3 * WordPress AJAX Process Execution.
6 * @subpackage Administration
10 * Executing AJAX process.
// Request-type flags consulted elsewhere in WordPress (not in this file): the
// bootstrap and plugins can tell an AJAX, admin-side request from a front-end one.
14 define('DOING_AJAX', true);
15 define('WP_ADMIN', true);
// Full WordPress bootstrap (options, plugins, current user) followed by the
// admin-side helpers this file relies on.
17 require_once('../wp-load.php');
18 require_once('includes/admin.php');
// '@' only hides the "headers already sent" warning; it does not make the header
// take effect once output has started.
19 @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
// Runs before any action is dispatched, so admin_init hooks see every AJAX request.
21 do_action('admin_init');
// Anonymous branch. Only the autosave notice and the wp_ajax_nopriv_* dispatch are
// reachable for logged-out users; the closing lines of the block are elided here.
23 if ( ! is_user_logged_in() ) {
// NOTE(review): $_POST['action'] is read without isset() here (undefined-index
// notice on requests carrying no action), while the dispatch below guards with !empty().
25 if ( $_POST['action'] == 'autosave' ) {
26 $id = isset($_POST['post_ID'])? (int) $_POST['post_ID'] : 0;
// The draft is not saved; the client is told to log in again (link opens in a new window).
31 $message = sprintf( __('<strong>ALERT: You are logged out!</strong> Could not save draft. <a href="%s" target="blank">Please log in again.</a>'), wp_login_url() );
32 $x = new WP_Ajax_Response( array(
// Every callback attached to wp_ajax_nopriv_{action} runs for unauthenticated
// requests; no nonce or capability check happens here, so each such handler has
// to gate itself. The action name is used only to build the hook name.
40 if ( !empty( $_POST['action']) )
41 do_action( 'wp_ajax_nopriv_' . $_POST['action'] );
// GET-dispatched actions; only logged-in users reach this point.
46 if ( isset( $_GET['action'] ) ) :
47 switch ( $action = $_GET['action'] ) :
48 case 'ajax-tag-search' :
// Authorisation only: no nonce check is visible in this read-only arm, so the
// edit_posts capability is its sole gate.
49 if ( !current_user_can( 'edit_posts' ) )
// NOTE(review): $s is interpolated into the LIKE clause below with no
// $wpdb->escape()/like_escape(). Quote safety therefore rests on the request
// values already being slashed at bootstrap (the open question in the original
// comment) — confirm; the LIKE wildcards '%' and '_' are never escaped either.
52 $s = $_GET['q']; // is this slashed already?
// sanitize_title() is expected to reduce the taxonomy name to slug characters
// before it is interpolated into the query.
54 if ( isset($_GET['tax']) )
55 $taxonomy = sanitize_title($_GET['tax']);
// Only the last comma-separated fragment is searched.
59 if ( false !== strpos( $s, ',' ) ) {
60 $s = explode( ',', $s );
61 $s = $s[count( $s ) - 1];
64 if ( strlen( $s ) < 2 )
65 die; // require 2 chars for matching
// String-built query; compare with the $wpdb->prepare() form used by the
// replyto-comment arm later in this file.
67 $results = $wpdb->get_col( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.name LIKE ('%" . $s . "%')" );
69 echo join( $results, "\n" );
72 case 'wp-compression-test' :
73 if ( !current_user_can( 'manage_options' ) )
// PHP is already compressing output: record that scripts must not be compressed
// a second time.
76 if ( ini_get('zlib.output_compression') || 'ob_gzhandler' == ini_get('output_handler') ) {
77 update_site_option('can_compress_scripts', 0);
81 if ( isset($_GET['test']) ) {
// The test payload must never come from a cache, hence the full no-cache set.
82 header( 'Expires: Wed, 11 Jan 1984 05:00:00 GMT' );
83 header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
84 header( 'Cache-Control: no-cache, must-revalidate, max-age=0' );
85 header( 'Pragma: no-cache' );
86 header('Content-Type: application/x-javascript; charset=UTF-8');
// ENFORCE_GZIP makes the deflate branch below unreachable even if the client prefers it.
87 $force_gzip = ( defined('ENFORCE_GZIP') && ENFORCE_GZIP );
88 $test_str = '"wpCompressionTest Lorem ipsum dolor sit amet consectetuer mollis sapien urna ut a. Eu nonummy condimentum fringilla tempor pretium platea vel nibh netus Maecenas. Hac molestie amet justo quis pellentesque est ultrices interdum nibh Morbi. Cras mattis pretium Phasellus ante ipsum ipsum ut sociis Suspendisse Lorem. Ante et non molestie. Porta urna Vestibulum egestas id congue nibh eu risus gravida sit. Ac augue auctor Ut et non a elit massa id sodales. Elit eu Nulla at nibh adipiscing mattis lacus mauris at tempus. Netus nibh quis suscipit nec feugiat eget sed lorem et urna. Pellentesque lacus at ut massa consectetuer ligula ut auctor semper Pellentesque. Ut metus massa nibh quam Curabitur molestie nec mauris congue. Volutpat molestie elit justo facilisis neque ac risus Ut nascetur tristique. Vitae sit lorem tellus et quis Phasellus lacus tincidunt nunc Fusce. Pharetra wisi Suspendisse mus sagittis libero lacinia Integer consequat ac Phasellus. Et urna ac cursus tortor aliquam Aliquam amet tellus volutpat Vestibulum. Justo interdum condimentum In augue congue tellus sollicitudin Quisque quis nibh."';
// test=1: plain payload; test=2: payload compressed per Accept-Encoding;
// test=no/yes: persist what the client detected. The comparisons are loose (==).
90 if ( 1 == $_GET['test'] ) {
93 } elseif ( 2 == $_GET['test'] ) {
// $_SERVER['HTTP_ACCEPT_ENCODING'] is read without isset() (notice when the header is absent).
94 if ( false !== strpos( strtolower($_SERVER['HTTP_ACCEPT_ENCODING']), 'deflate') && function_exists('gzdeflate') && ! $force_gzip ) {
95 header('Content-Encoding: deflate');
96 $out = gzdeflate( $test_str, 1 );
97 } elseif ( false !== strpos( strtolower($_SERVER['HTTP_ACCEPT_ENCODING']), 'gzip') && function_exists('gzencode') ) {
98 header('Content-Encoding: gzip');
99 $out = gzencode( $test_str, 1 );
105 } elseif ( 'no' == $_GET['test'] ) {
106 update_site_option('can_compress_scripts', 0);
107 } elseif ( 'yes' == $_GET['test'] ) {
108 update_site_option('can_compress_scripts', 1);
// Any other GET action goes to plugin callbacks on wp_ajax_{action}; those
// callbacks are responsible for their own nonce and capability checks.
