3 * WordPress AJAX Process Execution.
6 * @subpackage Administration
10 * Executing AJAX process.
// Bootstrap of the admin AJAX endpoint: mark the request as AJAX and admin, then load WordPress and the admin includes.
14 define('DOING_AJAX', true);
15 define('WP_ADMIN', true);
17 require_once('../wp-load.php');
18 require_once('includes/admin.php');
// '@' suppresses the warning PHP raises when headers were already sent; responses default to text/html.
19 @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
// NOTE(review): admin_init fires before the is_user_logged_in() test that follows, so callbacks hooked on it
// also run for unauthenticated requests and need their own capability checks.
21 do_action('admin_init');
// Logged-out requests: an autosave attempt gets a "logged out" alert, anything else is handed to the
// matching wp_ajax_nopriv_* hook. Several lines of this branch are not visible in this listing.
23 if ( ! is_user_logged_in() ) {
// NOTE(review): $_POST['action'] is read without isset(), so a request that lacks it raises a notice.
25 if ( $_POST['action'] == 'autosave' ) {
26 $id = isset($_POST['post_ID'])? (int) $_POST['post_ID'] : 0;
31 $message = sprintf( __('<strong>ALERT: You are logged out!</strong> Could not save draft. <a href="%s" target="blank">Please log in again.</a>'), wp_login_url() );
32 $x = new WP_Ajax_Response( array(
// NOTE(review): the hook name is built from request input and this branch runs without a login, so every
// callback registered on a wp_ajax_nopriv_* hook is reachable anonymously and must validate and authorize
// its own input; no nonce or capability check happens here on its behalf.
40 if ( !empty( $_REQUEST['action']) )
41 do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] );
// GET dispatcher: actions that arrive in the query string are handled by this switch.
46 if ( isset( $_GET['action'] ) ) :
47 switch ( $action = $_GET['action'] ) :
// Tag autocomplete: returns the term names of one taxonomy that contain the last comma-separated fragment of q.
// Only a capability check is visible for this case; it reads data and changes nothing.
48 case 'ajax-tag-search' :
49 if ( !current_user_can( 'edit_posts' ) )
52 $s = $_GET['q']; // is this slashed already?
// The taxonomy name from the request is reduced by sanitize_title(); the fallback assignment is not visible here.
54 if ( isset($_GET['tax']) )
55 $taxonomy = sanitize_title($_GET['tax']);
// Keep only the fragment after the last comma.
59 if ( false !== strpos( $s, ',' ) ) {
60 $s = explode( ',', $s );
61 $s = $s[count( $s ) - 1];
64 if ( strlen( $s ) < 2 )
65 die; // require 2 chars for matching
// NOTE(review): $s comes from $_GET['q'] and is concatenated into the SQL text. The only protection is
// whatever slashing the bootstrap applied to $_GET (the question on the $s assignment is still open).
// Prefer $wpdb->prepare() with a %s placeholder (after stripslashes() if the input is in fact
// pre-slashed) and escape the LIKE wildcards % and _ in $s. $taxonomy is interpolated as well and
// relies on sanitize_title() alone.
67 $results = $wpdb->get_col( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.name LIKE ('%" . $s . "%')" );
// NOTE(review): term names are echoed unescaped under the text/html Content-Type set at the top of the
// file; confirm the consumer treats the response as plain text. join() with the array as first argument
// is the legacy argument order, which PHP 8 no longer accepts.
69 echo join( $results, "\n" );
// Script-compression probe: serves a fixed test string and records the outcome in the can_compress_scripts site option.
72 case 'wp-compression-test' :
73 if ( !current_user_can( 'manage_options' ) )
// Compression is already done at the PHP level, so script compression is switched off.
76 if ( ini_get('zlib.output_compression') || 'ob_gzhandler' == ini_get('output_handler') ) {
77 update_site_option('can_compress_scripts', 0);
81 if ( isset($_GET['test']) ) {
// Anti-caching headers so that each probe is answered fresh.
82 header( 'Expires: Wed, 11 Jan 1984 05:00:00 GMT' );
83 header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
84 header( 'Cache-Control: no-cache, must-revalidate, max-age=0' );
85 header( 'Pragma: no-cache' );
86 header('Content-Type: application/x-javascript; charset=UTF-8');
// ENFORCE_GZIP, when defined and truthy, rules out the deflate branch below.
87 $force_gzip = ( defined('ENFORCE_GZIP') && ENFORCE_GZIP );
88 $test_str = '"wpCompressionTest Lorem ipsum dolor sit amet consectetuer mollis sapien urna ut a. Eu nonummy condimentum fringilla tempor pretium platea vel nibh netus Maecenas. Hac molestie amet justo quis pellentesque est ultrices interdum nibh Morbi. Cras mattis pretium Phasellus ante ipsum ipsum ut sociis Suspendisse Lorem. Ante et non molestie. Porta urna Vestibulum egestas id congue nibh eu risus gravida sit. Ac augue auctor Ut et non a elit massa id sodales. Elit eu Nulla at nibh adipiscing mattis lacus mauris at tempus. Netus nibh quis suscipit nec feugiat eget sed lorem et urna. Pellentesque lacus at ut massa consectetuer ligula ut auctor semper Pellentesque. Ut metus massa nibh quam Curabitur molestie nec mauris congue. Volutpat molestie elit justo facilisis neque ac risus Ut nascetur tristique. Vitae sit lorem tellus et quis Phasellus lacus tincidunt nunc Fusce. Pharetra wisi Suspendisse mus sagittis libero lacinia Integer consequat ac Phasellus. Et urna ac cursus tortor aliquam Aliquam amet tellus volutpat Vestibulum. Justo interdum condimentum In augue congue tellus sollicitudin Quisque quis nibh."';
// test=2 picks deflate or gzip from the client's Accept-Encoding header; the body of the test=1 branch is not visible here.
90 if ( 1 == $_GET['test'] ) {
93 } elseif ( 2 == $_GET['test'] ) {
94 if ( !isset($_SERVER['HTTP_ACCEPT_ENCODING']) )
96 if ( false !== strpos( strtolower($_SERVER['HTTP_ACCEPT_ENCODING']), 'deflate') && function_exists('gzdeflate') && ! $force_gzip ) {
97 header('Content-Encoding: deflate');
98 $out = gzdeflate( $test_str, 1 );
99 } elseif ( false !== strpos( strtolower($_SERVER['HTTP_ACCEPT_ENCODING']), 'gzip') && function_exists('gzencode') ) {
100 header('Content-Encoding: gzip');
101 $out = gzencode( $test_str, 1 );
// NOTE(review): test=no and test=yes change a site option from a GET request, and the only guard visible
// in this case is the manage_options check; no check_ajax_referer() call appears among the visible lines.
// Confirm this, because a state change without a nonce is exposed to cross-site request forgery.
107 } elseif ( 'no' == $_GET['test'] ) {
108 update_site_option('can_compress_scripts', 0);
109 } elseif ( 'yes' == $_GET['test'] ) {
110 update_site_option('can_compress_scripts', 1);
// Image editor preview: calls stream_preview_image() for the attachment named by postid.
116 case 'imgedit-preview' :
// The id is forced to an integer; capability on that post and the per-post nonce are both checked before any work is done.
117 $post_id = intval($_GET['postid']);
118 if ( empty($post_id) || !current_user_can('edit_post', $post_id) )
121 check_ajax_referer( "image_editor-$post_id" );
123 include_once( ABSPATH . 'wp-admin/includes/image-edit.php' );
124 if ( !stream_preview_image($post_id) )
// oEmbed cache refresh: $return is '1' or '0' depending on the result of $wp_embed->cache_oembed().
129 case 'oembed-cache' :
// NOTE(review): $_GET['post'] is passed through uncast and neither a capability nor a nonce check is
// visible in this case; confirm that cache_oembed() validates the id itself.
130 $return = ( $wp_embed->cache_oembed( $_GET['post'] ) ) ? '1' : '0';
// Any other GET action is delegated to the wp_ajax_{action} hook; the hook name comes from the request,
// so capability and nonce checks are the responsibility of each registered callback.
