| [ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * WordPress Customize Manager classes 4 * 5 * @package WordPress 6 * @subpackage Customize 7 * @since 3.4.0 8 */ 9 10 /** 11 * Customize Manager class. 12 * 13 * Bootstraps the Customize experience on the server-side. 14 * 15 * Sets up the theme-switching process if a theme other than the active one is 16 * being previewed and customized. 17 * 18 * Serves as a factory for Customize Controls and Settings, and 19 * instantiates default Customize Controls and Settings. 20 * 21 * @since 3.4.0 22 */ 23 final class WP_Customize_Manager { 24 /** 25 * An instance of the theme being previewed. 26 * 27 * @since 3.4.0 28 * @var WP_Theme 29 */ 30 protected $theme; 31 32 /** 33 * The directory name of the previously active theme (within the theme_root). 34 * 35 * @since 3.4.0 36 * @var string 37 */ 38 protected $original_stylesheet; 39 40 /** 41 * Whether this is a Customizer pageload. 42 * 43 * @since 3.4.0 44 * @var bool 45 */ 46 protected $previewing = false; 47 48 /** 49 * Methods and properties dealing with managing widgets in the Customizer. 50 * 51 * @since 3.9.0 52 * @var WP_Customize_Widgets 53 */ 54 public $widgets; 55 56 /** 57 * Methods and properties dealing with managing nav menus in the Customizer. 58 * 59 * @since 4.3.0 60 * @var WP_Customize_Nav_Menus 61 */ 62 public $nav_menus; 63 64 /** 65 * Methods and properties dealing with selective refresh in the Customizer preview. 66 * 67 * @since 4.5.0 68 * @var WP_Customize_Selective_Refresh 69 */ 70 public $selective_refresh; 71 72 /** 73 * Registered instances of WP_Customize_Setting. 74 * 75 * @since 3.4.0 76 * @var array 77 */ 78 protected $settings = array(); 79 80 /** 81 * Sorted top-level instances of WP_Customize_Panel and WP_Customize_Section. 82 * 83 * @since 4.0.0 84 * @var array 85 */ 86 protected $containers = array(); 87 88 /** 89 * Registered instances of WP_Customize_Panel. 90 * 91 * @since 4.0.0 92 * @var array 93 */ 94 protected $panels = array(); 95 96 /** 97 * List of core components. 98 * 99 * @since 4.5.0 100 * @var array 101 */ 102 protected $components = array( 'widgets', 'nav_menus' ); 103 104 /** 105 * Registered instances of WP_Customize_Section. 106 * 107 * @since 3.4.0 108 * @var array 109 */ 110 protected $sections = array(); 111 112 /** 113 * Registered instances of WP_Customize_Control. 114 * 115 * @since 3.4.0 116 * @var array 117 */ 118 protected $controls = array(); 119 120 /** 121 * Panel types that may be rendered from JS templates. 122 * 123 * @since 4.3.0 124 * @var array 125 */ 126 protected $registered_panel_types = array(); 127 128 /** 129 * Section types that may be rendered from JS templates. 130 * 131 * @since 4.3.0 132 * @var array 133 */ 134 protected $registered_section_types = array(); 135 136 /** 137 * Control types that may be rendered from JS templates. 138 * 139 * @since 4.1.0 140 * @var array 141 */ 142 protected $registered_control_types = array(); 143 144 /** 145 * Initial URL being previewed. 146 * 147 * @since 4.4.0 148 * @var string 149 */ 150 protected $preview_url; 151 152 /** 153 * URL to link the user to when closing the Customizer. 154 * 155 * @since 4.4.0 156 * @var string 157 */ 158 protected $return_url; 159 160 /** 161 * Mapping of 'panel', 'section', 'control' to the ID which should be autofocused. 162 * 163 * @since 4.4.0 164 * @var array 165 */ 166 protected $autofocus = array(); 167 168 /** 169 * Messenger channel. 170 * 171 * @since 4.7.0 172 * @var string 173 */ 174 protected $messenger_channel; 175 176 /** 177 * Whether the autosave revision of the changeset should be loaded. 178 * 179 * @since 4.9.0 180 * @var bool 181 */ 182 protected $autosaved = false; 183 184 /** 185 * Whether the changeset branching is allowed. 186 * 187 * @since 4.9.0 188 * @var bool 189 */ 190 protected $branching = true; 191 192 /** 193 * Whether settings should be previewed. 194 * 195 * @since 4.9.0 196 * @var bool 197 */ 198 protected $settings_previewed = true; 199 200 /** 201 * Whether a starter content changeset was saved. 202 * 203 * @since 4.9.0 204 * @var bool 205 */ 206 protected $saved_starter_content_changeset = false; 207 208 /** 209 * Unsanitized values for Customize Settings parsed from $_POST['customized']. 210 * 211 * @var array 212 */ 213 private $_post_values; 214 215 /** 216 * Changeset UUID. 217 * 218 * @since 4.7.0 219 * @var string 220 */ 221 private $_changeset_uuid; 222 223 /** 224 * Changeset post ID. 225 * 226 * @since 4.7.0 227 * @var int|false 228 */ 229 private $_changeset_post_id; 230 231 /** 232 * Changeset data loaded from a customize_changeset post. 233 * 234 * @since 4.7.0 235 * @var array|null 236 */ 237 private $_changeset_data; 238 239 /** 240 * Constructor. 241 * 242 * @since 3.4.0 243 * @since 4.7.0 Added `$args` parameter. 244 * 245 * @param array $args { 246 * Args. 247 * 248 * @type null|string|false $changeset_uuid Changeset UUID, the `post_name` for the customize_changeset post containing the customized state. 249 * Defaults to `null` resulting in a UUID to be immediately generated. If `false` is provided, then 250 * then the changeset UUID will be determined during `after_setup_theme`: when the 251 * `customize_changeset_branching` filter returns false, then the default UUID will be that 252 * of the most recent `customize_changeset` post that has a status other than 'auto-draft', 253 * 'publish', or 'trash'. Otherwise, if changeset branching is enabled, then a random UUID will be used. 254 * @type string $theme Theme to be previewed (for theme switch). Defaults to customize_theme or theme query params. 255 * @type string $messenger_channel Messenger channel. Defaults to customize_messenger_channel query param. 256 * @type bool $settings_previewed If settings should be previewed. Defaults to true. 257 * @type bool $branching If changeset branching is allowed; otherwise, changesets are linear. Defaults to true. 258 * @type bool $autosaved If data from a changeset's autosaved revision should be loaded if it exists. Defaults to false. 259 * } 260 */ 261 public function __construct( $args = array() ) { 262 263 $args = array_merge( 264 array_fill_keys( array( 'changeset_uuid', 'theme', 'messenger_channel', 'settings_previewed', 'autosaved', 'branching' ), null ), 265 $args 266 ); 267 268 // Note that the UUID format will be validated in the setup_theme() method. 269 if ( ! isset( $args['changeset_uuid'] ) ) { 270 $args['changeset_uuid'] = wp_generate_uuid4(); 271 } 272 273 // The theme and messenger_channel should be supplied via $args, 274 // but they are also looked at in the $_REQUEST global here for back-compat. 275 if ( ! isset( $args['theme'] ) ) { 276 if ( isset( $_REQUEST['customize_theme'] ) ) { 277 $args['theme'] = wp_unslash( $_REQUEST['customize_theme'] ); 278 } elseif ( isset( $_REQUEST['theme'] ) ) { // Deprecated. 279 $args['theme'] = wp_unslash( $_REQUEST['theme'] ); 280 } 281 } 282 if ( ! isset( $args['messenger_channel'] ) && isset( $_REQUEST['customize_messenger_channel'] ) ) { 283 $args['messenger_channel'] = sanitize_key( wp_unslash( $_REQUEST['customize_messenger_channel'] ) ); 284 } 285 286 $this->original_stylesheet = get_stylesheet(); 287 $this->theme = wp_get_theme( 0 === validate_file( $args['theme'] ) ? $args['theme'] : null ); 288 $this->messenger_channel = $args['messenger_channel']; 289 $this->_changeset_uuid = $args['changeset_uuid']; 290 291 foreach ( array( 'settings_previewed', 'autosaved', 'branching' ) as $key ) { 292 if ( isset( $args[ $key ] ) ) { 293 $this->$key = (bool) $args[ $key ]; 294 } 295 } 296 297 require_once ABSPATH . WPINC . '/class-wp-customize-setting.php'; 298 require_once ABSPATH . WPINC . '/class-wp-customize-panel.php'; 299 require_once ABSPATH . WPINC . '/class-wp-customize-section.php'; 300 require_once ABSPATH . WPINC . '/class-wp-customize-control.php'; 301 302 require_once ABSPATH . WPINC . '/customize/class-wp-customize-color-control.php'; 303 require_once ABSPATH . WPINC . '/customize/class-wp-customize-media-control.php'; 304 require_once ABSPATH . WPINC . '/customize/class-wp-customize-upload-control.php'; 305 require_once ABSPATH . WPINC . '/customize/class-wp-customize-image-control.php'; 306 require_once ABSPATH . WPINC . '/customize/class-wp-customize-background-image-control.php'; 307 require_once ABSPATH . WPINC . '/customize/class-wp-customize-background-position-control.php'; 308 require_once ABSPATH . WPINC . '/customize/class-wp-customize-cropped-image-control.php'; 309 require_once ABSPATH . WPINC . '/customize/class-wp-customize-site-icon-control.php'; 310 require_once ABSPATH . WPINC . '/customize/class-wp-customize-header-image-control.php'; 311 require_once ABSPATH . WPINC . '/customize/class-wp-customize-theme-control.php'; 312 require_once ABSPATH . WPINC . '/customize/class-wp-customize-code-editor-control.php'; 313 require_once ABSPATH . WPINC . '/customize/class-wp-widget-area-customize-control.php'; 314 require_once ABSPATH . WPINC . '/customize/class-wp-widget-form-customize-control.php'; 315 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-control.php'; 316 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-item-control.php'; 317 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-location-control.php'; 318 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-name-control.php'; 319 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-locations-control.php'; 320 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-auto-add-control.php'; 321 322 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menus-panel.php'; 323 324 require_once ABSPATH . WPINC . '/customize/class-wp-customize-themes-panel.php'; 325 require_once ABSPATH . WPINC . '/customize/class-wp-customize-themes-section.php'; 326 require_once ABSPATH . WPINC . '/customize/class-wp-customize-sidebar-section.php'; 327 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-section.php'; 328 329 require_once ABSPATH . WPINC . '/customize/class-wp-customize-custom-css-setting.php'; 330 require_once ABSPATH . WPINC . '/customize/class-wp-customize-filter-setting.php'; 331 require_once ABSPATH . WPINC . '/customize/class-wp-customize-header-image-setting.php'; 332 require_once ABSPATH . WPINC . '/customize/class-wp-customize-background-image-setting.php'; 333 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-item-setting.php'; 334 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-setting.php'; 335 336 /** 337 * Filters the core Customizer components to load. 338 * 339 * This allows Core components to be excluded from being instantiated by 340 * filtering them out of the array. Note that this filter generally runs 341 * during the {@see 'plugins_loaded'} action, so it cannot be added 342 * in a theme. 343 * 344 * @since 4.4.0 345 * 346 * @see WP_Customize_Manager::__construct() 347 * 348 * @param string[] $components Array of core components to load. 349 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 350 */ 351 $components = apply_filters( 'customize_loaded_components', $this->components, $this ); 352 353 require_once ABSPATH . WPINC . '/customize/class-wp-customize-selective-refresh.php'; 354 $this->selective_refresh = new WP_Customize_Selective_Refresh( $this ); 355 356 if ( in_array( 'widgets', $components, true ) ) { 357 require_once ABSPATH . WPINC . '/class-wp-customize-widgets.php'; 358 $this->widgets = new WP_Customize_Widgets( $this ); 359 } 360 361 if ( in_array( 'nav_menus', $components, true ) ) { 362 require_once ABSPATH . WPINC . '/class-wp-customize-nav-menus.php'; 363 $this->nav_menus = new WP_Customize_Nav_Menus( $this ); 364 } 365 366 add_action( 'setup_theme', array( $this, 'setup_theme' ) ); 367 add_action( 'wp_loaded', array( $this, 'wp_loaded' ) ); 368 369 // Do not spawn cron (especially the alternate cron) while running the Customizer. 