115 do_action( 'wp_ajax_' . $_GET['action'] );
122 * Sends back current comment total and new page links if they need to be updated.
124 * Contrary to normal success AJAX response ("1"), die with time() on success.
128 * @param int $comment_id
// All four hints come from the client: '@' silences undefined-index notices and the
// casts / esc_url_raw() normalise them before use. (Some lines of this function are
// elided in this listing.)
131 function _wp_ajax_delete_comment_response( $comment_id ) {
132 $total = (int) @$_POST['_total'];
133 $per_page = (int) @$_POST['_per_page'];
134 $page = (int) @$_POST['_page'];
135 $url = esc_url_raw( @$_POST['_url'] );
136 // JS didn't send us everything we need to know. Just die with success message
137 if ( !$total || !$per_page || !$page || !$url )
138 die( (string) time() );
140 if ( --$total < 0 ) // Take the total from POST and decrement it (since we just deleted one)
// mt_rand() is a sampling heuristic (skip the expensive path most of the time),
// not a security decision.
143 if ( 0 != $total % $per_page && 1 != mt_rand( 1, $per_page ) ) // Only do the expensive stuff on a page-break, and about 1 other time per page
144 die( (string) time() );
146 $status = 'total_comments'; // What type of comment count are we looking for?
// $status is taken from the comment_status query var of the client-supplied URL
// and used as a property name on the count object below; the isset() guard means
// an unknown name only falls back to the decremented total.
147 $parsed = parse_url( $url );
148 if ( isset( $parsed['query'] ) ) {
149 parse_str( $parsed['query'], $query_vars );
150 if ( !empty( $query_vars['comment_status'] ) )
151 $status = $query_vars['comment_status'];
154 $comment_count = wp_count_comments();
155 $time = time(); // The time since the last comment count
157 if ( isset( $comment_count->$status ) ) // We're looking for a known type of comment count
158 $total = $comment_count->$status;
159 // else use the decremented value from above
// %#% is the page-number placeholder paginate_links() substitutes; $url has
// already been through esc_url_raw().
161 $page_links = paginate_links( array(
162 'base' => add_query_arg( 'apage', '%#%', $url ),
164 'prev_text' => __('«'),
165 'next_text' => __('»'),
166 'total' => ceil($total / $per_page),
169 $x = new WP_Ajax_Response( array(
171 'id' => $comment_id, // here for completeness - not used
172 'supplemental' => array(
173 'pageLinks' => $page_links,
// POST-dispatched actions. $id is the common item id; every arm below follows the
// pattern nonce check -> load item -> capability check on the owning object.
181 $id = isset($_POST['id'])? (int) $_POST['id'] : 0;
182 switch ( $action = $_POST['action'] ) :
183 case 'delete-comment' : // On success, die with time() instead of 1
// The nonce is bound to the specific comment id, so a token for one comment
// cannot be replayed against another.
184 check_ajax_referer( "delete-comment_$id" );
185 if ( !$comment = get_comment( $id ) )
186 die( (string) time() );
187 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
// spam=1 marks the comment as spam instead of deleting it; already-spam is a no-op.
190 if ( isset($_POST['spam']) && 1 == $_POST['spam'] ) {
191 if ( 'spam' == wp_get_comment_status( $comment->comment_ID ) )
192 die( (string) time() );
193 $r = wp_set_comment_status( $comment->comment_ID, 'spam' );
195 $r = wp_delete_comment( $comment->comment_ID );
197 if ( $r ) // Decide if we need to send back '1' or a more complicated response including page links and comment counts
198 _wp_ajax_delete_comment_response( $comment->comment_ID );
202 check_ajax_referer( "delete-category_$id" );
203 if ( !current_user_can( 'manage_categories' ) )
206 $cat = get_category( $id );
207 if ( !$cat || is_wp_error( $cat ) )
210 if ( wp_delete_category( $id ) )
216 check_ajax_referer( "delete-tag_$id" );
217 if ( !current_user_can( 'manage_categories' ) )
// NOTE(review): the taxonomy name is taken from the request as-is and the
// capability check above does not depend on it; get_term()/wp_delete_term() are
// relied on to reject unknown taxonomies — confirm.
220 if ( !empty($_POST['taxonomy']) )
221 $taxonomy = $_POST['taxonomy'];
223 $taxonomy = 'post_tag';
225 $tag = get_term( $id, $taxonomy );
226 if ( !$tag || is_wp_error( $tag ) )
229 if ( wp_delete_term($id, $taxonomy))
234 case 'delete-link-cat' :
235 check_ajax_referer( "delete-link-category_$id" );
236 if ( !current_user_can( 'manage_categories' ) )
239 $cat = get_term( $id, 'link_category' );
240 if ( !$cat || is_wp_error( $cat ) )
243 $cat_name = get_term_field('name', $id, 'link_category');
245 $default = get_option('default_link_category');
247 // Don't delete the default cats.
// Loose comparison: $id is an int, the option value may be a string.
248 if ( $id == $default ) {
249 $x = new WP_AJAX_Response( array(
250 'what' => 'link-cat',
252 'data' => new WP_Error( 'default-link-cat', sprintf(__("Can’t delete the <strong>%s</strong> category: this is the default one"), $cat_name) )
// Links in the deleted category are reassigned to the default category.
257 $r = wp_delete_term($id, 'link_category', array('default' => $default));
260 if ( is_wp_error($r) ) {
261 $x = new WP_AJAX_Response( array(
262 'what' => 'link-cat',
271 check_ajax_referer( "delete-bookmark_$id" );
272 if ( !current_user_can( 'manage_links' ) )
275 $link = get_bookmark( $id );
276 if ( !$link || is_wp_error( $link ) )
279 if ( wp_delete_link( $id ) )
// The meta row is loaded first so the capability check can be made against the
// post that owns it rather than against the meta id.
285 check_ajax_referer( "delete-meta_$id" );
286 if ( !$meta = get_post_meta_by_id( $id ) )
289 if ( !current_user_can( 'edit_post', $meta->post_id ) )
291 if ( delete_meta( $meta->meta_id ) )
// The nonce action is derived from the request's own action name plus the id.
