
Commit 1da0e49

Add some CYA (defense-in-depth) capability checks.
git-svn-id: https://develop.svn.wordpress.org/branches/2.8@11762 602fd350-edb4-49c9-b593-d223f7449a82
1 parent 5a15fb6 commit 1da0e49

11 files changed

Lines changed: 46 additions & 0 deletions

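--- a/wp-admin/options-discussion.php
+++ b/wp-admin/options-discussion.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Discussion Settings');
 $parent_file = 'options-general.php';
 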
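--- a/wp-admin/options-general.php
+++ b/wp-admin/options-general.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('./admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('General Settings');
 $parent_file = 'options-general.php';
 /* translators: date and time format for exact current time, mainly about timezones, see http://php.net/date */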
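Review bot: The `manage_options` guard at new lines 12–13 protects only the rendering of the settings form; the form's submit handler (presumably options.php, which this hunk does not show) must enforce the same capability on its own, because a direct POST never passes through this page. Confirm that check exists there, or record the dependency next to the guard: `// Form submission is handled elsewhere (options.php); that handler must repeat this capability check.` Placing the check immediately after `require_once('./admin.php')` is the right ordering, assuming the bootstrap is where authentication happens, so an unauthenticated request is redirected before a capability is ever evaluated. The rest of this file is outside the hunk.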

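--- a/wp-admin/options-media.php
+++ b/wp-admin/options-media.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Media Settings');
 $parent_file = 'options-general.php';
 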
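--- a/wp-admin/options-misc.php
+++ b/wp-admin/options-misc.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Miscellaneous Settings');
 $parent_file = 'options-general.php';
 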
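--- a/wp-admin/options-permalink.php
+++ b/wp-admin/options-permalink.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Permalink Settings');
 $parent_file = 'options-general.php';
 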
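--- a/wp-admin/options-privacy.php
+++ b/wp-admin/options-privacy.php
@@ -9,6 +9,9 @@
 /** Load WordPress Administration Bootstrap */
 require_once('./admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Privacy Settings');
 $parent_file = 'options-general.php';
 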
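--- a/wp-admin/options-reading.php
+++ b/wp-admin/options-reading.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Reading Settings');
 $parent_file = 'options-general.php';
 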
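--- a/wp-admin/options-writing.php
+++ b/wp-admin/options-writing.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Writing Settings');
 $parent_file = 'options-general.php';
 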
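--- a/wp-admin/plugins.php
+++ b/wp-admin/plugins.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('activate_plugins') )
+wp_die(__('You do not have sufficient permissions to manage plugins for this blog.'));
+
 if ( isset($_POST['clear-recent-list']) )
 $action = 'clear-recent-list';
 elseif ( !empty($_REQUEST['action']) )
@@ -37,6 +40,9 @@
 if ( !empty($action) ) {
 switch ( $action ) {
 case 'activate':
+if ( ! current_user_can('activate_plugins') )
+wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
 check_admin_referer('activate-plugin_' . $plugin);
 
 $result = activate_plugin($plugin, 'plugins.php?error=true&plugin=' . $plugin);
@@ -53,6 +59,9 @@
 exit;
 break;
 case 'activate-selected':
+if ( ! current_user_can('activate_plugins') )
+wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
 check_admin_referer('bulk-manage-plugins');
 
 $plugins = (array) $_POST['checked'];
@@ -75,6 +84,9 @@
 exit;
 break;
 case 'error_scrape':
+if ( ! current_user_can('activate_plugins') )
+wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
 check_admin_referer('plugin-activation-error_' . $plugin);
 
 $valid = validate_plugin($plugin);
@@ -88,13 +100,19 @@
 exit;
 break;
 case 'deactivate':
+if ( ! current_user_can('activate_plugins') )
+wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
 check_admin_referer('deactivate-plugin_' . $plugin);
 deactivate_plugins($plugin);
 update_option('recently_activated', array($plugin => time()) + (array)get_option('recently_activated'));
 wp_redirect("plugins.php?deactivate=true&plugin_status=$status&paged=$page");
 exit;
 break;
 case 'deactivate-selected':
+if ( ! current_user_can('activate_plugins') )
+wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
 check_admin_referer('bulk-manage-plugins');
 
 $plugins = (array) $_POST['checked'];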
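Review bot: The per-case `current_user_can('activate_plugins')` guards added at new lines 43, 62, 87, 103 and 113 can never fire for a request that reaches them, because the file-level guard at new lines 12–13 already calls wp_die() for the very same capability before the `switch ( $action )` is entered; as written they are dead code for any unauthorised user. If the duplication is deliberate defense in depth (the "CYA" of the commit title), state that once so a later cleanup does not remove the wrong copy, e.g. above the `switch`: `// Per-action checks below repeat the file-level guard on purpose, so each action stays protected if that guard is ever moved or filtered.` Each guard is correctly placed ahead of its `check_admin_referer()` call, so the capability is rejected before the nonce is examined. The `switch` continues past `deactivate-selected` outside the hunk, so whether the remaining actions received the same treatment cannot be judged from here.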

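--- a/wp-admin/themes.php
+++ b/wp-admin/themes.php
@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( !current_user_can('switch_themes') )
+wp_die( __( 'Cheatin’ uh?' ) );
+
 if ( isset($_GET['action']) ) {
 if ( 'activate' == $_GET['action'] ) {
 check_admin_referer('switch-theme_' . $_GET['template']);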
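Review bot: The failure message at new line 13, `wp_die( __( 'Cheatin’ uh?' ) );`, is the only one in this commit that does not say which permission is missing; the other nine files added in the same change all use a descriptive string, and `!current_user_can(` also drops the space the other guards use. For consistency with them: `if ( ! current_user_can('switch_themes') )` followed by `wp_die(__('You do not have sufficient permissions to manage themes for this blog.'));`. The guard is correctly positioned before the `$_GET['action']` handling that begins at new line 15, so the `activate` branch and its nonce check at line 17 are no longer reachable without the `switch_themes` capability; that branch continues outside the hunk.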
