Navigation

← Previous Changeset
Next Changeset →

Changeset 3759

Timestamp:

05/02/06 22:36:06 (3 years ago)

Author:

ryan

Message:

Nonce from above. #2678

Files:

trunk/wp-admin/admin-functions.php (modified) (1 diff)
trunk/wp-admin/categories.php (modified) (5 diffs)
trunk/wp-admin/comment.php (modified) (4 diffs)
trunk/wp-admin/edit-comments.php (modified) (3 diffs)
trunk/wp-admin/edit-form-advanced.php (modified) (2 diffs)
trunk/wp-admin/edit-form-comment.php (modified) (1 diff)
trunk/wp-admin/edit-link-form.php (modified) (2 diffs)
trunk/wp-admin/edit-page-form.php (modified) (3 diffs)
trunk/wp-admin/edit.php (modified) (2 diffs)
trunk/wp-admin/inline-uploading.php (modified) (4 diffs)
trunk/wp-admin/link-manager.php (modified) (2 diffs)
trunk/wp-admin/link.php (modified) (5 diffs)
trunk/wp-admin/moderation.php (modified) (2 diffs)
trunk/wp-admin/options-discussion.php (modified) (1 diff)
trunk/wp-admin/options-general.php (modified) (1 diff)
trunk/wp-admin/options-misc.php (modified) (1 diff)
trunk/wp-admin/options-permalink.php (modified) (3 diffs)
trunk/wp-admin/options-reading.php (modified) (1 diff)
trunk/wp-admin/options-writing.php (modified) (1 diff)
trunk/wp-admin/options.php (modified) (2 diffs)
trunk/wp-admin/page.php (modified) (4 diffs)
trunk/wp-admin/plugin-editor.php (modified) (2 diffs)
trunk/wp-admin/plugins.php (modified) (3 diffs)
trunk/wp-admin/post.php (modified) (4 diffs)
trunk/wp-admin/profile-update.php (modified) (1 diff)
trunk/wp-admin/profile.php (modified) (1 diff)
trunk/wp-admin/templates.php (modified) (2 diffs)
trunk/wp-admin/theme-editor.php (modified) (2 diffs)
trunk/wp-admin/themes.php (modified) (2 diffs)
trunk/wp-admin/users.php (modified) (7 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/wp-admin/admin-functions.php

r3754	r3759
710	710	<td><a href="<?php the_permalink(); ?>" rel="permalink" class="edit"><?php _e('View'); ?></a></td>
711	711	<td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='page.php?action=edit&post=$id' class='edit'>" . __('Edit') . "</a>"; } ?></td>
712		<td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='~~page.php?action=delete&post=$id~~' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
	712	<td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='" . wp_nonce_url("page.php?action=delete&post=$id", 'delete-page' . $id) . "' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
713	713	</tr>
714	714

trunk/wp-admin/categories.php

r3728	r3759
25	25	case 'addcat':
26	26
27		check_admin_referer();
	27	check_admin_referer('add-category');
28	28
29	29	if ( !current_user_can('manage_categories') )
…	…
36	36
37	37	case 'delete':
38
39		check_admin_referer();
	38	$cat_ID = (int) $_GET['cat_ID'];
	39	check_admin_referer('delete-category' . $cat_ID);
40	40
41	41	if ( !current_user_can('manage_categories') )
42	42	die (__('Cheatin’ uh?'));
43	43
44		~~$cat_ID = (int) $_GET['cat_ID'];~~
45	44	$cat_name = get_catname($cat_ID);
46	45
…	…
68	67	<h2><?php _e('Edit Category') ?></h2>
69	68	<form name="editcat" action="categories.php" method="post">
	69	<?php wp_nonce_field('update-category' . $category->cat_ID); ?>
70	70	<table class="editform" width="100%" cellspacing="2" cellpadding="5">
71	71	<tr>
…	…
100	100
101	101	case 'editedcat':
102		check_admin_referer();
	102	$cat_ID = (int) $_POST['cat_ID'];
	103	check_admin_referer('update-category' . $cat_ID);
103	104
104	105	if ( !current_user_can('manage_categories') )
…	…
158	159	<h2><?php _e('Add New Category') ?></h2>
159	160	<form name="addcat" id="addcat" action="categories.php" method="post">
	161	<?php wp_nonce_field('add-category'); ?>
160	162	<div class="alignleft"><?php _e('Name:') ?><br />
161	163	<input type="text" name="cat_name" id="cat_name" value="" /></p>