370 remove_action( 'init', 'wp_cron' ); 371 372 // Do not run update checks when rendering the controls. 373 remove_action( 'admin_init', '_maybe_update_core' ); 374 remove_action( 'admin_init', '_maybe_update_plugins' ); 375 remove_action( 'admin_init', '_maybe_update_themes' ); 376 377 add_action( 'wp_ajax_customize_save', array( $this, 'save' ) ); 378 add_action( 'wp_ajax_customize_trash', array( $this, 'handle_changeset_trash_request' ) ); 379 add_action( 'wp_ajax_customize_refresh_nonces', array( $this, 'refresh_nonces' ) ); 380 add_action( 'wp_ajax_customize_load_themes', array( $this, 'handle_load_themes_request' ) ); 381 add_filter( 'heartbeat_settings', array( $this, 'add_customize_screen_to_heartbeat_settings' ) ); 382 add_filter( 'heartbeat_received', array( $this, 'check_changeset_lock_with_heartbeat' ), 10, 3 ); 383 add_action( 'wp_ajax_customize_override_changeset_lock', array( $this, 'handle_override_changeset_lock_request' ) ); 384 add_action( 'wp_ajax_customize_dismiss_autosave_or_lock', array( $this, 'handle_dismiss_autosave_or_lock_request' ) ); 385 386 add_action( 'customize_register', array( $this, 'register_controls' ) ); 387 add_action( 'customize_register', array( $this, 'register_dynamic_settings' ), 11 ); // Allow code to create settings first. 388 add_action( 'customize_controls_init', array( $this, 'prepare_controls' ) ); 389 add_action( 'customize_controls_enqueue_scripts', array( $this, 'enqueue_control_scripts' ) ); 390 391 // Render Common, Panel, Section, and Control templates. 392 add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_panel_templates' ), 1 ); 393 add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_section_templates' ), 1 ); 394 add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_control_templates' ), 1 ); 395 396 // Export header video settings with the partial response. 397 add_filter( 'customize_render_partials_response', array( $this, 'export_header_video_settings' ), 10, 3 ); 398 399 // Export the settings to JS via the _wpCustomizeSettings variable. 400 add_action( 'customize_controls_print_footer_scripts', array( $this, 'customize_pane_settings' ), 1000 ); 401 402 // Add theme update notices. 403 if ( current_user_can( 'install_themes' ) || current_user_can( 'update_themes' ) ) { 404 require_once ABSPATH . 'wp-admin/includes/update.php'; 405 add_action( 'customize_controls_print_footer_scripts', 'wp_print_admin_notice_templates' ); 406 } 407 } 408 409 /** 410 * Return true if it's an Ajax request. 411 * 412 * @since 3.4.0 413 * @since 4.2.0 Added `$action` param. 414 * 415 * @param string|null $action Whether the supplied Ajax action is being run. 416 * @return bool True if it's an Ajax request, false otherwise. 417 */ 418 public function doing_ajax( $action = null ) { 419 if ( ! wp_doing_ajax() ) { 420 return false; 421 } 422 423 if ( ! $action ) { 424 return true; 425 } else { 426 /* 427 * Note: we can't just use doing_action( "wp_ajax_{$action}" ) because we need 428 * to check before admin-ajax.php gets to that point. 429 */ 430 return isset( $_REQUEST['action'] ) && wp_unslash( $_REQUEST['action'] ) === $action; 431 } 432 } 433 434 /** 435 * Custom wp_die wrapper. Returns either the standard message for UI 436 * or the Ajax message. 437 * 438 * @since 3.4.0 439 * 440 * @param string|WP_Error $ajax_message Ajax return. 441 * @param string $message Optional. UI message. 442 */ 443 protected function wp_die( $ajax_message, $message = null ) { 444 if ( $this->doing_ajax() ) { 445 wp_die( $ajax_message ); 446 } 447 448 if ( ! $message ) { 449 $message = __( 'Something went wrong.' ); 450 } 451 452 if ( $this->messenger_channel ) { 453 ob_start(); 454 wp_enqueue_scripts(); 455 wp_print_scripts( array( 'customize-base' ) ); 456 457 $settings = array( 458 'messengerArgs' => array( 459 'channel' => $this->messenger_channel, 460 'url' => wp_customize_url(), 461 ), 462 'error' => $ajax_message, 463 ); 464 ?> 465 <script> 466 ( function( api, settings ) { 467 var preview = new api.Messenger( settings.messengerArgs ); 468 preview.send( 'iframe-loading-error', settings.error ); 469 } )( wp.customize, <?php echo wp_json_encode( $settings ); ?> ); 470 </script> 471 <?php 472 $message .= ob_get_clean(); 473 } 474 475 wp_die( $message ); 476 } 477 478 /** 479 * Return the Ajax wp_die() handler if it's a customized request. 480 * 481 * @since 3.4.0 482 * @deprecated 4.7.0 483 * 484 * @return callable Die handler. 485 */ 486 public function wp_die_handler() { 487 _deprecated_function( __METHOD__, '4.7.0' ); 488 489 if ( $this->doing_ajax() || isset( $_POST['customized'] ) ) { 490 return '_ajax_wp_die_handler'; 491 } 492 493 return '_default_wp_die_handler'; 494 } 495 496 /** 497 * Start preview and customize theme. 498 * 499 * Check if customize query variable exist. Init filters to filter the current theme. 500 * 501 * @since 3.4.0 502 * 503 * @global string $pagenow 504 */ 505 public function setup_theme() { 506 global $pagenow; 507 508 // Check permissions for customize.php access since this method is called before customize.php can run any code. 509 if ( 'customize.php' === $pagenow && ! current_user_can( 'customize' ) ) { 510 if ( ! is_user_logged_in() ) { 511 auth_redirect(); 512 } else { 513 wp_die( 514 '<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' . 515 '<p>' . __( 'Sorry, you are not allowed to customize this site.' ) . '</p>', 516 403 517 ); 518 } 519 return; 520 } 521 522 // If a changeset was provided is invalid. 523 if ( isset( $this->_changeset_uuid ) && false !== $this->_changeset_uuid && ! wp_is_uuid( $this->_changeset_uuid ) ) { 524 $this->wp_die( -1, __( 'Invalid changeset UUID' ) ); 525 } 526 527 /* 528 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer 529 * application will inject the customize_preview_nonce query parameter into all Ajax requests. 530 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out 531 * a user when a valid nonce isn't present. 532 */ 533 $has_post_data_nonce = ( 534 check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false ) 535 || 536 check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false ) 537 || 538 check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false ) 539 ); 540 if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) { 541 unset( $_POST['customized'] ); 542 unset( $_REQUEST['customized'] ); 543 } 544 545 /* 546 * If unauthenticated then require a valid changeset UUID to load the preview. 547 * In this way, the UUID serves as a secret key. If the messenger channel is present, 548 * then send unauthenticated code to prompt re-auth. 549 */ 550 if ( ! current_user_can( 'customize' ) && ! $this->changeset_post_id() ) { 551 $this->wp_die( $this->messenger_channel ? 0 : -1, __( 'Non-existent changeset UUID.' ) ); 552 } 553 554 if ( ! headers_sent() ) { 555 send_origin_headers(); 556 } 557 558 // Hide the admin bar if we're embedded in the customizer iframe. 559 if ( $this->messenger_channel ) { 560 show_admin_bar( false ); 561 } 562 563 if ( $this->is_theme_active() ) { 564 // Once the theme is loaded, we'll validate it. 565 add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) ); 566 } else { 567 // If the requested theme is not the active theme and the user doesn't have 568 // the switch_themes cap, bail. 569 if ( ! current_user_can( 'switch_themes' ) ) { 570 $this->wp_die( -1, __( 'Sorry, you are not allowed to edit theme options on this site.' ) ); 571 } 572 573 // If the theme has errors while loading, bail. 574 if ( $this->theme()->errors() ) { 575 $this->wp_die( -1, $this->theme()->errors()->get_error_message() ); 576 } 577 578 // If the theme isn't allowed per multisite settings, bail. 579 if ( ! $this->theme()->is_allowed() ) { 580 $this->wp_die( -1, __( 'The requested theme does not exist.' ) ); 581 } 582 } 583 584 // Make sure changeset UUID is established immediately after the theme is loaded. 585 add_action( 'after_setup_theme', array( $this, 'establish_loaded_changeset' ), 5 ); 586 587 /* 588 * Import theme starter content for fresh installations when landing in the customizer. 589 * Import starter content at after_setup_theme:100 so that any 590 * add_theme_support( 'starter-content' ) calls will have been made. 591 */ 592 if ( get_option( 'fresh_site' ) && 'customize.php' === $pagenow ) { 593 add_action( 'after_setup_theme', array( $this, 'import_theme_starter_content' ), 100 ); 594 } 595 596 $this->start_previewing_theme(); 597 } 598 599 /** 600 * Establish the loaded changeset. 601 * 602 * This method runs right at after_setup_theme and applies the 'customize_changeset_branching' filter to determine 603 * whether concurrent changesets are allowed. Then if the Customizer is not initialized with a `changeset_uuid` param, 604 * this method will determine which UUID should be used. If changeset branching is disabled, then the most saved 605 * changeset will be loaded by default. Otherwise, if there are no existing saved changesets or if changeset branching is 606 * enabled, then a new UUID will be generated. 607 * 608 * @since 4.9.0 609 * @global string $pagenow 610 */ 611 public function establish_loaded_changeset() { 612 global $pagenow; 613 614 if ( empty( $this->_changeset_uuid ) ) { 615 $changeset_uuid = null; 616 617 if ( ! $this->branching() && $this->is_theme_active() ) { 618 $unpublished_changeset_posts = $this->get_changeset_posts( 619 array( 620 'post_status' => array_diff( get_post_stati(), array( 'auto-draft', 'publish', 'trash', 'inherit', 'private' ) ), 621 'exclude_restore_dismissed' => false, 622 'author' => 'any', 623 'posts_per_page' => 1, 624 'order' => 'DESC', 625 'orderby' => 'date', 626 ) 627 ); 628 $unpublished_changeset_post = array_shift( $unpublished_changeset_posts ); 629 if ( ! empty( $unpublished_changeset_post ) && wp_is_uuid( $unpublished_changeset_post->post_name ) ) { 630 $changeset_uuid = $unpublished_changeset_post->post_name; 631 } 632 } 633 634 // If no changeset UUID has been set yet, then generate a new one. 635 if ( empty( $changeset_uuid ) ) { 636 $changeset_uuid = wp_generate_uuid4(); 637 } 638 639 $this->_changeset_uuid = $changeset_uuid; 640 } 641 642 if ( is_admin() && 'customize.php' === $pagenow ) { 643 $this->set_changeset_lock( $this->changeset_post_id() ); 644 } 645 } 646 647 /** 648 * Callback to validate a theme once it is loaded 649 * 650 * @since 3.4.0 651 */ 652 public function after_setup_theme() { 653 $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_POST['customized'] ) ); 654 if ( ! $doing_ajax_or_is_customized && ! validate_current_theme() ) { 655 wp_redirect( 'themes.php?broken=true' ); 656 exit; 657 } 658 } 659 660 /** 661 * If the theme to be previewed isn't the active theme, add filter callbacks 662 * to swap it out at runtime. 663 * 664 * @since 3.4.0 665 */ 666 public function start_previewing_theme() { 667 // Bail if we're already previewing. 