root/branches/2.0/wp-admin/admin-functions.php

Revision 5737, 58.7 kB (checked in by markjaquith, 1 year ago)

Prevent editing of protected meta keys for 2.0.x

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
1 <?php
2
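/**
 * Creates a new post from the "Write Post" form using $_POST information.
 *
 * The submitted form fields are renamed in place into the keys that
 * wp_insert_post() reads, the post status is derived from the submit button
 * that was pressed, and capability checks gate authoring as another user,
 * publishing and page creation. A failed capability check ends the request
 * via die().
 *
 * @return int ID of the post that was created.
 */
function write_post() {
    global $user_ID;

    if (!current_user_can('edit_posts'))
        die(__('You are not allowed to create posts or drafts on this blog.'));

    // Rename. Fields the form did not send become '' rather than raising
    // undefined-index notices.
    $_POST['post_content'] = isset($_POST['content']) ? $_POST['content'] : '';
    $_POST['post_excerpt'] = isset($_POST['excerpt']) ? $_POST['excerpt'] : '';
    $_POST['post_parent'] = isset($_POST['parent_id']) ? $_POST['parent_id'] : '';
    $_POST['to_ping'] = isset($_POST['trackback_url']) ? $_POST['trackback_url'] : '';

    // The user we act as comes from the login session (global $user_ID),
    // not from the form: the hidden user_ID field is client supplied, so
    // comparing post_author against it would let the submitter satisfy the
    // "post as this user" check with values of their own choosing.
    $acting_ID = (int) $user_ID;

    if (!empty($_POST['post_author_override'])) {
        $_POST['post_author'] = (int) $_POST['post_author_override'];
    } elseif (!empty($_POST['post_author'])) {
        $_POST['post_author'] = (int) $_POST['post_author'];
    } else {
        $_POST['post_author'] = $acting_ID;
    }

    if ($_POST['post_author'] != $acting_ID && !current_user_can('edit_others_posts'))
        die(__('You cannot post as this user.'));

    // What to do based on which button they pressed. Later entries win when
    // several buttons are present, matching the original chain of ifs.
    $button_status = array(
        'saveasdraft'   => 'draft',
        'saveasprivate' => 'private',
        'publish'       => 'publish',
        'advanced'      => 'draft',
        'savepage'      => 'static',
    );
    foreach ($button_status as $button => $status) {
        if (isset($_POST[$button]) && '' != $_POST[$button])
            $_POST['post_status'] = $status;
    }

    $post_status = isset($_POST['post_status']) ? $_POST['post_status'] : '';
    if ('publish' == $post_status && !current_user_can('publish_posts'))
        $_POST['post_status'] = 'draft';

    if ('static' == $post_status && !current_user_can('edit_pages'))
        die(__('This user cannot edit pages.'));

    if (!isset($_POST['comment_status']))
        $_POST['comment_status'] = 'closed';

    if (!isset($_POST['ping_status']))
        $_POST['ping_status'] = 'closed';

    if (!empty($_POST['edit_date'])) {
        $aa = isset($_POST['aa']) ? $_POST['aa'] : '';
        $mm = isset($_POST['mm']) ? $_POST['mm'] : '';
        $jj = isset($_POST['jj']) ? $_POST['jj'] : '';
        $hh = isset($_POST['hh']) ? $_POST['hh'] : '';
        $mn = isset($_POST['mn']) ? $_POST['mn'] : '';
        $ss = isset($_POST['ss']) ? $_POST['ss'] : '';
        // Day is capped at 31; hour/minute/second wrap once past their range.
        $jj = ($jj > 31) ? 31 : $jj;
        $hh = ($hh > 23) ? $hh - 24 : $hh;
        $mn = ($mn > 59) ? $mn - 60 : $mn;
        $ss = ($ss > 59) ? $ss - 60 : $ss;
        $_POST['post_date'] = "$aa-$mm-$jj $hh:$mn:$ss";
        $_POST['post_date_gmt'] = get_gmt_from_date($_POST['post_date']);
    }

    // Create the post.
    $post_ID = wp_insert_post($_POST);
    add_meta($post_ID);

    // Reunite any orphaned attachments with their parent
    if (!empty($_POST['temp_ID']))
        relocate_children($_POST['temp_ID'], $post_ID);

    // Now that we have an ID we can fix any attachment anchor hrefs
    fix_attachment_links($post_ID);

    return $post_ID;
}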
80
/**
 * Move child posts to a new parent.
 *
 * Rewrites post_parent for every row that currently points at $old_ID so
 * that it points at $new_ID. Both IDs are cast to int before being
 * interpolated into the statement, which is what makes the interpolation safe.
 *
 * @param int $old_ID Parent ID the children currently reference.
 * @param int $new_ID Parent ID they should reference afterwards.
 * @return mixed Whatever $wpdb->query() returns for the UPDATE.
 */
function relocate_children($old_ID, $new_ID) {
    global $wpdb;

    $from = (int) $old_ID;
    $to = (int) $new_ID;
    $sql = "UPDATE {$wpdb->posts} SET post_parent = {$to} WHERE post_parent = {$from}";

    return $wpdb->query($sql);
}
88
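/**
 * Replace hrefs of attachment anchors with up-to-date permalinks.
 *
 * Scans the post content for <a rel="...attachment..."> anchors whose id
 * attribute has the form "p<attachment ID>", re-parents any such attachment
 * that has no existing parent onto this post, and rewrites each anchor's
 * href to get_attachment_link().
 *
 * @param int $post_ID Post whose content is rewritten.
 * @return mixed Result of wp_update_post(), or null when there was nothing to do.
 */
function fix_attachment_links($post_ID) {
    $post = get_post($post_ID, ARRAY_A);
    if (empty($post) || empty($post['post_content']))
        return;

    // Without the "e" modifier: it is meaningless for preg_match_all() and
    // makes PHP 7+ reject the pattern, which silently disabled this function.
    $anchor_search = "#<a[^>]+rel=('|\")[^'\"]*attachment[^>]*>#i";

    // See if we have any rel="attachment" links
    if (0 == preg_match_all($anchor_search, $post['post_content'], $anchor_matches, PREG_PATTERN_ORDER))
        return;

    $post_search = array();
    $post_replace = array();
    $id_search = "# id=(\"|')p(\d+)\\1#i";
    $href_search = "#href=(\"|')[^'\"]*\\1#";
    foreach ($anchor_matches[0] as $anchor) {
        if (0 == preg_match($id_search, $anchor, $id_matches))
            continue;

        $id = (int) $id_matches[2];

        // While we have the attachment ID, let's adopt any orphans.
        $attachment = get_post($id, ARRAY_A);
        if (!empty($attachment) && !is_object(get_post($attachment['post_parent']))) {
            $attachment['post_parent'] = $post_ID;
            // Escape data pulled from DB.
            $attachment = add_magic_quotes($attachment);
            wp_update_post($attachment);
        }

        // The new href is spliced in as a literal replacement instead of via
        // the eval-style "e" modifier; "\" and "$" are escaped so preg_replace()
        // cannot read the permalink as a backreference.
        $link = addcslashes(get_attachment_link($id), '\\$');
        $post_search[] = $anchor;
        $post_replace[] = preg_replace($href_search, 'href=${1}' . $link . '${1}', $anchor);
    }

    // With no matches both arrays are empty and the content is left unchanged.
    $post['post_content'] = str_replace($post_search, $post_replace, $post['post_content']);

    // Escape data pulled from DB.
    $post = add_magic_quotes($post);

    return wp_update_post($post);
}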
130
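/**
 * Update an existing post with values provided in $_POST.
 *
 * Mirrors write_post(): form fields are renamed in place into the keys that
 * wp_update_post() reads, the status is derived from the submit button, and
 * capability checks gate editing, authoring as another user, publishing and
 * pages. Custom fields submitted with the form are updated, deleted and
 * added before the post itself is saved.
 *
 * @return int ID of the post that was updated.
 */
function edit_post() {
    global $user_ID;

    $post_ID = isset($_POST['post_ID']) ? (int) $_POST['post_ID'] : 0;

    if (!current_user_can('edit_post', $post_ID))
        die(__('You are not allowed to edit this post.'));

    // Rename. Fields the form did not send become '' rather than raising
    // undefined-index notices.
    $_POST['ID'] = $post_ID;
    $_POST['post_content'] = isset($_POST['content']) ? $_POST['content'] : '';
    $_POST['post_excerpt'] = isset($_POST['excerpt']) ? $_POST['excerpt'] : '';
    $_POST['post_parent'] = isset($_POST['parent_id']) ? $_POST['parent_id'] : '';
    $_POST['to_ping'] = isset($_POST['trackback_url']) ? $_POST['trackback_url'] : '';

    // The user we act as comes from the login session (global $user_ID),
    // not from the form: the hidden user_ID field is client supplied, so
    // comparing post_author against it would let the submitter satisfy the
    // "post as this user" check with values of their own choosing.
    $acting_ID = (int) $user_ID;

    if (!empty($_POST['post_author_override'])) {
        $_POST['post_author'] = (int) $_POST['post_author_override'];
    } elseif (!empty($_POST['post_author'])) {
        $_POST['post_author'] = (int) $_POST['post_author'];
    } else {
        $_POST['post_author'] = $acting_ID;
    }

    if ($_POST['post_author'] != $acting_ID && !current_user_can('edit_others_posts'))
        die(__('You cannot post as this user.'));

    // What to do based on which button they pressed. Later entries win when
    // several buttons are present, matching the original chain of ifs.
    $button_status = array(
        'saveasdraft'   => 'draft',
        'saveasprivate' => 'private',
        'publish'       => 'publish',
        'advanced'      => 'draft',
        'savepage'      => 'static',
    );
    foreach ($button_status as $button => $status) {
        if (isset($_POST[$button]) && '' != $_POST[$button])
            $_POST['post_status'] = $status;
    }

    $post_status = isset($_POST['post_status']) ? $_POST['post_status'] : '';
    if ('publish' == $post_status && !current_user_can('publish_posts'))
        $_POST['post_status'] = 'draft';

    if ('static' == $post_status && !current_user_can('edit_pages'))
        die(__('This user cannot edit pages.'));

    if (!isset($_POST['comment_status']))
        $_POST['comment_status'] = 'closed';

    if (!isset($_POST['ping_status']))
        $_POST['ping_status'] = 'closed';

    if (!empty($_POST['edit_date'])) {
        $aa = isset($_POST['aa']) ? $_POST['aa'] : '';
        $mm = isset($_POST['mm']) ? $_POST['mm'] : '';
        $jj = isset($_POST['jj']) ? $_POST['jj'] : '';
        $hh = isset($_POST['hh']) ? $_POST['hh'] : '';
        $mn = isset($_POST['mn']) ? $_POST['mn'] : '';
        $ss = isset($_POST['ss']) ? $_POST['ss'] : '';
        // Day is capped at 31; hour/minute/second wrap once past their range.
        $jj = ($jj > 31) ? 31 : $jj;
        $hh = ($hh > 23) ? $hh - 24 : $hh;
        $mn = ($mn > 59) ? $mn - 60 : $mn;
        $ss = ($ss > 59) ? $ss - 60 : $ss;
        $_POST['post_date'] = "$aa-$mm-$jj $hh:$mn:$ss";
        $_POST['post_date_gmt'] = get_gmt_from_date($_POST['post_date']);
    }

    // Meta Stuff. $key is the meta row ID taken from the form; nothing here
    // verifies that the row belongs to $post_ID or that the key is protected,
    // so update_meta()/delete_meta() are presumably where that is enforced --
    // confirm in those helpers rather than relying on the form.
    if (!empty($_POST['meta']) && is_array($_POST['meta'])) {
        foreach ($_POST['meta'] as $key => $value) {
            if (is_array($value))
                update_meta($key, $value['key'], $value['value']);
        }
    }

    if (!empty($_POST['deletemeta']) && is_array($_POST['deletemeta'])) {
        foreach ($_POST['deletemeta'] as $key => $value)
            delete_meta($key);
    }

    add_meta($post_ID);

    wp_update_post($_POST);

    // Now that we have an ID we can fix any attachment anchor hrefs
    fix_attachment_links($post_ID);

    return $post_ID;
}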
218
/**
 * Update an existing comment with the values submitted by the comment edit form.
 *
 * The form's "newcomment_*" fields are copied into the column names that
 * wp_update_comment() reads, the optional edited date is assembled, and the
 * request is ended via die() when the user cannot edit the parent post.
 */
function edit_comment() {
    global $user_ID;

    $comment_ID = (int) $_POST['comment_ID'];
    $comment_post_ID = (int) $_POST['comment_post_ID'];

    if (!current_user_can('edit_post', $comment_post_ID))
        die(__('You are not allowed to edit comments on this post, so you cannot edit this comment.'));

    // Map form field names onto the comment columns wp_update_comment() expects.
    $renames = array(
        'comment_author'       => 'newcomment_author',
        'comment_author_email' => 'newcomment_author_email',
        'comment_author_url'   => 'newcomment_author_url',
        'comment_approved'     => 'comment_status',
        'comment_content'      => 'content',
    );
    foreach ($renames as $column => $field)
        $_POST[$column] = $_POST[$field];
    $_POST['comment_ID'] = $comment_ID;

    if (!empty($_POST['edit_date'])) {
        $year = $_POST['aa'];
        $month = $_POST['mm'];
        $day = $_POST['jj'];
        $hour = $_POST['hh'];
        $minute = $_POST['mn'];
        $second = $_POST['ss'];
        // Same adjustment as the post editors: day is capped at 31,
        // hour/minute/second wrap once past their range.
        $day = ($day > 31) ? 31 : $day;
        $hour = ($hour > 23) ? $hour - 24 : $hour;
        $minute = ($minute > 59) ? $minute - 60 : $minute;
        $second = ($second > 59) ? $second - 60 : $second;
        $_POST['comment_date'] = "$year-$month-$day $hour:$minute:$second";
    }

    wp_update_comment($_POST);
}
251
/**
 * Get an existing post and format it for editing.
 *
 * Loads the post, runs its editable fields through format_to_edit() and the
 * matching *_edit_pre filters, and attaches the page template for static
 * pages. Also sets the global $richedit flag from the user's rich_editing
 * option.
 *
 * @param int $id Post ID.
 * @return object Post object with fields prepared for the edit form.
 */
function get_post_to_edit($id) {
    global $richedit;
    $richedit = ('true' == get_user_option('rich_editing'));

    $post = get_post($id);

    // Content is the only field whose formatting depends on the rich editor.
    $content = format_to_edit($post->post_content, $richedit);
    $post->post_content = apply_filters('content_edit_pre', $content);

    $excerpt = format_to_edit($post->post_excerpt);
    $post->post_excerpt = apply_filters('excerpt_edit_pre', $excerpt);

    $title = format_to_edit($post->post_title);
    $post->post_title = apply_filters('title_edit_pre', $title);

    $post->post_password = format_to_edit($post->post_password);

    if ('static' == $post->post_status)
        $post->page_template = get_post_meta($id, '_wp_page_template', true);

    return $post;
}
275
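/**
 * Default post information to use when populating the "Write Post" form.
 *
 * Title, content and excerpt may be pre-filled from the request (the
 * bookmarklet passes popuptitle/popupurl/text); everything else comes from
 * the blog's default settings. Request values are slash-stripped and
 * HTML-escaped before being offered back to the form.
 *
 * @return object Post object carrying the default field values.
 */
function get_default_post_to_edit() {
    $post_title = '';
    if (!empty($_REQUEST['post_title'])) {
        $post_title = wp_specialchars(stripslashes($_REQUEST['post_title']));
    } elseif (!empty($_REQUEST['popuptitle'])) {
        $post_title = wp_specialchars(stripslashes($_REQUEST['popuptitle']));
        $post_title = funky_javascript_fix($post_title);
    }

    // Initialised up front: previously this stayed undefined when neither
    // branch applied and null was handed to the default_content filter.
    $post_content = '';
    if (!empty($_REQUEST['content'])) {
        $post_content = wp_specialchars(stripslashes($_REQUEST['content']));
    } elseif (!empty($post_title)) {
        $text = isset($_REQUEST['text']) ? $_REQUEST['text'] : '';
        $text = wp_specialchars(stripslashes(urldecode($text)));
        $text = funky_javascript_fix($text);
        $popupurl = isset($_REQUEST['popupurl']) ? $_REQUEST['popupurl'] : '';
        $popupurl = clean_url(stripslashes($popupurl));
        $post_content = '<a href="' . $popupurl . '">' . $post_title . '</a>' . "\n$text";
    }

    $post_excerpt = '';
    if (!empty($_REQUEST['excerpt']))
        $post_excerpt = wp_specialchars(stripslashes($_REQUEST['excerpt']));

    // Build on an explicit object: assigning properties to an undefined
    // variable is an error on PHP 8 and a warning before that.
    $post = new stdClass();
    $post->post_status = 'draft';
    $post->comment_status = get_settings('default_comment_status');
    $post->ping_status = get_settings('default_ping_status');
    $post->post_pingback = get_settings('default_pingback_flag');
    $post->post_category = get_settings('default_category');
    $post->post_content = apply_filters('default_content', $post_content);
    $post->post_title = apply_filters('default_title', $post_title);
    $post->post_excerpt = apply_filters('default_excerpt', $post_excerpt);
    $post->page_template = 'default';
    $post->post_parent = 0;
    $post->menu_order = 0;

    return $post;
}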
315
/**
 * Load a comment and prepare its fields for the comment edit form.
 *
 * IDs are cast to int, the content and author fields go through
 * format_to_edit() (the content additionally through the comment_edit_pre
 * filter), and the author URL is cleaned before being formatted. Also sets
 * the global $richedit flag from the user's rich_editing option.
 *
 * @param int $id Comment ID.
 * @return object Comment object ready for editing.
 */
function get_comment_to_edit($id) {
    global $richedit;
    $richedit = ('true' == get_user_option('rich_editing'));

    $comment = get_comment($id);

    $comment->comment_ID = (int) $comment->comment_ID;
    $comment->comment_post_ID = (int) $comment->comment_post_ID;

    $content = format_to_edit($comment->comment_content);
    $comment->comment_content = apply_filters('comment_edit_pre', $content);

    foreach (array('comment_author', 'comment_author_email') as $field)
        $comment->$field = format_to_edit($comment->$field);

    // The URL is sanitised first, then formatted like the other text fields.
    $url = clean_url($comment->comment_author_url);
    $comment->comment_author_url = format_to_edit($url);

    return $comment;
}
335
/**
 * Get an existing category for editing.
 *
 * Currently a pass-through to get_category(); kept as its own entry point so
 * the "*_to_edit" family of helpers has a uniform shape.
 *
 * @param int $id Category ID.
 * @return mixed Whatever get_category() returns for $id.
 */
function get_category_to_edit($id) {
    return get_category($id);
}
341
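/**
 * Load a user and escape its fields for output in the user edit form.
 *
 * Scalar profile fields are attribute-escaped so they can sit inside form
 * input values; the URL is passed through clean_url() and the description
 * (rendered in a textarea) through wp_specialchars().
 *
 * @param int $user_id ID of the user to load.
 * @return WP_User The user with display-escaped fields.
 */
function get_user_to_edit($user_id) {
    $user = new WP_User($user_id);
    $user->user_login   = attribute_escape($user->user_login);
    $user->user_email   = attribute_escape($user->user_email);
    $user->user_url     = clean_url($user->user_url);
    $user->first_name   = attribute_escape($user->first_name);
    $user->last_name    = attribute_escape($user->last_name);
    $user->display_name = attribute_escape($user->display_name);
    $user->nickname     = attribute_escape($user->nickname);
    $user->aim          = attribute_escape($user->aim);
    $user->yim          = attribute_escape($user->yim);
    $user->jabber       = attribute_escape($user->jabber);
    // The assignment operator was missing here (a parse error), so the
    // escaped description was never stored.
    $user->description  = wp_specialchars($user->description);

    return $user;
}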
358
/**
 * Creates a new user from the "Users" form using $_POST information.
 *
 * Creation is an edit with no existing user ID, so this defers entirely to
 * edit_user() with its default argument.
 *
 * @return mixed Whatever edit_user() returns.
 */
function add_user() {
    $new_user_id = 0;

    return edit_user($new_user_id);
}
364
365 function edit_user($user_id = 0) {
366     global $current_user, $wp_roles, $wpdb;
367
368     if ($user_id != 0) {
369         $update = true;
370         $user->ID = (int) $user_id;
371         $userdata = get_userdata($user_id);
372         $user->user_login = $wpdb->escape($userdata->user_login);
373     } else {
374         $update = false;
375         $user = '';
376     }
377
378     if (isset ($_POST['user_login']))
379         $user->user_login = wp_specialchars(trim($_POST['user_login']));
380
381     $pass1 = $pass2 = '';
382     if (isset ($_POST['pass1']))
383         $pass1 = $_POST['pass1'];
384     if (isset ($_POST['pass2']))
385         $pass2 = $_POST['pass2'];
386
387     if (isset ($_POST['role']) && current_user_can('edit_users')) {
388         if($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users'))
389             $user->role = $_POST['role'];
390     }
391
392     if (isset ($_POST['email']))
393         $user->user_email = wp_specialchars(trim($_POST['email']));
394     if (isset ($_POST['url'])) {
395         $user->user_url = clean_url(trim($_POST['url']));
396         $user->user_url = preg_match('/^(https?|ftps?|mailto|news|gopher):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
397     }
398     if (isset ($_POST['first_name']))
399         $user->first_name = wp_specialchars(trim($_POST['first_name']));
400     if (isset ($_POST['last_name']))
401         $user->last_name = wp_specialchars(trim($_POST['last_name']));
402     if (isset ($_POST['nickname']))
403         $user->nickname = wp_specialchars(trim($_POST['nickname']));
404     if (isset ($_POST['display_name']))
405         $user->display_name = wp_specialchars(trim($_POST['display_name']));
406     if (isset ($_POST['description']))
407         $user->description = trim($_POST['description']);
408     if (isset ($_POST['jabber']))
409         $user->jabber = wp_specialchars(trim($_POST['jabber']));
410     if (isset ($_POST['aim']))
411         $user->aim = wp_specialchars(trim($_POST['aim']));
412     if (isset ($_POST['yim']))
413         $user->yim = wp_specialchars(trim($_POST['yim']));
414
415     $errors = array ();
416
417     /* checking that username has been typed */
418     if ($user->user_login == '')
419         $errors['user_login'] = __('<strong>ERROR</strong>: Please enter a username.');
420
421     /* checking the password has been typed twice */
422     do_action('check_passwords', array ($user->user_login, & $pass1, & $pass2));
423
424     if (!$update) {
425         if ($pass1 == '' || $pass2 == '')
426             $errors['pass'] = __('<st