trunk/wp-admin/comment.php

r3721	r3759
90	90
91	91	case 'deletecomment':
92
93		~~check_admin_referer();~~
94
95	92	$comment = (int) $_REQUEST['comment'];
	93	check_admin_referer('delete-comment' . $comment);
	94
96	95	$p = (int) $_REQUEST['p'];
97	96	if ( isset($_REQUEST['noredir']) ) {
…	…
124	123
125	124	case 'unapprovecomment':
126
127		check_admin_referer();
128
129		$comment = (int) $_GET['comment'];
	125	$comment = (int) $_GET['comment'];
	126	check_admin_referer('unapprove-comment' . $comment);
	127
130	128	$p = (int) $_GET['p'];
131	129	if (isset($_GET['noredir'])) {
…	…
152	150
153	151	case 'approvecomment':
154
155		check_admin_referer();
156
157		$comment = (int) $_GET['comment'];
	152	$comment = (int) $_GET['comment'];
	153	check_admin_referer('approve-comment' . $comment);
	154
158	155	$p = (int) $_GET['p'];
159	156	if (isset($_GET['noredir'])) {
…	…
185	182	case 'editedcomment':
186	183
187		check_admin_referer();
	184	check_admin_referer('update-comment');
188	185
189	186	edit_comment();

trunk/wp-admin/edit-comments.php

r3722	r3759
52	52	<?php
53	53	if ( !empty( $_POST['delete_comments'] ) ) :
54		check_admin_referer();
	54	check_admin_referer('bulk-comments');
55	55
56	56	$i = 0;
…	…
120	120	if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
121	121	echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
122		echo ' \| <a href="~~comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID~~ . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
	122	echo ' \| <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
123	123	if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
124		echo '<span class="unapprove"> \| <a href="~~comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID~~ . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
125		echo '<span class="approve"> \| <a href="~~comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID~~ . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
	124	echo '<span class="unapprove"> \| <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
	125	echo '<span class="approve"> \| <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
126	126	}
127	127	echo " \| <a href=\"comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ";
…	…
151	151
152	152	if ($comments) {
153		echo '<form name="deletecomments" id="deletecomments" action="" method="post">
154		<table width="100%" cellpadding="3" cellspacing="3">
	153	echo '<form name="deletecomments" id="deletecomments" action="" method="post"> ';
	154	wp_nonce_field('bulk-comments');
	155	echo '<table width="100%" cellpadding="3" cellspacing="3">
155	156	<tr>
156	157	<th scope="col">*</th>

trunk/wp-admin/edit-form-advanced.php

r3664	r3759
23	23	$temp_ID = -1 * time();
24	24	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
	25	wp_nonce_field('add-post');
25	26	} else {
26	27	$form_action = 'editpost';
27	28	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
	29	wp_nonce_field('update-post' . $post_ID);
28	30	}
29	31
…	…
174	176	if (current_user_can('upload_files')) {
175	177	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
176		$uploading_iframe_src = ~~"inline-uploading.php?action=view&post=$uploading_iframe_ID"~~;
	178	$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading');
177	179	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
178	180	if ( false != $uploading_iframe_src )

trunk/wp-admin/edit-form-comment.php

r3721	r3759
7	7
8	8	<form name="post" action="comment.php" method="post" id="post">
	9	<?php wp_nonce_field('update-comment' . $comment->comment_ID) ?>
9	10	<div class="wrap">
10	11	<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />

trunk/wp-admin/edit-link-form.php

r3729	r3759
3	3	$heading = __('Edit Bookmark');
4	4	$submit_text = __('Save Changes »');
5		$form = '<form name="editlink" id="editlink" method="post" action="link.php">';
	5	$form = '<form name="editlink" id="editlink" method="post" action="link.php">';
	6	$nonce_action = 'update-bookmark' . $link_id;
6	7	} else {
7	8	$heading = __('Create Bookmark');
8	9	$submit_text = __('Add Bookmark »');
9	10	$form = '<form name="addlink" id="addlink" method="post" action="link.php">';
	11	$nonce_action = 'add-bookmark';
10	12	}
11	13
…	…
32	34	<h2><?php echo $heading ?></h2>
33	35	<?php echo $form ?>
34
	36	<?php wp_nonce_field($nonce_action); ?>
	37
35	38	<div id="poststuff">
36	39	<div id="moremeta">