134 do_action( 'wp_ajax_' . $_GET['action'] );
141 * Sends back current comment total and new page links if they need to be updated.
143 * Contrary to normal success AJAX response ("1"), die with time() on success.
147 * @param int $comment_id
// Builds the response sent after a comment was removed or re-moderated: either the bare timestamp or
// an updated comment total with fresh pagination links.
150 function _wp_ajax_delete_comment_response( $comment_id ) {
// Pagination state echoed back by the client; '@' hides the notice for an absent key and the (int) cast
// turns a missing value into 0.
151 $total = (int) @$_POST['_total'];
152 $per_page = (int) @$_POST['_per_page'];
153 $page = (int) @$_POST['_page'];
// The list URL supplied by the client goes through esc_url_raw() before it is parsed and reused below.
154 $url = esc_url_raw( @$_POST['_url'] );
155 // JS didn't send us everything we need to know. Just die with success message
156 if ( !$total || !$per_page || !$page || !$url )
157 die( (string) time() );
159 if ( --$total < 0 ) // Take the total from POST and decrement it (since we just deleted one)
// mt_rand() only thins out the expensive recount; it is not used for anything security-sensitive.
162 if ( 0 != $total % $per_page && 1 != mt_rand( 1, $per_page ) ) // Only do the expensive stuff on a page-break, and about 1 other time per page
163 die( (string) time() );
166 $status = 'total_comments'; // What type of comment count are we looking for?
167 $parsed = parse_url( $url );
168 if ( isset( $parsed['query'] ) ) {
169 parse_str( $parsed['query'], $query_vars );
// comment_status comes from the client-supplied URL and is later used as a dynamic property name;
// the isset() test on $comment_count->$status limits it to properties that exist on the count object.
170 if ( !empty( $query_vars['comment_status'] ) )
171 $status = $query_vars['comment_status'];
172 if ( !empty( $query_vars['p'] ) )
173 $post_id = (int) $query_vars['p'];
176 $comment_count = wp_count_comments($post_id);
177 $time = time(); // The time since the last comment count
179 if ( isset( $comment_count->$status ) ) // We're looking for a known type of comment count
180 $total = $comment_count->$status;
181 // else use the decremented value from above
// The sanitized URL becomes the base of the pagination links.
183 $page_links = paginate_links( array(
184 'base' => add_query_arg( 'apage', '%#%', $url ),
186 'prev_text' => __('«'),
187 'next_text' => __('»'),
188 'total' => ceil($total / $per_page),
191 $x = new WP_Ajax_Response( array(
193 'id' => $comment_id, // here for completeness - not used
194 'supplemental' => array(
195 'pageLinks' => $page_links,
// POST dispatcher: $id is the integer-cast 'id' field (0 when absent) and is shared by the cases of this switch.
203 $id = isset($_POST['id'])? (int) $_POST['id'] : 0;
204 switch ( $action = $_POST['action'] ) :
// Comment moderation: trash, untrash, spam, unspam or delete one comment, selected by the flag posted as 1.
205 case 'delete-comment' : // On success, die with time() instead of 1
206 if ( !$comment = get_comment( $id ) )
207 die( (string) time() );
// Authorization is checked against the post the stored comment belongs to, then the per-comment nonce.
208 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
211 check_ajax_referer( "delete-comment_$id" );
212 $status = wp_get_comment_status( $comment->comment_ID );
// Each status branch exits with the timestamp when the requested transition does not apply to the current status.
214 if ( isset($_POST['trash']) && 1 == $_POST['trash'] ) {
215 if ( 'trash' == $status )
216 die( (string) time() );
217 $r = wp_trash_comment( $comment->comment_ID );
218 } elseif ( isset($_POST['untrash']) && 1 == $_POST['untrash'] ) {
219 if ( 'trash' != $status )
220 die( (string) time() );
221 $r = wp_untrash_comment( $comment->comment_ID );
222 } elseif ( isset($_POST['spam']) && 1 == $_POST['spam'] ) {
223 if ( 'spam' == $status )
224 die( (string) time() );
225 $r = wp_spam_comment( $comment->comment_ID );
226 } elseif ( isset($_POST['unspam']) && 1 == $_POST['unspam'] ) {
227 if ( 'spam' != $status )
228 die( (string) time() );
229 $r = wp_unspam_comment( $comment->comment_ID );
230 } elseif ( isset($_POST['delete']) && 1 == $_POST['delete'] ) {
231 $r = wp_delete_comment( $comment->comment_ID );
236 if ( $r ) // Decide if we need to send back '1' or a more complicated response including page links and comment counts
237 _wp_ajax_delete_comment_response( $comment->comment_ID );
// Category deletion (the case label is not among the visible lines): per-id nonce, then the
// manage_categories capability, then an existence check before wp_delete_category() runs.
241 check_ajax_referer( "delete-category_$id" );
242 if ( !current_user_can( 'manage_categories' ) )
245 $cat = get_category( $id );
246 if ( !$cat || is_wp_error( $cat ) )
249 if ( wp_delete_category( $id ) )
// Term deletion for a taxonomy named by the request, defaulting to post_tag (case label not visible here).
255 $tag_id = (int) $_POST['tag_ID'];
256 check_ajax_referer( "delete-tag_$tag_id" );
257 if ( !current_user_can( 'manage_categories' ) )
// NOTE(review): the taxonomy name is taken from $_POST as-is, whereas the tag-search and tag-cloud
// handlers in this file pass theirs through sanitize_title(). The same manage_categories capability is
// applied whichever taxonomy is named; confirm that this is intended.
260 $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
262 $tag = get_term( $tag_id, $taxonomy );
263 if ( !$tag || is_wp_error( $tag ) )
266 if ( wp_delete_term($tag_id, $taxonomy))
// Link category deletion: nonce, capability and existence checks, then refusal for the default category.
271 case 'delete-link-cat' :
272 check_ajax_referer( "delete-link-category_$id" );
273 if ( !current_user_can( 'manage_categories' ) )
276 $cat = get_term( $id, 'link_category' );
277 if ( !$cat || is_wp_error( $cat ) )
// NOTE(review): $cat_name ends up inside HTML in the error message below; presumably get_term_field()
// returns it escaped for display. Verify.
280 $cat_name = get_term_field('name', $id, 'link_category');
282 $default = get_option('default_link_category');
284 // Don't delete the default cats.
// Loose comparison: $id is an int, the option value is whatever get_option() returns.
285 if ( $id == $default ) {
286 $x = new WP_AJAX_Response( array(
287 'what' => 'link-cat',
289 'data' => new WP_Error( 'default-link-cat', sprintf(__("Can’t delete the <strong>%s</strong> category: this is the default one"), $cat_name) )
// The default category id is passed along with the delete call.
294 $r = wp_delete_term($id, 'link_category', array('default' => $default));
297 if ( is_wp_error($r) ) {
298 $x = new WP_AJAX_Response( array(
299 'what' => 'link-cat',
// Bookmark deletion (case label not visible here): per-id nonce, manage_links capability, existence check, then wp_delete_link().
308 check_ajax_referer( "delete-bookmark_$id" );
309 if ( !current_user_can( 'manage_links' ) )
312 $link = get_bookmark( $id );
313 if ( !$link || is_wp_error( $link ) )
316 if ( wp_delete_link( $id ) )
// Custom field deletion (case label not visible here). The capability is checked against the post that
// the stored meta row belongs to, not against an id supplied by the client.
322 check_ajax_referer( "delete-meta_$id" );
323 if ( !$meta = get_post_meta_by_id( $id ) )
326 if ( !current_user_can( 'edit_post', $meta->post_id ) )
328 if ( delete_meta( $meta->meta_id ) )
// Post deletion (case label not visible here): the nonce name is derived from the action and the id,
// followed by the delete_post capability and an existence check.