668 if ( $this->is_preview() ) { 669 return; 670 } 671 672 $this->previewing = true; 673 674 if ( ! $this->is_theme_active() ) { 675 add_filter( 'template', array( $this, 'get_template' ) ); 676 add_filter( 'stylesheet', array( $this, 'get_stylesheet' ) ); 677 add_filter( 'pre_option_current_theme', array( $this, 'current_theme' ) ); 678 679 // @link: https://core.trac.wordpress.org/ticket/20027 680 add_filter( 'pre_option_stylesheet', array( $this, 'get_stylesheet' ) ); 681 add_filter( 'pre_option_template', array( $this, 'get_template' ) ); 682 683 // Handle custom theme roots. 684 add_filter( 'pre_option_stylesheet_root', array( $this, 'get_stylesheet_root' ) ); 685 add_filter( 'pre_option_template_root', array( $this, 'get_template_root' ) ); 686 } 687 688 /** 689 * Fires once the Customizer theme preview has started. 690 * 691 * @since 3.4.0 692 * 693 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 694 */ 695 do_action( 'start_previewing_theme', $this ); 696 } 697 698 /** 699 * Stop previewing the selected theme. 700 * 701 * Removes filters to change the current theme. 702 * 703 * @since 3.4.0 704 */ 705 public function stop_previewing_theme() { 706 if ( ! $this->is_preview() ) { 707 return; 708 } 709 710 $this->previewing = false; 711 712 if ( ! $this->is_theme_active() ) { 713 remove_filter( 'template', array( $this, 'get_template' ) ); 714 remove_filter( 'stylesheet', array( $this, 'get_stylesheet' ) ); 715 remove_filter( 'pre_option_current_theme', array( $this, 'current_theme' ) ); 716 717 // @link: https://core.trac.wordpress.org/ticket/20027 718 remove_filter( 'pre_option_stylesheet', array( $this, 'get_stylesheet' ) ); 719 remove_filter( 'pre_option_template', array( $this, 'get_template' ) ); 720 721 // Handle custom theme roots. 722 remove_filter( 'pre_option_stylesheet_root', array( $this, 'get_stylesheet_root' ) ); 723 remove_filter( 'pre_option_template_root', array( $this, 'get_template_root' ) ); 724 } 725 726 /** 727 * Fires once the Customizer theme preview has stopped. 728 * 729 * @since 3.4.0 730 * 731 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 732 */ 733 do_action( 'stop_previewing_theme', $this ); 734 } 735 736 /** 737 * Gets whether settings are or will be previewed. 738 * 739 * @since 4.9.0 740 * @see WP_Customize_Setting::preview() 741 * 742 * @return bool 743 */ 744 public function settings_previewed() { 745 return $this->settings_previewed; 746 } 747 748 /** 749 * Gets whether data from a changeset's autosaved revision should be loaded if it exists. 750 * 751 * @since 4.9.0 752 * @see WP_Customize_Manager::changeset_data() 753 * 754 * @return bool Is using autosaved changeset revision. 755 */ 756 public function autosaved() { 757 return $this->autosaved; 758 } 759 760 /** 761 * Whether the changeset branching is allowed. 762 * 763 * @since 4.9.0 764 * @see WP_Customize_Manager::establish_loaded_changeset() 765 * 766 * @return bool Is changeset branching. 767 */ 768 public function branching() { 769 770 /** 771 * Filters whether or not changeset branching is allowed. 772 * 773 * By default in core, when changeset branching is not allowed, changesets will operate 774 * linearly in that only one saved changeset will exist at a time (with a 'draft' or 775 * 'future' status). This makes the Customizer operate in a way that is similar to going to 776 * "edit" to one existing post: all users will be making changes to the same post, and autosave 777 * revisions will be made for that post. 778 * 779 * By contrast, when changeset branching is allowed, then the model is like users going 780 * to "add new" for a page and each user makes changes independently of each other since 781 * they are all operating on their own separate pages, each getting their own separate 782 * initial auto-drafts and then once initially saved, autosave revisions on top of that 783 * user's specific post. 784 * 785 * Since linear changesets are deemed to be more suitable for the majority of WordPress users, 786 * they are the default. For WordPress sites that have heavy site management in the Customizer 787 * by multiple users then branching changesets should be enabled by means of this filter. 788 * 789 * @since 4.9.0 790 * 791 * @param bool $allow_branching Whether branching is allowed. If `false`, the default, 792 * then only one saved changeset exists at a time. 793 * @param WP_Customize_Manager $wp_customize Manager instance. 794 */ 795 $this->branching = apply_filters( 'customize_changeset_branching', $this->branching, $this ); 796 797 return $this->branching; 798 } 799 800 /** 801 * Get the changeset UUID. 802 * 803 * @since 4.7.0 804 * @see WP_Customize_Manager::establish_loaded_changeset() 805 * 806 * @return string UUID. 807 */ 808 public function changeset_uuid() { 809 if ( empty( $this->_changeset_uuid ) ) { 810 $this->establish_loaded_changeset(); 811 } 812 return $this->_changeset_uuid; 813 } 814 815 /** 816 * Get the theme being customized. 817 * 818 * @since 3.4.0 819 * 820 * @return WP_Theme 821 */ 822 public function theme() { 823 if ( ! $this->theme ) { 824 $this->theme = wp_get_theme(); 825 } 826 return $this->theme; 827 } 828 829 /** 830 * Get the registered settings. 831 * 832 * @since 3.4.0 833 * 834 * @return array 835 */ 836 public function settings() { 837 return $this->settings; 838 } 839 840 /** 841 * Get the registered controls. 842 * 843 * @since 3.4.0 844 * 845 * @return array 846 */ 847 public function controls() { 848 return $this->controls; 849 } 850 851 /** 852 * Get the registered containers. 853 * 854 * @since 4.0.0 855 * 856 * @return array 857 */ 858 public function containers() { 859 return $this->containers; 860 } 861 862 /** 863 * Get the registered sections. 864 * 865 * @since 3.4.0 866 * 867 * @return array 868 */ 869 public function sections() { 870 return $this->sections; 871 } 872 873 /** 874 * Get the registered panels. 875 * 876 * @since 4.0.0 877 * 878 * @return array Panels. 879 */ 880 public function panels() { 881 return $this->panels; 882 } 883 884 /** 885 * Checks if the current theme is active. 886 * 887 * @since 3.4.0 888 * 889 * @return bool 890 */ 891 public function is_theme_active() { 892 return $this->get_stylesheet() == $this->original_stylesheet; 893 } 894 895 /** 896 * Register styles/scripts and initialize the preview of each setting 897 * 898 * @since 3.4.0 899 */ 900 public function wp_loaded() { 901 902 // Unconditionally register core types for panels, sections, and controls 903 // in case plugin unhooks all customize_register actions. 904 $this->register_panel_type( 'WP_Customize_Panel' ); 905 $this->register_panel_type( 'WP_Customize_Themes_Panel' ); 906 $this->register_section_type( 'WP_Customize_Section' ); 907 $this->register_section_type( 'WP_Customize_Sidebar_Section' ); 908 $this->register_section_type( 'WP_Customize_Themes_Section' ); 909 $this->register_control_type( 'WP_Customize_Color_Control' ); 910 $this->register_control_type( 'WP_Customize_Media_Control' ); 911 $this->register_control_type( 'WP_Customize_Upload_Control' ); 912 $this->register_control_type( 'WP_Customize_Image_Control' ); 913 $this->register_control_type( 'WP_Customize_Background_Image_Control' ); 914 $this->register_control_type( 'WP_Customize_Background_Position_Control' ); 915 $this->register_control_type( 'WP_Customize_Cropped_Image_Control' ); 916 $this->register_control_type( 'WP_Customize_Site_Icon_Control' ); 917 $this->register_control_type( 'WP_Customize_Theme_Control' ); 918 $this->register_control_type( 'WP_Customize_Code_Editor_Control' ); 919 $this->register_control_type( 'WP_Customize_Date_Time_Control' ); 920 921 /** 922 * Fires once WordPress has loaded, allowing scripts and styles to be initialized. 923 * 924 * @since 3.4.0 925 * 926 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 927 */ 928 do_action( 'customize_register', $this ); 929 930 if ( $this->settings_previewed() ) { 931 foreach ( $this->settings as $setting ) { 932 $setting->preview(); 933 } 934 } 935 936 if ( $this->is_preview() && ! is_admin() ) { 937 $this->customize_preview_init(); 938 } 939 } 940 941 /** 942 * Prevents Ajax requests from following redirects when previewing a theme 943 * by issuing a 200 response instead of a 30x. 944 * 945 * Instead, the JS will sniff out the location header. 946 * 947 * @since 3.4.0 948 * @deprecated 4.7.0 949 * 950 * @param int $status Status. 951 * @return int 952 */ 953 public function wp_redirect_status( $status ) { 954 _deprecated_function( __FUNCTION__, '4.7.0' ); 955 956 if ( $this->is_preview() && ! is_admin() ) { 957 return 200; 958 } 959 960 return $status; 961 } 962 963 /** 964 * Find the changeset post ID for a given changeset UUID. 965 * 966 * @since 4.7.0 967 * 968 * @param string $uuid Changeset UUID. 969 * @return int|null Returns post ID on success and null on failure. 970 */ 971 public function find_changeset_post_id( $uuid ) { 972 $cache_group = 'customize_changeset_post'; 973 $changeset_post_id = wp_cache_get( $uuid, $cache_group ); 974 if ( $changeset_post_id && 'customize_changeset' === get_post_type( $changeset_post_id ) ) { 975 return $changeset_post_id; 976 } 977 978 $changeset_post_query = new WP_Query( 979 array( 980 'post_type' => 'customize_changeset', 981 'post_status' => get_post_stati(), 982 'name' => $uuid, 983 'posts_per_page' => 1, 984 'no_found_rows' => true, 985 'cache_results' => true, 986 'update_post_meta_cache' => false, 987 'update_post_term_cache' => false, 988 'lazy_load_term_meta' => false, 989 ) 990 ); 991 if ( ! empty( $changeset_post_query->posts ) ) { 992 // Note: 'fields'=>'ids' is not being used in order to cache the post object as it will be needed. 993 $changeset_post_id = $changeset_post_query->posts[0]->ID; 994 wp_cache_set( $uuid, $changeset_post_id, $cache_group ); 995 return $changeset_post_id; 996 } 997 998 return null; 999 } 1000 1001 /** 1002 * Get changeset posts. 1003 * 1004 * @since 4.9.0 1005 * 1006 * @param array $args { 1007 * Args to pass into `get_posts()` to query changesets. 1008 * 1009 * @type int $posts_per_page Number of posts to return. Defaults to -1 (all posts). 1010 * @type int $author Post author. Defaults to current user. 1011 * @type string $post_status Status of changeset. Defaults to 'auto-draft'. 1012 * @type bool $exclude_restore_dismissed Whether to exclude changeset auto-drafts that have been dismissed. Defaults to true. 1013 * } 1014 * @return WP_Post[] Auto-draft changesets. 1015 */ 1016 protected function get_changeset_posts( $args = array() ) { 1017 $default_args = array( 1018 'exclude_restore_dismissed' => true, 1019 'posts_per_page' => -1, 1020 'post_type' => 'customize_changeset', 1021 'post_status' => 'auto-draft', 1022 'order' => 'DESC', 1023 'orderby' => 'date', 1024 'no_found_rows' => true, 1025 'cache_results' => true, 1026 'update_post_meta_cache' => false, 1027 'update_post_term_cache' => false, 1028 'lazy_load_term_meta' => false, 1029 ); 1030 if ( get_current_user_id() ) { 1031 $default_args['author'] = get_current_user_id(); 1032 } 1033 $args = array_merge( $default_args, $args ); 1034 1035 if ( ! empty( $args['exclude_restore_dismissed'] ) ) { 1036 unset( $args['exclude_restore_dismissed'] ); 1037 $args['meta_query'] = array( 1038 array( 1039 'key' => '_customize_restore_dismissed', 1040 'compare' => 'NOT EXISTS', 1041 ), 1042 ); 1043 } 1044 1045 return get_posts( $args ); 1046 } 1047 1048 /** 1049 * Dismiss all of the current user's auto-drafts (other than the present one). 1050 * 1051 * @since 4.9.0 1052 * @return int The number of auto-drafts that were dismissed. 