trunk/wp-admin/edit-page-form.php

r3664	r3759
6	6	if (0 == $post_ID) {
7	7	$form_action = 'post';
	8	$nonce_action = 'add-page';
8	9	$temp_ID = -1 * time();
9	10	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
10	11	} else {
11	12	$form_action = 'editpost';
	13	$nonce_action = 'update-page' . $post_ID;
12	14	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
13	15	}
…	…
24	26
25	27	<?php
	28	wp_nonce_field($nonce_action);
	29
26	30	if (isset($mode) && 'bookmarklet' == $mode) {
27	31	echo '<input type="hidden" name="mode" value="bookmarklet" />';
…	…
151	155	if (current_user_can('upload_files')) {
152	156	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
153		$uploading_iframe_src = ~~"inline-uploading.php?action=view&post=$uploading_iframe_ID"~~;
	157	$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading');
154	158	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
155	159	if ( false != $uploading_iframe_src )

trunk/wp-admin/edit.php

r3724	r3759
212	212	case 'control_delete':
213	213	?>
214		<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='~~post.php?action=delete&post=$id~~' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
	214	<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
215	215	<?php
216	216	break;
…	…
274	274	if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
275	275	echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
276		echo ' \| <a href="~~comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID~~ . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
	276	echo ' \| <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
277	277	if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
278		echo '<span class="unapprove"> \| <a href="~~comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID~~ . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
279		echo '<span class="approve"> \| <a href="~~comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID~~ . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
	278	echo '<span class="unapprove"> \| <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
	279	echo '<span class="approve"> \| <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
280	280	}
281		echo " \| <a href=\"~~comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID.~~"\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ]";
	281	echo " \| <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ]";
282	282	} // end if any comments to show
283	283	?>

trunk/wp-admin/inline-uploading.php

r3665	r3759
3	3	require_once('admin.php');
4	4
5		check_admin_referer();
	5	check_admin_referer('inlineuploading');
6	6
7	7	header('Content-Type: text/html; charset=' . get_option('blog_charset'));
…	…
42	42	wp_delete_attachment($attachment);
43	43
44		header("Location: ".~~basename(__FILE__)."?post=$post&all=$all&action=view&start=$start"~~);
	44	header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading'));
45	45	die;
46	46
…	…
101	101	}
102	102
103		header("Location: ".~~basename(__FILE__)."?post=$post&all=$all&action=view&start=0"~~);
	103	header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading'));
104	104	die();
105	105
…	…
140	140
141	141	if ( count($attachments) == 0 ) {
142		header("Location: ".~~basename(__FILE__)."?post=$post&action=upload"~~);
	142	header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') );
143	143	die;
144	144	} elseif ( count($attachments) > $num ) {

trunk/wp-admin/link-manager.php

r3718	r3759
111	111
112	112	<form id="links" method="post" action="link.php">
	113	<?php wp_nonce_field('bulk-bookmarks') ?>
113	114	<input type="hidden" name="link_id" value="" />
114	115	<input type="hidden" name="action" value="" />
…	…
176	177
177	178	echo '<td><a href="link.php?link_id='.$link->link_id.'&action=edit" class="edit">'.__('Edit').'</a></td>';
178		echo '<td><a href="~~link.php?link_id='.$link->link_id.'&action=delete~~"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>';
	179	echo '<td><a href="' . wp_nonce_url('link.php?link_id='.$link->link_id.'&action=delete', 'delete-bookmark' . $link->link_id ) . '"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>';
179	180	echo '<td align="center"><input type="checkbox" name="linkcheck[]" value="'.$link->link_id.'" /></td>';
180	181	echo "\n </tr>\n";

trunk/wp-admin/link.php

r3570	r3759
30	30	switch ($action) {
31	31	case 'deletebookmarks' :
32		check_admin_referer();
	32	check_admin_referer('bulk-bookmarks');
33	33
34	34	// check the current user's level first.
…	…
54	54
55	55	case 'move' :
56		check_admin_referer();
	56	check_admin_referer('bulk-bookmarks');
57	57
58	58	// check the current user's level first.
…	…
73	73
74	74	case 'add' :
75		check_admin_referer();
	75	check_admin_referer('add-bookmark');
76	76
77	77	add_link();
…	…
81	81
82	82	case 'save' :
83		check_admin_referer();
	83	$link_id = (int) $_POST['link_id'];
	84	check_admin_referer('update-bookmark' . $link_id);
84	85
85		~~$link_id = (int) $_POST['link_id'];~~
86	86	edit_link($link_id);
87	87
…	…
91	91
92	92	case 'delete' :
93		check_admin_referer();
	93	$link_id = (int) $_GET['link_id'];
	94	check_admin_referer('delete-bookmark' . $link_id);
94	95
95	96	if (!current_user_can('manage_links'))
96	97	die(__("Cheatin' uh ?"));
97
98		~~$link_id = (int) $_GET['link_id'];~~
99	98
100	99	wp_delete_link($link_id);