333 check_ajax_referer( "{$action}_$id" );
334 if ( !current_user_can( 'delete_post', $id ) )
337 if ( !get_post( $id ) )
340 if ( wp_delete_post( $id ) )
// Trash / untrash a post; the 'trash-post' == $action test shows that this case body serves both actions.
346 case 'untrash-post' :
// One nonce per action and post id, then the delete_post capability on that id.
347 check_ajax_referer( "{$action}_$id" );
348 if ( !current_user_can( 'delete_post', $id ) )
351 if ( !get_post( $id ) )
354 if ( 'trash-post' == $action )
355 $done = wp_trash_post( $id );
357 $done = wp_untrash_post( $id );
// Page deletion (case label not visible here): action-and-id nonce, delete_page capability, existence check, then wp_delete_post().
365 check_ajax_referer( "{$action}_$id" );
366 if ( !current_user_can( 'delete_page', $id ) )
369 if ( !get_page( $id ) )
372 if ( wp_delete_post( $id ) )
// Approve / unapprove toggle for one comment.
377 case 'dim-comment' : // On success, die with time() instead of 1
379 if ( !$comment = get_comment( $id ) ) {
380 $x = new WP_Ajax_Response( array(
382 'id' => new WP_Error('invalid_comment', sprintf(__('Comment %d does not exist'), $id))
// Either edit rights on the parent post or the moderate_comments capability is sufficient.
387 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments' ) )
390 $current = wp_get_comment_status( $comment->comment_ID );
// The no-op exit happens before the nonce check; nothing is modified on that path.
// NOTE(review): $_POST['new'] is read without isset().
391 if ( $_POST['new'] == $current )
392 die( (string) time() );
394 check_ajax_referer( "approve-comment_$id" );
// The new status is derived from the stored status, not from the request.
395 if ( in_array( $current, array( 'unapproved', 'spam' ) ) )
396 $result = wp_set_comment_status( $comment->comment_ID, 'approve', true );
398 $result = wp_set_comment_status( $comment->comment_ID, 'hold', true );
400 if ( is_wp_error($result) ) {
401 $x = new WP_Ajax_Response( array(
408 // Decide if we need to send back '1' or a more complicated response including page links and comment counts
409 _wp_ajax_delete_comment_response( $comment->comment_ID );
// Quick-add of one or more comma-separated categories from the post editor; returns refreshed checklist markup.
412 case 'add-category' : // On the Fly
413 check_ajax_referer( $action );
414 if ( !current_user_can( 'manage_categories' ) )
416 $names = explode(',', $_POST['newcat']);
417 if ( 0 > $parent = (int) $_POST['newcat_parent'] )
// Category ids already ticked in the form are normalised with absint().
419 $post_category = isset($_POST['post_category'])? (array) $_POST['post_category'] : array();
420 $checked_categories = array_map( 'absint', (array) $post_category );
421 $popular_ids = wp_popular_terms_checklist('category', 0, 10, false);
423 foreach ( $names as $cat_name ) {
424 $cat_name = trim($cat_name);
// sanitize_title() is used here only to detect names that sanitize to an empty string.
425 $category_nicename = sanitize_title($cat_name);
426 if ( '' === $category_nicename )
428 $cat_id = wp_create_category( $cat_name, $parent );
429 $checked_categories[] = $cat_id;
430 if ( $parent ) // Do these all at once in a second
432 $category = get_category( $cat_id );
434 wp_category_checklist( 0, $cat_id, $checked_categories, $popular_ids );
435 $data = ob_get_contents();
438 'what' => 'category',
440 'data' => str_replace( array("\n", "\t"), '', $data),
444 if ( $parent ) { // Foncy - replace the parent and all its children
// NOTE(review): the first get_category() result is dereferenced without the is_wp_error() test that
// the loop applies to the later lookups; confirm that the lines not visible here guard it.
445 $parent = get_category( $parent );
446 $term_id = $parent->term_id;
448 while ( $parent->parent ) { // get the top parent
// Assigning a function result by reference ('= &') raises a notice on PHP 5 and later.
449 $parent = &get_category( $parent->parent );
450 if ( is_wp_error( $parent ) )
452 $term_id = $parent->term_id;
456 wp_category_checklist( 0, $term_id, $checked_categories, $popular_ids, null, false );
457 $data = ob_get_contents();
460 'what' => 'category',
462 'data' => str_replace( array("\n", "\t"), '', $data),
// The refreshed parent dropdown travels in the 'supplemental' part of the response.
468 wp_dropdown_categories( array( 'hide_empty' => 0, 'name' => 'newcat_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => __('Parent category') ) );
469 $sup = ob_get_contents();
471 $add['supplemental'] = array( 'newcat_parent' => $sup );
473 $x = new WP_Ajax_Response( $add );
// Quick-add of comma-separated link categories; returns one checkbox list item per name.
476 case 'add-link-category' : // On the Fly
477 check_ajax_referer( $action );
478 if ( !current_user_can( 'manage_categories' ) )
480 $names = explode(',', $_POST['newcat']);
481 $x = new WP_Ajax_Response();
482 foreach ( $names as $cat_name ) {
483 $cat_name = trim($cat_name);
484 $slug = sanitize_title($cat_name);
// An existing term is reused; otherwise the term is inserted.
487 if ( !$cat_id = is_term( $cat_name, 'link_category' ) ) {
488 $cat_id = wp_insert_term( $cat_name, 'link_category' );
490 $cat_id = $cat_id['term_id'];
// The name is unslashed and HTML-escaped before it is embedded in the markup below.
491 $cat_name = esc_html(stripslashes($cat_name));
493 'what' => 'link-category',
// $cat_id is escaped for the value attribute but interpolated directly into the id/for attributes;
// presumably it is always the integer term id returned by the term API. Verify.
495 'data' => "<li id='link-category-$cat_id'><label for='in-link-category-$cat_id' class='selectit'><input value='" . esc_attr($cat_id) . "' type='checkbox' checked='checked' name='link_category[]' id='in-link-category-$cat_id'/> $cat_name</label></li>",
// Category creation from the category management screen; returns the rendered table row.
501 case 'add-cat' : // From Manage->Categories
502 check_ajax_referer( 'add-category' );
503 if ( !current_user_can( 'manage_categories' ) )
506 if ( '' === trim($_POST['cat_name']) ) {
507 $x = new WP_Ajax_Response( array(
509 'id' => new WP_Error( 'cat_name', __('You did not enter a category name.') )
// NOTE(review): category_parent is passed to category_exists() uncast.
514 if ( category_exists( trim( $_POST['cat_name'] ), $_POST['category_parent'] ) ) {
515 $x = new WP_Ajax_Response( array(
517 'id' => new WP_Error( 'cat_exists', __('The category you are trying to create already exists.'), array( 'form-field' => 'cat_name' ) ),
// NOTE(review): the whole $_POST array is handed to wp_insert_category(), so every key that function
// honours can be set by the client. Confirm that it only reads the fields this form is meant to send.
522 $cat = wp_insert_category( $_POST, true );
524 if ( is_wp_error($cat) ) {
525 $x = new WP_Ajax_Response( array(
532 if ( !$cat || (!$cat = get_category( $cat )) )
// Build "Ancestor — Parent — Name" by walking up the parent chain; the initial $_cat assignment is not visible here.
536 $cat_full_name = $cat->name;
538 while ( $_cat->parent ) {
539 $_cat = get_category( $_cat->parent );
540 $cat_full_name = $_cat->name . ' — ' . $cat_full_name;
// Escaped once here, then reused both as row data and inside the link text of the 'show-link' markup.
543 $cat_full_name = esc_attr($cat_full_name);
545 $x = new WP_Ajax_Response( array(
547 'id' => $cat->term_id,
549 'data' => _cat_row( $cat, $level, $cat_full_name ),
550 'supplemental' => array('name' => $cat_full_name, 'show-link' => sprintf(__( 'Category <a href="#%s">%s</a> added' ), "cat-$cat->term_id", $cat_full_name))
// Link category creation from the link category screen; returns the rendered row.
