From cc08068dba2dffd75a8ce8fda70dd5b552dfcf27 Mon Sep 17 00:00:00 2001
From: nacin
Date: Thu, 16 Dec 2010 08:43:22 +0000
Subject: [PATCH] Remove check_permissions() calls outside of AJAX context. Also only check for switch_themes in check_permissions() for the themes table. see #15326.
git-svn-id: http://svn.automattic.com/wordpress/trunk@16990 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/edit-comments.php | 1 -
 wp-admin/edit-tags.php | 1 -
 wp-admin/edit.php | 1 -
 wp-admin/includes/class-wp-ms-themes-list-table.php | 8 +++-----
 wp-admin/includes/class-wp-plugins-list-table.php | 6 ++----
 wp-admin/includes/class-wp-themes-list-table.php | 3 ++-
 wp-admin/includes/class-wp-users-list-table.php | 8 ++++----
 wp-admin/link-manager.php | 1 -
 wp-admin/network/site-themes.php | 9 +++------
 wp-admin/network/site-users.php | 1 -
 wp-admin/network/sites.php | 4 +++-
 wp-admin/network/themes.php | 7 ++-----
 wp-admin/network/users.php | 4 +++-
 wp-admin/plugin-install.php | 2 +-
 wp-admin/plugins.php | 8 +++++++-
 wp-admin/theme-install.php | 2 +-
 wp-admin/themes.php | 2 +-
 wp-admin/upload.php | 4 +++-
 wp-admin/users.php | 4 +++-
 19 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php
index c1fc1d364..112a21aae 100644
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -12,7 +12,6 @@ if ( !current_user_can('edit_posts') ) wp_die(__('Cheatin’ uh?')); $wp_list_table = get_list_table('WP_Comments_List_Table'); -$wp_list_table->check_permissions(); $pagenum = $wp_list_table->get_pagenum(); $doaction = $wp_list_table->current_action();
diff --git a/wp-admin/edit-tags.php b/wp-admin/edit-tags.php
index 9f7477cc8..c32c42e08 100644
--- a/wp-admin/edit-tags.php
+++ b/wp-admin/edit-tags.php
@@ -13,7 +13,6 @@ if ( !current_user_can( $tax->cap->manage_terms ) ) wp_die( __( 'Cheatin’ uh?' ) ); $wp_list_table = get_list_table('WP_Terms_List_Table'); -$wp_list_table->check_permissions(); $title = $tax->labels->name;
diff --git a/wp-admin/edit.php b/wp-admin/edit.php
index 6db7b358d..fc796c51d 100644
--- a/wp-admin/edit.php
+++ b/wp-admin/edit.php
@@ -24,7 +24,6 @@ if ( !current_user_can($post_type_object->cap->edit_posts) ) wp_die(__('Cheatin’ uh?')); $wp_list_table = get_list_table('WP_Posts_List_Table'); -$wp_list_table->check_permissions(); $pagenum = $wp_list_table->get_pagenum(); // Back-compat for viewing comments of an entry
diff --git a/wp-admin/includes/class-wp-ms-themes-list-table.php b/wp-admin/includes/class-wp-ms-themes-list-table.php
index df8f88c19..ffa91c789 100644
--- a/wp-admin/includes/class-wp-ms-themes-list-table.php
+++ b/wp-admin/includes/class-wp-ms-themes-list-table.php
@@ -39,14 +39,12 @@ class WP_MS_Themes_List_Table extends WP_List_Table { function check_permissions() { $menu_perms = get_site_option( 'menu_items', array() ); - if ( empty( $menu_perms['themes'] ) ) { - if ( !is_super_admin() ) - wp_die( __( 'Cheatin’ uh?' ) ); - } + if ( empty( $menu_perms['themes'] ) && ! is_super_admin() ) + wp_die( __( 'Cheatin’ uh?' ) ); if ( $this->is_site_themes && !current_user_can('manage_sites') ) wp_die( __( 'You do not have sufficient permissions to manage themes for this site.' ) ); - else if ( !$this->is_site_themes && !current_user_can('manage_network_themes') ) + elseif ( !$this->is_site_themes && !current_user_can('manage_network_themes') ) wp_die( __( 'You do not have sufficient permissions to manage network themes.' ) ); }
diff --git a/wp-admin/includes/class-wp-plugins-list-table.php b/wp-admin/includes/class-wp-plugins-list-table.php
index d279e495a..669ea9875 100644
--- a/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/wp-admin/includes/class-wp-plugins-list-table.php
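Review bot: `check_permissions()` in WP_MS_Themes_List_Table carries no doc comment saying when it still runs, and after this patch its `empty( $menu_perms['themes'] ) && ! is_super_admin()` guard is repeated verbatim in wp-admin/network/themes.php and wp-admin/network/site-themes.php (the `plugins` variant is likewise duplicated between WP_Plugins_List_Table::check_permissions() and wp-admin/plugins.php). Per the commit message the method is now reached only on the AJAX path, so a reader of the class alone cannot tell why the page scripts repeat the same checks. Suggest a docblock above `function check_permissions() {` such as `/** Capability check for the AJAX list-table request; page loads are re-checked in network/themes.php and network/site-themes.php. */`. Three hand-maintained copies of one menu_items guard will drift; a small shared helper called from all of them would keep the policy in one place. The enclosing class continues outside the hunk.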
@@ -31,10 +31,8 @@ class WP_Plugins_List_Table extends WP_List_Table { if ( is_multisite() ) { $menu_perms = get_site_option( 'menu_items', array() ); - if ( empty( $menu_perms['plugins'] ) ) { - if ( !is_super_admin() ) - wp_die( __( 'Cheatin’ uh?' ) ); - } + if ( empty( $menu_perms['plugins'] ) && ! is_super_admin() ) + wp_die( __( 'Cheatin’ uh?' ) ); } if ( !current_user_can('activate_plugins') )
diff --git a/wp-admin/includes/class-wp-themes-list-table.php b/wp-admin/includes/class-wp-themes-list-table.php
index 389c8b940..586a29a03 100644
--- a/wp-admin/includes/class-wp-themes-list-table.php
+++ b/wp-admin/includes/class-wp-themes-list-table.php
@@ -12,7 +12,8 @@ class WP_Themes_List_Table extends WP_List_Table { var $features = array(); function check_permissions() { - if ( !current_user_can('switch_themes') && !current_user_can('edit_theme_options') ) + // Do not check edit_theme_options here. AJAX calls for available themes require switch_themes. + if ( !current_user_can('switch_themes') ) wp_die( __( 'Cheatin’ uh?' ) ); }
diff --git a/wp-admin/includes/class-wp-users-list-table.php b/wp-admin/includes/class-wp-users-list-table.php
index a78329946..3a03cecaf 100644
--- a/wp-admin/includes/class-wp-users-list-table.php
+++ b/wp-admin/includes/class-wp-users-list-table.php
@@ -25,11 +25,11 @@ class WP_Users_List_Table extends WP_List_Table { } function check_permissions() { - if ( !current_user_can('list_users') ) - wp_die(__('Cheatin’ uh?')); + if ( ! $this->is_site_users && ! current_user_can( 'list_users' ) ) + wp_die( __( 'Cheatin’ uh?' ) ); - if ( $this->is_site_users && !current_user_can('manage_sites') ) - wp_die(__('You do not have sufficient permissions to edit this site.')); + if ( $this->is_site_users && ! current_user_can( 'manage_sites' ) ) + wp_die(__( 'You do not have sufficient permissions to edit this site.' ) ); } function prepare_items() {
diff --git a/wp-admin/link-manager.php b/wp-admin/link-manager.php
index 702989bdb..4b1829a4c 100644
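Review bot: The comment added in WP_Themes_List_Table::check_permissions() says what is not checked but not where the broader check lives, so the next reader is likely to re-add `edit_theme_options` here. wp-admin/themes.php in this same patch keeps `switch_themes || edit_theme_options` for the page load, and this method is left for the AJAX request only; suggest replacing the added comment with `// Page loads are gated in themes.php (switch_themes or edit_theme_options). This method only runs for the AJAX themes request, which requires switch_themes.`. The class body continues outside the hunk.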
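Review bot: In WP_Users_List_Table::check_permissions() the site-users branch no longer requires `list_users`: before the patch `list_users` was checked unconditionally and `manage_sites` additionally when `$this->is_site_users` was set, whereas now `manage_sites` alone passes in that case. That may be intended (wp-admin/network/site-users.php in this patch checks `manage_sites` only), but where `is_site_users` is assigned is outside this hunk, so a one-line comment recording the intent would help, e.g. `// Site-users context is gated by manage_sites alone; list_users is not required there.`. Separately, the rewritten line `wp_die(__( 'You do not have sufficient permissions to edit this site.' ) );` drops the space after `wp_die(` that its sibling two lines above uses; `wp_die( __( 'You do not have sufficient permissions to edit this site.' ) );` would match.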
--- a/wp-admin/link-manager.php
+++ b/wp-admin/link-manager.php
@@ -12,7 +12,6 @@ if ( ! current_user_can( 'manage_links' ) ) wp_die( __( 'You do not have sufficient permissions to edit the links for this site.' ) ); $wp_list_table = get_list_table('WP_Links_List_Table'); -$wp_list_table->check_permissions(); // Handle bulk deletes $doaction = $wp_list_table->current_action();
diff --git a/wp-admin/network/site-themes.php b/wp-admin/network/site-themes.php
index 961017433..bcdbf0b48 100644
--- a/wp-admin/network/site-themes.php
+++ b/wp-admin/network/site-themes.php
@@ -15,12 +15,10 @@ if ( ! is_multisite() ) $menu_perms = get_site_option( 'menu_items', array() ); -if ( empty( $menu_perms['themes'] ) ) { - if ( !is_super_admin() ) - wp_die( __( 'Cheatin’ uh?' ) ); -} +if ( empty( $menu_perms['themes'] ) && ! is_super_admin() ) + wp_die( __( 'Cheatin’ uh?' ) ); -if ( !current_user_can('manage_sites') ) +if ( ! current_user_can( 'manage_sites' ) ) wp_die( __( 'You do not have sufficient permissions to manage themes for this site.' ) ); add_contextual_help($current_screen,
@@ -34,7 +32,6 @@ add_contextual_help($current_screen, ); $wp_list_table = get_list_table('WP_MS_Themes_List_Table'); -$wp_list_table->check_permissions(); $action = $wp_list_table->current_action();
diff --git a/wp-admin/network/site-users.php b/wp-admin/network/site-users.php
index b9e4726ae..41381e93c 100644
--- a/wp-admin/network/site-users.php
+++ b/wp-admin/network/site-users.php
@@ -17,7 +17,6 @@ if ( ! current_user_can('manage_sites') ) wp_die(__('You do not have sufficient permissions to edit this site.')); $wp_list_table = get_list_table('WP_Users_List_Table'); -$wp_list_table->check_permissions(); $wp_list_table->prepare_items(); $action = $wp_list_table->current_action();
diff --git a/wp-admin/network/sites.php b/wp-admin/network/sites.php
index e7745207c..0229c3963 100644
--- a/wp-admin/network/sites.php
+++ b/wp-admin/network/sites.php
@@ -13,8 +13,10 @@ require_once( './admin.php' ); if ( ! is_multisite() ) wp_die( __( 'Multisite support is not enabled.' ) ); +if ( ! current_user_can( 'manage_sites' ) ) + wp_die( __( 'You do not have permission to access this page.' ) ); + $wp_list_table = get_list_table('WP_MS_Sites_List_Table'); -$wp_list_table->check_permissions(); $title = __( 'Sites' ); $parent_file = 'sites.php';
diff --git a/wp-admin/network/themes.php b/wp-admin/network/themes.php
index 0cac5fdac..b0e10e1c2 100644
--- a/wp-admin/network/themes.php
+++ b/wp-admin/network/themes.php
@@ -15,16 +15,13 @@ if ( ! is_multisite() ) $menu_perms = get_site_option( 'menu_items', array() ); -if ( empty( $menu_perms['themes'] ) ) { - if ( !is_super_admin() ) - wp_die( __( 'Cheatin’ uh?' ) ); -} +if ( empty( $menu_perms['themes'] ) && ! is_super_admin() ) + wp_die( __( 'Cheatin’ uh?' ) ); if ( !current_user_can('manage_network_themes') ) wp_die( __( 'You do not have sufficient permissions to manage network themes.' ) ); $wp_list_table = get_list_table('WP_MS_Themes_List_Table'); -$wp_list_table->check_permissions(); $action = $wp_list_table->current_action();
diff --git a/wp-admin/network/users.php b/wp-admin/network/users.php
index daa3a39bf..9bfab42b2 100644
--- a/wp-admin/network/users.php
+++ b/wp-admin/network/users.php
@@ -13,8 +13,10 @@ require_once( './admin.php' ); if ( ! is_multisite() ) wp_die( __( 'Multisite support is not enabled.' ) ); +if ( ! current_user_can( 'manage_network_users' ) ) + wp_die( __( 'You do not have permission to access this page.' ) ); + $wp_list_table = get_list_table('WP_MS_Users_List_Table'); -$wp_list_table->check_permissions(); $wp_list_table->prepare_items(); $title = __( 'Users' );
diff --git a/wp-admin/plugin-install.php b/wp-admin/plugin-install.php
index 38719b741..62746d32f 100644
--- a/wp-admin/plugin-install.php
+++ b/wp-admin/plugin-install.php
@@ -11,6 +11,7 @@ if ( !defined( 'IFRAME_REQUEST' ) && isset( $_GET['tab'] ) && ( 'plugin-informat /** WordPress Administration Bootstrap */ require_once('./admin.php'); + if ( ! current_user_can('install_plugins') ) wp_die(__('You do not have sufficient permissions to install plugins on this site.'));
@@ -20,7 +21,6 @@ if ( is_multisite() && ! is_network_admin() ) { } $wp_list_table = get_list_table('WP_Plugin_Install_List_Table'); -$wp_list_table->check_permissions(); $wp_list_table->prepare_items(); $title = __('Install Plugins');
diff --git a/wp-admin/plugins.php b/wp-admin/plugins.php
index 4c36be5f4..bedb2015f 100644
--- a/wp-admin/plugins.php
+++ b/wp-admin/plugins.php
@@ -9,11 +9,17 @@ /** WordPress Administration Bootstrap */ require_once('./admin.php'); +if ( is_multisite() ) { + $menu_perms = get_site_option( 'menu_items', array() ); + + if ( empty( $menu_perms['plugins'] ) && ! is_super_admin() ) + wp_die( __( 'Cheatin’ uh?' ) ); +} + if ( !current_user_can('activate_plugins') ) wp_die( __( 'You do not have sufficient permissions to manage plugins for this site.' ) ); $wp_list_table = get_list_table('WP_Plugins_List_Table'); -$wp_list_table->check_permissions(); $action = $wp_list_table->current_action();
diff --git a/wp-admin/theme-install.php b/wp-admin/theme-install.php
index 0fe29145e..839fd2db2 100644
--- a/wp-admin/theme-install.php
+++ b/wp-admin/theme-install.php
@@ -11,6 +11,7 @@ if ( !defined( 'IFRAME_REQUEST' ) && isset( $_GET['tab'] ) && ( 'theme-informati /** WordPress Administration Bootstrap */ require_once('./admin.php'); + if ( ! current_user_can('install_themes') ) wp_die( __( 'You do not have sufficient permissions to install themes on this site.' ) );
@@ -20,7 +21,6 @@ if ( is_multisite() && ! is_network_admin() ) { } $wp_list_table = get_list_table('WP_Theme_Install_List_Table'); -$wp_list_table->check_permissions(); $wp_list_table->prepare_items(); $title = __('Install Themes');
diff --git a/wp-admin/themes.php b/wp-admin/themes.php
index dcb075ace..67efc6595 100644
--- a/wp-admin/themes.php
+++ b/wp-admin/themes.php
@@ -8,11 +8,11 @@ /** WordPress Administration Bootstrap */ require_once('./admin.php'); + if ( !current_user_can('switch_themes') && !current_user_can('edit_theme_options') ) wp_die( __( 'Cheatin’ uh?' ) ); $wp_list_table = get_list_table('WP_Themes_List_Table'); -$wp_list_table->check_permissions(); if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) { if ( 'activate' == $_GET['action'] ) {
diff --git a/wp-admin/upload.php b/wp-admin/upload.php
index 216c11b13..db0c8e2d3 100644
--- a/wp-admin/upload.php
+++ b/wp-admin/upload.php
@@ -9,8 +9,10 @@ /** WordPress Administration Bootstrap */ require_once( './admin.php' ); +if ( !current_user_can('upload_files') ) + wp_die( __( 'You do not have permission to upload files.' ) ); + $wp_list_table = get_list_table('WP_Media_List_Table'); -$wp_list_table->check_permissions(); // Handle bulk actions $doaction = $wp_list_table->current_action();
diff --git a/wp-admin/users.php b/wp-admin/users.php
index 72b6738f7..61ba94217 100644
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -9,8 +9,10 @@ /** WordPress Administration Bootstrap */ require_once( './admin.php' ); +if ( ! current_user_can( 'list_users' ) ) + wp_die( __( 'Cheatin’ uh?' ) ); + $wp_list_table = get_list_table('WP_Users_List_Table'); -$wp_list_table->check_permissions(); $title = __('Users'); $parent_file = 'users.php';
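Review bot: wp-admin/themes.php admits users holding only `edit_theme_options`, while the `WP_Themes_List_Table::check_permissions()` call it drops here now requires `switch_themes` (changed in this same patch), so the page gate and the list-table gate deliberately differ and nothing on the page records that. The later `if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) )` shows activation is still limited to `switch_themes`; suggest a comment above the page check: `// edit_theme_options users may view the list; switch_themes is still required to activate a theme and for the AJAX list table.`. The same one-line removal of `$wp_list_table->check_permissions();` is made in upload.php and users.php below, each with its own capability check added immediately above it.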