trunk/wp-admin/moderation.php

r3722	r3759
33	33	case 'update':
34	34
35		check_admin_referer();
	35	check_admin_referer('moderate-comments');
36	36
37	37	if ( ! current_user_can('moderate_comments') )
…	…
133	133	<h2><?php _e('Moderation Queue') ?></h2>
134	134	<form name="approval" action="moderation.php" method="post">
	135	<?php wp_nonce_field('moderate-comments') ?>
135	136	<input type="hidden" name="action" value="update" />
136	137	<ol id="the-list" class="commentlist">

trunk/wp-admin/options-discussion.php

r3345	r3759
22	22	<h2><?php _e('Discussion Options') ?></h2>
23	23	<form method="post" action="options.php">
	24	<?php wp_nonce_field('update-options') ?>
24	25	<fieldset class="options">
25	26	<legend><?php _e('Usual settings for an article:<br /><small><em>(These settings may be overridden for individual articles.)</em></small>') ?></legend>

trunk/wp-admin/options-general.php

r3677	r3759
11	11	<h2><?php _e('General Options') ?></h2>
12	12	<form method="post" action="options.php">
	13	<?php wp_nonce_field('update-options') ?>
13	14	<table class="optiontable">
14	15	<tr valign="top">

trunk/wp-admin/options-misc.php

r3570	r3759
12	12	<h2><?php _e('Miscellaneous Options') ?></h2>
13	13	<form method="post" action="options.php">
14
	14	<?php wp_nonce_field('update-options') ?>
15	15	<fieldset class="options">
16	16	<legend><?php _e('Uploading'); ?></legend>

trunk/wp-admin/options-permalink.php

r3665	r3759
58	58	$home_path = get_home_path();
59	59
60		if ( isset($_POST) ) {
61		check_admin_referer();
	60	if ( isset($_POST['permalink_structure']) \|\| isset($_POST['category_base']) ) {
	61	check_admin_referer('update-permalink');
62	62
63	63	if ( isset($_POST['permalink_structure']) ) {
…	…
118	118	?>
119	119	<form name="form" action="options-permalink.php" method="post">
	120	<?php wp_nonce_field('update-permalink') ?>
120	121	<h3><?php _e('Common options:'); ?></h3>
121	122	<p>
…	…
166	167	<p><?php _e('If your <code>.htaccess</code> file were <a href="http://codex.wordpress.org/Make_a_Directory_Writable">writable</a>, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your <code>.htaccess</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all.') ?></p>
167	168	<form action="options-permalink.php" method="post">
	169	<?php wp_nonce_field('update-permalink') ?>
168	170	<p>
169	171	<textarea rows="5" style="width: 98%;" name="rules"><?php echo $wp_rewrite->mod_rewrite_rules(); ?>

trunk/wp-admin/options-reading.php

r3583	r3759
11	11	<h2><?php _e('Reading Options') ?></h2>
12	12	<form name="form1" method="post" action="options.php">
	13	<?php wp_nonce_field('update-options') ?>
13	14
14	15	<?php if ( get_pages() ): ?>

trunk/wp-admin/options-writing.php

r3570	r3759
11	11	<h2><?php _e('Writing Options') ?></h2>
12	12	<form method="post" action="options.php">
	13	<?php wp_nonce_field('update-options') ?>
13	14	<table width="100%" cellspacing="2" cellpadding="5" class="editform">
14	15	<tr valign="top">

trunk/wp-admin/options.php

r3710	r3759
30	30	$any_changed = 0;
31	31
32		check_admin_referer();
	32	check_admin_referer('update-options');
33	33
34	34	if (!$_POST['page_options']) {
…	…
90	90	<h2><?php _e('All options'); ?></h2>
91	91	<form name="form" action="options.php" method="post">
	92	<?php wp_nonce_field('update-options') ?>
92	93	<input type="hidden" name="action" value="update" />
93	94	<table width="98%">