296 check_ajax_referer( "{$action}_$id" );
297 if ( !current_user_can( 'delete_post', $id ) )
300 if ( !get_post( $id ) )
303 if ( wp_delete_post( $id ) )
309 check_ajax_referer( "{$action}_$id" );
310 if ( !current_user_can( 'delete_page', $id ) )
313 if ( !get_page( $id ) )
316 if ( wp_delete_post( $id ) )
321 case 'dim-comment' : // On success, die with time() instead of 1
323 if ( !$comment = get_comment( $id ) ) {
324 $x = new WP_Ajax_Response( array(
326 'id' => new WP_Error('invalid_comment', sprintf(__('Comment %d does not exist'), $id))
// Two checks: the post must be editable and the user must be able to moderate.
331 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
333 if ( !current_user_can( 'moderate_comments' ) )
336 $current = wp_get_comment_status( $comment->comment_ID );
// $_POST['new'] is read without isset(); a request already in the wanted state is a no-op.
337 if ( $_POST['new'] == $current )
338 die( (string) time() );
// The nonce is verified only after the direction of the change is known, since
// approve and unapprove carry different nonce actions.
341 if ( in_array( $current, array( 'unapproved', 'spam' ) ) ) {
342 check_ajax_referer( "approve-comment_$id" );
343 $result = wp_set_comment_status( $comment->comment_ID, 'approve', true );
345 check_ajax_referer( "unapprove-comment_$id" );
346 $result = wp_set_comment_status( $comment->comment_ID, 'hold', true );
348 if ( is_wp_error($result) ) {
349 $x = new WP_Ajax_Response( array(
356 // Decide if we need to send back '1' or a more complicated response including page links and comment counts
357 _wp_ajax_delete_comment_response( $comment->comment_ID );
360 case 'add-category' : // On the Fly
361 check_ajax_referer( $action );
362 if ( !current_user_can( 'manage_categories' ) )
// $_POST['newcat'] and $_POST['newcat_parent'] are read without isset(); the
// parent is int-cast and a negative value is rejected.
364 $names = explode(',', $_POST['newcat']);
365 if ( 0 > $parent = (int) $_POST['newcat_parent'] )
// Ids coming from the client are forced to non-negative ints before reuse.
367 $post_category = isset($_POST['post_category'])? (array) $_POST['post_category'] : array();
368 $checked_categories = array_map( 'absint', (array) $post_category );
369 $popular_ids = isset( $_POST['popular_ids'] ) ?
370 array_map( 'absint', explode( ',', $_POST['popular_ids'] ) ) :
373 $x = new WP_Ajax_Response();
374 foreach ( $names as $cat_name ) {
375 $cat_name = trim($cat_name);
376 $category_nicename = sanitize_title($cat_name);
// Names that sanitise to nothing are skipped rather than created.
377 if ( '' === $category_nicename )
379 $cat_id = wp_create_category( $cat_name, $parent );
380 $checked_categories[] = $cat_id;
381 if ( $parent ) // Do these all at once in a second
383 $category = get_category( $cat_id );
// Rendered checklist is captured from the output buffer (ob_start() is elided here).
385 wp_category_checklist( 0, $cat_id, $checked_categories, $popular_ids );
386 $data = ob_get_contents();
389 'what' => 'category',
395 if ( $parent ) { // Foncy - replace the parent and all its children
396 $parent = get_category( $parent );
398 dropdown_categories( 0, $parent );
399 $data = ob_get_contents();
402 'what' => 'category',
403 'id' => $parent->term_id,
404 'old_id' => $parent->term_id,
412 case 'add-link-category' : // On the Fly
413 check_ajax_referer( $action );
414 if ( !current_user_can( 'manage_categories' ) )
416 $names = explode(',', $_POST['newcat']);
417 $x = new WP_Ajax_Response();
418 foreach ( $names as $cat_name ) {
419 $cat_name = trim($cat_name);
420 $slug = sanitize_title($cat_name);
// Reuse an existing term of that name; otherwise insert and take its term_id.
423 if ( !$cat_id = is_term( $cat_name, 'link_category' ) ) {
424 $cat_id = wp_insert_term( $cat_name, 'link_category' );
426 $cat_id = $cat_id['term_id'];
// The name is unslashed then HTML-escaped before being placed in the markup below.
427 $cat_name = esc_html(stripslashes($cat_name));
429 'what' => 'link-category',
431 'data' => "<li id='link-category-$cat_id'><label for='in-link-category-$cat_id' class='selectit'><input value='" . esc_attr($cat_id) . "' type='checkbox' checked='checked' name='link_category[]' id='in-link-category-$cat_id'/> $cat_name</label></li>",
437 case 'add-cat' : // From Manage->Categories
438 check_ajax_referer( 'add-category' );
439 if ( !current_user_can( 'manage_categories' ) )
442 if ( '' === trim($_POST['cat_name']) ) {
443 $x = new WP_Ajax_Response( array(
445 'id' => new WP_Error( 'cat_name', __('You did not enter a category name.') )
// $_POST['category_parent'] is read without isset().
450 if ( category_exists( trim( $_POST['cat_name'] ), $_POST['category_parent'] ) ) {
451 $x = new WP_Ajax_Response( array(
453 'id' => new WP_Error( 'cat_exists', __('The category you are trying to create already exists.'), array( 'form-field' => 'cat_name' ) ),
// The whole POST array is handed to wp_insert_category(); field selection and
// sanitisation happen inside that function — presumably, confirm.
458 $cat = wp_insert_category( $_POST, true );
460 if ( is_wp_error($cat) ) {
461 $x = new WP_Ajax_Response( array(
468 if ( !$cat || (!$cat = get_category( $cat )) )
// Build "Parent — Child" by walking up the parent chain.
472 $cat_full_name = $cat->name;
474 while ( $_cat->parent ) {
475 $_cat = get_category( $_cat->parent );
476 $cat_full_name = $_cat->name . ' — ' . $cat_full_name;
479 $cat_full_name = esc_attr($cat_full_name);
481 $x = new WP_Ajax_Response( array(
483 'id' => $cat->term_id,
485 'data' => _cat_row( $cat, $level, $cat_full_name ),
486 'supplemental' => array('name' => $cat_full_name, 'show-link' => sprintf(__( 'Category <a href="#%s">%s</a> added' ), "cat-$cat->term_id", $cat_full_name))
490 case 'add-link-cat' : // From Blogroll -> Categories
491 check_ajax_referer( 'add-link-category' );
492 if ( !current_user_can( 'manage_categories' ) )
495 if ( '' === trim($_POST['name']) ) {
496 $x = new WP_Ajax_Response( array(
497 'what' => 'link-cat',
498 'id' => new WP_Error( 'name', __('You did not enter a category name.') )
503 $r = wp_insert_term($_POST['name'], 'link_category', $_POST );
504 if ( is_wp_error( $r ) ) {
505 $x = new WP_AJAX_Response( array(
506 'what' => 'link-cat',
// $r is the array returned by wp_insert_term(), not request data; extract() still
// hides where $term_id (used on the next line) comes from.