1053 */ 1054 protected function dismiss_user_auto_draft_changesets() { 1055 $changeset_autodraft_posts = $this->get_changeset_posts( 1056 array( 1057 'post_status' => 'auto-draft', 1058 'exclude_restore_dismissed' => true, 1059 'posts_per_page' => -1, 1060 ) 1061 ); 1062 $dismissed = 0; 1063 foreach ( $changeset_autodraft_posts as $autosave_autodraft_post ) { 1064 if ( $autosave_autodraft_post->ID === $this->changeset_post_id() ) { 1065 continue; 1066 } 1067 if ( update_post_meta( $autosave_autodraft_post->ID, '_customize_restore_dismissed', true ) ) { 1068 $dismissed++; 1069 } 1070 } 1071 return $dismissed; 1072 } 1073 1074 /** 1075 * Get the changeset post id for the loaded changeset. 1076 * 1077 * @since 4.7.0 1078 * 1079 * @return int|null Post ID on success or null if there is no post yet saved. 1080 */ 1081 public function changeset_post_id() { 1082 if ( ! isset( $this->_changeset_post_id ) ) { 1083 $post_id = $this->find_changeset_post_id( $this->changeset_uuid() ); 1084 if ( ! $post_id ) { 1085 $post_id = false; 1086 } 1087 $this->_changeset_post_id = $post_id; 1088 } 1089 if ( false === $this->_changeset_post_id ) { 1090 return null; 1091 } 1092 return $this->_changeset_post_id; 1093 } 1094 1095 /** 1096 * Get the data stored in a changeset post. 1097 * 1098 * @since 4.7.0 1099 * 1100 * @param int $post_id Changeset post ID. 1101 * @return array|WP_Error Changeset data or WP_Error on error. 1102 */ 1103 protected function get_changeset_post_data( $post_id ) { 1104 if ( ! $post_id ) { 1105 return new WP_Error( 'empty_post_id' ); 1106 } 1107 $changeset_post = get_post( $post_id ); 1108 if ( ! $changeset_post ) { 1109 return new WP_Error( 'missing_post' ); 1110 } 1111 if ( 'revision' === $changeset_post->post_type ) { 1112 if ( 'customize_changeset' !== get_post_type( $changeset_post->post_parent ) ) { 1113 return new WP_Error( 'wrong_post_type' ); 1114 } 1115 } elseif ( 'customize_changeset' !== $changeset_post->post_type ) { 1116 return new WP_Error( 'wrong_post_type' ); 1117 } 1118 $changeset_data = json_decode( $changeset_post->post_content, true ); 1119 $last_error = json_last_error(); 1120 if ( $last_error ) { 1121 return new WP_Error( 'json_parse_error', '', $last_error ); 1122 } 1123 if ( ! is_array( $changeset_data ) ) { 1124 return new WP_Error( 'expected_array' ); 1125 } 1126 return $changeset_data; 1127 } 1128 1129 /** 1130 * Get changeset data. 1131 * 1132 * @since 4.7.0 1133 * @since 4.9.0 This will return the changeset's data with a user's autosave revision merged on top, if one exists and $autosaved is true. 1134 * 1135 * @return array Changeset data. 1136 */ 1137 public function changeset_data() { 1138 if ( isset( $this->_changeset_data ) ) { 1139 return $this->_changeset_data; 1140 } 1141 $changeset_post_id = $this->changeset_post_id(); 1142 if ( ! $changeset_post_id ) { 1143 $this->_changeset_data = array(); 1144 } else { 1145 if ( $this->autosaved() && is_user_logged_in() ) { 1146 $autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); 1147 if ( $autosave_post ) { 1148 $data = $this->get_changeset_post_data( $autosave_post->ID ); 1149 if ( ! is_wp_error( $data ) ) { 1150 $this->_changeset_data = $data; 1151 } 1152 } 1153 } 1154 1155 // Load data from the changeset if it was not loaded from an autosave. 1156 if ( ! isset( $this->_changeset_data ) ) { 1157 $data = $this->get_changeset_post_data( $changeset_post_id ); 1158 if ( ! is_wp_error( $data ) ) { 1159 $this->_changeset_data = $data; 1160 } else { 1161 $this->_changeset_data = array(); 1162 } 1163 } 1164 } 1165 return $this->_changeset_data; 1166 } 1167 1168 /** 1169 * Starter content setting IDs. 1170 * 1171 * @since 4.7.0 1172 * @var array 1173 */ 1174 protected $pending_starter_content_settings_ids = array(); 1175 1176 /** 1177 * Import theme starter content into the customized state. 1178 * 1179 * @since 4.7.0 1180 * 1181 * @param array $starter_content Starter content. Defaults to `get_theme_starter_content()`. 1182 */ 1183 function import_theme_starter_content( $starter_content = array() ) { 1184 if ( empty( $starter_content ) ) { 1185 $starter_content = get_theme_starter_content(); 1186 } 1187 1188 $changeset_data = array(); 1189 if ( $this->changeset_post_id() ) { 1190 /* 1191 * Don't re-import starter content into a changeset saved persistently. 1192 * This will need to be revisited in the future once theme switching 1193 * is allowed with drafted/scheduled changesets, since switching to 1194 * another theme could result in more starter content being applied. 1195 * However, when doing an explicit save it is currently possible for 1196 * nav menus and nav menu items specifically to lose their starter_content 1197 * flags, thus resulting in duplicates being created since they fail 1198 * to get re-used. See #40146. 1199 */ 1200 if ( 'auto-draft' !== get_post_status( $this->changeset_post_id() ) ) { 1201 return; 1202 } 1203 1204 $changeset_data = $this->get_changeset_post_data( $this->changeset_post_id() ); 1205 } 1206 1207 $sidebars_widgets = isset( $starter_content['widgets'] ) && ! empty( $this->widgets ) ? $starter_content['widgets'] : array(); 1208 $attachments = isset( $starter_content['attachments'] ) && ! empty( $this->nav_menus ) ? $starter_content['attachments'] : array(); 1209 $posts = isset( $starter_content['posts'] ) && ! empty( $this->nav_menus ) ? $starter_content['posts'] : array(); 1210 $options = isset( $starter_content['options'] ) ? $starter_content['options'] : array(); 1211 $nav_menus = isset( $starter_content['nav_menus'] ) && ! empty( $this->nav_menus ) ? $starter_content['nav_menus'] : array(); 1212 $theme_mods = isset( $starter_content['theme_mods'] ) ? $starter_content['theme_mods'] : array(); 1213 1214 // Widgets. 1215 $max_widget_numbers = array(); 1216 foreach ( $sidebars_widgets as $sidebar_id => $widgets ) { 1217 $sidebar_widget_ids = array(); 1218 foreach ( $widgets as $widget ) { 1219 list( $id_base, $instance ) = $widget; 1220 1221 if ( ! isset( $max_widget_numbers[ $id_base ] ) ) { 1222 1223 // When $settings is an array-like object, get an intrinsic array for use with array_keys(). 1224 $settings = get_option( "widget_{$id_base}", array() ); 1225 if ( $settings instanceof ArrayObject || $settings instanceof ArrayIterator ) { 1226 $settings = $settings->getArrayCopy(); 1227 } 1228 1229 // Find the max widget number for this type. 1230 $widget_numbers = array_keys( $settings ); 1231 if ( count( $widget_numbers ) > 0 ) { 1232 $widget_numbers[] = 1; 1233 $max_widget_numbers[ $id_base ] = max( ...$widget_numbers ); 1234 } else { 1235 $max_widget_numbers[ $id_base ] = 1; 1236 } 1237 } 1238 $max_widget_numbers[ $id_base ] += 1; 1239 1240 $widget_id = sprintf( '%s-%d', $id_base, $max_widget_numbers[ $id_base ] ); 1241 $setting_id = sprintf( 'widget_%s[%d]', $id_base, $max_widget_numbers[ $id_base ] ); 1242 1243 $setting_value = $this->widgets->sanitize_widget_js_instance( $instance ); 1244 if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { 1245 $this->set_post_value( $setting_id, $setting_value ); 1246 $this->pending_starter_content_settings_ids[] = $setting_id; 1247 } 1248 $sidebar_widget_ids[] = $widget_id; 1249 } 1250 1251 $setting_id = sprintf( 'sidebars_widgets[%s]', $sidebar_id ); 1252 if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { 1253 $this->set_post_value( $setting_id, $sidebar_widget_ids ); 1254 $this->pending_starter_content_settings_ids[] = $setting_id; 1255 } 1256 } 1257 1258 $starter_content_auto_draft_post_ids = array(); 1259 if ( ! empty( $changeset_data['nav_menus_created_posts']['value'] ) ) { 1260 $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, $changeset_data['nav_menus_created_posts']['value'] ); 1261 } 1262 1263 // Make an index of all the posts needed and what their slugs are. 1264 $needed_posts = array(); 1265 $attachments = $this->prepare_starter_content_attachments( $attachments ); 1266 foreach ( $attachments as $attachment ) { 1267 $key = 'attachment:' . $attachment['post_name']; 1268 $needed_posts[ $key ] = true; 1269 } 1270 foreach ( array_keys( $posts ) as $post_symbol ) { 1271 if ( empty( $posts[ $post_symbol ]['post_name'] ) && empty( $posts[ $post_symbol ]['post_title'] ) ) { 1272 unset( $posts[ $post_symbol ] ); 1273 continue; 1274 } 1275 if ( empty( $posts[ $post_symbol ]['post_name'] ) ) { 1276 $posts[ $post_symbol ]['post_name'] = sanitize_title( $posts[ $post_symbol ]['post_title'] ); 1277 } 1278 if ( empty( $posts[ $post_symbol ]['post_type'] ) ) { 1279 $posts[ $post_symbol ]['post_type'] = 'post'; 1280 } 1281 $needed_posts[ $posts[ $post_symbol ]['post_type'] . ':' . $posts[ $post_symbol ]['post_name'] ] = true; 1282 } 1283 $all_post_slugs = array_merge( 1284 wp_list_pluck( $attachments, 'post_name' ), 1285 wp_list_pluck( $posts, 'post_name' ) 1286 ); 1287 1288 /* 1289 * Obtain all post types referenced in starter content to use in query. 1290 * This is needed because 'any' will not account for post types not yet registered. 1291 */ 1292 $post_types = array_filter( array_merge( array( 'attachment' ), wp_list_pluck( $posts, 'post_type' ) ) ); 1293 1294 // Re-use auto-draft starter content posts referenced in the current customized state. 1295 $existing_starter_content_posts = array(); 1296 if ( ! empty( $starter_content_auto_draft_post_ids ) ) { 1297 $existing_posts_query = new WP_Query( 1298 array( 1299 'post__in' => $starter_content_auto_draft_post_ids, 1300 'post_status' => 'auto-draft', 1301 'post_type' => $post_types, 1302 'posts_per_page' => -1, 1303 ) 1304 ); 1305 foreach ( $existing_posts_query->posts as $existing_post ) { 1306 $post_name = $existing_post->post_name; 1307 if ( empty( $post_name ) ) { 1308 $post_name = get_post_meta( $existing_post->ID, '_customize_draft_post_name', true ); 1309 } 1310 $existing_starter_content_posts[ $existing_post->post_type . ':' . $post_name ] = $existing_post; 1311 } 1312 } 1313 1314 // Re-use non-auto-draft posts. 1315 if ( ! empty( $all_post_slugs ) ) { 1316 $existing_posts_query = new WP_Query( 1317 array( 1318 'post_name__in' => $all_post_slugs, 1319 'post_status' => array_diff( get_post_stati(), array( 'auto-draft' ) ), 1320 'post_type' => 'any', 1321 'posts_per_page' => -1, 1322 ) 1323 ); 1324 foreach ( $existing_posts_query->posts as $existing_post ) { 1325 $key = $existing_post->post_type . ':' . $existing_post->post_name; 1326 if ( isset( $needed_posts[ $key ] ) && ! isset( $existing_starter_content_posts[ $key ] ) ) { 1327 $existing_starter_content_posts[ $key ] = $existing_post; 1328 } 1329 } 1330 } 1331 1332 // Attachments are technically posts but handled differently. 1333 if ( ! empty( $attachments ) ) { 1334 1335 $attachment_ids = array(); 1336 1337 foreach ( $attachments as $symbol => $attachment ) { 1338 $file_array = array( 1339 'name' => $attachment['file_name'], 1340 ); 1341 $file_path = $attachment['file_path']; 1342 $attachment_id = null; 1343 $attached_file = null; 1344 if ( isset( $existing_starter_content_posts[ 'attachment:' . $attachment['post_name'] ] ) ) { 1345 $attachment_post = $existing_starter_content_posts[ 'attachment:' . $attachment['post_name'] ]; 1346 $attachment_id = $attachment_post->ID; 1347 $attached_file = get_attached_file( $attachment_id ); 1348 if ( empty( $attached_file ) || ! file_exists( $attached_file ) ) { 1349 $attachment_id = null; 1350 $attached_file = null; 1351 } elseif ( $this->get_stylesheet() !== get_post_meta( $attachment_post->ID, '_starter_content_theme', true ) ) { 1352 1353 // Re-generate attachment metadata since it was previously generated for a different theme. 