trunk/wp-admin/page.php

r3674	r3759
25	25	switch($action) {
26	26	case 'post':
27
	27	check_admin_referer('add-page');
28	28	$page_ID = write_post();
29	29
…	…
77	77	case 'editattachment':
78	78	$page_id = $post_ID = (int) $_POST['post_ID'];
	79	check_admin_referer('update-attachment' . $page_id);
79	80
80	81	// Don't let these be changed
…	…
92	93
93	94	case 'editpost':
	95	$page_ID = (int) $_POST['post_ID'];
	96	check_admin_referer('update-page' . $page_ID);
	97
94	98	$page_ID = edit_post();
95	99
…	…
115	119
116	120	case 'delete':
117		~~check_admin_referer();~~
118
119	121	$page_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']);
	122	check_admin_referer('delete-page' . $page_id);
120	123
121	124	$page = & get_post($page_id);

trunk/wp-admin/plugin-editor.php

r3665	r3759
35	35	case 'update':
36	36
37		check_admin_referer();
	37	check_admin_referer('edit-plugin' . $file);
38	38
39	39	if ( !current_user_can('edit_plugins') )
…	…
98	98	<?php if (!$error) { ?>
99	99	<form name="template" id="template" action="plugin-editor.php" method="post">
	100	<?php wp_nonce_field('edit-plugin' . $file) ?>
100	101	<div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea>
101	102	<input type="hidden" name="action" value="update" />

trunk/wp-admin/plugins.php

r3517	r3759
3	3
4	4	if ( isset($_GET['action']) ) {
5		~~check_admin_referer();~~
6
7	5	if ('activate' == $_GET['action']) {
	6	check_admin_referer('activate-plugin' . $_GET['plugin']);
8	7	$current = get_settings('active_plugins');
9	8	if (!in_array($_GET['plugin'], $current)) {
…	…
16	15	header('Location: plugins.php?activate=true');
17	16	} else if ('deactivate' == $_GET['action']) {
	17	check_admin_referer('deactivate-plugin' . $_GET['plugin']);
18	18	$current = get_settings('active_plugins');
19	19	array_splice($current, array_search( $_GET['plugin'], $current), 1 ); // Array-fu!
…	…
99	99
100	100	if (!empty($current_plugins) && in_array($plugin_file, $current_plugins)) {
101		$action = "<a href='~~plugins.php?action=deactivate&plugin=$plugin_file~~' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>";
	101	$action = "<a href='" . wp_nonce_url("plugins.php?action=deactivate&plugin=$plugin_file", 'deactivate-plugin' . $plugin_file) . "' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>";
102	102	$plugin_data['Title'] = "<strong>{$plugin_data['Title']}</strong>";
103	103	$style .= $style == 'alternate' ? ' active' : 'active';
104	104	} else {
105		$action = "<a href='~~plugins.php?action=activate&plugin=$plugin_file~~' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>";
	105	$action = "<a href='" . wp_nonce_url("plugins.php?action=activate&plugin=$plugin_file", 'activate-plugin' . $plugin_file) . "' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>";
106	106	}
107	107	$plugin_data['Description'] = wp_kses($plugin_data['Description'], array('a' => array('href' => array(),'title' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array()) ); ;

trunk/wp-admin/post.php

r3721	r3759
25	25	case 'postajaxpost':
26	26	case 'post':
27		check_admin_referer();
	27	check_admin_referer('add-post');
28	28
29	29	$post_ID = 'post' == $action ? write_post() : edit_post();
…	…
79	79
80	80	case 'editattachment':
81		~~check_admin_referer()~~;
	81	$post_id = (int) $_POST['post_ID'];
82	82
83		~~$post_id = (int) $_POST['post_ID']~~;
	83	check_admin_referer('update-attachment' . $post_id);
84	84
85	85	// Don't let these be changed
…	…
97	97
98	98	case 'editpost':
99		check_admin_referer();
	99	$post_ID = (int) $_POST['post_ID'];
	100	check_admin_referer('update-post' . $post_ID);
100	101
101	102	$post_ID = edit_post();
…	…
122	123
123	124	case 'delete':
124		~~check_admin_referer();~~
125
126	125	$post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']);
	126	check_admin_referer('delete-post' . $post_id);
127	127
128	128	$post = & get_post($post_id);

