root/trunk/wp-admin/admin-ajax.php

Revision 9103, 27.3 kB (checked in by ryan, 4 days ago)

Draggable dash, first cut. Props mdawaffe. see #7552

  • Property svn:eol-style set to native
1 <?php
2 /**
3  * WordPress AJAX Process Execution.
4  *
5  * @package WordPress
6  * @subpackage Administration
7  */
8
9 /**
10  * Executing AJAX process.
11  *
12  * @since unknown
13  */
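define('DOING_AJAX', true);
define('WP_ADMIN', true);

require_once('../wp-load.php');
require_once('includes/admin.php');

// Every AJAX action in this file requires an authenticated user; '-1' is the
// "not allowed" reply the admin JavaScript expects.
if ( !is_user_logged_in() )
    die('-1');

// Tag auto-complete. This is the only GET-driven action; everything after it
// is dispatched on $_POST['action'].
if ( isset($_GET['action']) && 'ajax-tag-search' == $_GET['action'] ) {
    if ( !current_user_can( 'manage_categories' ) )
        die('-1');

    $s = isset( $_GET['q'] ) ? $_GET['q'] : ''; // is this slashed already?

    // The client sends the whole comma-separated tag list; only the last
    // (still being typed) entry is searched.
    if ( false !== strpos( $s, ',' ) ) {
        $s = explode( ',', $s );
        $s = $s[count( $s ) - 1];
    }
    $s = trim( $s );
    if ( strlen( $s ) < 2 )
        die; // require 2 chars for matching

    // The search term is user input: escape the LIKE wildcards so the caller
    // cannot widen the match, then bind it through $wpdb->prepare() so it is
    // quoted as data and can never alter the query's structure.
    $like = '%' . addcslashes( $s, '_%\\' ) . '%';
    $results = $wpdb->get_col( $wpdb->prepare( "SELECT name FROM $wpdb->terms WHERE name LIKE %s", $like ) );
    // implode() takes the separator first; join() with swapped arguments is
    // no longer accepted by PHP.
    echo implode( "\n", $results );
    die;
}

// Object id shared by the POST actions below; cast to int before it is
// interpolated into nonce names and capability checks.
$id = isset($_POST['id'])? (int) $_POST['id'] : 0;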
42 switch ( $action = $_POST['action'] ) :
43 case 'delete-comment' :
44     check_ajax_referer( "delete-comment_$id" );
45     if ( !$comment = get_comment( $id ) )
46         die('1');
47     if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
48         die('-1');
49
50     if ( isset($_POST['spam']) && 1 == $_POST['spam'] ) {
51         if ( 'spam' == wp_get_comment_status( $comment->comment_ID ) )
52             die('1');
53         $r = wp_set_comment_status( $comment->comment_ID, 'spam' );
54     } else {
55         $r = wp_delete_comment( $comment->comment_ID );
56     }
57
58     die( $r ? '1' : '0' );
59     break;
60 case 'delete-cat' :
61     check_ajax_referer( "delete-category_$id" );
62     if ( !current_user_can( 'manage_categories' ) )
63         die('-1');
64
65     $cat = get_category( $id );
66     if ( !$cat || is_wp_error( $cat ) )
67         die('1');
68
69     if ( wp_delete_category( $id ) )
70         die('1');
71     else
72         die('0');
73     break;
74 case 'delete-tag' :
75     check_ajax_referer( "delete-tag_$id" );
76     if ( !current_user_can( 'manage_categories' ) )
77         die('-1');
78
79     $tag = get_term( $id, 'post_tag' );
80     if ( !$tag || is_wp_error( $tag ) )
81         die('1');
82
83     if ( wp_delete_term($id, 'post_tag'))
84         die('1');
85     else
86         die('0');
87     break;
88 case 'delete-link-cat' :
89     check_ajax_referer( "delete-link-category_$id" );
90     if ( !current_user_can( 'manage_categories' ) )
91         die('-1');
92
93     $cat = get_term( $id, 'link_category' );
94     if ( !$cat || is_wp_error( $cat ) )
95         die('1');
96
97     $cat_name = get_term_field('name', $id, 'link_category');
98
99     // Don't delete the default cats.
100     if ( $id == get_option('default_link_category') ) {
101         $x = new WP_AJAX_Response( array(
102             'what' => 'link-cat',
103             'id' => $id,
104             'data' => new WP_Error( 'default-link-cat', sprintf(__("Can&#8217;t delete the <strong>%s</strong> category: this is the default one"), $cat_name) )
105         ) );
106         $x->send();
107     }
108
109     $r = wp_delete_term($id, 'link_category');
110     if ( !$r )
111         die('0');
112     if ( is_wp_error($r) ) {
113         $x = new WP_AJAX_Response( array(
114             'what' => 'link-cat',
115             'id' => $id,
116             'data' => $r
117         ) );
118         $x->send();
119     }
120     die('1');
121     break;
122 case 'delete-link' :
123     check_ajax_referer( "delete-bookmark_$id" );
124     if ( !current_user_can( 'manage_links' ) )
125         die('-1');
126
127     $link = get_bookmark( $id );
128     if ( !$link || is_wp_error( $link ) )
129         die('1');
130
131     if ( wp_delete_link( $id ) )
132         die('1');
133     else
134         die('0');
135     break;
136 case 'delete-meta' :
137     check_ajax_referer( "delete-meta_$id" );
138     if ( !$meta = get_post_meta_by_id( $id ) )
139         die('1');
140
141     if ( !current_user_can( 'edit_post', $meta->post_id ) )
142         die('-1');
143     if ( delete_meta( $meta->meta_id ) )
144         die('1');
145     die('0');
146     break;
147 case 'delete-post' :
148     check_ajax_referer( "{$action}_$id" );
149     if ( !current_user_can( 'delete_post', $id ) )
150         die('-1');
151
152     if ( !get_post( $id ) )
153         die('1');
154
155     if ( wp_delete_post( $id ) )
156         die('1');
157     else
158         die('0');
159     break;
160 case 'delete-page' :
161     check_ajax_referer( "{$action}_$id" );
162     if ( !current_user_can( 'delete_page', $id ) )
163         die('-1');
164
165     if ( !get_page( $id ) )
166         die('1');
167
168     if ( wp_delete_post( $id ) )
169         die('1');
170     else
171         die('0');
172     break;
173 case 'dim-comment' :
174     if ( !$comment = get_comment( $id ) )
175         die('0');
176
177     if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
178         die('-1');
179     if ( !current_user_can( 'moderate_comments' ) )
180         die('-1');
181
182     $current = wp_get_comment_status( $comment->comment_ID );
183     if ( $_POST['new'] == $current )
184         die('1');
185
186     if ( in_array( $current, array( 'unapproved', 'spam' ) ) ) {
187         check_ajax_referer( "approve-comment_$id" );
188         if ( wp_set_comment_status( $comment->comment_ID, 'approve' ) )
189             die('1');
190     } else {
191         check_ajax_referer( "unapprove-comment_$id" );
192         if ( wp_set_comment_status( $comment->comment_ID, 'hold' ) )
193             die('1');
194     }
195     die('0');
196     break;
197 case 'add-category' : // On the Fly
198     check_ajax_referer( $action );
199     if ( !current_user_can( 'manage_categories' ) )
200         die('-1');
201     $names = explode(',', $_POST['newcat']);
202     if ( 0 > $parent = (int) $_POST['newcat_parent'] )
203         $parent = 0;
204     $post_category = isset($_POST['post_category'])? (array) $_POST['post_category'] : array();
205     $checked_categories = array_map( 'absint', (array) $post_category );
206     $popular_ids = isset( $_POST['popular_ids'] ) ?
207             array_map( 'absint', explode( ',', $_POST['popular_ids'] ) ) :
208             false;
209
210     $x = new WP_Ajax_Response();
211     foreach ( $names as $cat_name ) {
212         $cat_name = trim($cat_name);
213         $category_nicename = sanitize_title($cat_name);
214         if ( '' === $category_nicename )
215             continue;
216         $cat_id = wp_create_category( $cat_name, $parent );
217         $checked_categories[] = $cat_id;
218         if ( $parent ) // Do these all at once in a second
219             continue;
220         $category = get_category( $cat_id );
221         ob_start();
222             wp_category_checklist( 0, $cat_id, $checked_categories, $popular_ids );
223         $data = ob_get_contents();
224         ob_end_clean();
225         $x->add( array(
226             'what' => 'category',
227             'id' => $cat_id,
228             'data' => $data,
229             'position' => -1
230         ) );
231     }
232     if ( $parent ) { // Foncy - replace the parent and all its children
233         $parent = get_category( $parent );
234         ob_start();
235             dropdown_categories( 0, $parent );
236         $data = ob_get_contents();
237         ob_end_clean();
238         $x->add( array(
239             'what' => 'category',
240             'id' => $parent->term_id,
241             'old_id' => $parent->term_id,
242             'data' => $data,
243             'position' => -1
244         ) );
245
246     }
247     $x->send();
248     break;
249 case 'add-link-category' : // On the Fly
250     check_ajax_referer( $action );
251     if ( !current_user_can( 'manage_categories' ) )
252         die('-1');
253     $names = explode(',', $_POST['newcat']);
254     $x = new WP_Ajax_Response();
255     foreach ( $names as $cat_name ) {
256         $cat_name = trim($cat_name);
257         $slug = sanitize_title($cat_name);
258         if ( '' === $slug )
259             continue;
260         if ( !$cat_id = is_term( $cat_name, 'link_category' ) ) {
261             $cat_id = wp_insert_term( $cat_name, 'link_category' );
262         }
263         $cat_id = $cat_id['term_id'];
264         $cat_name = wp_specialchars(stripslashes($cat_name));
265         $x->add( array(
266             'what' => 'link-category',
267             'id' => $cat_id,
268             'data' => "<li id='link-category-$cat_id'><label for='in-link-category-$cat_id' class='selectit'><input value='$cat_id' type='checkbox' checked='checked' name='link_category[]' id='in-link-category-$cat_id'/> $cat_name</label></li>",
269             'position' => -1
270         ) );
271     }
272     $x->send();
273     break;
274 case 'add-cat' : // From Manage->Categories
275     check_ajax_referer( 'add-category' );
276     if ( !current_user_can( 'manage_categories' ) )
277         die('-1');
278
279     if ( '' === trim($_POST['cat_name']) ) {
280         $x = new WP_Ajax_Response( array(
281             'what' => 'cat',
282             'id' => new WP_Error( 'cat_name', __('You did not enter a category name.') )
283         ) );
284         $x->send();
285     }
286
287     if ( category_exists( trim( $_POST['cat_name'] ) ) ) {
288         $x = new WP_Ajax_Response( array(
289             'what' => 'cat',
290             'id' => new WP_Error( 'cat_exists', __('The category you are trying to create already exists.'), array( 'form-field' => 'cat_name' ) ),
291         ) );
292         $x->send();
293     }
294
295     $cat = wp_insert_category( $_POST, true );
296
297     if ( is_wp_error($cat) ) {
298         $x = new WP_Ajax_Response( array(
299             'what' => 'cat',
300             'id' => $cat
301         ) );
302         $x->send();
303     }
304
305     if ( !$cat || (!$cat = get_category( $cat )) )
306         die('0');
307
308     $level = 0;
309     $cat_full_name = $cat->name;
310     $_cat = $cat;
311     while ( $_cat->parent ) {
312         $_cat = get_category( $_cat->parent );
313         $cat_full_name = $_cat->name . ' &#8212; ' . $cat_full_name;
314         $level++;
315     }
316     $cat_full_name = attribute_escape($cat_full_name);
317
318     $x = new WP_Ajax_Response( array(
319         'what' => 'cat',
320         'id' => $cat->term_id,
321         'data' => _cat_row( $cat, $level, $cat_full_name ),
322         'supplemental' => array('name' => $cat_full_name, 'show-link' => sprintf(__( 'Category <a href="#%s">%s</a> added' ), "cat-$cat->term_id", $cat_full_name))
323     ) );
324     $x->send();
325     break;
326 case 'add-link-cat' : // From Blogroll -> Categories
327     check_ajax_referer( 'add-link-category' );
328     if ( !current_user_can( 'manage_categories' ) )
329         die('-1');
330
331     if ( '' === trim($_POST['name']) ) {
332         $x = new WP_Ajax_Response( array(
333             'what' => 'link-cat',
334             'id' => new WP_Error( 'name', __('You did not enter a category name.') )
335         ) );
336         $x->send();
337     }
338
339     $r = wp_insert_term($_POST['name'], 'link_category', $_POST );
340     if ( is_wp_error( $r ) ) {
341         $x = new WP_AJAX_Response( array(
342             'what' => 'link-cat',
343             'id' => $r
344         ) );
345         $x->send();
346     }
347
348     extract($r, EXTR_SKIP);
349
350     if ( !$link_cat = link_cat_row( $term_id ) )
351         die('0');
352
353     $x = new WP_Ajax_Response( array(
354         'what' => 'link-cat',
355         'id' => $term_id,
356         'data' => $link_cat
357     ) );
358     $x->send();
359     break;
360 case 'add-tag' : // From Manage->Tags
361     check_ajax_referer( 'add-tag' );
362     if ( !current_user_can( 'manage_categories' ) )
363         die('-1');
364
365     if ( '' === trim($_POST['name']) ) {
366         $x = new WP_Ajax_Response( array(
367             'what' => 'tag',
368             'id' => new WP_Error( 'name', __('You did not enter a tag name.') )
369         ) );
370         $x->send();
371     }
372
373     $tag = wp_insert_term($_POST['name'], 'post_tag', $_POST );
374
375     if ( is_wp_error($tag) ) {
376         $x = new WP_Ajax_Response( array(
377             'what' => 'tag',
378             'id' => $tag
379         ) );
380         $x->send();
381     }
382
383     if ( !$tag || (!$tag = get_term( $tag['term_id'], 'post_tag' )) )
384         die('0');
385
386     $tag_full_name = $tag->name;
387     $tag_full_name = attribute_escape($tag_full_name);
388
389     $x = new WP_Ajax_Response( array(
390         'what' => 'tag',
391         'id' => $tag->term_id,
392         'data' => _tag_row( $tag ),
393         'supplemental' => array('name' => $tag_full_name, 'show-link' => sprintf(__( 'Tag <a href="#%s">%s</a> added' ), "tag-$tag->term_id", $tag_full_name))
394     ) );
395     $x->send();
396     break;
397 case 'add-comment' :
398     check_ajax_referer( $action );
399     if ( !current_user_can( 'edit_post', $id ) )
400         die('-1');
401     $search = isset($_POST['s']) ? $_POST['s'] : false;
402     $start = isset($_POST['page']) ? intval($_POST['page']) * 25 - 1: 24;
403     $status = isset($_POST['comment_status']) ? $_POST['comment_status'] : false;
404     $mode = isset($_POST['mode']) ? $_POST['mode'] : 'detail';
405
406     list($comments, $total) = _wp_get_comment_list( $status, $search, $start, 1 );
407
408     if ( get_option('show_avatars') )
409         add_filter( 'comment_author', 'floated_admin_avatar' );
410
411     if ( !$comments )
412         die('1');
413     $x = new WP_Ajax_Response();
414     foreach ( (array) $comments as $comment ) {
415         get_comment( $comment );
416         ob_start();
417             _wp_comment_row( $comment->comment_ID, $mode, $status );
418             $comment_list_item = ob_get_contents();
419         ob_end_clean();
420         $x->add( array(
421             'what' => 'comment',
422             'id' => $comment->comment_ID,
423             'data' => $comment_list_item
424         ) );
425     }
426     $x->send();
427     break;
428 case 'replyto-comment' :
429     check_ajax_referer( $action );
430
431     $comment_post_ID = (int) $_POST['comment_post_ID'];
432     if ( !current_user_can( 'edit_post', $comment_post_ID ) )
433         die('-1');
434
435     $status = $wpdb->get_var( $wpdb->prepare("SELECT post_status FROM $wpdb->posts WHERE ID = %d", $comment_post_ID) );
436
437     if ( empty($status) )
438         die('1');
439     elseif ( in_array($status->post_status, array('draft', 'pending') ) )
440         die( __('Error: you are replying to comment on a draft post.') );
441
442     $user = wp_get_current_user();
443     if ( $user->ID ) {
444         $comment_author       = $wpdb->escape($user->display_name);
445         $comment_author_email = $wpdb->escape($user->user_email);
446         $comment_author_url   = $wpdb->escape($user->user_url);
447         $comment_content      = trim($_POST['content']);
448         if ( current_user_can('unfiltered_html') ) {
449             if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
450                 kses_remove_filters(); // start with a clean slate
451                 kses_init_filters(); // set up the filters
452             }
453         }
454     } else {
455         die( __('Sorry, you must be logged in to reply to a comment.') );
456     }
457
458     if ( '' == $comment_content )
459         die( __('Error: please type a comment.') );
460
461     $comment_parent = absint($_POST['comment_ID']);
462     $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');
463
464     $comment_id = wp_new_comment( $commentdata );
465     $comment = get_comment($comment_id);
466     if ( ! $comment ) die('1');
467
468     $modes = array( 'single', 'detail', 'dashboard' );
469     $mode = isset($_POST['mode']) && in_array( $_POST['mode'], $modes ) ? $_POST['mode'] : 'detail';
470     $position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1';
471     $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0;
472
473     if ( get_option('show_avatars') && 'single' != $mode )
474         add_filter( 'comment_author', 'floated_admin_avatar' );
475
476     $x = new WP_Ajax_Response();
477
478     ob_start();
479         if ( 'dashboard' == $mode ) {
480             require_once( ABSPATH . 'wp-admin/includes/dashboard.php' );
481             _wp_dashboard_recent_comments_row( $comment, false );
482         } else {
483             _wp_comment_row( $comment->comment_ID, $mode, false, $checkbox );
484         }
485