554 case 'add-link-cat' : // From Blogroll -> Categories
555 check_ajax_referer( 'add-link-category' );
556 if ( !current_user_can( 'manage_categories' ) )
559 if ( '' === trim($_POST['name']) ) {
560 $x = new WP_Ajax_Response( array(
561 'what' => 'link-cat',
562 'id' => new WP_Error( 'name', __('You did not enter a category name.') )
// NOTE(review): $_POST is passed wholesale as the term arguments; confirm that wp_insert_term() ignores keys it does not expect.
567 $r = wp_insert_term($_POST['name'], 'link_category', $_POST );
568 if ( is_wp_error( $r ) ) {
569 $x = new WP_AJAX_Response( array(
570 'what' => 'link-cat',
// extract() runs on the array returned by wp_insert_term(), not on request data, and EXTR_SKIP keeps
// it from overwriting variables that already exist.
576 extract($r, EXTR_SKIP);
578 if ( !$link_cat = link_cat_row( $term_id ) )
581 $x = new WP_Ajax_Response( array(
582 'what' => 'link-cat',
// Term creation from the tag management screen; echoes the new table row, or an error box on failure.
589 case 'add-tag' : // From Manage->Tags
590 check_ajax_referer( 'add-tag' );
591 if ( !current_user_can( 'manage_categories' ) )
// NOTE(review): the taxonomy name is used exactly as posted (no sanitize_title() as in the tag-search
// and tag-cloud handlers of this file), and $_POST is passed wholesale as the term arguments.
594 $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
595 $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST );
// Insert failure, a WP_Error and a failed re-read all collapse into the same generic message.
597 if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) {
598 echo '<div class="error"><p>' . __('An error has occured. Please reload the page and try again.') . '</p></div>';
602 echo _tag_row( $tag, '', $taxonomy );
// Tag cloud for the post editor: the 45 terms with the highest count in one taxonomy. This is a read
// with a capability check; no nonce check is visible in this case.
605 case 'get-tagcloud' :
606 if ( !current_user_can( 'edit_posts' ) )
// The taxonomy name from the request is reduced with sanitize_title(); the fallback is not visible here.
609 if ( isset($_POST['tax']) )
610 $taxonomy = sanitize_title($_POST['tax']);
614 $tags = get_terms( $taxonomy, array( 'number' => 45, 'orderby' => 'count', 'order' => 'DESC' ) );
616 if ( empty( $tags ) )
617 die( __('No tags found!') );
619 if ( is_wp_error($tags) )
620 die($tags->get_error_message());
// Links are neutralised to '#' and each entry gets its term id.
622 foreach ( $tags as $key => $tag ) {
623 $tags[ $key ]->link = '#';
624 $tags[ $key ]->id = $tag->term_id;
627 // We need raw tag names here, so don't filter the output
// NOTE(review): with 'filter' => 0 the generated markup presumably carries the tag names as stored;
// confirm that whatever inserts this response into the page treats the names as text.
628 $return = wp_generate_tag_cloud( $tags, array('filter' => 0) );
630 if ( empty($return) )
// Fetches one further comment row for the comments list (case label not visible here); the nonce name equals the action name.
638 check_ajax_referer( $action );
639 if ( !current_user_can( 'edit_posts' ) )
// NOTE(review): s, comment_status, mode, p and comment_type are forwarded as posted. per_page and page
// are cast to int; p is not, unlike the post ids in the neighbouring handlers. Confirm that
// _wp_get_comment_list() and _wp_comment_row() validate them.
641 $search = isset($_POST['s']) ? $_POST['s'] : false;
642 $status = isset($_POST['comment_status']) ? $_POST['comment_status'] : 'all';
643 $per_page = isset($_POST['per_page']) ? (int) $_POST['per_page'] + 8 : 28;
644 $start = isset($_POST['page']) ? ( intval($_POST['page']) * $per_page ) -1 : $per_page - 1;
648 $mode = isset($_POST['mode']) ? $_POST['mode'] : 'detail';
649 $p = isset($_POST['p']) ? $_POST['p'] : 0;
650 $comment_type = isset($_POST['comment_type']) ? $_POST['comment_type'] : '';
// Exactly one comment is requested, starting at offset $start.
651 list($comments, $total) = _wp_get_comment_list( $status, $search, $start, 1, $p, $comment_type );
653 if ( get_option('show_avatars') )
654 add_filter( 'comment_author', 'floated_admin_avatar' );
658 $x = new WP_Ajax_Response();
659 foreach ( (array) $comments as $comment ) {
660 get_comment( $comment );
// The row markup is captured from the output buffer.
662 _wp_comment_row( $comment->comment_ID, $mode, $status, true, true );
663 $comment_list_item = ob_get_contents();
667 'id' => $comment->comment_ID,
668 'data' => $comment_list_item
// Returns a slice of the comments of one post as concatenated row markup.
673 case 'get-comments' :
674 check_ajax_referer( $action );
// The post id is cast to int and the capability is checked on that post before anything is read.
676 $post_ID = (int) $_POST['post_ID'];
677 if ( !current_user_can( 'edit_post', $post_ID ) )
// Offset and count are integers; no upper bound on num is visible in this case.
680 $start = isset($_POST['start']) ? intval($_POST['start']) : 0;
681 $num = isset($_POST['num']) ? intval($_POST['num']) : 10;
683 list($comments, $total) = _wp_get_comment_list( false, false, $start, $num, $post_ID );
688 $comment_list_item = '';
689 $x = new WP_Ajax_Response();
690 foreach ( (array) $comments as $comment ) {
691 get_comment( $comment );
693 _wp_comment_row( $comment->comment_ID, 'single', false, false );
694 $comment_list_item .= ob_get_contents();
698 'what' => 'comments',
699 'data' => $comment_list_item
// Reply from the admin comment screens: creates a comment by the current user on comment_post_ID,
// as a child of comment_ID, and returns the rendered row.
703 case 'replyto-comment' :
704 check_ajax_referer( $action );
706 $comment_post_ID = (int) $_POST['comment_post_ID'];
707 if ( !current_user_can( 'edit_post', $comment_post_ID ) )
// Prepared statement with a %d placeholder.
710 $status = $wpdb->get_var( $wpdb->prepare("SELECT post_status FROM $wpdb->posts WHERE ID = %d", $comment_post_ID) );
712 if ( empty($status) )
714 elseif ( in_array($status, array('draft', 'pending', 'trash') ) )
715 die( __('Error: you are replying to a comment on a draft post.') );
717 $user = wp_get_current_user();
// Author fields come from the logged-in user's profile, not from the request, and are escaped for the database.
719 $comment_author = $wpdb->escape($user->display_name);
720 $comment_author_email = $wpdb->escape($user->user_email);
721 $comment_author_url = $wpdb->escape($user->user_url);
// The content is only trimmed here; presumably wp_new_comment() expects it in the slashed form in which it arrives. Verify.
722 $comment_content = trim($_POST['content']);
// Unfiltered HTML is kept only when the dedicated nonce matches; on a mismatch the kses filters are
// re-installed so that the content is filtered.
// NOTE(review): the nonce is read without isset() and compared with a loose '!='. A strict comparison,
// or wp_verify_nonce(), avoids PHP treating two numeric-looking strings as equal.
723 if ( current_user_can('unfiltered_html') ) {
724 if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
725 kses_remove_filters(); // start with a clean slate
726 kses_init_filters(); // set up the filters
730 die( __('Sorry, you must be logged in to reply to a comment.') );
733 if ( '' == $comment_content )
734 die( __('Error: please type a comment.') );
// NOTE(review): nothing visible confirms that the parent comment belongs to $comment_post_ID.
// 'comment_type' and 'user_ID' are compact()ed but not assigned in the visible lines.
736 $comment_parent = absint($_POST['comment_ID']);
737 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');
739 $comment_id = wp_new_comment( $commentdata );
740 $comment = get_comment($comment_id);
741 if ( ! $comment ) die('1');
// The render mode is restricted to an allow-list; position and checkbox are reduced to an int and a flag.