trunk/wp-admin/profile-update.php

r3679 r3759

3 3 require_once('admin.php');
4 4
5 check_admin_referer();
5 check_admin_referer('update-profile' . $user_ID);
6 6
7 7 if ( !$_POST )

trunk/wp-admin/profile.php

r3412	r3759
20	20	<h2><?php _e('Your Profile and Personal Options'); ?></h2>
21	21	<form name="profile" id="your-profile" action="profile-update.php" method="post">
	22	<?php wp_nonce_field('update-profile' . $user_ID) ?>
22	23	<p>
23	24	<input type="hidden" name="from" value="profile" />

trunk/wp-admin/templates.php

r3687	r3759
37	37	case 'update':
38	38
39		check_admin_referer();
	39	check_admin_referer('edit-file' . $file);
40	40
41	41	if ( ! current_user_can('edit_files') )
…	…
129	129	<?php if (!$error) { ?>
130	130	<form name="template" id="template" action="templates.php" method="post">
	131	<?php wp_nonce_field('edit-file' . $file) ?>
131	132	<div><textarea cols="70" rows="25" name="newcontent" id='newcontent' tabindex="1"><?php echo $content ?></textarea>
132	133	<input type="hidden" name="action" value="update" />

trunk/wp-admin/theme-editor.php

r3665	r3759
48	48	case 'update':
49	49
50		check_admin_referer();
	50	check_admin_referer('edit-theme' . $file . $theme);
51	51
52	52	if ( !current_user_can('edit_themes') )
…	…
132	132	?>
133	133	<form name="template" id="template" action="theme-editor.php" method="post">
	134	<?php wp_nonce_field('edit-theme' . $file . $theme) ?>
134	135	<div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea>
135	136	<input type="hidden" name="action" value="update" />

trunk/wp-admin/themes.php

r3517	r3759
3	3
4	4	if ( isset($_GET['action']) ) {
5		check_admin_referer();
	5	check_admin_referer('switch-theme' . $_GET['template']);
6	6
7	7	if ('activate' == $_GET['action']) {
…	…
70	70	$screenshot = $themes[$theme_name]['Screenshot'];
71	71	$stylesheet_dir = $themes[$theme_name]['Stylesheet Dir'];
72		$activate_link = ~~"themes.php?action=activate&template=$template&stylesheet=$stylesheet"~~;
	72	$activate_link = wp_nonce_url("themes.php?action=activate&template=$template&stylesheet=$stylesheet", 'switch-theme' . $template);
73	73	?>
74	74	<div class="available-theme">

trunk/wp-admin/users.php

r3679	r3759
12	12
13	13	case 'promote':
14		check_admin_referer();
	14	check_admin_referer('bulk-users');
15	15
16	16	if (empty($_POST['users'])) {
…	…
40	40	case 'dodelete':
41	41
42		check_admin_referer();
	42	check_admin_referer('delete-users');
43	43
44	44	if ( empty($_POST['users']) ) {
…	…
73	73	case 'delete':
74	74
75		check_admin_referer();
	75	check_admin_referer('bulk-users');
76	76
77	77	if (empty($_POST['users'])) {
…	…
87	87	?>
88	88	<form action="" method="post" name="updateusers" id="updateusers">
	89	<?php wp_nonce_field('delete-users') ?>
89	90	<div class="wrap">
90	91	<h2><?php _e('Delete Users'); ?></h2>
…	…
132	133
133	134	case 'adduser':
134		check_admin_referer();
	135	check_admin_referer('add-user');
135	136
136	137	$user_id = add_user();
…	…
206	207
207	208	<form action="" method="post" name="updateusers" id="updateusers">
	209	<?php wp_nonce_field('bulk-users') ?>
208	210	<div class="wrap">
209	211	<h2><?php _e('User List by Role'); ?></h2>
…	…
258	260	<?php echo '<p>'.sprintf(__('Users can <a href="%1$s">register themselves</a> or you can manually create users here.'), get_settings('siteurl').'/wp-register.php').'</p>'; ?>
259	261	<form action="" method="post" name="adduser" id="adduser">
	262	<?php wp_nonce_field('add-user') ?>
260	263	<table class="editform" width="100%" cellspacing="2" cellpadding="5">
261	264	<tr>

r3679	r3759
3	3	require_once('admin.php');
4	4
5		check_admin_referer();
	5	check_admin_referer('update-profile' . $user_ID);
6	6
7	7	if ( !$_POST )

Navigation

Changeset 3759

Legend:

Download in other formats: