X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/41578db67d72562346e4dbb2a14889b23d522813..9e77185fafaf4e60e2b73821e0e4b9b1a11fb85f:/wp-admin/customize.php

diff --git a/wp-admin/customize.php b/wp-admin/customize.php
index b1485d1f..3cfa0c78 100644
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -12,16 +12,26 @@ define( 'IFRAME_REQUEST', true );
 /** Load WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
 
-if ( ! current_user_can( 'edit_theme_options' ) )
+if ( ! current_user_can( 'customize' ) ) {
 	wp_die( __( 'Cheatin’ uh?' ) );
+}
 
 wp_reset_vars( array( 'url', 'return' ) );
-$url = urldecode( $url );
+$url = wp_unslash( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
-if ( $return )
-	$return = wp_validate_redirect( urldecode( $return ) );
-if ( ! $return )
-	$return = $url;
+if ( $return ) {
+	$return = wp_unslash( $return );
+	$return = wp_validate_redirect( $return );
+}
+if ( ! $return ) {
+	if ( $url ) {
+		$return = $url;
+	} elseif ( current_user_can( 'edit_theme_options' ) || current_user_can( 'switch_themes' ) ) {
+		$return = admin_url( 'themes.php' );
+	} else {
+		$return = admin_url();
+	}
+}
 
 global $wp_scripts, $wp_customize;
 
@@ -63,7 +73,7 @@ $body_class = 'wp-core-ui wp-customizer js';
 if ( wp_is_mobile() ) :
 	$body_class .= ' mobile';
 
-	?><meta name="viewport" id="viewport-meta" content="width=device-width, initial-scale=0.8, minimum-scale=0.5, maximum-scale=1.2"><?php
+	?><meta name="viewport" id="viewport-meta" content="width=device-width, initial-scale=0.8, minimum-scale=0.5, maximum-scale=1.2" /><?php
 endif;
 
 $is_ios = wp_is_mobile() && preg_match( '/iPad|iPod|iPhone/', $_SERVER['HTTP_USER_AGENT'] );
@@ -108,14 +118,15 @@ do_action( 'customize_controls_print_scripts' );
 				submit_button( $save_text, 'primary save', 'save', false );
 			?>
 			<span class="spinner"></span>
-			<a class="back button" href="<?php echo esc_url( $return ? $return : admin_url( 'themes.php' ) ); ?>">
-				<?php _e( 'Cancel' ); ?>
+			<a class="customize-controls-close" href="<?php echo esc_url( $return ); ?>">
+				<span class="screen-reader-text"><?php _e( 'Cancel' ); ?></span>
 			</a>
+			<span class="control-panel-back" tabindex="-1"><span class="screen-reader-text"><?php _e( 'Back' ); ?></span></span>
 		</div>
 
 		<?php
 			$screenshot = $wp_customize->theme()->get_screenshot();
-			$cannot_expand = ! ( $screenshot || $wp_customize->theme()->get('Description') );
+			$cannot_expand = ! ( $wp_customize->is_theme_active() || $screenshot || $wp_customize->theme()->get('Description') );
 		?>
 
 		<div id="widgets-right"><!-- For Widget Customizer, many widgets try to look for instances under div#widgets-right, so we have to add that ID to a container div in the customizer for compat -->
@@ -123,27 +134,37 @@ do_action( 'customize_controls_print_scripts' );
 			<div id="customize-info" class="accordion-section <?php if ( $cannot_expand ) echo ' cannot-expand'; ?>">
 				<div class="accordion-section-title" aria-label="<?php esc_attr_e( 'Theme Customizer Options' ); ?>" tabindex="0">
 					<span class="preview-notice"><?php
-						/* translators: %s is the theme name in the Customize/Live Preview pane */
-						echo sprintf( __( 'You are previewing %s' ), '<strong class="theme-name">' . $wp_customize->theme()->display('Name') . '</strong>' );
+						if ( ! $wp_customize->is_theme_active() ) {
+							/* translators: %s is the theme name in the Customize/Live Preview pane */
+							echo sprintf( __( 'You are previewing %s' ), '<strong class="theme-name">' . $wp_customize->theme()->display('Name') . '</strong>' );
+						} else {
+							/* translators: %s is the site/panel title in the Customize pane */
+							echo sprintf( __( 'You are customizing %s' ), '<strong class="theme-name site-title">' . get_bloginfo( 'name' ) . '</strong>' );
+						}
 					?></span>
 				</div>
 				<?php if ( ! $cannot_expand ) : ?>
 				<div class="accordion-section-content">
-					<?php if ( $screenshot ) : ?>
-						<img class="theme-screenshot" src="<?php echo esc_url( $screenshot ); ?>" />
-					<?php endif; ?>
-
-					<?php if ( $wp_customize->theme()->get('Description') ): ?>
-						<div class="theme-description"><?php echo $wp_customize->theme()->display('Description'); ?></div>
-					<?php endif; ?>
+					<?php if ( ! $wp_customize->is_theme_active() ) :
+						if ( $screenshot ) : ?>
+							<img class="theme-screenshot" src="<?php echo esc_url( $screenshot ); ?>" />
+						<?php endif; ?>
+
+						<?php if ( $wp_customize->theme()->get('Description') ): ?>
+							<div class="theme-description"><?php echo $wp_customize->theme()->display('Description'); ?></div>
+						<?php endif;
+					else:
+						echo __( 'The Customizer allows you to preview changes to your site before publishing them. You can also navigate to different pages on your site to preview them.' );
+					endif; ?>
 				</div>
 				<?php endif; ?>
 			</div>
 
 			<div id="customize-theme-controls"><ul>
 				<?php
-				foreach ( $wp_customize->sections() as $section )
-					$section->maybe_render();
+				foreach ( $wp_customize->containers() as $container ) {
+					$container->maybe_render();
+				}
 				?>
 			</ul></div>
 		</div>
@@ -166,12 +187,14 @@ do_action( 'customize_controls_print_scripts' );
 	 */
 	do_action( 'customize_controls_print_footer_scripts' );
 
-	// If the frontend and the admin are served from the same domain, load the
-	// preview over ssl if the customizer is being loaded over ssl. This avoids
-	// insecure content warnings. This is not attempted if the admin and frontend
-	// are on different domains to avoid the case where the frontend doesn't have
-	// ssl certs. Domain mapping plugins can allow other urls in these conditions
-	// using the customize_allowed_urls filter.
+	/*
+	 * If the frontend and the admin are served from the same domain, load the
+	 * preview over ssl if the customizer is being loaded over ssl. This avoids
+	 * insecure content warnings. This is not attempted if the admin and frontend
+	 * are on different domains to avoid the case where the frontend doesn't have
+	 * ssl certs. Domain mapping plugins can allow other urls in these conditions
+	 * using the customize_allowed_urls filter.
+	 */
 
 	$allowed_urls = array( home_url('/') );
 	$admin_origin = parse_url( admin_url() );