diff -r c7c34916027a -r 177826044cd9 wp/wp-admin/post.php --- a/wp/wp-admin/post.php Mon Oct 14 18:06:33 2019 +0200 +++ b/wp/wp-admin/post.php Mon Oct 14 18:28:13 2019 +0200 @@ -11,17 +11,20 @@ /** WordPress Administration Bootstrap */ require_once( dirname( __FILE__ ) . '/admin.php' ); -$parent_file = 'edit.php'; +$parent_file = 'edit.php'; $submenu_file = 'edit.php'; wp_reset_vars( array( 'action' ) ); -if ( isset( $_GET['post'] ) ) - $post_id = $post_ID = (int) $_GET['post']; -elseif ( isset( $_POST['post_ID'] ) ) - $post_id = $post_ID = (int) $_POST['post_ID']; -else - $post_id = $post_ID = 0; +if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) { + wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 ); +} elseif ( isset( $_GET['post'] ) ) { + $post_id = $post_ID = (int) $_GET['post']; +} elseif ( isset( $_POST['post_ID'] ) ) { + $post_id = $post_ID = (int) $_POST['post_ID']; +} else { + $post_id = $post_ID = 0; +} /** * @global string $post_type @@ -30,23 +33,29 @@ */ global $post_type, $post_type_object, $post; -if ( $post_id ) +if ( $post_id ) { $post = get_post( $post_id ); +} if ( $post ) { - $post_type = $post->post_type; + $post_type = $post->post_type; $post_type_object = get_post_type_object( $post_type ); } -if ( isset( $_POST['deletepost'] ) ) +if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) { + wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 ); +} + +if ( isset( $_POST['deletepost'] ) ) { $action = 'delete'; -elseif ( isset($_POST['wp-preview']) && 'dopreview' == $_POST['wp-preview'] ) +} elseif ( isset( $_POST['wp-preview'] ) && 'dopreview' == $_POST['wp-preview'] ) { $action = 'preview'; +} $sendback = wp_get_referer(); if ( ! $sendback || - strpos( $sendback, 'post.php' ) !== false || - strpos( $sendback, 'post-new.php' ) !== false ) { + strpos( $sendback, 'post.php' ) !== false || + strpos( $sendback, 'post-new.php' ) !== false ) { if ( 'attachment' == $post_type ) { $sendback = admin_url( 'upload.php' ); } else { @@ -56,238 +65,286 @@ } } } else { - $sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'ids'), $sendback ); + $sendback = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'ids' ), $sendback ); } -switch($action) { -case 'post-quickdraft-save': - // Check nonce and capabilities - $nonce = $_REQUEST['_wpnonce']; - $error_msg = false; +switch ( $action ) { + case 'post-quickdraft-save': + // Check nonce and capabilities + $nonce = $_REQUEST['_wpnonce']; + $error_msg = false; - // For output of the quickdraft dashboard widget - require_once ABSPATH . 'wp-admin/includes/dashboard.php'; + // For output of the quickdraft dashboard widget + require_once ABSPATH . 'wp-admin/includes/dashboard.php'; - if ( ! wp_verify_nonce( $nonce, 'add-post' ) ) - $error_msg = __( 'Unable to submit this form, please refresh and try again.' ); + if ( ! wp_verify_nonce( $nonce, 'add-post' ) ) { + $error_msg = __( 'Unable to submit this form, please refresh and try again.' ); + } - if ( ! current_user_can( get_post_type_object( 'post' )->cap->create_posts ) ) { - exit; - } + if ( ! current_user_can( get_post_type_object( 'post' )->cap->create_posts ) ) { + exit; + } + + if ( $error_msg ) { + return wp_dashboard_quick_press( $error_msg ); + } - if ( $error_msg ) - return wp_dashboard_quick_press( $error_msg ); + $post = get_post( $_REQUEST['post_ID'] ); + check_admin_referer( 'add-' . $post->post_type ); - $post = get_post( $_REQUEST['post_ID'] ); - check_admin_referer( 'add-' . $post->post_type ); + $_POST['comment_status'] = get_default_comment_status( $post->post_type ); + $_POST['ping_status'] = get_default_comment_status( $post->post_type, 'pingback' ); - $_POST['comment_status'] = get_default_comment_status( $post->post_type ); - $_POST['ping_status'] = get_default_comment_status( $post->post_type, 'pingback' ); + edit_post(); + wp_dashboard_quick_press(); + exit; - edit_post(); - wp_dashboard_quick_press(); - exit; + case 'postajaxpost': + case 'post': + check_admin_referer( 'add-' . $post_type ); + $post_id = 'postajaxpost' == $action ? edit_post() : write_post(); + redirect_post( $post_id ); + exit(); -case 'postajaxpost': -case 'post': - check_admin_referer( 'add-' . $post_type ); - $post_id = 'postajaxpost' == $action ? edit_post() : write_post(); - redirect_post( $post_id ); - exit(); + case 'edit': + $editing = true; -case 'edit': - $editing = true; + if ( empty( $post_id ) ) { + wp_redirect( admin_url( 'post.php' ) ); + exit(); + } - if ( empty( $post_id ) ) { - wp_redirect( admin_url('post.php') ); - exit(); - } + if ( ! $post ) { + wp_die( __( 'You attempted to edit an item that doesn’t exist. Perhaps it was deleted?' ) ); + } - if ( ! $post ) - wp_die( __( 'You attempted to edit an item that doesn’t exist. Perhaps it was deleted?' ) ); + if ( ! $post_type_object ) { + wp_die( __( 'Invalid post type.' ) ); + } - if ( ! $post_type_object ) - wp_die( __( 'Invalid post type.' ) ); + if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) { + wp_die( __( 'Sorry, you are not allowed to edit posts in this post type.' ) ); + } - if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) { - wp_die( __( 'Sorry, you are not allowed to edit posts in this post type.' ) ); - } + if ( ! current_user_can( 'edit_post', $post_id ) ) { + wp_die( __( 'Sorry, you are not allowed to edit this item.' ) ); + } - if ( ! current_user_can( 'edit_post', $post_id ) ) - wp_die( __( 'Sorry, you are not allowed to edit this item.' ) ); + if ( 'trash' == $post->post_status ) { + wp_die( __( 'You can’t edit this item because it is in the Trash. Please restore it and try again.' ) ); + } - if ( 'trash' == $post->post_status ) - wp_die( __( 'You can’t edit this item because it is in the Trash. Please restore it and try again.' ) ); - - if ( ! empty( $_GET['get-post-lock'] ) ) { - check_admin_referer( 'lock-post_' . $post_id ); - wp_set_post_lock( $post_id ); - wp_redirect( get_edit_post_link( $post_id, 'url' ) ); - exit(); - } + if ( ! empty( $_GET['get-post-lock'] ) ) { + check_admin_referer( 'lock-post_' . $post_id ); + wp_set_post_lock( $post_id ); + wp_redirect( get_edit_post_link( $post_id, 'url' ) ); + exit(); + } - $post_type = $post->post_type; - if ( 'post' == $post_type ) { - $parent_file = "edit.php"; - $submenu_file = "edit.php"; - $post_new_file = "post-new.php"; - } elseif ( 'attachment' == $post_type ) { - $parent_file = 'upload.php'; - $submenu_file = 'upload.php'; - $post_new_file = 'media-new.php'; - } else { - if ( isset( $post_type_object ) && $post_type_object->show_in_menu && $post_type_object->show_in_menu !== true ) - $parent_file = $post_type_object->show_in_menu; - else - $parent_file = "edit.php?post_type=$post_type"; - $submenu_file = "edit.php?post_type=$post_type"; - $post_new_file = "post-new.php?post_type=$post_type"; - } + $post_type = $post->post_type; + if ( 'post' == $post_type ) { + $parent_file = 'edit.php'; + $submenu_file = 'edit.php'; + $post_new_file = 'post-new.php'; + } elseif ( 'attachment' == $post_type ) { + $parent_file = 'upload.php'; + $submenu_file = 'upload.php'; + $post_new_file = 'media-new.php'; + } else { + if ( isset( $post_type_object ) && $post_type_object->show_in_menu && $post_type_object->show_in_menu !== true ) { + $parent_file = $post_type_object->show_in_menu; + } else { + $parent_file = "edit.php?post_type=$post_type"; + } + $submenu_file = "edit.php?post_type=$post_type"; + $post_new_file = "post-new.php?post_type=$post_type"; + } + + $title = $post_type_object->labels->edit_item; - /** - * Allows replacement of the editor. - * - * @since 4.9.0 - * - * @param boolean Whether to replace the editor. Default false. - * @param object $post Post object. - */ - if ( apply_filters( 'replace_editor', false, $post ) === true ) { - break; - } + /** + * Allows replacement of the editor. + * + * @since 4.9.0 + * + * @param boolean Whether to replace the editor. Default false. + * @param object $post Post object. + */ + if ( apply_filters( 'replace_editor', false, $post ) === true ) { + break; + } + + if ( use_block_editor_for_post( $post ) ) { + include( ABSPATH . 