512 extract($r, EXTR_SKIP);
514 if ( !$link_cat = link_cat_row( $term_id ) )
517 $x = new WP_Ajax_Response( array(
518 'what' => 'link-cat',
525 case 'add-tag' : // From Manage->Tags
526 check_ajax_referer( 'add-tag' );
527 if ( !current_user_can( 'manage_categories' ) )
530 if ( '' === trim($_POST['name']) ) {
531 $x = new WP_Ajax_Response( array(
533 'id' => new WP_Error( 'name', __('You did not enter a tag name.') )
// Taxonomy name taken from the request as-is (same pattern as the delete-tag arm).
538 if ( !empty($_POST['taxonomy']) )
539 $taxonomy = $_POST['taxonomy'];
541 $taxonomy = 'post_tag';
543 $tag = wp_insert_term($_POST['name'], $taxonomy, $_POST );
545 if ( is_wp_error($tag) ) {
546 $x = new WP_Ajax_Response( array(
553 if ( !$tag || (!$tag = get_term( $tag['term_id'], $taxonomy )) )
556 $tag_full_name = $tag->name;
557 $tag_full_name = esc_attr($tag_full_name);
559 $x = new WP_Ajax_Response( array(
561 'id' => $tag->term_id,
563 'data' => _tag_row( $tag, '', $taxonomy ),
564 'supplemental' => array('name' => $tag_full_name, 'show-link' => sprintf(__( 'Tag <a href="#%s">%s</a> added' ), "tag-$tag->term_id", $tag_full_name))
568 case 'get-tagcloud' :
// Read-only arm: capability check only, no nonce visible.
569 if ( !current_user_can( 'edit_posts' ) )
572 if ( isset($_POST['tax']) )
573 $taxonomy = sanitize_title($_POST['tax']);
577 $tags = get_terms( $taxonomy, array( 'number' => 45, 'orderby' => 'count', 'order' => 'DESC' ) );
// NOTE(review): empty() is tested before is_wp_error(); a WP_Error object is not
// empty, so the order works, but an empty result never reaches the error branch.
579 if ( empty( $tags ) )
580 die( __('No tags found!') );
582 if ( is_wp_error($tags) )
583 die($tags->get_error_message());
585 foreach ( $tags as $key => $tag ) {
586 $tags[ $key ]->link = '#';
587 $tags[ $key ]->id = $tag->term_id;
590 // We need raw tag names here, so don't filter the output
591 $return = wp_generate_tag_cloud( $tags, array('filter' => 0) );
593 if ( empty($return) )
// (case label elided) Comment list for the admin screens. The nonce is the
// request's action; the capability is checked against $id from the common prefix.
601 check_ajax_referer( $action );
602 if ( !current_user_can( 'edit_post', $id ) )
// Search, status, mode, post filter and type are passed through as submitted;
// whatever sanitisation they get happens inside _wp_get_comment_list() — confirm.
604 $search = isset($_POST['s']) ? $_POST['s'] : false;
// page N maps to a start offset of N*25-1; without a page the offset is 24.
605 $start = isset($_POST['page']) ? intval($_POST['page']) * 25 - 1: 24;
606 $status = isset($_POST['comment_status']) ? $_POST['comment_status'] : false;
607 $mode = isset($_POST['mode']) ? $_POST['mode'] : 'detail';
608 $p = isset($_POST['p']) ? $_POST['p'] : 0;
609 $comment_type = isset($_POST['comment_type']) ? $_POST['comment_type'] : '';
610 list($comments, $total) = _wp_get_comment_list( $status, $search, $start, 1, $p, $comment_type );
612 if ( get_option('show_avatars') )
613 add_filter( 'comment_author', 'floated_admin_avatar' );
617 $x = new WP_Ajax_Response();
618 foreach ( (array) $comments as $comment ) {
// get_comment() is called for its caching side effect; the result is discarded.
619 get_comment( $comment );
621 _wp_comment_row( $comment->comment_ID, $mode, $status, true, true );
622 $comment_list_item = ob_get_contents();
626 'id' => $comment->comment_ID,
627 'data' => $comment_list_item
632 case 'get-comments' :
633 check_ajax_referer( $action );
635 $post_ID = (int) $_POST['post_ID'];
636 if ( !current_user_can( 'edit_post', $post_ID ) )
639 $start = isset($_POST['start']) ? intval($_POST['start']) : 0;
640 $num = isset($_POST['num']) ? intval($_POST['num']) : 10;
642 list($comments, $total) = _wp_get_comment_list( false, false, $start, $num, $post_ID );
// All rows are concatenated into one payload here, unlike the arm above which
// emits one response item per comment.
647 $comment_list_item = '';
648 $x = new WP_Ajax_Response();
649 foreach ( (array) $comments as $comment ) {
650 get_comment( $comment );
652 _wp_comment_row( $comment->comment_ID, 'single', false, false );
653 $comment_list_item .= ob_get_contents();
657 'what' => 'comments',
658 'data' => $comment_list_item
662 case 'replyto-comment' :
663 check_ajax_referer( $action );
665 $comment_post_ID = (int) $_POST['comment_post_ID'];
666 if ( !current_user_can( 'edit_post', $comment_post_ID ) )
// Parameterised lookup ($wpdb->prepare with %d) — the form the string-built
// queries elsewhere in this file should follow.
669 $status = $wpdb->get_var( $wpdb->prepare("SELECT post_status FROM $wpdb->posts WHERE ID = %d", $comment_post_ID) );
671 if ( empty($status) )
673 elseif ( in_array($status, array('draft', 'pending') ) )
674 die( __('Error: you are replying to a comment on a draft post.') );
676 $user = wp_get_current_user();
// Author fields are slashed here, presumably because wp_new_comment() expects
// slashed input — confirm.
678 $comment_author = $wpdb->escape($user->display_name);
679 $comment_author_email = $wpdb->escape($user->user_email);
680 $comment_author_url = $wpdb->escape($user->user_url);
681 $comment_content = trim($_POST['content']);
// Even a user with unfiltered_html only bypasses kses when the request carries the
// matching unfiltered-html nonce; otherwise the filters are (re)installed.
682 if ( current_user_can('unfiltered_html') ) {
683 if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
684 kses_remove_filters(); // start with a clean slate
685 kses_init_filters(); // set up the filters
689 die( __('Sorry, you must be logged in to reply to a comment.') );
692 if ( '' == $comment_content )
693 die( __('Error: please type a comment.') );
695 $comment_parent = absint($_POST['comment_ID']);
// NOTE(review): $comment_type and $user_ID are not assigned in the visible lines
// of this arm; they are expected to come from elided lines or globals — confirm.
696 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');
698 $comment_id = wp_new_comment( $commentdata );
699 $comment = get_comment($comment_id);
700 if ( ! $comment ) die('1');
// Mode is whitelisted; position falls back to the string '-1' while the other
// branch yields an int; checkbox is a truthiness test.
702 $modes = array( 'single', 'detail', 'dashboard' );
703 $mode = isset($_POST['mode']) && in_array( $_POST['mode'], $modes ) ? $_POST['mode'] : 'detail';
704 $position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1';
705 $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0;
707 if ( get_option('show_avatars') && 'single' != $mode )
708 add_filter( 'comment_author', 'floated_admin_avatar' );
710 $x = new WP_Ajax_Response();
713 if ( 'dashboard' == $mode ) {
714 require_once( ABSPATH . 'wp-admin/includes/dashboard.php' );
715 _wp_dashboard_recent_comments_row( $comment, false );
717 _wp_comment_row( $comment->comment_ID, $mode, false, $checkbox );
719 $comment_list_item = ob_get_contents();
724 'id' => $comment->comment_ID,
725 'data' => $comment_list_item,
726 'position' => $position
731 case 'edit-comment' :
// Reuses the replyto-comment nonce action rather than one of its own.
732 check_ajax_referer( 'replyto-comment' );
734 $comment_post_ID = (int) $_POST['comment_post_ID'];
735 if ( ! current_user_can( 'edit_post', $comment_post_ID ) )
738 if ( '' == $_POST['content'] )
739 die( __('Error: please type a comment.') );
741 $comment_id = (int) $_POST['comment_ID'];
// $_POST is rewritten in place so the (elided) save call sees comment_status.
742 $_POST['comment_status'] = $_POST['status'];
745 $mode = ( isset($_POST['mode']) && 'single' == $_POST['mode'] ) ? 'single' : 'detail';
746 $position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1';
747 $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0;
748 $comments_listing = isset($_POST['comments_listing']) ? $_POST['comments_listing'] : '';
750 if ( get_option('show_avatars') && 'single' != $mode )
751 add_filter( 'comment_author', 'floated_admin_avatar' );
753 $x = new WP_Ajax_Response();
756 _wp_comment_row( $comment_id, $mode, $comments_listing, $checkbox );
757 $comment_list_item = ob_get_contents();
761 'what' => 'edit_comment',
// NOTE(review): $comment is not assigned in the visible lines of this arm (only
// $comment_id is); unless an elided line sets it, this reads an undefined variable.
762 'id' => $comment->comment_ID,
763 'data' => $comment_list_item,
764 'position' => $position
// (case label elided) add-meta: custom fields, optionally creating a draft first.
770 check_ajax_referer( 'add-meta' );
772 $pid = (int) $_POST['post_id'];
773 if ( isset($_POST['metakeyselect']) || isset($_POST['metakeyinput']) ) {
774 if ( !current_user_can( 'edit_post', $pid ) )
// '#NONE#' is the "no key selected" sentinel from the select box.
776 if ( isset($_POST['metakeyselect']) && '#NONE#' == $_POST['metakeyselect'] && empty($_POST['metakeyinput']) )
// No post yet: create a placeholder draft so the meta has something to attach to.
779 $now = current_time('timestamp', 1);
780 if ( $pid = wp_insert_post( array(
781 'post_title' => sprintf('Draft created on %s at %s', date(get_option('date_format'), $now), date(get_option('time_format'), $now))
783 if ( is_wp_error( $pid ) ) {
784 $x = new WP_Ajax_Response( array(
// add_meta() reads the key/value from $_POST itself — presumably, confirm.
790 if ( !$mid = add_meta( $pid ) )
791 die(__('Please provide a custom field value.'));
795 } else if ( !$mid = add_meta( $pid ) ) {
796 die(__('Please provide a custom field value.'));
799 $meta = get_post_meta_by_id( $mid );
800 $pid = (int) $meta->post_id;
801 $meta = get_object_vars( $meta );
802 $x = new WP_Ajax_Response( array(
805 'data' => _list_meta_row( $meta, $c ),
807 'supplemental' => array('postid' => $pid)
// (else branch) update-meta: the last key of $_POST['meta'] is the meta id.
// NOTE(review): array_pop() takes its argument by reference; passing the result of
// array_keys() directly raises "Only variables should be passed by reference".
810 $mid = (int) array_pop(array_keys($_POST['meta']));
811 $key = $_POST['meta'][$mid]['key'];
812 $value = $_POST['meta'][$mid]['value'];
813 if ( !$meta = get_post_meta_by_id( $mid ) )
814 die('0'); // if meta doesn't exist
// Authorisation is against the post that owns the existing meta row, not the
// client-supplied id alone.
815 if ( !current_user_can( 'edit_post', $meta->post_id ) )
817 if ( !$u = update_meta( $mid, $key, $value ) )
818 die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
// Unslash before rendering so the row shows the stored value, not the slashed input.
820 $key = stripslashes($key);
821 $value = stripslashes($value);
822 $x = new WP_Ajax_Response( array(
824 'id' => $mid, 'old_id' => $mid,
825 'data' => _list_meta_row( array(
827 'meta_value' => $value,
831 'supplemental' => array('postid' => $meta->post_id)
// (case label elided) add-user.
837 check_ajax_referer( $action );
838 if ( !current_user_can('create_users') )
840 require_once(ABSPATH . WPINC . '/registration.php');
// add_user() takes its fields from $_POST — presumably, confirm.
841 if ( !$user_id = add_user() )
843 elseif ( is_wp_error( $user_id ) ) {
844 $x = new WP_Ajax_Response( array(
850 $user_object = new WP_User( $user_id );
852 $x = new WP_Ajax_Response( array(
855 'data' => user_row( $user_object, '', $user_object->roles[0] ),
856 'supplemental' => array(
857 'show-link' => sprintf(__( 'User <a href="#%s">%s</a> added' ), "user-$user_id", $user_object->user_login),
858 'role' => $user_object->roles[0]
863 case 'autosave' : // The name of this action is hardcoded in edit_post()
864 define( 'DOING_AUTOSAVE', true );
// The return value of check_ajax_referer() is kept: it is compared with 2 further
// down to decide whether the client needs fresh nonces.
