<?php
/**
 * Admin AJAX dispatcher.
 *
 * Every handler in this file is reached only after WordPress has been
 * bootstrapped through wp-config.php and the caller has been shown to be
 * logged in. DOING_AJAX is defined *before* the bootstrap so that anything
 * loaded by it can tell it is serving an AJAX request.
 */
define('DOING_AJAX', true);

require_once('../wp-config.php');
require_once('includes/admin.php');

// Gate 1 of 3: the caller must be logged in. Each action below adds its own
// nonce check (CSRF) and capability check (authorisation). '-1' is the token
// the admin JavaScript interprets as "not allowed".
if ( ! is_user_logged_in() ) {
	exit('-1');
}
9
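if ( isset($_GET['action']) && 'ajax-tag-search' == $_GET['action'] ) {
	// Tag autocompleter for the post editor. It is GET-based and carries no
	// nonce, so the capability check is the only gate; it only reads term
	// names, nothing is modified.
	if ( !current_user_can( 'manage_categories' ) )
		die('-1');

	// $_GET arrives slashed (WordPress adds magic quotes to the superglobals
	// during bootstrap — the original comment was unsure of this), so undo
	// that before handing the raw value to the query builder, which does its
	// own escaping.
	$s = isset($_GET['q']) ? stripslashes( $_GET['q'] ) : '';

	if ( strstr( $s, ',' ) )
		die; // it's a multiple tag insert, we won't find anything

	// Never interpolate request data into SQL: bind the search term through
	// $wpdb->prepare(). The surrounding '%' wildcards are part of the bound
	// value, not of the query text. A '%' or '_' typed by the user still acts
	// as a LIKE wildcard, exactly as it did before — harmless for a name lookup.
	$results = $wpdb->get_col( $wpdb->prepare(
		"SELECT name FROM $wpdb->terms WHERE name LIKE %s",
		'%' . $s . '%'
	) );
	echo implode( "\n", (array) $results );
	die;
}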
22
// Target object ID shared by most actions below; absent or non-numeric -> 0.
$id = empty($_POST['id']) ? 0 : (int) $_POST['id'];
24 switch ( $action = $_POST['action'] ) :
case 'delete-comment' :
	// CSRF: the nonce is bound to this specific comment ID.
	check_ajax_referer( "delete-comment_$id" );
	$comment = get_comment( $id );
	if ( ! $comment )
		die('0');
	// Authorisation is derived from the parent post, not from the comment.
	if ( ! current_user_can( 'edit_post', $comment->comment_post_ID ) )
		die('-1');

	// spam=1 marks the comment as spam instead of removing it outright.
	$mark_as_spam = isset($_POST['spam']) && 1 == $_POST['spam'];
	$ok = $mark_as_spam
		? wp_set_comment_status( $comment->comment_ID, 'spam' )
		: wp_delete_comment( $comment->comment_ID );

	die( $ok ? '1' : '0' );
	break;
case 'delete-cat' :
	check_ajax_referer( "delete-category_$id" ); // nonce bound to the category ID
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');

	// '1' on success, '0' when the category could not be removed.
	die( wp_delete_category( $id ) ? '1' : '0' );
	break;
case 'delete-tag' :
	check_ajax_referer( "delete-tag_$id" ); // nonce bound to the tag ID
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');

	// '1' on success, '0' when the term could not be removed.
	die( wp_delete_term( $id, 'post_tag' ) ? '1' : '0' );
	break;
case 'delete-link-cat' :
	check_ajax_referer( "delete-link-category_$id" ); // nonce bound to the term ID
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');

	$cat_name = get_term_field('name', $id, 'link_category');

	// The default link category must never be deleted; report that as a
	// WP_Error carried in the XML response rather than a bare status code.
	// NOTE(review): $cat_name is placed inside HTML markup unescaped; this
	// relies on term names having been sanitised on their way into the
	// database — confirm before reusing the pattern with other sources.
	if ( $id == get_option('default_link_category') ) {
		$response = new WP_AJAX_Response( array(
			'what' => 'link-cat',
			'id' => $id,
			'data' => new WP_Error( 'default-link-cat', sprintf(__("Can&#8217;t delete the <strong>%s</strong> category: this is the default one"), $cat_name) )
		) );
		// send() is relied on to end the request here; otherwise the delete
		// below would still run for the default category.
		$response->send();
	}

	$deleted = wp_delete_term($id, 'link_category');
	if ( ! $deleted )
		die('0');
	if ( is_wp_error($deleted) ) {
		$response = new WP_AJAX_Response( array(
			'what' => 'link-cat',
			'id' => $id,
			'data' => $deleted
		) );
		$response->send();
	}
	die('1');
	break;
case 'delete-link' :
	check_ajax_referer( "delete-bookmark_$id" ); // nonce bound to the bookmark ID
	if ( ! current_user_can( 'manage_links' ) )
		die('-1');

	// '1' on success, '0' when the bookmark could not be removed.
	die( wp_delete_link( $id ) ? '1' : '0' );
	break;
case 'delete-meta' :
	check_ajax_referer( "delete-meta_$id" ); // nonce bound to the meta row ID
	$meta = get_post_meta_by_id( $id );
	if ( ! $meta )
		die('0');
	// Authorisation comes from the post the meta row belongs to.
	if ( ! current_user_can( 'edit_post', $meta->post_id ) )
		die('-1');
	die( delete_meta( $meta->meta_id ) ? '1' : '0' );
	break;
case 'delete-post' :
	check_ajax_referer( "{$action}_$id" ); // i.e. "delete-post_<id>"
	if ( ! current_user_can( 'delete_post', $id ) )
		die('-1');

	die( wp_delete_post( $id ) ? '1' : '0' );
	break;
case 'delete-page' :
	check_ajax_referer( "{$action}_$id" ); // i.e. "delete-page_<id>"
	if ( ! current_user_can( 'delete_page', $id ) )
		die('-1');

	die( wp_delete_post( $id ) ? '1' : '0' );
	break;
case 'dim-comment' :
	// Toggles a comment between approved and held. Both the post-level and
	// the global moderation capability are required.
	$comment = get_comment( $id );
	if ( ! $comment )
		die('0');
	if ( ! current_user_can( 'edit_post', $comment->comment_post_ID ) || ! current_user_can( 'moderate_comments' ) )
		die('-1');

	// The nonce names the transition being made, so a stale "approve" token
	// cannot be replayed to unapprove (or vice versa).
	$is_unapproved = ( 'unapproved' == wp_get_comment_status($comment->comment_ID) );
	$nonce_action  = $is_unapproved ? "approve-comment_$id" : "unapprove-comment_$id";
	$new_status    = $is_unapproved ? 'approve' : 'hold';
	check_ajax_referer( $nonce_action );
	if ( wp_set_comment_status( $comment->comment_ID, $new_status ) )
		die('1');
	die('0');
	break;
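case 'add-category' : // On the Fly
	check_ajax_referer( $action );
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');
	// Comma-separated list of new category names; parent defaults to top level.
	$names = isset($_POST['newcat']) ? explode(',', $_POST['newcat']) : array();
	$parent = isset($_POST['newcat_parent']) ? (int) $_POST['newcat_parent'] : 0;
	if ( $parent < 0 )
		$parent = 0;
	$post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array();
	$checked_categories = array_map( 'absint', $post_category );

	$x = new WP_Ajax_Response();
	foreach ( $names as $cat_name ) {
		$cat_name = trim($cat_name);
		if ( '' === sanitize_title($cat_name) )
			continue; // nothing usable as a slug
		$cat_id = wp_create_category( $cat_name, $parent );
		// A falsy (or error) result means the term was not created; don't add
		// a bogus "category 0" to the checklist (previously unchecked).
		if ( ! $cat_id || is_wp_error($cat_id) )
			continue;
		$checked_categories[] = $cat_id;
		if ( $parent ) // Do these all at once in a second
			continue;
		ob_start();
			wp_category_checklist( 0, $cat_id, $checked_categories );
		$data = ob_get_clean();
		$x->add( array(
			'what' => 'category',
			'id' => $cat_id,
			'data' => $data,
			'position' => -1
		) );
	}
	if ( $parent ) { // Foncy - replace the parent and all its children
		$parent = get_category( $parent );
		ob_start();
			dropdown_categories( 0, $parent );
		$data = ob_get_clean();
		$x->add( array(
			'what' => 'category',
			'id' => $parent->term_id,
			'old_id' => $parent->term_id,
			'data' => $data,
			'position' => -1
		) );

	}
	$x->send();
	break;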
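case 'add-link-category' : // On the Fly
	check_ajax_referer( $action );
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');
	$names = isset($_POST['newcat']) ? explode(',', $_POST['newcat']) : array();
	$x = new WP_Ajax_Response();
	foreach ( $names as $cat_name ) {
		$cat_name = trim($cat_name);
		if ( '' === sanitize_title($cat_name) )
			continue;
		// Reuse an existing link category of the same name, else create it.
		$term = is_term( $cat_name, 'link_category' );
		if ( ! $term )
			$term = wp_insert_term( $cat_name, 'link_category' );
		// wp_insert_term() reports failure as a WP_Error; previously this was
		// indexed like an array and produced an <li> with an empty ID.
		if ( is_wp_error($term) ) {
			$x->add( array(
				'what' => 'link-category',
				'id' => $term
			) );
			continue;
		}
		$cat_id = (int) $term['term_id'];
		// Undo request slashing, then escape for the HTML fragment below.
		$cat_name = wp_specialchars(stripslashes($cat_name));
		$x->add( array(
			'what' => 'link-category',
			'id' => $cat_id,
			'data' => "<li id='link-category-$cat_id'><label for='in-link-category-$cat_id' class='selectit'><input value='$cat_id' type='checkbox' checked='checked' name='link_category[]' id='in-link-category-$cat_id'/> $cat_name</label></li>",
			'position' => -1
		) );
	}
	$x->send();
	break;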
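case 'add-cat' : // From Manage->Categories
	check_ajax_referer( 'add-category' );
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');

	$cat_name = isset($_POST['cat_name']) ? trim($_POST['cat_name']) : '';
	if ( '' === $cat_name ) {
		$x = new WP_Ajax_Response( array(
			'what' => 'cat',
			'id' => new WP_Error( 'cat_name', __('You did not enter a category name.') )
		) );
		$x->send();
	}

	if ( category_exists( $cat_name ) ) {
		$x = new WP_Ajax_Response( array(
			'what' => 'cat',
			'id' => new WP_Error( 'cat_exists', __('The category you are trying to create already exists.'), array( 'form-field' => 'cat_name' ) ),
		) );
		$x->send();
	}

	// The whole request array is handed over; wp_insert_category() is relied
	// on to pick out only the fields it knows. `true` asks for a WP_Error
	// (rather than 0) on failure so the message can be relayed to the form.
	$cat = wp_insert_category( $_POST, true );

	if ( is_wp_error($cat) ) {
		$x = new WP_Ajax_Response( array(
			'what' => 'cat',
			'id' => $cat
		) );
		$x->send();
	}

	if ( ! $cat || ! ( $cat = get_category( $cat ) ) )
		die('0');

	// Build "Grandparent — Parent — Name" by walking up the hierarchy; $level
	// is the depth, handed to _cat_row() (presumably for indentation).
	$level = 0;
	$cat_full_name = $cat->name;
	$ancestor = $cat;
	while ( $ancestor->parent ) {
		$ancestor = get_category( $ancestor->parent );
		$cat_full_name = $ancestor->name . ' &#8212; ' . $cat_full_name;
		$level++;
	}
	// Escaped once here; the same escaped string feeds both the table row and
	// the "added" notice link.
	$cat_full_name = attribute_escape($cat_full_name);

	$x = new WP_Ajax_Response( array(
		'what' => 'cat',
		'id' => $cat->term_id,
		'data' => _cat_row( $cat, $level, $cat_full_name ),
		'supplemental' => array('name' => $cat_full_name, 'show-link' => sprintf(__( 'Category <a href="#%s">%s</a> added' ), "cat-$cat->term_id", $cat_full_name))
	) );
	$x->send();
	break;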
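case 'add-link-cat' : // From Blogroll -> Categories
	check_ajax_referer( 'add-link-category' );
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');

	$name = isset($_POST['name']) ? $_POST['name'] : '';
	if ( '' === trim($name) ) {
		$x = new WP_Ajax_Response( array(
			'what' => 'link-cat',
			'id' => new WP_Error( 'name', __('You did not enter a category name.') )
		) );
		$x->send();
	}

	// The whole request array doubles as the term arguments (slug, parent,
	// description, ...). manage_categories above is what makes that
	// acceptable; confirm wp_insert_term() only honours the keys it documents.
	$r = wp_insert_term($name, 'link_category', $_POST );
	if ( is_wp_error( $r ) ) {
		$x = new WP_AJAX_Response( array(
			'what' => 'link-cat',
			'id' => $r
		) );
		$x->send();
	}

	// Read the new term ID directly rather than extract()-ing the result into
	// the local scope, where any key in $r could shadow a variable.
	$term_id = (int) $r['term_id'];

	if ( ! $link_cat = link_cat_row( $term_id ) )
		die('0');

	$x = new WP_Ajax_Response( array(
		'what' => 'link-cat',
		'id' => $term_id,
		'data' => $link_cat
	) );
	$x->send();
	break;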
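case 'add-tag' : // From Manage->Tags
	check_ajax_referer( 'add-tag' );
	if ( ! current_user_can( 'manage_categories' ) )
		die('-1');

	$name = isset($_POST['name']) ? $_POST['name'] : '';
	if ( '' === trim($name) ) {
		$x = new WP_Ajax_Response( array(
			'what' => 'tag',
			'id' => new WP_Error( 'name', __('You did not enter a tag name.') )
		) );
		$x->send();
	}

	// The request array doubles as the term arguments (slug, description, ...);
	// manage_categories above is what makes that acceptable.
	$tag = wp_insert_term($name, 'post_tag', $_POST );

	if ( is_wp_error($tag) ) {
		$x = new WP_Ajax_Response( array(
			'what' => 'tag',
			'id' => $tag
		) );
		$x->send();
	}

	if ( ! $tag || ! ( $tag = get_term( $tag['term_id'], 'post_tag' ) ) )
		die('0');

	// Escaped for the supplemental "added" notice; _tag_row() receives the
	// raw term object and renders it itself.
	$tag_full_name = attribute_escape( $tag->name );

	$x = new WP_Ajax_Response( array(
		'what' => 'tag',
		'id' => $tag->term_id,
		'data' => _tag_row( $tag ),
		'supplemental' => array('name' => $tag_full_name, 'show-link' => sprintf(__( 'Tag <a href="#%s">%s</a> added' ), "tag-$tag->term_id", $tag_full_name))
	) );
	$x->send();
	break;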
case 'add-comment' :
	// Returns a further page of comment rows for the comments list. The
	// edit_post capability is checked against $id from the request.
	check_ajax_referer( $action );
	if ( ! current_user_can( 'edit_post', $id ) )
		die('-1');
	// NOTE(review): $search and $status reach _wp_get_comment_list() exactly
	// as submitted; that helper is relied on to escape them for its query
	// (not visible from here — confirm).
	$search = isset($_POST['s']) ? $_POST['s'] : false;
	// Pages are 25 rows: page N starts at row 25N-1, default 24.
	$start  = isset($_POST['page']) ? intval($_POST['page']) * 25 - 1 : 24;
	$status = isset($_POST['comment_status']) ? $_POST['comment_status'] : false;
	$mode   = isset($_POST['mode']) ? $_POST['mode'] : 'detail';

	list($comments, $total) = _wp_get_comment_list( $status, $search, $start, 1 );

	if ( ! $comments )
		die('1');
	$x = new WP_Ajax_Response();
	foreach ( (array) $comments as $comment ) {
		get_comment( $comment ); // result discarded — presumably primes the comment cache
		ob_start();
			_wp_comment_row( $comment->comment_ID, $mode, false );
		$row_html = ob_get_clean();
		$x->add( array(
			'what' => 'comment',
			'id' => $comment->comment_ID,
			'data' => $row_html
		) );
	}
	$x->send();
	break;
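case 'add-meta' :
	check_ajax_referer( 'add-meta' );
	$c = 0; // row counter handed to _list_meta_row()
	$pid = isset($_POST['post_id']) ? (int) $_POST['post_id'] : 0;
	// NOTE(review): the meta key is taken from the request without any
	// restriction; whether add_meta()/update_meta() refuse internal keys is
	// not visible from this file — confirm before relying on it.
	if ( isset($_POST['metakeyselect']) || isset($_POST['metakeyinput']) ) {
		// Adding a new custom field (add_meta() reads key/value from $_POST).
		if ( ! current_user_can( 'edit_post', $pid ) )
			die('-1');
		$metakeyselect = isset($_POST['metakeyselect']) ? $_POST['metakeyselect'] : '';
		if ( '#NONE#' == $metakeyselect && empty($_POST['metakeyinput']) )
			die('1'); // nothing selected and nothing typed
		if ( $pid < 0 ) {
			// A negative ID means the post does not exist yet: create a
			// placeholder draft to attach the meta to. NOTE(review): the
			// edit_post check above therefore ran against a non-existent post —
			// confirm how the capability layer resolves that.
			$now = current_time('timestamp', 1);
			$pid = wp_insert_post( array(
				'post_title' => sprintf('Draft created on %s at %s', date(get_option('date_format'), $now), date(get_option('time_format'), $now))
			) );
			if ( ! $pid )
				die('0');
			if ( is_wp_error( $pid ) ) {
				$x = new WP_Ajax_Response( array(
					'what' => 'meta',
					'data' => $pid
				) );
				$x->send();
			}
		}
		// add_meta() returns the new meta ID, or a falsy value on failure
		// (previously unchecked on the new-draft path).
		if ( ! $mid = add_meta( $pid ) )
			die('0');

		$meta = get_post_meta_by_id( $mid );
		$pid = (int) $meta->post_id;
		$meta = get_object_vars( $meta );
		$x = new WP_Ajax_Response( array(
			'what' => 'meta',
			'id' => $mid,
			'data' => _list_meta_row( $meta, $c ),
			'position' => 1,
			'supplemental' => array('postid' => $pid)
		) );
	} else {
		// Updating an existing custom field: the form posts meta[<mid>][key|value].
		if ( empty($_POST['meta']) || ! is_array($_POST['meta']) )
			die('0');
		$mids = array_keys($_POST['meta']);
		$mid = (int) end($mids); // last submitted row (array_pop() on a temporary is a by-reference error)
		$key = isset($_POST['meta'][$mid]['key']) ? $_POST['meta'][$mid]['key'] : '';
		$value = isset($_POST['meta'][$mid]['value']) ? $_POST['meta'][$mid]['value'] : '';
		if ( ! $meta = get_post_meta_by_id( $mid ) )
			die('0'); // if meta doesn't exist
		if ( ! current_user_can( 'edit_post', $meta->post_id ) )
			die('-1');
		if ( ! update_meta( $mid, $key, $value ) )
			die('1'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
		$key = stripslashes($key);
		$value = stripslashes($value);
		$x = new WP_Ajax_Response( array(
			'what' => 'meta',
			'id' => $mid, 'old_id' => $mid,
			'data' => _list_meta_row( array(
				'meta_key' => $key,
				'meta_value' => $value,
				'meta_id' => $mid
			), $c ),
			'position' => 0,
			'supplemental' => array('postid' => $meta->post_id)
		) );
	}
	$x->send();
	break;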
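case 'add-user' :
	check_ajax_referer( $action );
	if ( ! current_user_can('create_users') )
		die('-1');
	require_once(ABSPATH . WPINC . '/registration.php');
	// add_user() reads the new account's details straight from $_POST.
	$user_id = add_user();
	if ( ! $user_id )
		die('0');
	if ( is_wp_error( $user_id ) ) {
		$x = new WP_Ajax_Response( array(
			'what' => 'user',
			'id' => $user_id
		) );
		$x->send();
	}
	$user_object = new WP_User( $user_id );

	// The login is escaped before being placed in the "added" notice markup,
	// matching what the add-cat / add-tag handlers do with their names.
	$x = new WP_Ajax_Response( array(
		'what' => 'user',
		'id' => $user_id,
		'data' => user_row( $user_object, '', $user_object->roles[0] ),
		'supplemental' => array(
			'show-link' => sprintf(__( 'User <a href="#%s">%s</a> added' ), "user-$user_id", wp_specialchars( $user_object->user_login )),
			'role' => $user_object->roles[0]
		)
	) );
	$x->send();
	break;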
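case 'autosave' : // The name of this action is hardcoded in edit_post()
	// check_ajax_referer() returns the nonce's age tick; a value of 2 is
	// treated below as "about to expire" and triggers a nonce refresh.
	$nonce_age = check_ajax_referer( 'autosave', 'autosavenonce');

	$post_type = isset($_POST['post_type']) ? $_POST['post_type'] : '';

	// edit_post() / wp_write_post() read their input from $_POST, so the
	// request is massaged in place: autosaves are always drafts, and the
	// category / tag lists arrive comma-separated.
	$_POST['post_status'] = 'draft';
	$_POST['post_category'] = explode(",", isset($_POST['catslist']) ? $_POST['catslist'] : '');
	$_POST['tags_input'] = explode(",", isset($_POST['tags_input']) ? $_POST['tags_input'] : '');
	if ( 'page' == $post_type || empty($_POST['post_category']) )
		unset($_POST['post_category']);

	$do_autosave = ! empty($_POST['autosave']);
	$do_lock = true;

	$data = '';
	$message = sprintf( __('Draft Saved at %s.'), date( __('g:i:s a'), current_time( 'timestamp', true ) ) );

	$supplemental = array();

	$id = 0;
	$post_ID = isset($_POST['post_ID']) ? (int) $_POST['post_ID'] : 0;
	if ( $post_ID < 0 ) {
		// Brand-new post: the negative ID is the editor's placeholder. Only
		// wp_write_post() is called here; it is relied on to do its own
		// edit_posts / edit_pages capability check (not visible here — confirm).
		$_POST['temp_ID'] = $_POST['post_ID'];
		if ( $do_autosave ) {
			$id = wp_write_post();
			$data = $message;
		}
	} else {
		$_POST['ID'] = $post_ID;
		$post = get_post($post_ID);
		// A post_ID that matches nothing must not fall through to the lock and
		// capability checks (null dereference) nor reach edit_post().
		if ( ! $post )
			die('0');

		// The lock check is informational: it disables the autosave and the
		// lock refresh, but authorisation still happens below before any write.
		if ( $last = wp_check_post_lock( $post->ID ) ) {
			$do_autosave = $do_lock = false;

			$last_user = get_userdata( $last );
			$last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
			$data = new WP_Error( 'locked', sprintf(
				'page' == $post_type ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ),
				wp_specialchars( $last_user_name )
			) );

			$supplemental['disable_autosave'] = 'disable';
		}

		// Capability is taken from the stored post type, not the request.
		if ( 'page' == $post->post_type ) {
			if ( ! current_user_can('edit_page', $post_ID) )
				die(__('You are not allowed to edit this page.'));
		} else {
			if ( ! current_user_can('edit_post', $post_ID) )
				die(__('You are not allowed to edit this post.'));
		}
		if ( $do_autosave ) {
			$id = edit_post();
			$data = $message;
		} else {
			$id = $post->ID;
		}
	}

	if ( $do_lock && $id && is_numeric($id) )
		wp_set_post_lock( $id );

	// Ageing nonce: hand the editor a fresh set so a long editing session does
	// not lose its CSRF tokens. The per-post update nonce is only issued once
	// an ID exists and the capability check above has passed.
	if ( $nonce_age == 2 ) {
		$supplemental['replace-autosavenonce'] = wp_create_nonce('autosave');
		$supplemental['replace-getpermalinknonce'] = wp_create_nonce('getpermalink');
		$supplemental['replace-samplepermalinknonce'] = wp_create_nonce('samplepermalink');
		$supplemental['replace-closedpostboxesnonce'] = wp_create_nonce('closedpostboxes');
		if ( $id ) {
			if ( 'post' == $post_type )
				$supplemental['replace-_wpnonce'] = wp_create_nonce('update-post_' . $id);
			elseif ( 'page' == $post_type )
				$supplemental['replace-_wpnonce'] = wp_create_nonce('update-page_' . $id);
		}
	}

	$x = new WP_Ajax_Response( array(
		'what' => 'autosave',
		'id' => $id,
		'data' => $id ? $data : '',
		'supplemental' => $supplemental
	) );
	$x->send();
	break;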
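case 'autosave-generate-nonces' :
	// Issues a fresh per-post update nonce to a still-valid autosave session,
	// but only for a post/page the caller is allowed to edit.
	check_ajax_referer( 'autosave', 'autosavenonce' );
	$ID = isset($_POST['post_ID']) ? (int) $_POST['post_ID'] : 0;
	$post_type = isset($_POST['post_type']) ? $_POST['post_type'] : '';
	if ( 'post' == $post_type && current_user_can('edit_post', $ID) )
		die(wp_create_nonce('update-post_' . $ID));
	if ( 'page' == $post_type && current_user_can('edit_page', $ID) )
		die(wp_create_nonce('update-page_' . $ID));
	die('0');
	break;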
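case 'closed-postboxes' :
	check_ajax_referer( 'closedpostboxes', 'closedpostboxesnonce' );
	// Persist which meta boxes the current user has collapsed on an admin page.
	$closed = isset( $_POST['closed'] ) ? $_POST['closed'] : '';
	$closed = explode( ',', $closed ); // (previously re-read $_POST here, bypassing the isset guard)
	$page = isset( $_POST['page'] ) ? $_POST['page'] : '';
	// The page name becomes part of a usermeta key, so restrict it to a safe
	// alphabet before it gets anywhere near the database.
	if ( ! preg_match( '/^[a-z-]+$/', $page ) )
		die(-1);
	// explode() yields a non-array for non-string input (e.g. closed[]=...);
	// store nothing in that case.
	if ( ! is_array($closed) )
		break;
	$current_user = wp_get_current_user();
	update_usermeta($current_user->ID, 'closedpostboxes_'.$page, $closed);
	// No explicit response body: the request ends when the switch falls out.
	break;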
case 'get-permalink':
	check_ajax_referer( 'getpermalink', 'getpermalinknonce' );
	// NOTE(review): nonce only — there is no capability check, so any
	// logged-in user holding a valid nonce can resolve the preview URL of any
	// post ID. Nothing is modified and only the URL is returned, but confirm
	// that is acceptable before copying this pattern elsewhere.
	$post_id = empty($_POST['post_id']) ? 0 : intval($_POST['post_id']);
	$preview_url = add_query_arg(array('preview' => 'true'), get_permalink($post_id));
	die($preview_url);
	break;
case 'sample-permalink':
	check_ajax_referer( 'samplepermalink', 'samplepermalinknonce' );
	// Renders the editable permalink preview for a post using the candidate
	// title / slug the user has typed. NOTE(review): no capability check here
	// either, and the raw title and slug are passed straight through —
	// get_sample_permalink_html() is relied on to sanitise them (confirm).
	$post_id = empty($_POST['post_id']) ? 0 : intval($_POST['post_id']);
	$title   = isset($_POST['new_title']) ? $_POST['new_title'] : '';
	$slug    = isset($_POST['new_slug'])  ? $_POST['new_slug']  : '';
	die(get_sample_permalink_html($post_id, $title, $slug));
	break;
default :
	// Extension point: plugins hook 'wp_ajax_<action>'. A handler that
	// produces a response is expected to end the request itself; if nothing
	// does, the trailing '0' tells the client the action went unhandled.
	// ($action holds $_POST['action'], assigned in the switch expression.)
	do_action( 'wp_ajax_' . $action );
	die('0');
	break;
585 endswitch;
586 ?>