'wp-admin/edit-form-blocks.php' ); + break; + } + + if ( ! wp_check_post_lock( $post->ID ) ) { + $active_post_lock = wp_set_post_lock( $post->ID ); - if ( ! wp_check_post_lock( $post->ID ) ) { - $active_post_lock = wp_set_post_lock( $post->ID ); + if ( 'attachment' !== $post_type ) { + wp_enqueue_script( 'autosave' ); + } + } - if ( 'attachment' !== $post_type ) - wp_enqueue_script('autosave'); - } + $post = get_post( $post_id, OBJECT, 'edit' ); - $title = $post_type_object->labels->edit_item; - $post = get_post($post_id, OBJECT, 'edit'); + if ( post_type_supports( $post_type, 'comments' ) ) { + wp_enqueue_script( 'admin-comments' ); + enqueue_comment_hotkeys_js(); + } + + include( ABSPATH . 'wp-admin/edit-form-advanced.php' ); - if ( post_type_supports($post_type, 'comments') ) { - wp_enqueue_script('admin-comments'); - enqueue_comment_hotkeys_js(); - } + break; - include( ABSPATH . 'wp-admin/edit-form-advanced.php' ); + case 'editattachment': + check_admin_referer( 'update-post_' . $post_id ); + + // Don't let these be changed + unset( $_POST['guid'] ); + $_POST['post_type'] = 'attachment'; - break; + // Update the thumbnail filename + $newmeta = wp_get_attachment_metadata( $post_id, true ); + $newmeta['thumb'] = wp_basename( $_POST['thumb'] ); -case 'editattachment': - check_admin_referer('update-post_' . $post_id); + wp_update_attachment_metadata( $post_id, $newmeta ); - // Don't let these be changed - unset($_POST['guid']); - $_POST['post_type'] = 'attachment'; + // Intentional fall-through to trigger the edit_post() call. + case 'editpost': + check_admin_referer( 'update-post_' . $post_id ); - // Update the thumbnail filename - $newmeta = wp_get_attachment_metadata( $post_id, true ); - $newmeta['thumb'] = $_POST['thumb']; + $post_id = edit_post(); - wp_update_attachment_metadata( $post_id, $newmeta ); + // Session cookie flag that the post was saved + if ( isset( $_COOKIE['wp-saving-post'] ) && $_COOKIE['wp-saving-post'] === $post_id . '-check' ) { + setcookie( 'wp-saving-post', $post_id . '-saved', time() + DAY_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, is_ssl() ); + } -case 'editpost': - check_admin_referer('update-post_' . $post_id); + redirect_post( $post_id ); // Send user on their way while we keep working - $post_id = edit_post(); + exit(); - // Session cookie flag that the post was saved - if ( isset( $_COOKIE['wp-saving-post'] ) && $_COOKIE['wp-saving-post'] === $post_id . '-check' ) { - setcookie( 'wp-saving-post', $post_id . '-saved', time() + DAY_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, is_ssl() ); - } + case 'trash': + check_admin_referer( 'trash-post_' . $post_id ); - redirect_post($post_id); // Send user on their way while we keep working + if ( ! $post ) { + wp_die( __( 'The item you are trying to move to the Trash no longer exists.' ) ); + } - exit(); + if ( ! $post_type_object ) { + wp_die( __( 'Invalid post type.' ) ); + } -case 'trash': - check_admin_referer('trash-post_' . $post_id); - - if ( ! $post ) - wp_die( __( 'The item you are trying to move to the Trash no longer exists.' ) ); + if ( ! current_user_can( 'delete_post', $post_id ) ) { + wp_die( __( 'Sorry, you are not allowed to move this item to the Trash.' ) ); + } - if ( ! $post_type_object ) - wp_die( __( 'Invalid post type.' ) ); + if ( $user_id = wp_check_post_lock( $post_id ) ) { + $user = get_userdata( $user_id ); + wp_die( sprintf( __( 'You cannot move this item to the Trash. %s is currently editing.' ), $user->display_name ) ); + } - if ( ! current_user_can( 'delete_post', $post_id ) ) - wp_die( __( 'Sorry, you are not allowed to move this item to the Trash.' ) ); + if ( ! wp_trash_post( $post_id ) ) { + wp_die( __( 'Error in moving to Trash.' ) ); + } - if ( $user_id = wp_check_post_lock( $post_id ) ) { - $user = get_userdata( $user_id ); - wp_die( sprintf( __( 'You cannot move this item to the Trash. %s is currently editing.' ), $user->display_name ) ); - } - - if ( ! wp_trash_post( $post_id ) ) - wp_die( __( 'Error in moving to Trash.' ) ); + wp_redirect( + add_query_arg( + array( + 