1354 $metadata = wp_generate_attachment_metadata( $attachment_post->ID, $attached_file ); 1355 wp_update_attachment_metadata( $attachment_id, $metadata ); 1356 update_post_meta( $attachment_id, '_starter_content_theme', $this->get_stylesheet() ); 1357 } 1358 } 1359 1360 // Insert the attachment auto-draft because it doesn't yet exist or the attached file is gone. 1361 if ( ! $attachment_id ) { 1362 1363 // Copy file to temp location so that original file won't get deleted from theme after sideloading. 1364 $temp_file_name = wp_tempnam( wp_basename( $file_path ) ); 1365 if ( $temp_file_name && copy( $file_path, $temp_file_name ) ) { 1366 $file_array['tmp_name'] = $temp_file_name; 1367 } 1368 if ( empty( $file_array['tmp_name'] ) ) { 1369 continue; 1370 } 1371 1372 $attachment_post_data = array_merge( 1373 wp_array_slice_assoc( $attachment, array( 'post_title', 'post_content', 'post_excerpt' ) ), 1374 array( 1375 'post_status' => 'auto-draft', // So attachment will be garbage collected in a week if changeset is never published. 1376 ) 1377 ); 1378 1379 $attachment_id = media_handle_sideload( $file_array, 0, null, $attachment_post_data ); 1380 if ( is_wp_error( $attachment_id ) ) { 1381 continue; 1382 } 1383 update_post_meta( $attachment_id, '_starter_content_theme', $this->get_stylesheet() ); 1384 update_post_meta( $attachment_id, '_customize_draft_post_name', $attachment['post_name'] ); 1385 } 1386 1387 $attachment_ids[ $symbol ] = $attachment_id; 1388 } 1389 $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, array_values( $attachment_ids ) ); 1390 } 1391 1392 // Posts & pages. 1393 if ( ! empty( $posts ) ) { 1394 foreach ( array_keys( $posts ) as $post_symbol ) { 1395 if ( empty( $posts[ $post_symbol ]['post_type'] ) || empty( $posts[ $post_symbol ]['post_name'] ) ) { 1396 continue; 1397 } 1398 $post_type = $posts[ $post_symbol ]['post_type']; 1399 if ( ! empty( $posts[ $post_symbol ]['post_name'] ) ) { 1400 $post_name = $posts[ $post_symbol ]['post_name']; 1401 } elseif ( ! empty( $posts[ $post_symbol ]['post_title'] ) ) { 1402 $post_name = sanitize_title( $posts[ $post_symbol ]['post_title'] ); 1403 } else { 1404 continue; 1405 } 1406 1407 // Use existing auto-draft post if one already exists with the same type and name. 1408 if ( isset( $existing_starter_content_posts[ $post_type . ':' . $post_name ] ) ) { 1409 $posts[ $post_symbol ]['ID'] = $existing_starter_content_posts[ $post_type . ':' . $post_name ]->ID; 1410 continue; 1411 } 1412 1413 // Translate the featured image symbol. 1414 if ( ! empty( $posts[ $post_symbol ]['thumbnail'] ) 1415 && preg_match( '/^{{(?P<symbol>.+)}}$/', $posts[ $post_symbol ]['thumbnail'], $matches ) 1416 && isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1417 $posts[ $post_symbol ]['meta_input']['_thumbnail_id'] = $attachment_ids[ $matches['symbol'] ]; 1418 } 1419 1420 if ( ! empty( $posts[ $post_symbol ]['template'] ) ) { 1421 $posts[ $post_symbol ]['meta_input']['_wp_page_template'] = $posts[ $post_symbol ]['template']; 1422 } 1423 1424 $r = $this->nav_menus->insert_auto_draft_post( $posts[ $post_symbol ] ); 1425 if ( $r instanceof WP_Post ) { 1426 $posts[ $post_symbol ]['ID'] = $r->ID; 1427 } 1428 } 1429 1430 $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, wp_list_pluck( $posts, 'ID' ) ); 1431 } 1432 1433 // The nav_menus_created_posts setting is why nav_menus component is dependency for adding posts. 1434 if ( ! empty( $this->nav_menus ) && ! empty( $starter_content_auto_draft_post_ids ) ) { 1435 $setting_id = 'nav_menus_created_posts'; 1436 $this->set_post_value( $setting_id, array_unique( array_values( $starter_content_auto_draft_post_ids ) ) ); 1437 $this->pending_starter_content_settings_ids[] = $setting_id; 1438 } 1439 1440 // Nav menus. 1441 $placeholder_id = -1; 1442 $reused_nav_menu_setting_ids = array(); 1443 foreach ( $nav_menus as $nav_menu_location => $nav_menu ) { 1444 1445 $nav_menu_term_id = null; 1446 $nav_menu_setting_id = null; 1447 $matches = array(); 1448 1449 // Look for an existing placeholder menu with starter content to re-use. 1450 foreach ( $changeset_data as $setting_id => $setting_params ) { 1451 $can_reuse = ( 1452 ! empty( $setting_params['starter_content'] ) 1453 && 1454 ! in_array( $setting_id, $reused_nav_menu_setting_ids, true ) 1455 && 1456 preg_match( '#^nav_menu\[(?P<nav_menu_id>-?\d+)\]$#', $setting_id, $matches ) 1457 ); 1458 if ( $can_reuse ) { 1459 $nav_menu_term_id = intval( $matches['nav_menu_id'] ); 1460 $nav_menu_setting_id = $setting_id; 1461 $reused_nav_menu_setting_ids[] = $setting_id; 1462 break; 1463 } 1464 } 1465 1466 if ( ! $nav_menu_term_id ) { 1467 while ( isset( $changeset_data[ sprintf( 'nav_menu[%d]', $placeholder_id ) ] ) ) { 1468 $placeholder_id--; 1469 } 1470 $nav_menu_term_id = $placeholder_id; 1471 $nav_menu_setting_id = sprintf( 'nav_menu[%d]', $placeholder_id ); 1472 } 1473 1474 $this->set_post_value( 1475 $nav_menu_setting_id, 1476 array( 1477 'name' => isset( $nav_menu['name'] ) ? $nav_menu['name'] : $nav_menu_location, 1478 ) 1479 ); 1480 $this->pending_starter_content_settings_ids[] = $nav_menu_setting_id; 1481 1482 // @todo Add support for menu_item_parent. 1483 $position = 0; 1484 foreach ( $nav_menu['items'] as $nav_menu_item ) { 1485 $nav_menu_item_setting_id = sprintf( 'nav_menu_item[%d]', $placeholder_id-- ); 1486 if ( ! isset( $nav_menu_item['position'] ) ) { 1487 $nav_menu_item['position'] = $position++; 1488 } 1489 $nav_menu_item['nav_menu_term_id'] = $nav_menu_term_id; 1490 1491 if ( isset( $nav_menu_item['object_id'] ) ) { 1492 if ( 'post_type' === $nav_menu_item['type'] && preg_match( '/^{{(?P<symbol>.+)}}$/', $nav_menu_item['object_id'], $matches ) && isset( $posts[ $matches['symbol'] ] ) ) { 1493 $nav_menu_item['object_id'] = $posts[ $matches['symbol'] ]['ID']; 1494 if ( empty( $nav_menu_item['title'] ) ) { 1495 $original_object = get_post( $nav_menu_item['object_id'] ); 1496 $nav_menu_item['title'] = $original_object->post_title; 1497 } 1498 } else { 1499 continue; 1500 } 1501 } else { 1502 $nav_menu_item['object_id'] = 0; 1503 } 1504 1505 if ( empty( $changeset_data[ $nav_menu_item_setting_id ] ) || ! empty( $changeset_data[ $nav_menu_item_setting_id ]['starter_content'] ) ) { 1506 $this->set_post_value( $nav_menu_item_setting_id, $nav_menu_item ); 1507 $this->pending_starter_content_settings_ids[] = $nav_menu_item_setting_id; 1508 } 1509 } 1510 1511 $setting_id = sprintf( 'nav_menu_locations[%s]', $nav_menu_location ); 1512 if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { 1513 $this->set_post_value( $setting_id, $nav_menu_term_id ); 1514 $this->pending_starter_content_settings_ids[] = $setting_id; 1515 } 1516 } 1517 1518 // Options. 1519 foreach ( $options as $name => $value ) { 1520 1521 // Serialize the value to check for post symbols. 1522 $value = maybe_serialize( $value ); 1523 1524 if ( is_serialized( $value ) ) { 1525 if ( preg_match( '/s:\d+:"{{(?P<symbol>.+)}}"/', $value, $matches ) ) { 1526 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1527 $symbol_match = $posts[ $matches['symbol'] ]['ID']; 1528 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1529 $symbol_match = $attachment_ids[ $matches['symbol'] ]; 1530 } 1531 1532 // If we have any symbol matches, update the values. 1533 if ( isset( $symbol_match ) ) { 1534 // Replace found string matches with post IDs. 1535 $value = str_replace( $matches[0], "i:{$symbol_match}", $value ); 1536 } else { 1537 continue; 1538 } 1539 } 1540 } elseif ( preg_match( '/^{{(?P<symbol>.+)}}$/', $value, $matches ) ) { 1541 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1542 $value = $posts[ $matches['symbol'] ]['ID']; 1543 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1544 $value = $attachment_ids[ $matches['symbol'] ]; 1545 } else { 1546 continue; 1547 } 1548 } 1549 1550 // Unserialize values after checking for post symbols, so they can be properly referenced. 1551 $value = maybe_unserialize( $value ); 1552 1553 if ( empty( $changeset_data[ $name ] ) || ! empty( $changeset_data[ $name ]['starter_content'] ) ) { 1554 $this->set_post_value( $name, $value ); 1555 $this->pending_starter_content_settings_ids[] = $name; 1556 } 1557 } 1558 1559 // Theme mods. 1560 foreach ( $theme_mods as $name => $value ) { 1561 1562 // Serialize the value to check for post symbols. 1563 $value = maybe_serialize( $value ); 1564 1565 // Check if value was serialized. 1566 if ( is_serialized( $value ) ) { 1567 if ( preg_match( '/s:\d+:"{{(?P<symbol>.+)}}"/', $value, $matches ) ) { 1568 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1569 $symbol_match = $posts[ $matches['symbol'] ]['ID']; 1570 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1571 $symbol_match = $attachment_ids[ $matches['symbol'] ]; 1572 } 1573 1574 // If we have any symbol matches, update the values. 1575 if ( isset( $symbol_match ) ) { 1576 // Replace found string matches with post IDs. 1577 $value = str_replace( $matches[0], "i:{$symbol_match}", $value ); 1578 } else { 1579 continue; 1580 } 1581 } 1582 } elseif ( preg_match( '/^{{(?P<symbol>.+)}}$/', $value, $matches ) ) { 1583 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1584 $value = $posts[ $matches['symbol'] ]['ID']; 1585 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1586 $value = $attachment_ids[ $matches['symbol'] ]; 1587 } else { 1588 continue; 1589 } 1590 } 1591 1592 // Unserialize values after checking for post symbols, so they can be properly referenced. 1593 $value = maybe_unserialize( $value ); 1594 1595 // Handle header image as special case since setting has a legacy format. 1596 if ( 'header_image' === $name ) { 1597 $name = 'header_image_data'; 1598 $metadata = wp_get_attachment_metadata( $value ); 1599 if ( empty( $metadata ) ) { 1600 continue; 1601 } 1602 $value = array( 1603 'attachment_id' => $value, 1604 'url' => wp_get_attachment_url( $value ), 1605 'height' => $metadata['height'], 1606 'width' => $metadata['width'], 1607 ); 1608 } elseif ( 'background_image' === $name ) { 1609 $value = wp_get_attachment_url( $value ); 1610 } 1611 1612 if ( empty( $changeset_data[ $name ] ) || ! empty( $changeset_data[ $name ]['starter_content'] ) ) { 1613 $this->set_post_value( $name, $value ); 1614 $this->pending_starter_content_settings_ids[] = $name; 1615 } 1616 } 1617 1618 if ( ! empty( $this->pending_starter_content_settings_ids ) ) { 1619 if ( did_action( 'customize_register' ) ) { 1620 $this->_save_starter_content_changeset(); 1621 } else { 1622 add_action( 'customize_register', array( $this, '_save_starter_content_changeset' ), 1000 ); 1623 } 1624 } 1625 } 1626 1627 /** 1628 * Prepare starter content attachments. 1629 * 1630 * Ensure that the attachments are valid and that they have slugs and file name/path. 1631 * 1632 * @since 4.7.0 1633 * 1634 * @param array $attachments Attachments. 1635 * @return array Prepared attachments. 1636 */ 1637 protected function prepare_starter_content_attachments( $attachments ) { 1638 $prepared_attachments = array(); 1639 if ( empty( $attachments ) ) { 1640 return $prepared_attachments; 1641 } 1642 1643 // Such is The WordPress Way. 1644 require_once ABSPATH . 'wp-admin/includes/file.php'; 1645 require_once ABSPATH . 'wp-admin/includes/media.php'; 1646 require_once ABSPATH . 'wp-admin/includes/image.php'; 1647 1648 foreach ( $attachments as $symbol => $attachment ) { 1649 1650 // A file is required and URLs to files are not currently allowed. 