743 $modes = array( 'single', 'detail', 'dashboard' );
744 $mode = isset($_POST['mode']) && in_array( $_POST['mode'], $modes ) ? $_POST['mode'] : 'detail';
745 $position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1';
746 $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0;
748 if ( get_option('show_avatars') && 'single' != $mode )
749 add_filter( 'comment_author', 'floated_admin_avatar' );
751 $x = new WP_Ajax_Response();
754 if ( 'dashboard' == $mode ) {
755 require_once( ABSPATH . 'wp-admin/includes/dashboard.php' );
756 _wp_dashboard_recent_comments_row( $comment, false );
758 _wp_comment_row( $comment->comment_ID, $mode, false, $checkbox );
760 $comment_list_item = ob_get_contents();
765 'id' => $comment->comment_ID,
766 'data' => $comment_list_item,
767 'position' => $position
// Inline edit of an existing comment; reuses the 'replyto-comment' nonce and returns the re-rendered row.
772 case 'edit-comment' :
773 check_ajax_referer( 'replyto-comment' );
// NOTE(review): the capability is checked on the post id supplied by the client, while the comment that
// gets edited is named separately by comment_ID. Nothing visible ties the two together. Confirm that
// the edit routine re-checks edit_post against the post the stored comment actually belongs to.
775 $comment_post_ID = (int) $_POST['comment_post_ID'];
776 if ( ! current_user_can( 'edit_post', $comment_post_ID ) )
779 if ( '' == $_POST['content'] )
780 die( __('Error: please type a comment.') );
782 $comment_id = (int) $_POST['comment_ID'];
// 'status' is copied to the key name 'comment_status' inside $_POST; presumably the edit routine reads it from there. Verify.
783 $_POST['comment_status'] = $_POST['status'];
// The mode collapses to 'single' or 'detail'; comments_listing is forwarded to the row renderer as posted.
786 $mode = ( isset($_POST['mode']) && 'single' == $_POST['mode'] ) ? 'single' : 'detail';
787 $position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1';
788 $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0;
789 $comments_listing = isset($_POST['comments_listing']) ? $_POST['comments_listing'] : '';
791 if ( get_option('show_avatars') && 'single' != $mode )
792 add_filter( 'comment_author', 'floated_admin_avatar' );
794 $x = new WP_Ajax_Response();
797 _wp_comment_row( $comment_id, $mode, $comments_listing, $checkbox );
798 $comment_list_item = ob_get_contents();
802 'what' => 'edit_comment',
803 'id' => $comment->comment_ID,
804 'data' => $comment_list_item,
805 'position' => $position
// Custom field add / update (case label not visible here). With metakeyselect or metakeyinput present
// a field is added; the later part updates the field whose id is the last key of $_POST['meta'].
811 check_ajax_referer( 'add-meta' );
813 $pid = (int) $_POST['post_id'];
814 if ( isset($_POST['metakeyselect']) || isset($_POST['metakeyinput']) ) {
// The capability is checked on the posted post id before a field is added.
815 if ( !current_user_can( 'edit_post', $pid ) )
817 if ( isset($_POST['metakeyselect']) && '#NONE#' == $_POST['metakeyselect'] && empty($_POST['metakeyinput']) )
// A placeholder draft is inserted through wp_insert_post() so the field has a post to attach to;
// the condition that selects this path is not visible here.
820 $now = current_time('timestamp', 1);
821 if ( $pid = wp_insert_post( array(
822 'post_title' => sprintf('Draft created on %s at %s', date(get_option('date_format'), $now), date(get_option('time_format'), $now))
824 if ( is_wp_error( $pid ) ) {
825 $x = new WP_Ajax_Response( array(
831 if ( !$mid = add_meta( $pid ) )
832 die(__('Please provide a custom field value.'));
836 } else if ( !$mid = add_meta( $pid ) ) {
837 die(__('Please provide a custom field value.'));
// The stored row is re-read so that the response reflects what was actually saved.
840 $meta = get_post_meta_by_id( $mid );
841 $pid = (int) $meta->post_id;
842 $meta = get_object_vars( $meta );
843 $x = new WP_Ajax_Response( array(
846 'data' => _list_meta_row( $meta, $c ),
848 'supplemental' => array('postid' => $pid)
// Update path. NOTE(review): $_POST['meta'] is assumed to be a non-empty array, and array_pop() on a
// function result raises a "should be passed by reference" notice.
851 $mid = (int) array_pop(array_keys($_POST['meta']));
852 $key = $_POST['meta'][$mid]['key'];
853 $value = $_POST['meta'][$mid]['value'];
854 if ( !$meta = get_post_meta_by_id( $mid ) )
855 die('0'); // if meta doesn't exist
// Authorization uses the post id of the stored meta row rather than the post_id sent by the client.
856 if ( !current_user_can( 'edit_post', $meta->post_id ) )
858 if ( $meta->meta_value != stripslashes($value) ) {
859 if ( !$u = update_meta( $mid, $key, $value ) )
860 die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
863 $key = stripslashes($key);
864 $value = stripslashes($value);
865 $x = new WP_Ajax_Response( array(
867 'id' => $mid, 'old_id' => $mid,
868 'data' => _list_meta_row( array(
870 'meta_value' => $value,
874 'supplemental' => array('postid' => $meta->post_id)
// User creation from the Users screen (case label not visible here): nonce named after the action, then the create_users capability.
880 check_ajax_referer( $action );
881 if ( !current_user_can('create_users') )
883 require_once(ABSPATH . WPINC . '/registration.php');
// add_user() takes no arguments here, so it presumably reads the new user's fields from the request itself. Verify.
884 if ( !$user_id = add_user() )
886 elseif ( is_wp_error( $user_id ) ) {
887 $x = new WP_Ajax_Response( array(
893 $user_object = new WP_User( $user_id );
895 $x = new WP_Ajax_Response( array(
898 'data' => user_row( $user_object, '', $user_object->roles[0] ),
899 'supplemental' => array(
// NOTE(review): user_login is placed into markup without an esc_* call at this point; presumably it
// was sanitized when the account was created. Verify.
900 'show-link' => sprintf(__( 'User <a href="#%s">%s</a> added' ), "user-$user_id", $user_object->user_login),
901 'role' => $user_object->roles[0]
// Editor autosave: writes a new draft, overwrites an existing draft, or stores an autosave revision,
// and reports lock and session state back to the editor.
906 case 'autosave' : // The name of this action is hardcoded in edit_post()
907 define( 'DOING_AUTOSAVE', true );
// The return value of the nonce check is kept; the value 2 is what triggers the nonce refresh further down.
909 $nonce_age = check_ajax_referer( 'autosave', 'autosavenonce' );
910 global $current_user;
912 $_POST['post_category'] = explode(",", $_POST['catslist']);
913 if($_POST['post_type'] == 'page' || empty($_POST['post_category']))
914 unset($_POST['post_category']);
916 $do_autosave = (bool) $_POST['autosave'];
920 /* translators: draft saved date format, see http://php.net/date */
921 $draft_saved_date_format = __('g:i:s a');
922 $message = sprintf( __('Draft Saved at %s.'), date_i18n( $draft_saved_date_format ) );
924 $supplemental = array();
// $login_grace_period is not assigned in the visible lines; presumably it is set during authentication. Verify.
925 if ( isset($login_grace_period) )
926 $supplemental['session_expired'] = add_query_arg( 'interim-login', 1, wp_login_url() );
928 $id = $revision_id = 0;
// A negative post_ID is a temporary id from the editor: a new draft is written.
// NOTE(review): no capability check is visible on this path; confirm that wp_write_post() performs one.
929 if($_POST['post_ID'] < 0) {
930 $_POST['post_status'] = 'draft';
931 $_POST['temp_ID'] = $_POST['post_ID'];
932 if ( $do_autosave ) {
933 $id = wp_write_post();
937 $post_ID = (int) $_POST['post_ID'];
938 $_POST['ID'] = $post_ID;
939 $post = get_post($post_ID);
// If wp_check_post_lock() reports another editor, autosave and locking are both switched off for this request.
