
</span><span class="cx">         $pagenow = $self_matches[1];
</span><ins>+        $pagenow = trim($pagenow, '/');
</ins><span class="cx">         $pagenow = preg_replace('#\?.*?$#', '', $pagenow);
</span><span class="cx">         if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
</span><span class="cx">                 $pagenow = 'index.php';
</span></span></pre>
</div>
</div>
</body>
</html>