1651 if ( empty( $attachment['file'] ) || preg_match( '#^https?://$#', $attachment['file'] ) ) { 1652 continue; 1653 } 1654 1655 $file_path = null; 1656 if ( file_exists( $attachment['file'] ) ) { 1657 $file_path = $attachment['file']; // Could be absolute path to file in plugin. 1658 } elseif ( is_child_theme() && file_exists( get_stylesheet_directory() . '/' . $attachment['file'] ) ) { 1659 $file_path = get_stylesheet_directory() . '/' . $attachment['file']; 1660 } elseif ( file_exists( get_template_directory() . '/' . $attachment['file'] ) ) { 1661 $file_path = get_template_directory() . '/' . $attachment['file']; 1662 } else { 1663 continue; 1664 } 1665 $file_name = wp_basename( $attachment['file'] ); 1666 1667 // Skip file types that are not recognized. 1668 $checked_filetype = wp_check_filetype( $file_name ); 1669 if ( empty( $checked_filetype['type'] ) ) { 1670 continue; 1671 } 1672 1673 // Ensure post_name is set since not automatically derived from post_title for new auto-draft posts. 1674 if ( empty( $attachment['post_name'] ) ) { 1675 if ( ! empty( $attachment['post_title'] ) ) { 1676 $attachment['post_name'] = sanitize_title( $attachment['post_title'] ); 1677 } else { 1678 $attachment['post_name'] = sanitize_title( preg_replace( '/\.\w+$/', '', $file_name ) ); 1679 } 1680 } 1681 1682 $attachment['file_name'] = $file_name; 1683 $attachment['file_path'] = $file_path; 1684 $prepared_attachments[ $symbol ] = $attachment; 1685 } 1686 return $prepared_attachments; 1687 } 1688 1689 /** 1690 * Save starter content changeset. 1691 * 1692 * @since 4.7.0 1693 */ 1694 public function _save_starter_content_changeset() { 1695 1696 if ( empty( $this->pending_starter_content_settings_ids ) ) { 1697 return; 1698 } 1699 1700 $this->save_changeset_post( 1701 array( 1702 'data' => array_fill_keys( $this->pending_starter_content_settings_ids, array( 'starter_content' => true ) ), 1703 'starter_content' => true, 1704 ) 1705 ); 1706 $this->saved_starter_content_changeset = true; 1707 1708 $this->pending_starter_content_settings_ids = array(); 1709 } 1710 1711 /** 1712 * Get dirty pre-sanitized setting values in the current customized state. 1713 * 1714 * The returned array consists of a merge of three sources: 1715 * 1. If the theme is not currently active, then the base array is any stashed 1716 * theme mods that were modified previously but never published. 1717 * 2. The values from the current changeset, if it exists. 1718 * 3. If the user can customize, the values parsed from the incoming 1719 * `$_POST['customized']` JSON data. 1720 * 4. Any programmatically-set post values via `WP_Customize_Manager::set_post_value()`. 1721 * 1722 * The name "unsanitized_post_values" is a carry-over from when the customized 1723 * state was exclusively sourced from `$_POST['customized']`. Nevertheless, 1724 * the value returned will come from the current changeset post and from the 1725 * incoming post data. 1726 * 1727 * @since 4.1.1 1728 * @since 4.7.0 Added `$args` parameter and merging with changeset values and stashed theme mods. 1729 * 1730 * @param array $args { 1731 * Args. 1732 * 1733 * @type bool $exclude_changeset Whether the changeset values should also be excluded. Defaults to false. 1734 * @type bool $exclude_post_data Whether the post input values should also be excluded. Defaults to false when lacking the customize capability. 1735 * } 1736 * @return array 1737 */ 1738 public function unsanitized_post_values( $args = array() ) { 1739 $args = array_merge( 1740 array( 1741 'exclude_changeset' => false, 1742 'exclude_post_data' => ! current_user_can( 'customize' ), 1743 ), 1744 $args 1745 ); 1746 1747 $values = array(); 1748 1749 // Let default values be from the stashed theme mods if doing a theme switch and if no changeset is present. 1750 if ( ! $this->is_theme_active() ) { 1751 $stashed_theme_mods = get_option( 'customize_stashed_theme_mods' ); 1752 $stylesheet = $this->get_stylesheet(); 1753 if ( isset( $stashed_theme_mods[ $stylesheet ] ) ) { 1754 $values = array_merge( $values, wp_list_pluck( $stashed_theme_mods[ $stylesheet ], 'value' ) ); 1755 } 1756 } 1757 1758 if ( ! $args['exclude_changeset'] ) { 1759 foreach ( $this->changeset_data() as $setting_id => $setting_params ) { 1760 if ( ! array_key_exists( 'value', $setting_params ) ) { 1761 continue; 1762 } 1763 if ( isset( $setting_params['type'] ) && 'theme_mod' === $setting_params['type'] ) { 1764 1765 // Ensure that theme mods values are only used if they were saved under the current theme. 1766 $namespace_pattern = '/^(?P<stylesheet>.+?)::(?P<setting_id>.+)$/'; 1767 if ( preg_match( $namespace_pattern, $setting_id, $matches ) && $this->get_stylesheet() === $matches['stylesheet'] ) { 1768 $values[ $matches['setting_id'] ] = $setting_params['value']; 1769 } 1770 } else { 1771 $values[ $setting_id ] = $setting_params['value']; 1772 } 1773 } 1774 } 1775 1776 if ( ! $args['exclude_post_data'] ) { 1777 if ( ! isset( $this->_post_values ) ) { 1778 if ( isset( $_POST['customized'] ) ) { 1779 $post_values = json_decode( wp_unslash( $_POST['customized'] ), true ); 1780 } else { 1781 $post_values = array(); 1782 } 1783 if ( is_array( $post_values ) ) { 1784 $this->_post_values = $post_values; 1785 } else { 1786 $this->_post_values = array(); 1787 } 1788 } 1789 $values = array_merge( $values, $this->_post_values ); 1790 } 1791 return $values; 1792 } 1793 1794 /** 1795 * Returns the sanitized value for a given setting from the current customized state. 1796 * 1797 * The name "post_value" is a carry-over from when the customized state was exclusively 1798 * sourced from `$_POST['customized']`. Nevertheless, the value returned will come 1799 * from the current changeset post and from the incoming post data. 1800 * 1801 * @since 3.4.0 1802 * @since 4.1.1 Introduced the `$default` parameter. 1803 * @since 4.6.0 `$default` is now returned early when the setting post value is invalid. 1804 * 1805 * @see WP_REST_Server::dispatch() 1806 * @see WP_REST_Request::sanitize_params() 1807 * @see WP_REST_Request::has_valid_params() 1808 * 1809 * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object. 1810 * @param mixed $default Value returned $setting has no post value (added in 4.2.0) 1811 * or the post value is invalid (added in 4.6.0). 1812 * @return string|mixed $post_value Sanitized value or the $default provided. 1813 */ 1814 public function post_value( $setting, $default = null ) { 1815 $post_values = $this->unsanitized_post_values(); 1816 if ( ! array_key_exists( $setting->id, $post_values ) ) { 1817 return $default; 1818 } 1819 $value = $post_values[ $setting->id ]; 1820 $valid = $setting->validate( $value ); 1821 if ( is_wp_error( $valid ) ) { 1822 return $default; 1823 } 1824 $value = $setting->sanitize( $value ); 1825 if ( is_null( $value ) || is_wp_error( $value ) ) { 1826 return $default; 1827 } 1828 return $value; 1829 } 1830 1831 /** 1832 * Override a setting's value in the current customized state. 1833 * 1834 * The name "post_value" is a carry-over from when the customized state was 1835 * exclusively sourced from `$_POST['customized']`. 1836 * 1837 * @since 4.2.0 1838 * 1839 * @param string $setting_id ID for the WP_Customize_Setting instance. 1840 * @param mixed $value Post value. 1841 */ 1842 public function set_post_value( $setting_id, $value ) { 1843 $this->unsanitized_post_values(); // Populate _post_values from $_POST['customized']. 1844 $this->_post_values[ $setting_id ] = $value; 1845 1846 /** 1847 * Announce when a specific setting's unsanitized post value has been set. 1848 * 1849 * Fires when the WP_Customize_Manager::set_post_value() method is called. 1850 * 1851 * The dynamic portion of the hook name, `$setting_id`, refers to the setting ID. 1852 * 1853 * @since 4.4.0 1854 * 1855 * @param mixed $value Unsanitized setting post value. 1856 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 1857 */ 1858 do_action( "customize_post_value_set_{$setting_id}", $value, $this ); 1859 1860 /** 1861 * Announce when any setting's unsanitized post value has been set. 1862 * 1863 * Fires when the WP_Customize_Manager::set_post_value() method is called. 1864 * 1865 * This is useful for `WP_Customize_Setting` instances to watch 1866 * in order to update a cached previewed value. 1867 * 1868 * @since 4.4.0 1869 * 1870 * @param string $setting_id Setting ID. 1871 * @param mixed $value Unsanitized setting post value. 1872 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 1873 */ 1874 do_action( 'customize_post_value_set', $setting_id, $value, $this ); 1875 } 1876 1877 /** 1878 * Print JavaScript settings. 1879 * 1880 * @since 3.4.0 1881 */ 1882 public function customize_preview_init() { 1883 1884 /* 1885 * Now that Customizer previews are loaded into iframes via GET requests 1886 * and natural URLs with transaction UUIDs added, we need to ensure that 1887 * the responses are never cached by proxies. In practice, this will not 1888 * be needed if the user is logged-in anyway. But if anonymous access is 1889 * allowed then the auth cookies would not be sent and WordPress would 1890 * not send no-cache headers by default. 1891 */ 1892 if ( ! headers_sent() ) { 1893 nocache_headers(); 1894 header( 'X-Robots: noindex, nofollow, noarchive' ); 1895 } 1896 add_action( 'wp_head', 'wp_no_robots' ); 1897 add_filter( 'wp_headers', array( $this, 'filter_iframe_security_headers' ) ); 1898 1899 /* 1900 * If preview is being served inside the customizer preview iframe, and 1901 * if the user doesn't have customize capability, then it is assumed 1902 * that the user's session has expired and they need to re-authenticate. 1903 */ 1904 if ( $this->messenger_channel && ! current_user_can( 'customize' ) ) { 1905 $this->wp_die( -1, __( 'Unauthorized. You may remove the customize_messenger_channel param to preview as frontend.' ) ); 1906 return; 1907 } 1908 1909 $this->prepare_controls(); 1910 1911 add_filter( 'wp_redirect', array( $this, 'add_state_query_params' ) ); 1912 1913 wp_enqueue_script( 'customize-preview' ); 1914 wp_enqueue_style( 'customize-preview' ); 1915 add_action( 'wp_head', array( $this, 'customize_preview_loading_style' ) ); 1916 add_action( 'wp_head', array( $this, 'remove_frameless_preview_messenger_channel' ) ); 1917 add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 ); 1918 add_filter( 'get_edit_post_link', '__return_empty_string' ); 1919 1920 /** 1921 * Fires once the Customizer preview has initialized and JavaScript 1922 * settings have been printed. 1923 * 1924 * @since 3.4.0 1925 * 1926 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 1927 */ 1928 do_action( 'customize_preview_init', $this ); 1929 } 1930 1931 /** 1932 * Filter the X-Frame-Options and Content-Security-Policy headers to ensure frontend can load in customizer. 1933 * 1934 * @since 4.7.0 1935 * 1936 * @param array $headers Headers. 1937 * @return array Headers. 1938 */ 1939 public function filter_iframe_security_headers( $headers ) { 1940 $headers['X-Frame-Options'] = 'SAMEORIGIN'; 1941 $headers['Content-Security-Policy'] = "frame-ancestors 'self'"; 1942 return $headers; 1943 } 1944 1945 /** 1946 * Add customize state query params to a given URL if preview is allowed. 