866 $nonce_age = check_ajax_referer( 'autosave', 'autosavenonce' );
867 global $current_user;
// $_POST['catslist'], ['post_type'] and ['autosave'] are read without isset().
869 $_POST['post_category'] = explode(",", $_POST['catslist']);
870 if($_POST['post_type'] == 'page' || empty($_POST['post_category']))
871 unset($_POST['post_category']);
873 $do_autosave = (bool) $_POST['autosave'];
877 /* translators: draft saved date format, see http://php.net/date */
878 $draft_saved_date_format = __('g:i:s a');
879 $message = sprintf( __('Draft Saved at %s.'), date_i18n( $draft_saved_date_format ) );
881 $supplemental = array();
883 $id = $revision_id = 0;
// Negative post_ID means a post that has not been written yet: force draft status
// and remember the temporary id so the client can map the response back.
884 if($_POST['post_ID'] < 0) {
885 $_POST['post_status'] = 'draft';
886 $_POST['temp_ID'] = $_POST['post_ID'];
887 if ( $do_autosave ) {
888 $id = wp_write_post();
892 $post_ID = (int) $_POST['post_ID'];
893 $_POST['ID'] = $post_ID;
894 $post = get_post($post_ID);
// Someone else holds the edit lock: skip saving and tell the client to stop autosaving.
896 if ( $last = wp_check_post_lock( $post->ID ) ) {
897 $do_autosave = $do_lock = false;
899 $last_user = get_userdata( $last );
900 $last_user_name = get_userdata( $last ) ? $last_user->display_name : __( 'Someone' );
901 $data = new WP_Error( 'locked', sprintf(
902 $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ),
903 esc_html( $last_user_name )
906 $supplemental['disable_autosave'] = 'disable';
// Capability depends on the stored post type, not the submitted one.
909 if ( 'page' == $post->post_type ) {
910 if ( !current_user_can('edit_page', $post_ID) )
911 die(__('You are not allowed to edit this page.'));
913 if ( !current_user_can('edit_post', $post_ID) )
914 die(__('You are not allowed to edit this post.'));
917 if ( $do_autosave ) {
918 // Drafts are just overwritten by autosave
919 if ( 'draft' == $post->post_status ) {
921 } else { // Non drafts are not overwritten. The autosave is stored in a special post revision.
922 $revision_id = wp_create_post_autosave( $post->ID );
923 if ( is_wp_error($revision_id) )
// NOTE(review): $do_lock is only assigned (false) in the lock branch above within
// the visible lines; its true-case initialisation is presumably in an elided line.
934 if ( $do_lock && $id && is_numeric($id) )
935 wp_set_post_lock( $id );
// Nonce age 2 = still valid but in its second half-life: hand the client a fresh
// set so a long editing session does not expire mid-way.
937 if ( $nonce_age == 2 ) {
938 $supplemental['replace-autosavenonce'] = wp_create_nonce('autosave');
939 $supplemental['replace-getpermalinknonce'] = wp_create_nonce('getpermalink');
940 $supplemental['replace-samplepermalinknonce'] = wp_create_nonce('samplepermalink');
941 $supplemental['replace-closedpostboxesnonce'] = wp_create_nonce('closedpostboxes');
943 if ( $_POST['post_type'] == 'post' )
944 $supplemental['replace-_wpnonce'] = wp_create_nonce('update-post_' . $id);
945 elseif ( $_POST['post_type'] == 'page' )
946 $supplemental['replace-_wpnonce'] = wp_create_nonce('update-page_' . $id);
950 $x = new WP_Ajax_Response( array(
951 'what' => 'autosave',
// $data is only defined on some paths in the visible lines (the lock error above);
// the success value is presumably set in an elided line — confirm.
953 'data' => $id ? $data : '',
954 'supplemental' => $supplemental
958 case 'autosave-generate-nonces' :
959 check_ajax_referer( 'autosave', 'autosavenonce' );
960 $ID = (int) $_POST['post_ID'];
// A fresh update nonce is only issued if the user can edit that specific item.
961 if($_POST['post_type'] == 'post') {
962 if(current_user_can('edit_post', $ID))
963 die(wp_create_nonce('update-post_' . $ID));
965 if($_POST['post_type'] == 'page') {
966 if(current_user_can('edit_page', $ID)) {
967 die(wp_create_nonce('update-page_' . $ID));
972 case 'closed-postboxes' :
973 check_ajax_referer( 'closedpostboxes', 'closedpostboxesnonce' );
// NOTE(review): the isset() fallback is immediately discarded — the next line
// explodes $_POST['closed'] directly (notice when absent), and explode() on an
// empty string still yields array(''), so the is_array() guards below are always true.
974 $closed = isset( $_POST['closed'] ) ? $_POST['closed'] : '';
975 $closed = explode( ',', $_POST['closed'] );
976 $hidden = isset( $_POST['hidden'] ) ? $_POST['hidden'] : '';
977 $hidden = explode( ',', $_POST['hidden'] );
978 $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
// $page becomes part of a usermeta key, so it is restricted to [a-z_-] first.
980 if ( !preg_match( '/^[a-z_-]+$/', $page ) )
983 if ( ! $user = wp_get_current_user() )
986 if ( is_array($closed) )
987 update_usermeta($user->ID, 'closedpostboxes_'.$page, $closed);
989 if ( is_array($hidden) ) {
990 $hidden = array_diff( $hidden, array('submitdiv', 'pagesubmitdiv', 'linksubmitdiv') ); // postboxes that are always shown
991 update_usermeta($user->ID, 'meta-box-hidden_'.$page, $hidden);
996 case 'hidden-columns' :
997 check_ajax_referer( 'screen-options-nonce', 'screenoptionnonce' );
// Same discarded-isset pattern as closed-postboxes above.