941 if ( $last = wp_check_post_lock( $post->ID ) ) {
942 $do_autosave = $do_lock = false;
944 $last_user = get_userdata( $last );
945 $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
946 $data = new WP_Error( 'locked', sprintf(
947 $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ),
948 esc_html( $last_user_name )
951 $supplemental['disable_autosave'] = 'disable';
// The capability is chosen from the stored post's type, not from the post_type field of the request.
954 if ( 'page' == $post->post_type ) {
955 if ( !current_user_can('edit_page', $post_ID) )
956 die(__('You are not allowed to edit this page.'));
958 if ( !current_user_can('edit_post', $post_ID) )
959 die(__('You are not allowed to edit this post.'));
962 if ( $do_autosave ) {
963 // Drafts are just overwritten by autosave
964 if ( 'draft' == $post->post_status ) {
966 } else { // Non drafts are not overwritten. The autosave is stored in a special post revision.
967 $revision_id = wp_create_post_autosave( $post->ID );
968 if ( is_wp_error($revision_id) )
979 if ( $do_lock && $id && is_numeric($id) )
980 wp_set_post_lock( $id );
// Replacement nonces are issued only after the autosave nonce was accepted above.
// The update nonce name follows the post_type sent by the client.
982 if ( $nonce_age == 2 ) {
983 $supplemental['replace-autosavenonce'] = wp_create_nonce('autosave');
984 $supplemental['replace-getpermalinknonce'] = wp_create_nonce('getpermalink');
985 $supplemental['replace-samplepermalinknonce'] = wp_create_nonce('samplepermalink');
986 $supplemental['replace-closedpostboxesnonce'] = wp_create_nonce('closedpostboxes');
988 if ( $_POST['post_type'] == 'post' )
989 $supplemental['replace-_wpnonce'] = wp_create_nonce('update-post_' . $id);
990 elseif ( $_POST['post_type'] == 'page' )
991 $supplemental['replace-_wpnonce'] = wp_create_nonce('update-page_' . $id);
995 $x = new WP_Ajax_Response( array(
996 'what' => 'autosave',
998 'data' => $id ? $data : '',
999 'supplemental' => $supplemental
// Issues the update nonce and the trash URL for a post that the editor has just created through autosave.
1003 case 'autosave-generate-nonces' :
1004 check_ajax_referer( 'autosave', 'autosavenonce' );
1005 $ID = (int) $_POST['post_ID'];
// post_type is reduced to 'page' or 'post' before it is used in capability, nonce and URL names.
1006 $post_type = ( 'page' == $_POST['post_type'] ) ? 'page' : 'post';
// Nonces are handed out only when the user may edit that object.
// NOTE(review): as shown, str_replace( '&', '&', ... ) replaces a string with itself; presumably an
// HTML entity was decoded when this listing was extracted. Check against the original file.
1007 if ( current_user_can( "edit_{$post_type}", $ID ) )
1008 die( json_encode( array( 'updateNonce' => wp_create_nonce( "update-{$post_type}_{$ID}" ), 'deleteURL' => str_replace( '&', '&', wp_nonce_url( admin_url( $post_type . '.php?action=trash&post=' . $ID ), "trash-{$post_type}_{$ID}" ) ) ) ) );
1009 do_action('autosave_generate_nonces');
// Stores, per user and per screen, which meta boxes are collapsed and which are hidden.
1012 case 'closed-postboxes' :
1013 check_ajax_referer( 'closedpostboxes', 'closedpostboxesnonce' );
// NOTE(review): the isset()-guarded value is overwritten on the next line by an explode() that reads
// $_POST directly, so the guard has no effect and a missing key still raises a notice. Same for 'hidden'.
1014 $closed = isset( $_POST['closed'] ) ? $_POST['closed'] : '';
1015 $closed = explode( ',', $_POST['closed'] );
1016 $hidden = isset( $_POST['hidden'] ) ? $_POST['hidden'] : '';
1017 $hidden = explode( ',', $_POST['hidden'] );
1018 $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
// $page becomes part of a user meta key, so it is restricted to lowercase letters, '_' and '-'.
1020 if ( !preg_match( '/^[a-z_-]+$/', $page ) )
1023 if ( ! $user = wp_get_current_user() )
// Values are written only to the current user's own meta; the box ids themselves are stored as posted.
1026 if ( is_array($closed) )
1027 update_usermeta($user->ID, 'closedpostboxes_'.$page, $closed);
1029 if ( is_array($hidden) ) {
1030 $hidden = array_diff( $hidden, array('submitdiv', 'linksubmitdiv') ); // postboxes that are always shown
1031 update_usermeta($user->ID, 'meta-box-hidden_'.$page, $hidden);
// Stores, per user and per screen, which list-table columns are hidden.
1036 case 'hidden-columns' :
1037 check_ajax_referer( 'screen-options-nonce', 'screenoptionnonce' );
// NOTE(review): the isset() guard is bypassed by the explode() on the next line, which reads $_POST['hidden'] directly.
1038 $hidden = isset( $_POST['hidden'] ) ? $_POST['hidden'] : '';
1039 $hidden = explode( ',', $_POST['hidden'] );
1040 $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
// $page is validated against [a-z_-]+ before it is interpolated into the user meta key.
1042 if ( !preg_match( '/^[a-z_-]+$/', $page ) )
1045 if ( ! $user = wp_get_current_user() )
1048 if ( is_array($hidden) )
1049 update_usermeta($user->ID, "manage-$page-columns-hidden", $hidden);
// Stores the current user's meta box ordering and column layout for one screen.
1053 case 'meta-box-order':
1054 check_ajax_referer( 'meta-box-order' );
// 'order' is forced to an array and page_columns to an int; the contents of 'order' are stored as posted.
1055 $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : false;
1056 $page_columns = isset( $_POST['page_columns'] ) ? (int) $_POST['page_columns'] : 0;
1057 $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
// $page is validated against [a-z_-]+ before it is interpolated into the option and meta keys.
1059 if ( !preg_match( '/^[a-z_-]+$/', $page ) )
1062 if ( ! $user = wp_get_current_user() )
1066 update_user_option($user->ID, "meta-box-order_$page", $order);
1068 if ( $page_columns )
1069 update_usermeta($user->ID, "screen_layout_$page", $page_columns);
// Returns the preview URL (permalink plus preview=true) of a post.
1073 case 'get-permalink':
1074 check_ajax_referer( 'getpermalink', 'getpermalinknonce' );
// NOTE(review): only the nonce is checked in the visible lines; there is no capability check on
// $post_id, so any holder of a valid nonce can ask for the permalink of any post id. Confirm this is acceptable.
1075 $post_id = isset($_POST['post_id'])? intval($_POST['post_id']) : 0;
1076 die(add_query_arg(array('preview' => 'true'), get_permalink($post_id)));
// Returns the sample permalink markup for a post, given a candidate title and slug.
1078 case 'sample-permalink':
1079 check_ajax_referer( 'samplepermalink', 'samplepermalinknonce' );
1080 $post_id = isset($_POST['post_id'])? intval($_POST['post_id']) : 0;
// NOTE(review): title and slug are forwarded as posted and no capability check on $post_id is visible;
// confirm that get_sample_permalink_html() escapes both values in its output.
1081 $title = isset($_POST['new_title'])? $_POST['new_title'] : '';
1082 $slug = isset($_POST['new_slug'])? $_POST['new_slug'] : '';
1083 die(get_sample_permalink_html($post_id, $title, $slug));
// Quick Edit save for a post or page (case label not visible here).
1086 check_ajax_referer( 'inlineeditnonce', '_inline_edit' );
1088 if ( ! isset($_POST['post_ID']) || ! ( $post_ID = (int) $_POST['post_ID'] ) )
// NOTE(review): the choice between edit_page and edit_post follows the post_type sent by the client,
// whereas the autosave handler in this file decides from the stored post's type. Confirm that the
// stored type cannot differ from the posted one here.
