From 4e7aacfc21a4bdaed47e4d32d6f013a6cb2fcb42 Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 26 Jul 2006 22:18:36 +0000
Subject: [PATCH] Menu and plugin tweakage.

git-svn-id: http://svn.automattic.com/wordpress/trunk@4049 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-functions.php | 7 ++++++-
 wp-admin/admin.php | 12 +++++++++---
 wp-content/plugins/wp-db-backup.php | 7 +++++--
 xmlrpc.php | 4 +++-
 4 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php
index 5e7a54c50..17a4bde58 100644
--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@@ -379,6 +379,7 @@ function add_user() {
 if ( func_num_args() ) { // The hackiest hack that ever did hack
 global $current_user, $wp_roles;
 $user_id = func_get_arg(0);
+
 if (isset ($_POST['role'])) {
 if($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users')) {
 $user = new WP_User($user_id);
@@ -412,7 +413,7 @@ function edit_user($user_id = 0) {
 if (isset ($_POST['pass2']))
 $pass2 = $_POST['pass2'];
 
- if (isset ($_POST['role'])) {
+ if (isset ($_POST['role']) && current_user_can('edit_users')) {
 if($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users'))
 $user->role = $_POST['role'];
 }
@@ -1330,12 +1331,16 @@ function user_can_access_admin_page() {
 global $menu;
 global $submenu;
 global $menu_nopriv;
+ global $plugin_page;
 
 $parent = get_admin_page_parent();
 
 if ( isset($menu_nopriv[$pagenow]) )
 return false;
 
+ if ( isset($plugin_page) && isset($menu_nopriv[$plugin_page]) )
+ return false;
+
 if ( empty($parent) )
 return true;
 
diff --git a/wp-admin/admin.php b/wp-admin/admin.php
index 9b6de5813..0d7694d79 100644
--- a/wp-admin/admin.php
+++ b/wp-admin/admin.php
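Review bot: `$wp_roles->role_objects[$_POST['role']]->has_cap('edit_users')` on the line after the changed condition in edit_user still indexes the role table with an unvalidated request value, so a role name that does not exist dereferences a missing entry before `has_cap` is reached; the new `current_user_can('edit_users')` guard narrows who can get there but does not validate the value. Extend the same condition with an existence check, `if (isset ($_POST['role']) && current_user_can('edit_users') && isset($wp_roles->role_objects[$_POST['role']])) {`. The identical `role_objects[$_POST['role']]` lookup appears unchanged in the add_user hunk above (@@ -379), which also assigns the role from the request without a `current_user_can('edit_users')` check; if that path is reachable by users lacking the capability it needs the same guard, which I cannot confirm from here. Both enclosing functions start and end outside their hunks.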
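Review bot: The new `$plugin_page` check in user_can_access_admin_page has no comment explaining how it differs from the `$pagenow` check directly above it, and `$plugin_page` is a global that admin.php (this commit) derives from `$_GET['page']`, so the dependency is easy to miss. A comment such as `// $plugin_page is set by admin.php from $_GET['page']; refuse plugin pages registered as no-privilege for this user, even when the parent menu is accessible` would make the intent clear — adjust the wording if `$menu_nopriv` means something else, since its population is not visible in this hunk. The function body continues outside the hunk.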
@@ -30,12 +30,15 @@
 wp_enqueue_script( 'fat' );
 
 $editing = false;
 
-require(ABSPATH . '/wp-admin/menu.php');
-
-// Handle plugin admin pages.
 if (isset($_GET['page'])) {
 $plugin_page = stripslashes($_GET['page']);
 $plugin_page = plugin_basename($plugin_page);
+}
+
+require(ABSPATH . '/wp-admin/menu.php');
+
+// Handle plugin admin pages.
+if (isset($plugin_page)) {
 $page_hook = get_plugin_page_hook($plugin_page, $pagenow);
 if ( $page_hook ) {
@@ -64,6 +67,9 @@ if (isset($_GET['page'])) {
 $importer = $_GET['import'];
 
+ if ( ! current_user_can('import') )
+ wp_die(__('You are not allowed to import.'));
+
 if ( validate_file($importer) ) {
 wp_die(__('Invalid importer.'));
 }
 
diff --git a/wp-content/plugins/wp-db-backup.php b/wp-content/plugins/wp-db-backup.php
index eb8e7b3bf..9ba640672 100644
--- a/wp-content/plugins/wp-db-backup.php
+++ b/wp-content/plugins/wp-db-backup.php
@@ -322,11 +322,11 @@ class wpdbBackup {
 
 ///////////////////////////////
 function admin_menu() {
- add_management_page(__('Backup'), __('Backup'), 9, basename(__FILE__), array(&$this, 'backup_menu'));
+ add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'backup_menu'));
 }
 
 function fragment_menu() {
- add_management_page(__('Backup'), __('Backup'), 9, basename(__FILE__), array(&$this, 'build_backup_script'));
+ add_management_page(__('Backup'), __('Backup'), 'import', basename(__FILE__), array(&$this, 'build_backup_script'));
 }
 
 /////////////////////////////////////////////////////////
@@ -884,6 +884,9 @@ class wpdbBackup {
 
 function wpdbBackup_init() {
 global $mywpdbbackup;
+
+ if ( !current_user_can('import') ) return;
+
 $mywpdbbackup = new wpdbBackup();
 }
 
diff --git a/xmlrpc.php b/xmlrpc.php
index 0b7e1a4e7..85c432f5d 100644
--- a/xmlrpc.php
+++ b/xmlrpc.php
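Review bot: The `require(ABSPATH . '/wp-admin/menu.php')` line is moved below the `$plugin_page` assignment without a comment saying why, and the only visible reason is that `user_can_access_admin_page()` in admin-functions.php (changed in this same commit) now reads `global $plugin_page`, which presumably runs during or after menu.php; a later maintainer could easily move the require back up and silently lose the check. A comment above the require, `// $plugin_page must be set before menu.php loads: the menu and access checks read it`, would pin the ordering. Note also that `$plugin_page` is still taken straight from `$_GET['page']` with only `plugin_basename()` applied; what `get_plugin_page_hook()` does with it is outside this hunk, so I cannot tell whether a further `validate_file()`-style check is warranted.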
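Review bot: The literal `'import'` now appears in both `add_management_page()` calls here and again in `wpdbBackup_init()` (@@ -884), with nothing recording why a backup of the whole database is keyed to the import capability rather than one of its own; the three call sites must stay in agreement, and the admin.php hunk in this commit adds the matching `current_user_can('import')` check for the importers. A comment at the first call site, `// Backups expose the whole database; gate on the 'import' capability, the same one admin.php requires for importers`, would make the coupling visible, and a `define()`d constant near the top of the file would remove the repetition. The class body continues outside the hunk.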
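Review bot: The early `return` added before `$mywpdbbackup = new wpdbBackup();` leaves the global `$mywpdbbackup` unset for users without the `import` capability, and nothing in the function says so; any code elsewhere in the plugin that assumes the global holds an object after init would now see an undefined variable for those users (no such caller is visible from this hunk). A comment on the new line, `// Users without 'import' get no backup object; $mywpdbbackup stays unset for them`, documents that contract, and putting `return;` on its own line under the `if` would match the brace-less two-line style the rest of this commit uses.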
@@ -1228,10 +1228,12 @@ class wp_xmlrpc_server extends IXR_Server {
 $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
 $original_title = $title;
 
- $comment_post_ID = $post_ID;
+ $comment_post_ID = (int) $post_ID;
 $comment_author = $title;
+ $this->escape($comment_author);
 $comment_author_url = $pagelinkedfrom;
 $comment_content = $context;
+ $this->escape($comment_content);
 $comment_type = 'pingback';
 
 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_url', 'comment_content', 'comment_type');
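Review bot: The new `$this->escape($comment_author)` and `$this->escape($comment_content)` calls sit a few lines below `$pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );`, so one block now relies on two different escaping helpers for values that all flow into `$commentdata`; whether `$this->escape()` is a by-reference wrapper over `$wpdb->escape()` is not visible here, and a reader has to take it on trust. A comment such as `// $this->escape() escapes in place for the comment insert; $pagelinkedfrom was already escaped above` (or using one helper for all three values) would remove the doubt. `$original_title` keeps the unescaped title for use after the hunk, which is fine as long as that copy never reaches a query. The enclosing method starts and ends outside the hunk.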