X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/784f914b1e4b1c62d6657e86397c2e83bcee4295..4ea0dca21bda49aab5ccb91ec12bb4ef5924ed3e:/wp-admin/includes/class-wp-press-this.php
diff --git a/wp-admin/includes/class-wp-press-this.php b/wp-admin/includes/class-wp-press-this.php
index 0288ed05..9527ef58 100644
--- a/wp-admin/includes/class-wp-press-this.php
+++ b/wp-admin/includes/class-wp-press-this.php
@@ -13,8 +13,8 @@
* @since 4.2.0
*/
class WP_Press_This {
-
// Used to trigger the bookmarklet update notice.
+ const VERSION = 8;
public $version = 8;
private $images = array();
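Review bot: `const VERSION = 8;` and `public $version = 8;` now carry the same number as two independent literals, so the next bump can update one and not the other, and the comment "Used to trigger the bookmarklet update notice." now sits directly above the constant and no longer clearly describes the property. Derive one from the other, `public $version = self::VERSION;`, and say why the property survives, e.g. `// Kept for back-compat with code reading $this->version; prefer self::VERSION.` (presumably that is the reason — confirm there are external readers). The class body continues outside the hunk.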
@@ -42,7 +42,7 @@ class WP_Press_This {
public function site_settings() {
return array(
/**
- * Filter whether or not Press This should redirect the user in the parent window upon save.
+ * Filters whether or not Press This should redirect the user in the parent window upon save.
*
* @since 4.2.0
*
@@ -96,7 +96,7 @@ class WP_Press_This {
}
/**
- * AJAX handler for saving the post as draft or published.
+ * Ajax handler for saving the post as draft or published.
*
* @since 4.2.0
* @access public
@@ -119,10 +119,28 @@ class WP_Press_This {
'post_type' => 'post',
'post_status' => 'draft',
'post_format' => ( ! empty( $_POST['post_format'] ) ) ? sanitize_text_field( $_POST['post_format'] ) : '',
- 'tax_input' => ( ! empty( $_POST['tax_input'] ) ) ? $_POST['tax_input'] : array(),
- 'post_category' => ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(),
);
+ // Only accept categories if the user actually can assign
+ $category_tax = get_taxonomy( 'category' );
+ if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+ $post_data['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+ }
+
+ // Only accept taxonomies if the user can actually assign
+ if ( ! empty( $_POST['tax_input'] ) ) {
+ $tax_input = $_POST['tax_input'];
+ foreach ( $tax_input as $tax => $_ti ) {
+ $tax_object = get_taxonomy( $tax );
+ if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+ unset( $tax_input[ $tax ] );
+ }
+ }
+
+ $post_data['tax_input'] = $tax_input;
+ }
+
+ // Toggle status to pending if user cannot actually publish
if ( ! empty( $_POST['post_status'] ) && 'publish' === $_POST['post_status'] ) {
if ( current_user_can( 'publish_posts' ) ) {
$post_data['post_status'] = 'publish';
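Review bot: The new `tax_input` branch assumes `$_POST['tax_input']` is an array: a scalar value passes `! empty()`, the `foreach` then emits a warning, and the scalar is still copied into `$post_data['tax_input']` after the capability filtering has effectively been skipped; `$_POST['post_category']` is likewise stored without a type check. Guard both, `if ( ! empty( $_POST['tax_input'] ) && is_array( $_POST['tax_input'] ) ) {` and `$post_data['post_category'] = ! empty( $_POST['post_category'] ) ? array_map( 'intval', (array) $_POST['post_category'] ) : array();`, so that only the intended shape reaches the insert. `get_taxonomy( 'category' )` is also dereferenced (`->cap->assign_terms`) without a false check, and the same lookup-and-capability test is repeated in `categories_html` later in this diff; a small private helper returning the taxonomy or null would keep the two checks consistent. The enclosing save handler starts and ends outside the hunk.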
@@ -134,8 +152,9 @@ class WP_Press_This {
$post_data['post_content'] = $this->side_load_images( $post_id, $post_data['post_content'] );
/**
- * Filter the post data of a Press This post before saving/updating, after
- * side_load_images action had run.
+ * Filters the post data of a Press This post before saving/updating.
+ *
+ * The {@see 'side_load_images'} action has already run at this point.
*
* @since 4.5.0
*
@@ -168,7 +187,7 @@ class WP_Press_This {
}
/**
- * Filter the URL to redirect to when Press This saves.
+ * Filters the URL to redirect to when Press This saves.
*
* @since 4.2.0
*
@@ -188,7 +207,7 @@ class WP_Press_This {
}
/**
- * AJAX handler for adding a new category.
+ * Ajax handler for adding a new category.
*
* @since 4.2.0
* @access public
@@ -266,8 +285,6 @@ class WP_Press_This {
* @return string Source's HTML sanitized markup
*/
public function fetch_source_html( $url ) {
- global $wp_version;
-
if ( empty( $url ) ) {
return new WP_Error( 'invalid-url', __( 'A valid URL was not provided.' ) );
}
@@ -275,7 +292,7 @@ class WP_Press_This {
$remote_url = wp_safe_remote_get( $url, array(
'timeout' => 30,
// Use an explicit user-agent for Press This
- 'user-agent' => 'Press This (WordPress/' . $wp_version . '); ' . get_bloginfo( 'url' )
+ 'user-agent' => 'Press This (WordPress/' . get_bloginfo( 'version' ) . '); ' . get_bloginfo( 'url' )
) );
if ( is_wp_error( $remote_url ) ) {
@@ -454,7 +471,7 @@ class WP_Press_This {
* @since 4.2.0
*
* @param string $src Embed source URL.
- * @return string If not from a supported provider, an empty string. Otherwise, a reformattd embed URL.
+ * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL.
*/
private function _limit_embed( $src ) {
$src = $this->_limit_url( $src );
@@ -478,7 +495,6 @@ class WP_Press_This {
// Embedded Daily Motion videos
$src = 'https://www.dailymotion.com/video/' . $src_matches[2];
} else {
- require_once( ABSPATH . WPINC . '/class-oembed.php' );
$oembed = _wp_oembed_get_object();
if ( ! $oembed->get_provider( $src, array( 'discover' => false ) ) ) {
@@ -690,7 +706,7 @@ class WP_Press_This {
}
/**
- * Filter whether to enable in-source media discovery in Press This.
+ * Filters whether to enable in-source media discovery in Press This.
*
* @since 4.2.0
*
@@ -765,7 +781,7 @@ class WP_Press_This {
}
/**
- * Filter the Press This data array.
+ * Filters the Press This data array.
*
* @since 4.2.0
*
@@ -793,36 +809,7 @@ class WP_Press_This {
$press_this = str_replace( '.css', '-rtl.css', $press_this );
}
- $open_sans_font_url = '';
-
- /* translators: If there are characters in your language that are not supported
- * by Open Sans, translate this to 'off'. Do not translate into your own language.
- */
- if ( 'off' !== _x( 'on', 'Open Sans font: on or off' ) ) {
- $subsets = 'latin,latin-ext';
-
- /* translators: To add an additional Open Sans character subset specific to your language,
- * translate this to 'greek', 'cyrillic' or 'vietnamese'. Do not translate into your own language.
- */
- $subset = _x( 'no-subset', 'Open Sans font: add new subset (greek, cyrillic, vietnamese)' );
-
- if ( 'cyrillic' == $subset ) {
- $subsets .= ',cyrillic,cyrillic-ext';
- } elseif ( 'greek' == $subset ) {
- $subsets .= ',greek,greek-ext';
- } elseif ( 'vietnamese' == $subset ) {
- $subsets .= ',vietnamese';
- }
-
- $query_args = array(
- 'family' => urlencode( 'Open Sans:400italic,700italic,400,600,700' ),
- 'subset' => urlencode( $subsets ),
- );
-
- $open_sans_font_url = ',' . add_query_arg( $query_args, 'https://fonts.googleapis.com/css' );
- }
-
- return $styles . $press_this . $open_sans_font_url;
+ return $styles . $press_this;
}
/**
@@ -884,6 +871,12 @@ class WP_Press_This {
public function categories_html( $post ) {
$taxonomy = get_taxonomy( 'category' );
+ // Bail if user cannot assign terms
+ if ( ! current_user_can( $taxonomy->cap->assign_terms ) ) {
+ return;
+ }
+
+ // Only show "add" if user can edit terms
if ( current_user_can( $taxonomy->cap->edit_terms ) ) {
?>
-