998 $hidden = isset( $_POST['hidden'] ) ? $_POST['hidden'] : '';
999 $hidden = explode( ',', $_POST['hidden'] );
1000 $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
1002 if ( !preg_match( '/^[a-z_-]+$/', $page ) )
1005 if ( ! $user = wp_get_current_user() )
1008 if ( is_array($hidden) )
1009 update_usermeta($user->ID, "manage-$page-columns-hidden", $hidden);
1013 case 'meta-box-order':
1014 check_ajax_referer( 'meta-box-order' );
1015 $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : false;
1016 $page_columns = isset( $_POST['page_columns'] ) ? (int) $_POST['page_columns'] : 0;
1017 $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
1019 if ( !preg_match( '/^[a-z_-]+$/', $page ) )
1022 if ( ! $user = wp_get_current_user() )
1026 update_user_option($user->ID, "meta-box-order_$page", $order);
1028 if ( $page_columns )
1029 update_usermeta($user->ID, "screen_layout_$page", $page_columns);
1033 case 'get-permalink':
1034 check_ajax_referer( 'getpermalink', 'getpermalinknonce' );
// No capability check visible in this arm: the nonce is the only gate.
1035 $post_id = isset($_POST['post_id'])? intval($_POST['post_id']) : 0;
1036 die(add_query_arg(array('preview' => 'true'), get_permalink($post_id)));
1038 case 'sample-permalink':
1039 check_ajax_referer( 'samplepermalink', 'samplepermalinknonce' );
1040 $post_id = isset($_POST['post_id'])? intval($_POST['post_id']) : 0;
// Title and slug are passed through raw; escaping for the returned HTML is left
// to get_sample_permalink_html() — confirm.
1041 $title = isset($_POST['new_title'])? $_POST['new_title'] : '';
1042 $slug = isset($_POST['new_slug'])? $_POST['new_slug'] : '';
1043 die(get_sample_permalink_html($post_id, $title, $slug));
// (case label elided) inline-save: Quick Edit for posts and pages.
1046 check_ajax_referer( 'inlineeditnonce', '_inline_edit' );
1048 if ( ! isset($_POST['post_ID']) || ! ( $post_ID = (int) $_POST['post_ID'] ) )
// Capability is chosen from the submitted post_type; the stored type is not consulted here.
1051 if ( 'page' == $_POST['post_type'] ) {
1052 if ( ! current_user_can( 'edit_page', $post_ID ) )
1053 die( __('You are not allowed to edit this page.') );
1055 if ( ! current_user_can( 'edit_post', $post_ID ) )
1056 die( __('You are not allowed to edit this post.') );
// Another user holds the edit lock: report it (name HTML-escaped) instead of saving.
1059 if ( $last = wp_check_post_lock( $post_ID ) ) {
1060 $last_user = get_userdata( $last );
1061 $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
1062 printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ), esc_html( $last_user_name ) );
// Database values are unslashed; they are re-slashed so they can be merged with
// the (slashed) request data below.
1068 $post = get_post( $post_ID, ARRAY_A );
1069 $post = add_magic_quotes($post); //since it is from db
// $data's origin is in an elided line; presumably it aliases or copies $_POST.
// Content and excerpt are taken from the stored post, not from the request.
1071 $data['content'] = $post['post_content'];
1072 $data['excerpt'] = $post['post_excerpt'];
1075 $data['user_ID'] = $GLOBALS['user_ID'];
1077 if ( isset($data['post_parent']) )
1078 $data['parent_id'] = $data['post_parent'];
// keep_private overrides whatever status was submitted.
1081 if ( isset($data['keep_private']) && 'private' == $data['keep_private'] )
1082 $data['post_status'] = 'private';
1084 $data['post_status'] = $data['_status'];
1086 if ( empty($data['comment_status']) )
1087 $data['comment_status'] = 'closed';
1088 if ( empty($data['ping_status']) )
1089 $data['ping_status'] = 'closed';
// Re-fetch after the (elided) save so the rendered row reflects the stored values.
1095 if ( 'page' == $_POST['post_type'] ) {
1096 $post[] = get_post($_POST['post_ID']);
1098 } elseif ( 'post' == $_POST['post_type'] ) {
1099 $mode = $_POST['post_view'];
1100 $post[] = get_post($_POST['post_ID']);
1106 case 'inline-save-tax':
1107 check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' );
1109 if ( ! current_user_can('manage_categories') )
1110 die( __('Cheatin’ uh?') );
1112 if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
// Branches by tax_type (case labels elided): category, link category, tag/other taxonomy.
1115 switch ($_POST['tax_type']) {
// Name, slug and parent come straight from the request; sanitisation is left to
// wp_update_category() — confirm. The description is preserved from the stored row.
1118 $data['cat_ID'] = $id;
1119 $data['cat_name'] = $_POST['name'];
1120 $data['category_nicename'] = $_POST['slug'];
1121 if ( isset($_POST['parent']) && (int) $_POST['parent'] > 0 )
1122 $data['category_parent'] = $_POST['parent'];
1124 $cat = get_category($id, ARRAY_A);
1125 $data['category_description'] = $cat['category_description'];
1127 $updated = wp_update_category($data);
1129 if ( $updated && !is_wp_error($updated) )
1130 echo _cat_row( $updated, 0 );
1132 die( __('Category not updated.') );
// The whole POST array is handed to wp_update_term(); field selection happens there.
1136 $updated = wp_update_term($id, 'link_category', $_POST);
1138 if ( $updated && !is_wp_error($updated) )
1139 echo link_cat_row($updated['term_id']);
1141 die( __('Category not updated.') );
// Taxonomy name taken from the request as-is (same pattern as the delete-tag arm).
1145 if ( !empty($_POST['taxonomy']) )
1146 $taxonomy = $_POST['taxonomy'];
1148 $taxonomy = 'post_tag';
1150 $tag = get_term( $id, $taxonomy );
// Quick Edit has no description field, so the stored one is written back into $_POST.
1151 $_POST['description'] = $tag->description;
1153 $updated = wp_update_term($id, $taxonomy, $_POST);
1154 if ( $updated && !is_wp_error($updated) ) {
1155 $tag = get_term( $updated['term_id'], $taxonomy );
1156 if ( !$tag || is_wp_error( $tag ) )
1157 die( __('Tag not updated.') );
1159 echo _tag_row($tag);
1161 die( __('Tag not updated.') );
// (case label elided) find_posts: search used by the media/attach dialogs.
// No capability check is visible in this arm; the nonce is the only gate unless
// one sits in an elided line — confirm.
1170 check_ajax_referer( 'find-posts' );
1172 if ( empty($_POST['ps']) )
// $what can only ever be 'page' or 'post', so its use in the query below is safe.
1175 $what = isset($_POST['pages']) ? 'page' : 'post';
1176 $s = stripslashes($_POST['ps']);
// Tokenise into quoted phrases and bare words.
