root/branches/2.1/wp-admin/admin-functions.php

Revision 5120, 72.0 kB (checked in by ryan, 2 years ago)

More clean_url and int casts for 2.1.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
1 <?php
2
// Handle a "Write Post" submission: create the post and return its ID, or stop
// the request with the error text when wp_write_post() reports a WP_Error.
function write_post() {
    $outcome = wp_write_post();
    if ( !is_wp_error( $outcome ) )
        return $outcome;
    // wp_die() terminates the request; nothing is returned on this path.
    wp_die( $outcome->get_error_message() );
}
10
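// Creates a new post from the "Write Post" form using $_POST information.
//
// Returns the new post ID, or a WP_Error when the current user lacks the
// capability for what the form asks for.  $_POST is client-controlled, so
// every authorization decision is made with current_user_can() and the
// server-side $user_ID, never with a user-supplied field.  Form fields are
// renamed in place in $_POST and handed to wp_insert_post() as-is.
function wp_write_post() {
    global $user_ID;

    if ( 'page' == $_POST['post_type'] ) {
        if ( !current_user_can( 'edit_pages' ) )
            return new WP_Error( 'edit_pages', __( 'You are not allowed to create pages on this blog.' ) );
    } else {
        if ( !current_user_can( 'edit_posts' ) )
            return new WP_Error( 'edit_posts', __( 'You are not allowed to create posts or drafts on this blog.' ) );
    }

    // Check for autosave collisions.  Both variables are read again after the
    // insert below, so they are initialised even when no temp_ID was posted
    // (previously $temp_id was undefined on that path).
    $temp_id = 0;
    $draft_ids = array();
    if ( isset($_POST['temp_ID']) ) {
        $temp_id = (int) $_POST['temp_ID'];
        if ( !$draft_ids = get_user_option( 'autosave_draft_ids' ) )
            $draft_ids = array();
        // Entries are keyed by -1 * time( then ); drop any older than one day.
        foreach ( $draft_ids as $temp => $real )
            if ( time() + $temp > 86400 )
                unset($draft_ids[$temp]);

        if ( isset($draft_ids[$temp_id]) ) { // Edit, don't write
            $_POST['post_ID'] = $draft_ids[$temp_id];
            unset($_POST['temp_ID']);
            relocate_children( $temp_id, $_POST['post_ID'] );
            update_user_option( $user_ID, 'autosave_draft_ids', $draft_ids );
            return edit_post();
        }
    }

    // Rename form fields to the column names wp_insert_post() expects.
    $_POST['post_content'] = $_POST['content'];
    $_POST['post_excerpt'] = $_POST['excerpt'];
    $_POST['post_parent'] = $_POST['parent_id'];
    $_POST['to_ping'] = $_POST['trackback_url'];

    // Resolve the author.  The fallback is the logged-in user ($user_ID), not
    // the user_ID hidden form field, which the client can set to anything.
    if (!empty ( $_POST['post_author_override'] ) ) {
        $_POST['post_author'] = (int) $_POST['post_author_override'];
    } else {
        if (!empty ( $_POST['post_author'] ) ) {
            $_POST['post_author'] = (int) $_POST['post_author'];
        } else {
            $_POST['post_author'] = (int) $user_ID;
        }
    }

    // Posting as somebody else needs the "others" capability.  The comparison
    // is against the server-side $user_ID: comparing against $_POST['user_ID']
    // would let a submitter skip this check by posting a matching user_ID.
    if ( $_POST['post_author'] != (int) $user_ID ) {
        if ( 'page' == $_POST['post_type'] ) {
            if ( !current_user_can( 'edit_others_pages' ) )
                return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) );
        } else {
            if ( !current_user_can( 'edit_others_posts' ) )
                return new WP_Error( 'edit_others_posts', __( 'You are not allowed to post as this user.' ) );
        }
    }

    // What to do based on which button they pressed (a later button wins).
    if ( isset( $_POST['saveasdraft'] ) && '' != $_POST['saveasdraft'] )
        $_POST['post_status'] = 'draft';
    if ( isset( $_POST['saveasprivate'] ) && '' != $_POST['saveasprivate'] )
        $_POST['post_status'] = 'private';
    if ( isset( $_POST['publish'] ) && '' != $_POST['publish'] )
        $_POST['post_status'] = 'publish';
    if ( isset( $_POST['advanced'] ) && '' != $_POST['advanced'] )
        $_POST['post_status'] = 'draft';

    // Without the publish capability a publish request is downgraded to a draft.
    if ( 'page' == $_POST['post_type'] ) {
        if ('publish' == $_POST['post_status'] && !current_user_can( 'publish_pages' ) )
            $_POST['post_status'] = 'draft';
    } else {
        if ('publish' == $_POST['post_status'] && !current_user_can( 'publish_posts' ) )
            $_POST['post_status'] = 'draft';
    }

    if (!isset( $_POST['comment_status'] ))
        $_POST['comment_status'] = 'closed';

    if (!isset( $_POST['ping_status'] ))
        $_POST['ping_status'] = 'closed';

    // Only upper bounds are clamped; sprintf's %d turns anything non-numeric
    // into 0, and the assembled string is not validated as a real calendar date.
    if (!empty ( $_POST['edit_date'] ) ) {
        $aa = $_POST['aa'];
        $mm = $_POST['mm'];
        $jj = $_POST['jj'];
        $hh = $_POST['hh'];
        $mn = $_POST['mn'];
        $ss = $_POST['ss'];
        $jj = ($jj > 31 ) ? 31 : $jj;
        $hh = ($hh > 23 ) ? $hh -24 : $hh;
        $mn = ($mn > 59 ) ? $mn -60 : $mn;
        $ss = ($ss > 59 ) ? $ss -60 : $ss;
        $_POST['post_date'] = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", $aa, $mm, $jj, $hh, $mn, $ss );
        $_POST['post_date_gmt'] = get_gmt_from_date( $_POST['post_date'] );
    }

    // Create the post.
    $post_ID = wp_insert_post( $_POST );

    add_meta( $post_ID );

    // Reunite any orphaned attachments with their parent and record the
    // temp_ID -> real ID mapping so a repeated autosave edits instead of inserting.
    if ( $temp_id ) {
        relocate_children( $temp_id, $post_ID );
        $draft_ids[$temp_id] = $post_ID;
        update_user_option( $user_ID, 'autosave_draft_ids', $draft_ids );
    }

    // Now that we have an ID we can fix any attachment anchor hrefs
    fix_attachment_links( $post_ID );

    return $post_ID;
}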
127
// Move child posts to a new parent.  Returns whatever $wpdb->query() returns.
function relocate_children( $old_ID, $new_ID ) {
    global $wpdb;
    // Both IDs are forced to integers before they are placed in the SQL text.
    $sql = sprintf( 'UPDATE %s SET post_parent = %d WHERE post_parent = %d',
        $wpdb->posts, (int) $new_ID, (int) $old_ID );
    return $wpdb->query( $sql );
}
135
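// Replace hrefs of attachment anchors with up-to-date permalinks.
//
// Scans the stored post_content of $post_ID for <a ... rel="...attachment...">
// anchors carrying a wp-att-N marker, re-parents attachment N to $post_ID
// when its current parent does not resolve to a post, and rewrites each
// anchor's href to get_attachment_link( N ).  Returns the wp_update_post()
// result, or nothing when there is no post or nothing to rewrite.
function fix_attachment_links( $post_ID ) {
    $post = get_post( $post_ID, ARRAY_A );
    if ( empty( $post ) )
        return;

    // No /e modifier: it is meaningless for preg_match_all, PHP 5.5+ warns on
    // it and PHP 7 rejects the pattern, which would make this function a
    // silent no-op.
    $search = "#<a[^>]+rel=('|\")[^'\"]*attachment[^>]*>#i";

    // See if we have any rel="attachment" links
    if ( 0 == preg_match_all( $search, $post['post_content'], $anchor_matches, PREG_PATTERN_ORDER ) )
        return;

    $post_search = array();
    $post_replace = array();
    $search = "#[\s]+rel=(\"|')(.*?)wp-att-(\d+)\\1#i";
    $href_search = "#href=(\"|')[^'\"]*\\1#";
    foreach ( $anchor_matches[0] as $anchor ) {
        if ( 0 == preg_match( $search, $anchor, $id_matches ) )
            continue;

        $id = (int) $id_matches[3];

        // While we have the attachment ID, let's adopt any orphans.
        $attachment = get_post( $id, ARRAY_A );
        if ( ! empty( $attachment) && ! is_object( get_post( $attachment['post_parent'] ) ) ) {
            $attachment['post_parent'] = $post_ID;
            // Escape data pulled from DB.
            $attachment = add_magic_quotes( $attachment);
            wp_update_post( $attachment);
        }

        // Rebuild href="..." with the current permalink, keeping the original
        // quote character (${1}).  This used to be a preg_replace() /e eval;
        // a plain replacement string needs no code evaluation.  The permalink
        // is escaped so a '$' or '\' in it cannot be read as a backreference.
        $link = addcslashes( get_attachment_link( $id ), '$\\' );
        $post_search[] = $anchor;
        $post_replace[] = preg_replace( $href_search, 'href=${1}' . $link . '${1}', $anchor );
    }

    // Nothing carried a wp-att-N marker: skip the pointless rewrite of the post.
    if ( empty( $post_search ) )
        return;

    $post['post_content'] = str_replace( $post_search, $post_replace, $post['post_content'] );

    // Escape data pulled from DB.
    $post = add_magic_quotes( $post);

    return wp_update_post( $post);
}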
177
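// Update an existing post with values provided in $_POST.
//
// Returns the post ID.  The caller must be able to edit the target post
// (edit_post / edit_page on $post_ID); changing the author additionally
// needs the "others" capability, which is decided against the server-side
// $user_ID rather than the client-supplied user_ID field.  Form fields are
// renamed in place in $_POST and handed to wp_update_post() as-is.
function edit_post() {
    global $user_ID;

    $post_ID = (int) $_POST['post_ID'];

    if ( 'page' == $_POST['post_type'] ) {
        if ( !current_user_can( 'edit_page', $post_ID ) )
            wp_die( __('You are not allowed to edit this page.' ));
    } else {
        if ( !current_user_can( 'edit_post', $post_ID ) )
            wp_die( __('You are not allowed to edit this post.' ));
    }

    // Autosave shouldn't save too soon after a real save
    if ( isset( $_POST['action'] ) && 'autosave' == $_POST['action'] ) {
        $post = get_post( $post_ID );
        $now = time();
        $then = strtotime($post->post_date_gmt . ' +0000');
        // Keep autosave_interval in sync with autosave-js.php.
        $delta = apply_filters( 'autosave_interval', 120 ) / 2;
        if ( ($now - $then) < $delta )
            return $post_ID;
    }

    // Rename form fields to the column names wp_update_post() expects.
    $_POST['ID'] = $post_ID;
    $_POST['post_content'] = $_POST['content'];
    $_POST['post_excerpt'] = $_POST['excerpt'];
    $_POST['post_parent'] = $_POST['parent_id'];
    $_POST['to_ping'] = $_POST['trackback_url'];

    // Resolve the author.  The fallback is the logged-in user ($user_ID), not
    // the user_ID hidden form field, which the client can set to anything.
    if (!empty ( $_POST['post_author_override'] ) ) {
        $_POST['post_author'] = (int) $_POST['post_author_override'];
    } elseif (!empty ( $_POST['post_author'] ) ) {
        $_POST['post_author'] = (int) $_POST['post_author'];
    } else {
        $_POST['post_author'] = (int) $user_ID;
    }

    // Editing as somebody else needs the "others" capability.  The comparison
    // is against the server-side $user_ID: comparing against $_POST['user_ID']
    // would let a submitter skip this check by posting a matching user_ID.
    if ( $_POST['post_author'] != (int) $user_ID ) {
        if ( 'page' == $_POST['post_type'] ) {
            if ( !current_user_can( 'edit_others_pages' ) )
                wp_die( __('You are not allowed to edit pages as this user.' ));
        } else {
            if ( !current_user_can( 'edit_others_posts' ) )
                wp_die( __('You are not allowed to edit posts as this user.' ));
        }
    }

    // What to do based on which button they pressed (a later button wins).
    if ( isset( $_POST['saveasdraft'] ) && '' != $_POST['saveasdraft'] )
        $_POST['post_status'] = 'draft';
    if ( isset( $_POST['saveasprivate'] ) && '' != $_POST['saveasprivate'] )
        $_POST['post_status'] = 'private';
    if ( isset( $_POST['publish'] ) && '' != $_POST['publish'] )
        $_POST['post_status'] = 'publish';
    if ( isset( $_POST['advanced'] ) && '' != $_POST['advanced'] )
        $_POST['post_status'] = 'draft';

    // Without the edit_published capability a publish request becomes a draft.
    if ( 'page' == $_POST['post_type'] ) {
        if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_pages' ))
            $_POST['post_status'] = 'draft';
    } else {
        if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
            $_POST['post_status'] = 'draft';
    }

    if (!isset( $_POST['comment_status'] ))
        $_POST['comment_status'] = 'closed';

    if (!isset( $_POST['ping_status'] ))
        $_POST['ping_status'] = 'closed';

    // Same date assembly as wp_write_post(): only upper bounds are clamped,
    // sprintf's %d turns anything non-numeric into 0, and the result is not
    // validated as a real calendar date.
    if (!empty ( $_POST['edit_date'] ) ) {
        $aa = $_POST['aa'];
        $mm = $_POST['mm'];
        $jj = $_POST['jj'];
        $hh = $_POST['hh'];
        $mn = $_POST['mn'];
        $ss = $_POST['ss'];
        $jj = ($jj > 31 ) ? 31 : $jj;
        $hh = ($hh > 23 ) ? $hh -24 : $hh;
        $mn = ($mn > 59 ) ? $mn -60 : $mn;
        $ss = ($ss > 59 ) ? $ss -60 : $ss;
        $_POST['post_date'] = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", $aa, $mm, $jj, $hh, $mn, $ss );
        $_POST['post_date_gmt'] = get_gmt_from_date( $_POST['post_date'] );
    }

    // Meta Stuff.  $key is the meta row ID from the form; whether update_meta()
    // / delete_meta() verify it belongs to this post is not visible here.
    if ( !empty( $_POST['meta'] ) ) {
        foreach ( $_POST['meta'] as $key => $value )
            update_meta( $key, $value['key'], $value['value'] );
    }

    if ( !empty( $_POST['deletemeta'] ) ) {
        foreach ( $_POST['deletemeta'] as $key => $value )
            delete_meta( $key );
    }

    add_meta( $post_ID );

    wp_update_post( $_POST);

    // Now that we have an ID we can fix any attachment anchor hrefs
    fix_attachment_links( $post_ID );

    return $post_ID;
}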
289
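// Update an existing comment with values provided in $_POST.
//
// The capability check is made against the post the comment is actually
// stored under (looked up with get_comment()), so a submitter cannot choose
// which post gets authorized by sending a different comment_post_ID.
// Re-parenting the comment onto another post additionally requires
// edit_post on that target post.  The request is stopped with wp_die() on
// any failure; otherwise the renamed $_POST is handed to wp_update_comment().
function edit_comment() {
    global $user_ID;

    $comment_ID = (int) $_POST['comment_ID'];
    $comment_post_ID = (int) $_POST['comment_post_ID'];

    $comment = get_comment( $comment_ID );
    if ( empty( $comment ) )
        wp_die( __('You are not allowed to edit comments on this post, so you cannot edit this comment.' ));

    $stored_post_ID = (int) $comment->comment_post_ID;
    if (!current_user_can( 'edit_post', $stored_post_ID ))
        wp_die( __('You are not allowed to edit comments on this post, so you cannot edit this comment.' ));
    if ( $comment_post_ID != $stored_post_ID && !current_user_can( 'edit_post', $comment_post_ID ))
        wp_die( __('You are not allowed to edit comments on this post, so you cannot edit this comment.' ));

    // Rename form fields to the column names wp_update_comment() expects.
    $_POST['comment_author'] = $_POST['newcomment_author'];
    $_POST['comment_author_email'] = $_POST['newcomment_author_email'];
    $_POST['comment_author_url'] = $_POST['newcomment_author_url'];
    $_POST['comment_approved'] = $_POST['comment_status'];
    $_POST['comment_content'] = $_POST['content'];
    $_POST['comment_ID'] = $comment_ID;

    // Same date assembly as the post functions: only upper bounds are clamped,
    // sprintf's %d turns anything non-numeric into 0, and the result is not
    // validated as a real calendar date.
    if (!empty ( $_POST['edit_date'] ) ) {
        $aa = $_POST['aa'];
        $mm = $_POST['mm'];
        $jj = $_POST['jj'];
        $hh = $_POST['hh'];
        $mn = $_POST['mn'];
        $ss = $_POST['ss'];
        $jj = ($jj > 31 ) ? 31 : $jj;
        $hh = ($hh > 23 ) ? $hh -24 : $hh;
        $mn = ($mn > 59 ) ? $mn -60 : $mn;
        $ss = ($ss > 59 ) ? $ss -60 : $ss;
        $_POST['comment_date'] = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", $aa, $mm, $jj, $hh, $mn, $ss );
    }

    wp_update_comment( $_POST);
}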
322
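// Get an existing post and format it for editing.
//
// Returns the get_post() object with content, excerpt, title and password
// passed through format_to_edit() (content and excerpt/title also through
// the *_edit_pre filters); pages additionally get their template name
// attached.  An empty get_post() result is returned unchanged instead of
// being written to as if it were an object.
function get_post_to_edit( $id ) {

    $post = get_post( $id );
    if ( empty( $post ) )
        return $post;

    $post->post_content = format_to_edit( $post->post_content, user_can_richedit() );
    $post->post_content = apply_filters( 'content_edit_pre', $post->post_content);

    $post->post_excerpt = format_to_edit( $post->post_excerpt);
    $post->post_excerpt = apply_filters( 'excerpt_edit_pre', $post->post_excerpt);

    $post->post_title = format_to_edit( $post->post_title );
    $post->post_title = apply_filters( 'title_edit_pre', $post->post_title );

    $post->post_password = format_to_edit( $post->post_password );

    if ( $post->post_type == 'page' )
        $post->page_template = get_post_meta( $id, '_wp_page_template', true );

    return $post;
}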
344
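// Default post information to use when populating the "Write Post" form.
//
// Builds a stdClass with draft defaults.  Title, content and excerpt may be
// pre-filled from the request (the bookmarklet path); each request value is
// passed through wp_specialchars() before it is stored, and popupurl goes
// through clean_url() before being placed in an href.
function get_default_post_to_edit() {
    if ( !empty( $_REQUEST['post_title'] ) )
        $post_title = wp_specialchars( stripslashes( $_REQUEST['post_title'] ));
    else if ( !empty( $_REQUEST['popuptitle'] ) ) {
        $post_title = wp_specialchars( stripslashes( $_REQUEST['popuptitle'] ));
        $post_title = funky_javascript_fix( $post_title );
    } else {
        $post_title = '';
    }

    // Always defined: the original left it unset when neither branch applied.
    $post_content = '';
    if ( !empty( $_REQUEST['content'] ) )
        $post_content = wp_specialchars( stripslashes( $_REQUEST['content'] ));
    else if ( !empty( $post_title ) ) {
        // 'text' is URL-decoded a second time (PHP already decoded the request),
        // presumably for bookmarklet double-encoding -- confirm against the
        // bookmarklet.  The escape runs after the decode, so the second decode
        // cannot reintroduce unescaped characters.
        $text       = isset( $_REQUEST['text'] ) ? $_REQUEST['text'] : '';
        $text       = wp_specialchars( stripslashes( urldecode( $text ) ) );
        $text       = funky_javascript_fix( $text);
        $popupurl   = clean_url( isset( $_REQUEST['popupurl'] ) ? $_REQUEST['popupurl'] : '' );
        $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
    }

    if ( !empty( $_REQUEST['excerpt'] ) )
        $post_excerpt = wp_specialchars( stripslashes( $_REQUEST['excerpt'] ));
    else
        $post_excerpt = '';

    // Explicit object: assigning properties to an undefined variable is an
    // error in PHP 8 (and a strict-standards warning before that).
    $post = new stdClass;
    $post->post_status = 'draft';
    $post->comment_status = get_option( 'default_comment_status' );
    $post->ping_status = get_option( 'default_ping_status' );
    $post->post_pingback = get_option( 'default_pingback_flag' );
    $post->post_category = get_option( 'default_category' );
    $post->post_content = apply_filters( 'default_content', $post_content);
    $post->post_title = apply_filters( 'default_title', $post_title );
    $post->post_excerpt = apply_filters( 'default_excerpt', $post_excerpt);
    $post->page_template = 'default';
    $post->post_parent = 0;
    $post->menu_order = 0;

    return $post;
}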
384
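// Get an existing comment and format it for editing.
//
// Returns the get_comment() object with content (also through the
// comment_edit_pre filter), author, email and URL run through
// format_to_edit().  An empty get_comment() result is returned unchanged
// instead of being written to as if it were an object.
function get_comment_to_edit( $id ) {
    $comment = get_comment( $id );
    if ( empty( $comment ) )
        return $comment;

    $comment->comment_content = format_to_edit( $comment->comment_content, user_can_richedit() );
    $comment->comment_content = apply_filters( 'comment_edit_pre', $comment->comment_content);

    $comment->comment_author = format_to_edit( $comment->comment_author );
    $comment->comment_author_email = format_to_edit( $comment->comment_author_email );
    $comment->comment_author_url = format_to_edit( $comment->comment_author_url );

    return $comment;
}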
397
// Fetch a category for the edit form.  No formatting is applied; this is
// get_category() unchanged.
function get_category_to_edit( $id ) {
    return get_category( $id );
}
403
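// Echo an <option> element for every registered role; the role matching
// $default is emitted first and marked selected.  Role slugs and display
// names come from $wp_roles (site configuration, not request input) and are
// written without escaping, so they are trusted not to contain quotes or markup.
function wp_dropdown_roles( $default = false ) {
    global $wp_roles;
    $selected = '';  // must exist even when $default matches no role
    $rest = '';
    foreach ( $wp_roles->role_names as $role => $name ) {
        if ( $default == $role ) // loose compare kept: callers pass a string or false
            $selected = "\n\t<option selected='selected' value='$role'>$name</option>";
        else
            $rest .= "\n\t<option value='$role'>$name</option>";
    }
    echo $selected . $rest;
}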
414
415
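// Load a user and escape the fields the edit form echoes back.
//
// Attribute-context fields go through attribute_escape(), user_url is
// normalised with clean_url(), and description is HTML-escaped with
// wp_specialchars() since it is rendered as element content.
function get_user_to_edit( $user_id ) {
    $user = new WP_User( $user_id );
    $user->user_login   = attribute_escape($user->user_login);
    $user->user_email   = attribute_escape($user->user_email);
    $user->user_url     = clean_url($user->user_url);
    $user->first_name   = attribute_escape($user->first_name);
    $user->last_name    = attribute_escape($user->last_name);
    $user->display_name = attribute_escape($user->display_name);
    $user->nickname     = attribute_escape($user->nickname);
    $user->aim          = attribute_escape($user->aim);
    $user->yim          = attribute_escape($user->yim);
    $user->jabber       = attribute_escape($user->jabber);
    // The assignment operator was missing here, which was a parse error and
    // also left description unescaped.
    $user->description  = wp_specialchars($user->description);

    return $user;
}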
432
433 // Creates a new user from the "Users" form using $_POST information.
434
435 function add_user() {
436     if ( func_num_args() ) { // The hackiest hack that ever did hack
437         global $current_user, $wp_roles;
438         $user_id = (int) func_get_arg( 0 );
439
440         if ( isset( $_POST['role'] ) ) {
441             if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) {
442                 $user = new WP_User( $user_id );