1091 if ( 'page' == $_POST['post_type'] ) {
1092 if ( ! current_user_can( 'edit_page', $post_ID ) )
1093 die( __('You are not allowed to edit this page.') );
1095 if ( ! current_user_can( 'edit_post', $post_ID ) )
1096 die( __('You are not allowed to edit this post.') );
// Saving is refused with a message while wp_check_post_lock() reports another editor.
1099 if ( $last = wp_check_post_lock( $post_ID ) ) {
1100 $last_user = get_userdata( $last );
1101 $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
1102 printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ), esc_html( $last_user_name ) );
// Content and excerpt are taken from the database row (re-slashed), since the quick edit form does not carry them.
// The assignment that creates $data is not visible in this listing.
1108 $post = get_post( $post_ID, ARRAY_A );
1109 $post = add_magic_quotes($post); //since it is from db
1111 $data['content'] = $post['post_content'];
1112 $data['excerpt'] = $post['post_excerpt'];
1115 $data['user_ID'] = $GLOBALS['user_ID'];
1117 if ( isset($data['post_parent']) )
1118 $data['parent_id'] = $data['post_parent'];
// The status comes from the form; comment and ping status default to 'closed' when empty.
1121 if ( isset($data['keep_private']) && 'private' == $data['keep_private'] )
1122 $data['post_status'] = 'private';
1124 $data['post_status'] = $data['_status'];
1126 if ( empty($data['comment_status']) )
1127 $data['comment_status'] = 'closed';
1128 if ( empty($data['ping_status']) )
1129 $data['ping_status'] = 'closed';
// NOTE(review): the raw $_POST['post_ID'] is passed to get_post() although the integer $post_ID is available.
1135 if ( 'page' == $_POST['post_type'] ) {
1136 $post[] = get_post($_POST['post_ID']);
1138 } elseif ( 'post' == $_POST['post_type'] ) {
1139 $mode = $_POST['post_view'];
1140 $post[] = get_post($_POST['post_ID']);
// Quick Edit save for a category, link category or tag, selected by tax_type; echoes the updated row.
// The inner case labels are not visible in this listing.
1146 case 'inline-save-tax':
1147 check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' );
// One capability, manage_categories, guards all three term types.
1149 if ( ! current_user_can('manage_categories') )
1150 die( __('Cheatin’ uh?') );
1152 if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
1155 switch ($_POST['tax_type']) {
// Category branch: an explicit $data array is built, and the description is carried over from the stored category.
1158 $data['cat_ID'] = $id;
1159 $data['cat_name'] = $_POST['name'];
1160 $data['category_nicename'] = $_POST['slug'];
1161 if ( isset($_POST['parent']) && (int) $_POST['parent'] > 0 )
1162 $data['category_parent'] = $_POST['parent'];
1164 $cat = get_category($id, ARRAY_A);
1165 $data['category_description'] = $cat['category_description'];
1167 $updated = wp_update_category($data);
1169 if ( $updated && !is_wp_error($updated) )
1170 echo _cat_row( $updated, 0 );
1172 die( __('Category not updated.') );
// NOTE(review): the link category and tag branches pass $_POST wholesale as the term arguments,
// unlike the category branch above, which builds an explicit array.
1176 $updated = wp_update_term($id, 'link_category', $_POST);
1178 if ( $updated && !is_wp_error($updated) )
1179 echo link_cat_row($updated['term_id']);
1181 die( __('Category not updated.') );
// NOTE(review): the taxonomy name is used as posted, and the get_term() result is dereferenced on the
// next line without a null / WP_Error check.
1185 $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
1187 $tag = get_term( $id, $taxonomy );
1188 $_POST['description'] = $tag->description;
1190 $updated = wp_update_term($id, $taxonomy, $_POST);
1191 if ( $updated && !is_wp_error($updated) ) {
1192 $tag = get_term( $updated['term_id'], $taxonomy );
1193 if ( !$tag || is_wp_error( $tag ) )
1194 die( __('Tag not updated.') );
1196 echo _tag_row($tag, '', $taxonomy);
1198 die( __('Tag not updated.') );
// Post/page search used by a "find posts" dialog: runs a LIKE search over
// title and content and returns an HTML table. The case label and several
// bare lines are missing from this listing.
// NOTE(review): only the nonce is checked; no current_user_can() call appears
// in the visible lines, and the query below returns titles of drafts as well
// as published posts - confirm that is intended for every nonce holder.
1207 check_ajax_referer( 'find-posts' );
1209 if ( empty($_POST['ps']) )
// $what is one of two fixed strings, so the post_type value in the SQL is never raw request text.
1212 $what = isset($_POST['pages']) ? 'page' : 'post';
// Slashes are removed from the request value before tokenising; every term is
// escaped again before it reaches the SQL.
1213 $s = stripslashes($_POST['ps']);
// Tokenise: a double-quoted phrase, or a run of characters that are not
// whitespace, quote, comma or plus.
1214 preg_match_all('/".*?("|$)|((?<=[\\s",+])|^)[^\\s",+]+/', $s, $matches);
1215 $search_terms = array_map('_search_terms_tidy', $matches[0]);
// The WHERE clause is built by string concatenation, so its safety rests on
// the escaping helper applied to each term.
// NOTE(review): slash-escaping leaves the LIKE wildcards % and _ active inside
// a term; $wpdb->prepare() with LIKE-escaped terms would be the safer form.
1217 $searchand = $search = '';
1218 foreach ( (array) $search_terms as $term ) {
1219 $term = addslashes_gpc($term);
1220 $search .= "{$searchand}(($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%'))";
1221 $searchand = ' AND ';
// With more than one term, also match the whole unsplit phrase.
1223 $term = $wpdb->escape($s);
1224 if ( count($search_terms) > 1 && $search_terms[0] != $s )
1225 $search .= " OR ($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%')";
// Limited to draft and published rows of the chosen type, newest first, 50 at most.
1227 $posts = $wpdb->get_results( "SELECT ID, post_title, post_status, post_date FROM $wpdb->posts WHERE post_type = '$what' AND post_status IN ('draft', 'publish') AND ($search) ORDER BY post_date_gmt DESC LIMIT 50" );
1230 exit( __('No posts found.') );
1232 $html = '<table class="widefat" cellspacing="0"><thead><tr><th class="found-radio"><br /></th><th>'.__('Title').'</th><th>'.__('Date').'</th><th>'.__('Status').'</th></tr></thead><tbody>';
1233 foreach ( $posts as $post ) {
// Map the status to a translated label (the case labels are missing here).
1235 switch ( $post->post_status ) {
1238 $stat = __('Published');
1241 $stat = __('Scheduled');
1244 $stat = __('Pending Review');
1247 $stat = __('Draft');
1251 if ( '0000-00-00 00:00:00' == $post->post_date ) {
1254 /* translators: date format in table columns, see http://php.net/date */
1255 $time = mysql2date(__('Y/m/d'), $post->post_date);
// Title, date and status pass through esc_html() and the radio value through
// esc_attr(); the id/for attributes use the ID column as is.
1258 $html .= '<tr class="found-posts"><td class="found-radio"><input type="radio" id="found-'.$post->ID.'" name="found_post_id" value="' . esc_attr($post->ID) . '"></td>';
1259 $html .= '<td><label for="found-'.$post->ID.'">'.esc_html( $post->post_title ).'</label></td><td>'.esc_html( $time ).'</td><td>'.esc_html( $stat ).'</td></tr>'."\n\n";
1261 $html .= '</tbody></table>';
1263 $x = new WP_Ajax_Response();
// Runs one step of the LiveJournal importer. The bare die/break lines are
// missing from this listing.
1271 case 'lj-importer' :
// Nonce first, then the publish_posts capability, then a non-empty step.
1272 check_ajax_referer( 'lj-api-import' );
1273 if ( !current_user_can( 'publish_posts' ) )
1275 if ( empty( $_POST['step'] ) )
1277 define('WP_IMPORTING', true);
// Fixed include path built from ABSPATH; nothing from the request goes into it.
1278 include( ABSPATH . 'wp-admin/import/livejournal.php' );
// The (int) cast confines the dynamic method name to "step" plus an integer.