1947 * 1948 * @since 4.7.0 1949 * @see wp_redirect() 1950 * @see WP_Customize_Manager::get_allowed_url() 1951 * 1952 * @param string $url URL. 1953 * @return string URL. 1954 */ 1955 public function add_state_query_params( $url ) { 1956 $parsed_original_url = wp_parse_url( $url ); 1957 $is_allowed = false; 1958 foreach ( $this->get_allowed_urls() as $allowed_url ) { 1959 $parsed_allowed_url = wp_parse_url( $allowed_url ); 1960 $is_allowed = ( 1961 $parsed_allowed_url['scheme'] === $parsed_original_url['scheme'] 1962 && 1963 $parsed_allowed_url['host'] === $parsed_original_url['host'] 1964 && 1965 0 === strpos( $parsed_original_url['path'], $parsed_allowed_url['path'] ) 1966 ); 1967 if ( $is_allowed ) { 1968 break; 1969 } 1970 } 1971 1972 if ( $is_allowed ) { 1973 $query_params = array( 1974 'customize_changeset_uuid' => $this->changeset_uuid(), 1975 ); 1976 if ( ! $this->is_theme_active() ) { 1977 $query_params['customize_theme'] = $this->get_stylesheet(); 1978 } 1979 if ( $this->messenger_channel ) { 1980 $query_params['customize_messenger_channel'] = $this->messenger_channel; 1981 } 1982 $url = add_query_arg( $query_params, $url ); 1983 } 1984 1985 return $url; 1986 } 1987 1988 /** 1989 * Prevent sending a 404 status when returning the response for the customize 1990 * preview, since it causes the jQuery Ajax to fail. Send 200 instead. 1991 * 1992 * @since 4.0.0 1993 * @deprecated 4.7.0 1994 */ 1995 public function customize_preview_override_404_status() { 1996 _deprecated_function( __METHOD__, '4.7.0' ); 1997 } 1998 1999 /** 2000 * Print base element for preview frame. 2001 * 2002 * @since 3.4.0 2003 * @deprecated 4.7.0 2004 */ 2005 public function customize_preview_base() { 2006 _deprecated_function( __METHOD__, '4.7.0' ); 2007 } 2008 2009 /** 2010 * Print a workaround to handle HTML5 tags in IE < 9. 2011 * 2012 * @since 3.4.0 2013 * @deprecated 4.7.0 Customizer no longer supports IE8, so all supported browsers recognize HTML5. 2014 */ 2015 public function customize_preview_html5() { 2016 _deprecated_function( __FUNCTION__, '4.7.0' ); 2017 } 2018 2019 /** 2020 * Print CSS for loading indicators for the Customizer preview. 2021 * 2022 * @since 4.2.0 2023 */ 2024 public function customize_preview_loading_style() { 2025 ?> 2026 <style> 2027 body.wp-customizer-unloading { 2028 opacity: 0.25; 2029 cursor: progress !important; 2030 -webkit-transition: opacity 0.5s; 2031 transition: opacity 0.5s; 2032 } 2033 body.wp-customizer-unloading * { 2034 pointer-events: none !important; 2035 } 2036 form.customize-unpreviewable, 2037 form.customize-unpreviewable input, 2038 form.customize-unpreviewable select, 2039 form.customize-unpreviewable button, 2040 a.customize-unpreviewable, 2041 area.customize-unpreviewable { 2042 cursor: not-allowed !important; 2043 } 2044 </style> 2045 <?php 2046 } 2047 2048 /** 2049 * Remove customize_messenger_channel query parameter from the preview window when it is not in an iframe. 2050 * 2051 * This ensures that the admin bar will be shown. It also ensures that link navigation will 2052 * work as expected since the parent frame is not being sent the URL to navigate to. 2053 * 2054 * @since 4.7.0 2055 */ 2056 public function remove_frameless_preview_messenger_channel() { 2057 if ( ! $this->messenger_channel ) { 2058 return; 2059 } 2060 ?> 2061 <script> 2062 ( function() { 2063 var urlParser, oldQueryParams, newQueryParams, i; 2064 if ( parent !== window ) { 2065 return; 2066 } 2067 urlParser = document.createElement( 'a' ); 2068 urlParser.href = location.href; 2069 oldQueryParams = urlParser.search.substr( 1 ).split( /&/ ); 2070 newQueryParams = []; 2071 for ( i = 0; i < oldQueryParams.length; i += 1 ) { 2072 if ( ! /^customize_messenger_channel=/.test( oldQueryParams[ i ] ) ) { 2073 newQueryParams.push( oldQueryParams[ i ] ); 2074 } 2075 } 2076 urlParser.search = newQueryParams.join( '&' ); 2077 if ( urlParser.search !== location.search ) { 2078 location.replace( urlParser.href ); 2079 } 2080 } )(); 2081 </script> 2082 <?php 2083 } 2084 2085 /** 2086 * Print JavaScript settings for preview frame. 2087 * 2088 * @since 3.4.0 2089 */ 2090 public function customize_preview_settings() { 2091 $post_values = $this->unsanitized_post_values( array( 'exclude_changeset' => true ) ); 2092 $setting_validities = $this->validate_setting_values( $post_values ); 2093 $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities ); 2094 2095 // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations. 2096 $self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ); 2097 $state_query_params = array( 2098 'customize_theme', 2099 'customize_changeset_uuid', 2100 'customize_messenger_channel', 2101 ); 2102 $self_url = remove_query_arg( $state_query_params, $self_url ); 2103 2104 $allowed_urls = $this->get_allowed_urls(); 2105 $allowed_hosts = array(); 2106 foreach ( $allowed_urls as $allowed_url ) { 2107 $parsed = wp_parse_url( $allowed_url ); 2108 if ( empty( $parsed['host'] ) ) { 2109 continue; 2110 } 2111 $host = $parsed['host']; 2112 if ( ! empty( $parsed['port'] ) ) { 2113 $host .= ':' . $parsed['port']; 2114 } 2115 $allowed_hosts[] = $host; 2116 } 2117 2118 $switched_locale = switch_to_locale( get_user_locale() ); 2119 $l10n = array( 2120 'shiftClickToEdit' => __( 'Shift-click to edit this element.' ), 2121 'linkUnpreviewable' => __( 'This link is not live-previewable.' ), 2122 'formUnpreviewable' => __( 'This form is not live-previewable.' ), 2123 ); 2124 if ( $switched_locale ) { 2125 restore_previous_locale(); 2126 } 2127 2128 $settings = array( 2129 'changeset' => array( 2130 'uuid' => $this->changeset_uuid(), 2131 'autosaved' => $this->autosaved(), 2132 ), 2133 'timeouts' => array( 2134 'selectiveRefresh' => 250, 2135 'keepAliveSend' => 1000, 2136 ), 2137 'theme' => array( 2138 'stylesheet' => $this->get_stylesheet(), 2139 'active' => $this->is_theme_active(), 2140 ), 2141 'url' => array( 2142 'self' => $self_url, 2143 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), 2144 'allowedHosts' => array_unique( $allowed_hosts ), 2145 'isCrossDomain' => $this->is_cross_domain(), 2146 ), 2147 'channel' => $this->messenger_channel, 2148 'activePanels' => array(), 2149 'activeSections' => array(), 2150 'activeControls' => array(), 2151 'settingValidities' => $exported_setting_validities, 2152 'nonce' => current_user_can( 'customize' ) ? $this->get_nonces() : array(), 2153 'l10n' => $l10n, 2154 '_dirty' => array_keys( $post_values ), 2155 ); 2156 2157 foreach ( $this->panels as $panel_id => $panel ) { 2158 if ( $panel->check_capabilities() ) { 2159 $settings['activePanels'][ $panel_id ] = $panel->active(); 2160 foreach ( $panel->sections as $section_id => $section ) { 2161 if ( $section->check_capabilities() ) { 2162 $settings['activeSections'][ $section_id ] = $section->active(); 2163 } 2164 } 2165 } 2166 } 2167 foreach ( $this->sections as $id => $section ) { 2168 if ( $section->check_capabilities() ) { 2169 $settings['activeSections'][ $id ] = $section->active(); 2170 } 2171 } 2172 foreach ( $this->controls as $id => $control ) { 2173 if ( $control->check_capabilities() ) { 2174 $settings['activeControls'][ $id ] = $control->active(); 2175 } 2176 } 2177 2178 ?> 2179 <script type="text/javascript"> 2180 var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>; 2181 _wpCustomizeSettings.values = {}; 2182 (function( v ) { 2183 <?php 2184 /* 2185 * Serialize settings separately from the initial _wpCustomizeSettings 2186 * serialization in order to avoid a peak memory usage spike. 2187 * @todo We may not even need to export the values at all since the pane syncs them anyway. 2188 */ 2189 foreach ( $this->settings as $id => $setting ) { 2190 if ( $setting->check_capabilities() ) { 2191 printf( 2192 "v[%s] = %s;\n", 2193 wp_json_encode( $id ), 2194 wp_json_encode( $setting->js_value() ) 2195 ); 2196 } 2197 } 2198 ?> 2199 })( _wpCustomizeSettings.values ); 2200 </script> 2201 <?php 2202 } 2203 2204 /** 2205 * Prints a signature so we can ensure the Customizer was properly executed. 2206 * 2207 * @since 3.4.0 2208 * @deprecated 4.7.0 2209 */ 2210 public function customize_preview_signature() { 2211 _deprecated_function( __METHOD__, '4.7.0' ); 2212 } 2213 2214 /** 2215 * Removes the signature in case we experience a case where the Customizer was not properly executed. 2216 * 2217 * @since 3.4.0 2218 * @deprecated 4.7.0 2219 * 2220 * @param mixed $return Value passed through for {@see 'wp_die_handler'} filter. 2221 * @return mixed Value passed through for {@see 'wp_die_handler'} filter. 2222 */ 2223 public function remove_preview_signature( $return = null ) { 2224 _deprecated_function( __METHOD__, '4.7.0' ); 2225 2226 return $return; 2227 } 2228 2229 /** 2230 * Is it a theme preview? 2231 * 2232 * @since 3.4.0 2233 * 2234 * @return bool True if it's a preview, false if not. 2235 */ 2236 public function is_preview() { 2237 return (bool) $this->previewing; 2238 } 2239 2240 /** 2241 * Retrieve the template name of the previewed theme. 2242 * 2243 * @since 3.4.0 2244 * 2245 * @return string Template name. 2246 */ 2247 public function get_template() { 2248 return $this->theme()->get_template(); 2249 } 2250 2251 /** 2252 * Retrieve the stylesheet name of the previewed theme. 2253 * 2254 * @since 3.4.0 2255 * 2256 * @return string Stylesheet name. 2257 */ 2258 public function get_stylesheet() { 2259 return $this->theme()->get_stylesheet(); 2260 } 2261 2262 /** 2263 * Retrieve the template root of the previewed theme. 2264 * 2265 * @since 3.4.0 2266 * 2267 * @return string Theme root. 2268 */ 2269 public function get_template_root() { 2270 return get_raw_theme_root( $this->get_template(), true ); 2271 } 2272 2273 /** 2274 * Retrieve the stylesheet root of the previewed theme. 2275 * 2276 * @since 3.4.0 2277 * 2278 * @return string Theme root. 2279 */ 2280 public function get_stylesheet_root() { 2281 return get_raw_theme_root( $this->get_stylesheet(), true ); 2282 } 2283 2284 /** 2285 * Filters the current theme and return the name of the previewed theme. 2286 * 2287 * @since 3.4.0 2288 * 2289 * @param $current_theme {@internal Parameter is not used} 2290 * @return string Theme name. 2291 */ 2292 public function current_theme( $current_theme ) { 2293 return $this->theme()->display( 'Name' ); 2294 } 2295 2296 /** 2297 * Validates setting values. 2298 * 2299 * Validation is skipped for unregistered settings or for values that are 2300 * already null since they will be skipped anyway. Sanitization is applied 2301 * to values that pass validation, and values that become null or `WP_Error` 2302 * after sanitizing are marked invalid. 2303 * 2304 * @since 4.6.0 2305 * 2306 * @see WP_REST_Request::has_valid_params() 2307 * @see WP_Customize_Setting::validate() 2308 * 2309 * @param array $setting_values Mapping of setting IDs to values to validate and sanitize. 2310 * @param array $options { 2311 * Options. 2312 * 2313 * @type bool $validate_existence Whether a setting's existence will be checked. 2314 * @type bool $validate_capability Whether the setting capability will be checked. 2315 * } 2316 * @return array Mapping of setting IDs to return value of validate method calls, either `true` or `WP_Error`. 