1 <?php |
// Shared plugin includes pulled in relative to this file: const.php and l10n.php.
require_once dirname(__FILE__) . '/const.php';
require_once dirname(__FILE__) . '/l10n.php';
// -----------------------------------------------------------------------------
// The ExecPhp_Ajax class handles the AJAX communication coming in from the
// AdminUi, which asks which users are allowed to execute PHP in widgets
// and articles.
// -----------------------------------------------------------------------------
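if (!class_exists('ExecPhp_Ajax')) :
class ExecPhp_Ajax
{
    // Cache object handed in by the plugin bootstrap; the AJAX handler reads the
    // plugin option object through it (see action_ajax_request_user()).
    var $m_cache = NULL;

    // ---------------------------------------------------------------------------
    // init
    // ---------------------------------------------------------------------------

    // Stores the cache reference and registers the AJAX hook.
    //
    // On WordPress >= 2.5 the hook is only registered while an AJAX request is
    // being handled (DOING_AJAX defined); on any other request the callback could
    // never fire, so registration is skipped.
    //
    // $cache: the plugin cache object, taken by reference as the caller expects.
    function __construct(&$cache)
    {
        $this->m_cache =& $cache;

        global $wp_version;
        if (version_compare($wp_version, '2.5.dev') >= 0 && !defined('DOING_AJAX'))
            return;

        // array($this, ...) is enough here: objects are passed by handle in
        // PHP 5+, and the callback only reads $this->m_cache, which is itself
        // a reference.
        add_action('wp_ajax_'. ExecPhp_ACTION_REQUEST_USERS,
            array($this, 'action_ajax_request_user'));
    }

    // PHP 4 style constructor, kept so existing callers (and PHP 4 itself) keep
    // working; PHP 5+ picks __construct() above. Simply delegates.
    function ExecPhp_Ajax(&$cache)
    {
        $this->__construct($cache);
    }

    // ---------------------------------------------------------------------------
    // hooks
    // ---------------------------------------------------------------------------

    // Handler for the wp_ajax_<ExecPhp_ACTION_REQUEST_USERS> action.
    //
    // Reads the comma separated POST parameter "feature", walks every user in
    // {$wpdb->users} and prints, as JavaScript assignments built by
    // adjust_reply(), the display names of the users matching each requested
    // feature:
    //   edit_others_php - holds EDIT_OTHERS_POSTS or EDIT_OTHERS_PAGES plus
    //                     EDIT_OTHERS_PHP, but not EXECUTE_ARTICLES
    //   switch_themes   - holds EXECUTE_WIDGETS (only while widget support is on)
    //   exec_php        - holds EXECUTE_ARTICLES
    // Always terminates the request with die(); prints "-1" (the WordPress AJAX
    // failure convention) when the caller lacks both EDIT_PLUGINS and EDIT_USERS.
    function action_ajax_request_user()
    {
        global $wpdb;

        if (!current_user_can(ExecPhp_CAPABILITY_EDIT_PLUGINS)
            && !current_user_can(ExecPhp_CAPABILITY_EDIT_USERS))
            die('-1');

        // NOTE(review): the request is not nonce-checked (check_ajax_referer).
        // The reply only lists display names to users who already hold
        // EDIT_PLUGINS / EDIT_USERS, but a nonce should be added once the
        // AdminUi side sends one.

        // $_POST['feature'] may be absent or, via feature[]=..., an array; treat
        // both as "nothing requested" instead of raising a notice / "Array".
        $raw_feature = (isset($_POST['feature']) && is_string($_POST['feature']))
            ? $_POST['feature'] : '';
        $feature = $this->parse_feature_list($raw_feature);
        $wants_edit_others_php = $this->wants_feature($feature, ExecPhp_REQUEST_FEATURE_SECURITY_HOLE);
        $wants_switch_themes = $this->wants_feature($feature, ExecPhp_REQUEST_FEATURE_WIDGETS);
        $wants_exec_php = $this->wants_feature($feature, ExecPhp_REQUEST_FEATURE_EXECUTE_ARTICLES);

        // No request data reaches the statement; the table name comes from $wpdb.
        // get_results() runs the statement itself, so no separate query() call.
        $query = "SELECT ID AS user_id FROM {$wpdb->users} ORDER BY display_name";
        $rows = $wpdb->get_results($query);
        if (!is_array($rows))
            $rows = array();

        $option =& $this->m_cache->get_option();
        $widget_support = $option->get_widget_support();

        $output_edit_others_php = '';
        $output_switch_themes = '';
        $output_exec_php = '';
        foreach ($rows as $row)
        {
            // Plain assignment: "=& new" is a parse error on PHP 7+ and was never
            // needed on PHP 5+, where objects are handles.
            $user = new WP_User($row->user_id);
            $has_switch_themes = $user->has_cap(ExecPhp_CAPABILITY_EXECUTE_WIDGETS);
            $has_exec_php = $user->has_cap(ExecPhp_CAPABILITY_EXECUTE_ARTICLES);
            $has_edit_others_posts = $user->has_cap(ExecPhp_CAPABILITY_EDIT_OTHERS_POSTS);
            $has_edit_others_pages = $user->has_cap(ExecPhp_CAPABILITY_EDIT_OTHERS_PAGES);
            $has_edit_others_php = $user->has_cap(ExecPhp_CAPABILITY_EDIT_OTHERS_PHP);

            // Display names are user-editable and end up in the admin page's DOM;
            // escape them here so a crafted name cannot inject markup or break out
            // of the JavaScript string assembled in adjust_reply().
            $item = '<li>'. htmlspecialchars($user->data->display_name, ENT_QUOTES). '</li>';

            if (($has_edit_others_posts || $has_edit_others_pages)
                && $has_edit_others_php && !$has_exec_php && $wants_edit_others_php)
                $output_edit_others_php .= $item;
            if ($has_switch_themes && $widget_support && $wants_switch_themes)
                $output_switch_themes .= $item;
            if ($has_exec_php && $wants_exec_php)
                $output_exec_php .= $item;
        }
        $output_edit_others_php = $this->adjust_reply('edit_others_php', $output_edit_others_php);
        $output_switch_themes = $this->adjust_reply('switch_themes', $output_switch_themes);
        $output_exec_php = $this->adjust_reply('exec_php', $output_exec_php);
        die($output_edit_others_php. $output_switch_themes. $output_exec_php);
    }

    // ---------------------------------------------------------------------------
    // tools
    // ---------------------------------------------------------------------------

    // Splits the raw "feature" request value on commas into a list of trimmed,
    // non-empty strings. Pure; no WordPress dependency.
    //
    // $raw: the request value (anything castable to string).
    function parse_feature_list($raw)
    {
        $list = array();
        foreach (explode(',', (string) $raw) as $item)
        {
            $item = trim($item);
            if ($item !== '')
                $list[] = $item;
        }
        return $list;
    }

    // True when $name is present in $feature_list. The comparison is strict on
    // the string form, which sidesteps PHP's loose numeric-string equality while
    // still working whether the ExecPhp_REQUEST_FEATURE_* constants are strings
    // or ints.
    function wants_feature($feature_list, $name)
    {
        return in_array((string) $name, $feature_list, true);
    }

    // Wraps a run of "<li>...</li>" items into a JavaScript assignment of the
    // form `$js_var = "<ul>...</ul>"; `. Double quotes inside the run are passed
    // through escape_dquote(), a plugin helper not defined in this file. An
    // empty run yields an empty string so the client-side variable is left
    // untouched.
    //
    // $js_var: name of the JavaScript variable to assign.
    // $output: the concatenated list items, '' when there are none.
    function adjust_reply($js_var, $output)
    {
        if ((string) $output === '')
            return '';
        return "$js_var = \"<ul>". escape_dquote($output). "</ul>\"; ";
    }
}
endif;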
98 ?> |