[wp-hackers] Removing admin-ajax.php hacks

Dion Hulse (dd32) wordpress at dd32.id.au
Thu Jul 1 12:45:01 UTC 2010


By the sound of it, he wants to remove the hacks, and replace them with a
plugin-based solution, to allow for seamless upgrades to newer versions
without re-hacking core.

Unfortunately at this stage, I don't think it's possible to make a pure
comment moderator role without hacking -something-. I know there are many
people who want to unbundle the comment moderation from post editing..

The only thing I can think of is to look at the IS_AJAX constants (OK, I
pulled that from thin air, there is an AJAX-set constant though) and filter
the cap checks.. BUT, given there's no context to such checks, I can see that
opening security holes.. so only do that if you are aware of the
repercussions.


On Thu, 01 Jul 2010 21:58:09 +1000, mccormicky <mccormicky at gmail.com>  
wrote:

> I'm guessing you don't want to override ALL the hacks in admin-ajax.php
> which is why you don't just upload a fresh copy???
>
>
>
>
>
> On Thu, Jul 1, 2010 at 7:53 AM, Nicolas Kuttler <
> wp-hackers at nicolaskuttler.de> wrote:
>
>> Am I missing something? Why don't you simply download wordpress and take
>> the current ajax handler?
>>
>> Modifying the handler itself is kind of pointless as you can check user
>> capabilities inside your ajax action...
>>
>> Nicolas
>>
>> On Wed, Jun 30, 2010 at 05:27:17PM -0500, Shelby, Harper wrote:
>> > I've been asked to remove some hacks to an existing WPMU installation,
>> > and the one that's causing me the most grief are the edits to
>> > admin-ajax.php. The previous maintainer altered the security checks on
>> > several activities, changing
>> >
>> >     if ( !current_user_can( 'edit_post', $pid ) )
>> >
>> > to
>> >
>> >     if ( !current_user_can( 'edit_post', $pid ) && !current_user_can( 'moderate_comments' ) )
>> >
>> > I have been digging quite a bit, but can't seem to find a way to alter
>> > the admin-ajax.php scripts in the correct manner. The goal of the
>> > customization was to allow a "Comment Moderator" role that could moderate
>> > comments, but not edit blog posts (somewhat obvious, but I thought I'd spell
>> > it out). The role was created using Capability Manager, but these hacks were
>> > added to the ajax to allow the role to work as intended.
>> >
>> > Any guidance on the right way to remove this customization would be
>> > greatly appreciated.
>> >
>> >
>> > Thanks,
>> >
>> > Harper Shelby
>> > Pariveda Solutions
>> >  4203 Montrose | Suite 100 | Houston, Texas 77006
>> >  (F) 713.520.4290 | (M) 281.520.2817
>> > The Business of IT(r)
>> > www.parivedasolutions.com<http://www.parivedasolutions.com/>
>> >
>> >
>> > _______________________________________________
>> > wp-hackers mailing list
>> > wp-hackers at lists.automattic.com
>> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>> >
>>
>>
>> --
>> Nicolas Kuttler
>> wp at nkuttler.de
>>
>> http://www.nkuttler.de
>> http://www.nicolaskuttler.de (deutsch)
>>
>


-- 
Dion Hulse / dd32
Contact:
  e: contact at dd32.id.au
  Web: http://dd32.id.au/
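
One way to scope the capability-filter idea from this message, as an added example (not code from the thread or from WordPress core): a plugin that hooks the `map_meta_cap` filter and lets `moderate_comments` satisfy `edit_post` only when `DOING_AJAX` is set and the request's action is on an allow-list. The `scm_` function names and the allow-list contents are assumptions made for illustration, and `user_can()` needs WordPress 3.1 or later.

```php
<?php
/*
Plugin Name: Scoped Comment Moderator (added example)
*/

// Hypothetical allow-list: the only admin-ajax.php actions where the
// relaxed check applies. Extend it one audited action at a time.
function scm_allowed_actions() {
    return array( 'delete-comment', 'dim-comment' );
}

/**
 * Let moderate_comments satisfy edit_post, but only inside an
 * allow-listed admin-ajax.php action.
 *
 * @param array  $caps    Primitive caps core requires for $cap.
 * @param string $cap     Capability being checked.
 * @param int    $user_id User being checked.
 * @param array  $args    Extra context, e.g. the post ID.
 * @return array Primitive caps the user must hold.
 */
function scm_map_meta_cap( $caps, $cap, $user_id, $args ) {
    // Leave every capability except the per-post edit check alone.
    if ( 'edit_post' !== $cap ) {
        return $caps;
    }
    // Only during admin-ajax.php requests, which define DOING_AJAX.
    if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) {
        return $caps;
    }
    // The filter cannot see why the check is being made, so the request's
    // action is the only context available; anything else is left strict.
    $action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) )
        ? $_REQUEST['action'] : '';
    if ( ! in_array( $action, scm_allowed_actions(), true ) ) {
        return $caps;
    }
    // Keep the hack's OR semantics: users without moderate_comments
    // still face the unmodified edit_post requirement.
    if ( ! user_can( $user_id, 'moderate_comments' ) ) {
        return $caps;
    }
    return array( 'moderate_comments' );
}
add_filter( 'map_meta_cap', 'scm_map_meta_cap', 10, 4 );
```

Any other code that calls `current_user_can( 'edit_post', ... )` during an allow-listed action, including other plugins' hooks, sees the same relaxed result, which is the missing-context risk raised in the message above.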