'trashed' => 1, + 'ids' => $post_id, + ), + $sendback + ) + ); + exit(); - wp_redirect( add_query_arg( array('trashed' => 1, 'ids' => $post_id), $sendback ) ); - exit(); + case 'untrash': + check_admin_referer( 'untrash-post_' . $post_id ); + + if ( ! $post ) { + wp_die( __( 'The item you are trying to restore from the Trash no longer exists.' ) ); + } -case 'untrash': - check_admin_referer('untrash-post_' . $post_id); + if ( ! $post_type_object ) { + wp_die( __( 'Invalid post type.' ) ); + } - if ( ! $post ) - wp_die( __( 'The item you are trying to restore from the Trash no longer exists.' ) ); + if ( ! current_user_can( 'delete_post', $post_id ) ) { + wp_die( __( 'Sorry, you are not allowed to restore this item from the Trash.' ) ); + } - if ( ! $post_type_object ) - wp_die( __( 'Invalid post type.' ) ); + if ( ! wp_untrash_post( $post_id ) ) { + wp_die( __( 'Error in restoring from Trash.' ) ); + } - if ( ! current_user_can( 'delete_post', $post_id ) ) - wp_die( __( 'Sorry, you are not allowed to restore this item from the Trash.' ) ); + wp_redirect( add_query_arg( 'untrashed', 1, $sendback ) ); + exit(); - if ( ! wp_untrash_post( $post_id ) ) - wp_die( __( 'Error in restoring from Trash.' ) ); + case 'delete': + check_admin_referer( 'delete-post_' . $post_id ); - wp_redirect( add_query_arg('untrashed', 1, $sendback) ); - exit(); + if ( ! $post ) { + wp_die( __( 'This item has already been deleted.' ) ); + } -case 'delete': - check_admin_referer('delete-post_' . $post_id); + if ( ! $post_type_object ) { + wp_die( __( 'Invalid post type.' ) ); + } - if ( ! $post ) - wp_die( __( 'This item has already been deleted.' ) ); + if ( ! current_user_can( 'delete_post', $post_id ) ) { + wp_die( __( 'Sorry, you are not allowed to delete this item.' ) ); + } - if ( ! $post_type_object ) - wp_die( __( 'Invalid post type.' ) ); - - if ( ! current_user_can( 'delete_post', $post_id ) ) - wp_die( __( 'Sorry, you are not allowed to delete this item.' ) ); + if ( $post->post_type == 'attachment' ) { + $force = ( ! MEDIA_TRASH ); + if ( ! wp_delete_attachment( $post_id, $force ) ) { + wp_die( __( 'Error in deleting.' ) ); + } + } else { + if ( ! wp_delete_post( $post_id, true ) ) { + wp_die( __( 'Error in deleting.' ) ); + } + } - if ( $post->post_type == 'attachment' ) { - $force = ( ! MEDIA_TRASH ); - if ( ! wp_delete_attachment( $post_id, $force ) ) - wp_die( __( 'Error in deleting.' ) ); - } else { - if ( ! wp_delete_post( $post_id, true ) ) - wp_die( __( 'Error in deleting.' ) ); - } + wp_redirect( add_query_arg( 'deleted', 1, $sendback ) ); + exit(); + + case 'preview': + check_admin_referer( 'update-post_' . $post_id ); - wp_redirect( add_query_arg('deleted', 1, $sendback) ); - exit(); + $url = post_preview(); -case 'preview': - check_admin_referer( 'update-post_' . $post_id ); + wp_redirect( $url ); + exit(); - $url = post_preview(); + case 'toggle-custom-fields': + check_admin_referer( 'toggle-custom-fields' ); - wp_redirect($url); - exit(); + $current_user_id = get_current_user_id(); + if ( $current_user_id ) { + $enable_custom_fields = (bool) get_user_meta( $current_user_id, 'enable_custom_fields', true ); + update_user_meta( $current_user_id, 'enable_custom_fields', ! $enable_custom_fields ); + } + + wp_safe_redirect( wp_get_referer() ); + exit(); -default: - /** - * Fires for a given custom post action request. - * - * The dynamic portion of the hook name, `$action`, refers to the custom post action. - * - * @since 4.6.0 - * - * @param int $post_id Post ID sent with the request. - */ - do_action( "post_action_{$action}", $post_id ); + default: + /** + * Fires for a given custom post action request. + * + * The dynamic portion of the hook name, `$action`, refers to the custom post action. + * + * @since 4.6.0 + * + * @param int $post_id Post ID sent with the request. + */ + do_action( "post_action_{$action}", $post_id ); - wp_redirect( admin_url('edit.php') ); - exit(); + wp_redirect( admin_url( 'edit.php' ) ); + exit(); } // end switch include( ABSPATH . 'wp-admin/admin-footer.php' );