// NOTE(review): $lj_api_import is presumably set by the included file, and no
// check that the step method exists is visible here - confirm.
1279 $result = $lj_api_import->{ 'step' . ( (int) $_POST['step'] ) }();
// The error message is echoed as is.
1280 if ( is_wp_error( $result ) )
1281 echo $result->get_error_message();
// Saves the order of widgets in every sidebar. The bare die/continue/brace
// lines are missing from this listing.
1284 case 'widgets-order' :
// Nonce: action 'save-sidebar-widgets', read from the 'savewidgets' field.
1285 check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' );
1287 if ( !current_user_can('switch_themes') )
// Drop the control fields before the remaining request data is used.
1290 unset( $_POST['savewidgets'], $_POST['action'] );
1292 // save widgets order for all sidebars
// NOTE(review): is_array() is applied without an isset() test, so a request
// without 'sidebars' raises a notice.
1293 if ( is_array($_POST['sidebars']) ) {
1294 $sidebars = array();
// NOTE(review): the sidebar ids ($key) come from the request and become keys
// of the saved array without a check against the registered sidebars.
1295 foreach ( $_POST['sidebars'] as $key => $val ) {
// $sb is presumably reset on a line not shown here - confirm.
1297 if ( !empty($val) ) {
// Each sidebar value is a comma-separated list of widget element ids.
1298 $val = explode(',', $val);
1299 foreach ( $val as $k => $v ) {
// Entries without 'widget-' are tested for here (the statement that follows is missing).
1300 if ( strpos($v, 'widget-') === false )
// Keep the part after the first underscore.
1303 $sb[$k] = substr($v, strpos($v, '_') + 1);
1306 $sidebars[$key] = $sb;
1308 wp_set_sidebars_widgets($sidebars);
// Saves, adds or deletes one widget instance. The bare die/else/brace lines
// are missing from this listing.
1314 case 'save-widget' :
// Nonce: action 'save-sidebar-widgets', read from the 'savewidgets' field.
1315 check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' );
// Requires the switch_themes capability and an id_base in the request.
1317 if ( !current_user_can('switch_themes') || !isset($_POST['id_base']) )
1320 unset( $_POST['savewidgets'], $_POST['action'] );
// These hooks are fired here, presumably so that code attached to the widgets
// screen also runs for this request - confirm.
1322 do_action('load-widgets.php');
1323 do_action('widgets.php');
1324 do_action('sidebar_admin_setup');
// id_base, widget-id and sidebar are taken from the request unchanged; they
// are used below as array keys and, for id_base, as part of a $_POST key.
1326 $id_base = $_POST['id_base'];
1327 $widget_id = $_POST['widget-id'];
1328 $sidebar_id = $_POST['sidebar'];
1329 $multi_number = !empty($_POST['multi_number']) ? (int) $_POST['multi_number'] : 0;
// Settings are accepted only when they arrive as an array.
1330 $settings = isset($_POST['widget-' . $id_base]) && is_array($_POST['widget-' . $id_base]) ? $_POST['widget-' . $id_base] : false;
1331 $error = '<p>' . __('An error has occured. Please reload the page and try again.') . '</p>';
// An unknown sidebar id yields an empty list instead of an error.
1333 $sidebars = wp_get_sidebars_widgets();
1334 $sidebar = isset($sidebars[$sidebar_id]) ? $sidebars[$sidebar_id] : array();
// Delete: the widget id is tested against the registry, removed from the
// sidebar list, and $_POST is replaced by a fixed set of fields.
1337 if ( isset($_POST['delete_widget']) && $_POST['delete_widget'] ) {
1339 if ( !isset($wp_registered_widgets[$widget_id]) )
1342 $sidebar = array_diff( $sidebar, array($widget_id) );
1343 $_POST = array('sidebar' => $sidebar_id, 'widget-' . $id_base => array(), 'the-widget-id' => $widget_id, 'delete_widget' => '1');
// Add: the first settings key is a template placeholder (__i__ or %i%); the
// instance is renumbered to multi_number and its id appended to the sidebar.
1344 } elseif ( $settings && preg_match( '/__i__|%i%/', key($settings) ) ) {
1345 if ( !$multi_number )
1348 $_POST['widget-' . $id_base] = array( $multi_number => array_shift($settings) );
1349 $widget_id = $id_base . '-' . $multi_number;
1350 $sidebar[] = $widget_id;
1352 $_POST['widget-id'] = $sidebar;
// The update callback is looked up in the registry by id_base, so the callable
// and its params come from registered widgets, never from the request.
1354 foreach ( (array) $wp_registered_widget_updates as $name => $control ) {
1356 if ( $name == $id_base ) {
1357 if ( !is_callable( $control['callback'] ) )
1361 call_user_func_array( $control['callback'], $control['params'] );
1367 if ( isset($_POST['delete_widget']) && $_POST['delete_widget'] ) {
1368 $sidebars[$sidebar_id] = $sidebar;
1369 wp_set_sidebars_widgets($sidebars);
// NOTE(review): $widget_id is echoed unescaped; on this path it passed the
// registry test above, provided the missing line after that test exits - confirm.
1370 echo "deleted:$widget_id";
1374 if ( !empty($_POST['add_new']) )
// NOTE(review): the controls registry is indexed without isset(); an unknown
// id gives a notice and skips the form callback.
1377 if ( $form = $wp_registered_widget_controls[$widget_id] )
1378 call_user_func_array( $form['callback'], $form['params'] );
// Image editor actions for one attachment. The inner case labels and the bare
// die/break lines are missing from this listing.
1382 case 'image-editor':
// intval() makes the id an integer; a zero id or a user who may not edit the
// attachment is rejected before anything else runs.
1383 $attachment_id = intval($_POST['postid']);
1384 if ( empty($attachment_id) || !current_user_can('edit_post', $attachment_id) )
// The nonce action contains the attachment id, so the token is tied to this one attachment.
1387 check_ajax_referer( "image_editor-$attachment_id" );
// Fixed include path built from ABSPATH.
1388 include_once( ABSPATH . 'wp-admin/includes/image-edit.php' );
// The operation is selected by the request's 'do' field.
1391 switch ( $_POST['do'] ) {
// In this branch the result of wp_save_image() is JSON-encoded.
1393 $msg = wp_save_image($attachment_id);
1394 $msg = json_encode($msg);
1398 $msg = wp_save_image($attachment_id);
1401 $msg = wp_restore_image($attachment_id);
// Render the editor for the attachment with the message from the chosen operation.
1405 wp_image_editor($attachment_id, $msg);
// Sets or removes the thumbnail of a post. The bare die/brace lines are
// missing from this listing.
// NOTE(review): this case writes post meta but, unlike the 'image-editor'
// case, it has no check_ajax_referer() call; the capability check alone does
// not stop a forged cross-site request made with a logged-in editor's session.
// A nonce tied to the post id, verified before any write, would close that gap.
1408 case 'set-post-thumbnail':
// intval() makes both ids integers before they are used.
1409 $post_id = intval( $_POST['post_id'] );
1410 if ( !current_user_can( 'edit_post', $post_id ) )
1412 $thumbnail_id = intval( $_POST['thumbnail_id'] );
// -1 means "remove the thumbnail"; the int is compared loosely with the string '-1'.
1414 if ( $thumbnail_id == '-1' ) {
1415 delete_post_meta( $post_id, '_thumbnail_id' );
1416 die( _wp_post_thumbnail_html() );
// The id must belong to an existing post and yield image markup before it is
// stored; no other property of that post is checked in the visible lines.
1419 if ( $thumbnail_id && get_post( $thumbnail_id ) ) {
1420 $thumbnail_html = wp_get_attachment_image( $thumbnail_id, 'thumbnail' );
1421 if ( !empty( $thumbnail_html ) ) {
1422 update_post_meta( $post_id, '_thumbnail_id', $thumbnail_id );
1423 die( _wp_post_thumbnail_html( $thumbnail_id ) );
1428 do_action( 'wp_ajax_' . $_POST['action'] );