1177 preg_match_all('/".*?("|$)|((?<=[\\s",+])|^)[^\\s",+]+/', $s, $matches);
// NOTE(review): create_function() compiles its string argument with eval and is
// deprecated since PHP 7.2 / removed in 8.0; the equivalent closure is
// function ( $a ) { return trim( $a, "\"'\n\r " ); }.
1178 $search_terms = array_map(create_function('$a', 'return trim($a, "\\"\'\\n\\r ");'), $matches[0]);
// Each term is slashed before interpolation, so quotes are escaped; the LIKE
// wildcards '%' and '_' are not, so a term containing them widens the match.
1180 $searchand = $search = '';
1181 foreach( (array) $search_terms as $term) {
1182 $term = addslashes_gpc($term);
1183 $search .= "{$searchand}(($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%'))";
1184 $searchand = ' AND ';
// The whole phrase is also matched as one term when it was split into several.
1186 $term = $wpdb->escape($s);
1187 if ( count($search_terms) > 1 && $search_terms[0] != $s )
1188 $search .= " OR ($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%')";
1190 $posts = $wpdb->get_results( "SELECT ID, post_title, post_status, post_date FROM $wpdb->posts WHERE post_type = '$what' AND $search ORDER BY post_date_gmt DESC LIMIT 50" );
1193 exit( __('No posts found.') );
1195 $html = '<table class="widefat" cellspacing="0"><thead><tr><th class="found-radio"><br /></th><th>'.__('Title').'</th><th>'.__('Time').'</th><th>'.__('Status').'</th></tr></thead><tbody>';
1196 foreach ( $posts as $post ) {
1198 switch ( $post->post_status ) {
1201 $stat = __('Published');
1204 $stat = __('Scheduled');
1207 $stat = __('Pending Review');
1210 $stat = __('Unpublished');
// Zero date means "never set"; otherwise it is formatted in the blog's locale.
1214 if ( '0000-00-00 00:00:00' == $post->post_date ) {
1217 /* translators: date format in table columns, see http://php.net/date */
1218 $time = mysql2date(__('Y/m/d'), $post->post_date);
// Every DB-sourced value is escaped for its context (attribute vs text) on output.
1221 $html .= '<tr class="found-posts"><td class="found-radio"><input type="radio" id="found-'.$post->ID.'" name="found_post_id" value="' . esc_attr($post->ID) . '"></td>';
1222 $html .= '<td><label for="found-'.$post->ID.'">'.esc_html( $post->post_title ).'</label></td><td>'.esc_html( $time ).'</td><td>'.esc_html( $stat ).'</td></tr>'."\n\n";
1224 $html .= '</tbody></table>';
1226 $x = new WP_Ajax_Response();
1234 case 'lj-importer' :
1235 check_ajax_referer( 'lj-api-import' );
1236 if ( !current_user_can( 'publish_posts' ) )
1238 if ( empty( $_POST['step'] ) )
1240 define('WP_IMPORTING', true);
1241 include( ABSPATH . 'wp-admin/import/livejournal.php' );
// Dynamic method name built from the request: the (int) cast limits it to
// step<digits>, so only the importer's numbered step methods are reachable.
1242 $result = $lj_api_import->{ 'step' . ( (int) $_POST['step'] ) }();
1243 if ( is_wp_error( $result ) )
1244 echo $result->get_error_message();
1247 case 'widgets-order' :
1248 check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' );
1250 if ( !current_user_can('switch_themes') )
1253 unset( $_POST['savewidgets'], $_POST['action'] );
1255 // save widgets order for all sidebars
1256 if ( is_array($_POST['sidebars']) ) {
1257 $sidebars = array();
1258 foreach ( $_POST['sidebars'] as $key => $val ) {
1260 if ( !empty($val) ) {
1261 $val = explode(',', $val);
1262 foreach ( $val as $k => $v ) {
1263 if ( strpos($v, 'widget-') === false )
1266 $sb[$k] = substr($v, strpos($v, '_') + 1);
1269 $sidebars[$key] = $sb;
1271 wp_set_sidebars_widgets($sidebars);
1277 case 'save-widget' :
1278 check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' );
1280 if ( !current_user_can('switch_themes') || !isset($_POST['id_base']) )
1283 unset( $_POST['savewidgets'], $_POST['action'] );
1285 do_action('load-widgets.php');
1286 do_action('widgets.php');
1287 do_action('sidebar_admin_setup');
1289 $id_base = $_POST['id_base'];
1290 $widget_id = $_POST['widget-id'];
1291 $sidebar_id = $_POST['sidebar'];
1292 $multi_number = !empty($_POST['multi_number']) ? (int) $_POST['multi_number'] : 0;
1293 $settings = isset($_POST['widget-' . $id_base]) && is_array($_POST['widget-' . $id_base]) ? $_POST['widget-' . $id_base] : false;
1294 $error = '<p>' . __('An error has occured. Please reload the page and try again.') . '</p>';
1296 $sidebars = wp_get_sidebars_widgets();
1297 $sidebar = isset($sidebars[$sidebar_id]) ? $sidebars[$sidebar_id] : array();
1300 if ( isset($_POST['delete_widget']) && $_POST['delete_widget'] ) {
1302 if ( !isset($wp_registered_widgets[$widget_id]) )
1305 $sidebar = array_diff( $sidebar, array($widget_id) );
1306 $_POST = array('sidebar' => $sidebar_id, 'widget-' . $id_base => array(), 'the-widget-id' => $widget_id, 'delete_widget' => '1');
1307 } elseif ( $settings && preg_match( '/__i__|%i%/', key($settings) ) ) {
1308 if ( !$multi_number )
1311 $_POST['widget-' . $id_base] = array( $multi_number => array_shift($settings) );
1312 $widget_id = $id_base . '-' . $multi_number;
1313 $sidebar[] = $widget_id;
1315 $_POST['widget-id'] = $sidebar;
1317 foreach ( (array) $wp_registered_widget_updates as $name => $control ) {
1319 if ( $name == $id_base ) {
1320 if ( !is_callable( $control['callback'] ) )
1324 call_user_func_array( $control['callback'], $control['params'] );
1330 if ( isset($_POST['delete_widget']) && $_POST['delete_widget'] ) {
1331 $sidebars[$sidebar_id] = $sidebar;
1332 wp_set_sidebars_widgets($sidebars);
1333 echo "deleted:$widget_id";
1337 if ( !empty($_POST['add_new']) )
1340 if ( $form = $wp_registered_widget_controls[$widget_id] )
1341 call_user_func_array( $form['callback'], $form['params'] );
1346 do_action( 'wp_ajax_' . $_POST['action'] );