2317 */ 2318 public function validate_setting_values( $setting_values, $options = array() ) { 2319 $options = wp_parse_args( 2320 $options, 2321 array( 2322 'validate_capability' => false, 2323 'validate_existence' => false, 2324 ) 2325 ); 2326 2327 $validities = array(); 2328 foreach ( $setting_values as $setting_id => $unsanitized_value ) { 2329 $setting = $this->get_setting( $setting_id ); 2330 if ( ! $setting ) { 2331 if ( $options['validate_existence'] ) { 2332 $validities[ $setting_id ] = new WP_Error( 'unrecognized', __( 'Setting does not exist or is unrecognized.' ) ); 2333 } 2334 continue; 2335 } 2336 if ( $options['validate_capability'] && ! current_user_can( $setting->capability ) ) { 2337 $validity = new WP_Error( 'unauthorized', __( 'Unauthorized to modify setting due to capability.' ) ); 2338 } else { 2339 if ( is_null( $unsanitized_value ) ) { 2340 continue; 2341 } 2342 $validity = $setting->validate( $unsanitized_value ); 2343 } 2344 if ( ! is_wp_error( $validity ) ) { 2345 /** This filter is documented in wp-includes/class-wp-customize-setting.php */ 2346 $late_validity = apply_filters( "customize_validate_{$setting->id}", new WP_Error(), $unsanitized_value, $setting ); 2347 if ( is_wp_error( $late_validity ) && $late_validity->has_errors() ) { 2348 $validity = $late_validity; 2349 } 2350 } 2351 if ( ! is_wp_error( $validity ) ) { 2352 $value = $setting->sanitize( $unsanitized_value ); 2353 if ( is_null( $value ) ) { 2354 $validity = false; 2355 } elseif ( is_wp_error( $value ) ) { 2356 $validity = $value; 2357 } 2358 } 2359 if ( false === $validity ) { 2360 $validity = new WP_Error( 'invalid_value', __( 'Invalid value.' ) ); 2361 } 2362 $validities[ $setting_id ] = $validity; 2363 } 2364 return $validities; 2365 } 2366 2367 /** 2368 * Prepares setting validity for exporting to the client (JS). 2369 * 2370 * Converts `WP_Error` instance into array suitable for passing into the 2371 * `wp.customize.Notification` JS model. 2372 * 2373 * @since 4.6.0 2374 * 2375 * @param true|WP_Error $validity Setting validity. 2376 * @return true|array If `$validity` was a WP_Error, the error codes will be array-mapped 2377 * to their respective `message` and `data` to pass into the 2378 * `wp.customize.Notification` JS model. 2379 */ 2380 public function prepare_setting_validity_for_js( $validity ) { 2381 if ( is_wp_error( $validity ) ) { 2382 $notification = array(); 2383 foreach ( $validity->errors as $error_code => $error_messages ) { 2384 $notification[ $error_code ] = array( 2385 'message' => join( ' ', $error_messages ), 2386 'data' => $validity->get_error_data( $error_code ), 2387 ); 2388 } 2389 return $notification; 2390 } else { 2391 return true; 2392 } 2393 } 2394 2395 /** 2396 * Handle customize_save WP Ajax request to save/update a changeset. 2397 * 2398 * @since 3.4.0 2399 * @since 4.7.0 The semantics of this method have changed to update a changeset, optionally to also change the status and other attributes. 2400 */ 2401 public function save() { 2402 if ( ! is_user_logged_in() ) { 2403 wp_send_json_error( 'unauthenticated' ); 2404 } 2405 2406 if ( ! $this->is_preview() ) { 2407 wp_send_json_error( 'not_preview' ); 2408 } 2409 2410 $action = 'save-customize_' . $this->get_stylesheet(); 2411 if ( ! check_ajax_referer( $action, 'nonce', false ) ) { 2412 wp_send_json_error( 'invalid_nonce' ); 2413 } 2414 2415 $changeset_post_id = $this->changeset_post_id(); 2416 $is_new_changeset = empty( $changeset_post_id ); 2417 if ( $is_new_changeset ) { 2418 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->create_posts ) ) { 2419 wp_send_json_error( 'cannot_create_changeset_post' ); 2420 } 2421 } else { 2422 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) ) { 2423 wp_send_json_error( 'cannot_edit_changeset_post' ); 2424 } 2425 } 2426 2427 if ( ! empty( $_POST['customize_changeset_data'] ) ) { 2428 $input_changeset_data = json_decode( wp_unslash( $_POST['customize_changeset_data'] ), true ); 2429 if ( ! is_array( $input_changeset_data ) ) { 2430 wp_send_json_error( 'invalid_customize_changeset_data' ); 2431 } 2432 } else { 2433 $input_changeset_data = array(); 2434 } 2435 2436 // Validate title. 2437 $changeset_title = null; 2438 if ( isset( $_POST['customize_changeset_title'] ) ) { 2439 $changeset_title = sanitize_text_field( wp_unslash( $_POST['customize_changeset_title'] ) ); 2440 } 2441 2442 // Validate changeset status param. 2443 $is_publish = null; 2444 $changeset_status = null; 2445 if ( isset( $_POST['customize_changeset_status'] ) ) { 2446 $changeset_status = wp_unslash( $_POST['customize_changeset_status'] ); 2447 if ( ! get_post_status_object( $changeset_status ) || ! in_array( $changeset_status, array( 'draft', 'pending', 'publish', 'future' ), true ) ) { 2448 wp_send_json_error( 'bad_customize_changeset_status', 400 ); 2449 } 2450 $is_publish = ( 'publish' === $changeset_status || 'future' === $changeset_status ); 2451 if ( $is_publish && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts ) ) { 2452 wp_send_json_error( 'changeset_publish_unauthorized', 403 ); 2453 } 2454 } 2455 2456 /* 2457 * Validate changeset date param. Date is assumed to be in local time for 2458 * the WP if in MySQL format (YYYY-MM-DD HH:MM:SS). Otherwise, the date 2459 * is parsed with strtotime() so that ISO date format may be supplied 2460 * or a string like "+10 minutes". 2461 */ 2462 $changeset_date_gmt = null; 2463 if ( isset( $_POST['customize_changeset_date'] ) ) { 2464 $changeset_date = wp_unslash( $_POST['customize_changeset_date'] ); 2465 if ( preg_match( '/^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d$/', $changeset_date ) ) { 2466 $mm = substr( $changeset_date, 5, 2 ); 2467 $jj = substr( $changeset_date, 8, 2 ); 2468 $aa = substr( $changeset_date, 0, 4 ); 2469 $valid_date = wp_checkdate( $mm, $jj, $aa, $changeset_date ); 2470 if ( ! $valid_date ) { 2471 wp_send_json_error( 'bad_customize_changeset_date', 400 ); 2472 } 2473 $changeset_date_gmt = get_gmt_from_date( $changeset_date ); 2474 } else { 2475 $timestamp = strtotime( $changeset_date ); 2476 if ( ! $timestamp ) { 2477 wp_send_json_error( 'bad_customize_changeset_date', 400 ); 2478 } 2479 $changeset_date_gmt = gmdate( 'Y-m-d H:i:s', $timestamp ); 2480 } 2481 } 2482 2483 $lock_user_id = null; 2484 $autosave = ! empty( $_POST['customize_changeset_autosave'] ); 2485 if ( ! $is_new_changeset ) { 2486 $lock_user_id = wp_check_post_lock( $this->changeset_post_id() ); 2487 } 2488 2489 // Force request to autosave when changeset is locked. 2490 if ( $lock_user_id && ! $autosave ) { 2491 $autosave = true; 2492 $changeset_status = null; 2493 $changeset_date_gmt = null; 2494 } 2495 2496 if ( $autosave && ! defined( 'DOING_AUTOSAVE' ) ) { // Back-compat. 2497 define( 'DOING_AUTOSAVE', true ); 2498 } 2499 2500 $autosaved = false; 2501 $r = $this->save_changeset_post( 2502 array( 2503 'status' => $changeset_status, 2504 'title' => $changeset_title, 2505 'date_gmt' => $changeset_date_gmt, 2506 'data' => $input_changeset_data, 2507 'autosave' => $autosave, 2508 ) 2509 ); 2510 if ( $autosave && ! is_wp_error( $r ) ) { 2511 $autosaved = true; 2512 } 2513 2514 // If the changeset was locked and an autosave request wasn't itself an error, then now explicitly return with a failure. 2515 if ( $lock_user_id && ! is_wp_error( $r ) ) { 2516 $r = new WP_Error( 2517 'changeset_locked', 2518 __( 'Changeset is being edited by other user.' ), 2519 array( 2520 'lock_user' => $this->get_lock_user_data( $lock_user_id ), 2521 ) 2522 ); 2523 } 2524 2525 if ( is_wp_error( $r ) ) { 2526 $response = array( 2527 'message' => $r->get_error_message(), 2528 'code' => $r->get_error_code(), 2529 ); 2530 if ( is_array( $r->get_error_data() ) ) { 2531 $response = array_merge( $response, $r->get_error_data() ); 2532 } else { 2533 $response['data'] = $r->get_error_data(); 2534 } 2535 } else { 2536 $response = $r; 2537 $changeset_post = get_post( $this->changeset_post_id() ); 2538 2539 // Dismiss all other auto-draft changeset posts for this user (they serve like autosave revisions), as there should only be one. 2540 if ( $is_new_changeset ) { 2541 $this->dismiss_user_auto_draft_changesets(); 2542 } 2543 2544 // Note that if the changeset status was publish, then it will get set to Trash if revisions are not supported. 2545 $response['changeset_status'] = $changeset_post->post_status; 2546 if ( $is_publish && 'trash' === $response['changeset_status'] ) { 2547 $response['changeset_status'] = 'publish'; 2548 } 2549 2550 if ( 'publish' !== $response['changeset_status'] ) { 2551 $this->set_changeset_lock( $changeset_post->ID ); 2552 } 2553 2554 if ( 'future' === $response['changeset_status'] ) { 2555 $response['changeset_date'] = $changeset_post->post_date; 2556 } 2557 2558 if ( 'publish' === $response['changeset_status'] || 'trash' === $response['changeset_status'] ) { 2559 $response['next_changeset_uuid'] = wp_generate_uuid4(); 2560 } 2561 } 2562 2563 if ( $autosave ) { 2564 $response['autosaved'] = $autosaved; 2565 } 2566 2567 if ( isset( $response['setting_validities'] ) ) { 2568 $response['setting_validities'] = array_map( array( $this, 'prepare_setting_validity_for_js' ), $response['setting_validities'] ); 2569 } 2570 2571 /** 2572 * Filters response data for a successful customize_save Ajax request. 2573 * 2574 * This filter does not apply if there was a nonce or authentication failure. 2575 * 2576 * @since 4.2.0 2577 * 2578 * @param array $response Additional information passed back to the 'saved' 2579 * event on `wp.customize`. 2580 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 2581 */ 2582 $response = apply_filters( 'customize_save_response', $response, $this ); 2583 2584 if ( is_wp_error( $r ) ) { 2585 wp_send_json_error( $response ); 2586 } else { 2587 wp_send_json_success( $response ); 2588 } 2589 } 2590 2591 /** 2592 * Save the post for the loaded changeset. 2593 * 2594 * @since 4.7.0 2595 * 2596 * @param array $args { 2597 * Args for changeset post. 2598 * 2599 * @type array $data Optional additional changeset data. Values will be merged on top of any existing post values. 2600 * @type string $status Post status. Optional. If supplied, the save will be transactional and a post revision will be allowed. 2601 * @type string $title Post title. Optional. 2602 * @type string $date_gmt Date in GMT. Optional. 2603 * @type int $user_id ID for user who is saving the changeset. Optional, defaults to the current user ID. 2604 * @type bool $starter_content Whether the data is starter content. If false (default), then $starter_content will be cleared for any $data being saved. 2605 * @type bool $autosave Whether this is a request to create an autosave revision. 2606 * } 2607 * 2608 * @return array|WP_Error Returns array on success and WP_Error with array data on error. 2609 */ 2610 function save_changeset_post( $args = array() ) { 2611 2612 $args = array_merge( 2613 array( 2614 'status' => null, 2615 'title' => null, 2616 'data' => array(), 2617 'date_gmt' => null, 2618 'user_id' => get_current_user_id(), 2619 'starter_content' => false, 2620 'autosave' => false, 2621 ), 2622 $args 2623 ); 2624 2625 $changeset_post_id = $this->changeset_post_id(); 2626 $existing_changeset_data = array(); 2627 if ( $changeset_post_id ) { 2628 $existing_status = get_post_status( $changeset_post_id ); 2629 if ( 'publish' === $existing_status || 'trash' === $existing_status ) { 2630 return new WP_Error( 2631 'changeset_already_published', 2632 __( 'The previous set of changes has already been published. Please try saving your current set of changes again.' ), 2633 array( 2634 'next_changeset_uuid' => wp_generate_uuid4(), 2635 ) 2636 ); 2637 } 2638 2639 $existing_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); 2640 if ( is_wp_error( $existing_changeset_data ) ) { 2641 return $existing_changeset_data; 2642 } 2643 } 2644 2645 // Fail if attempting to publish but publish hook is missing. 2646 if ( 'publish' === $args['status'] && false === has_action( 'transition_post_status', '_wp_customize_publish_changeset' ) ) { 2647 return new WP_Error( 'missing_publish_callback' ); 2648 } 2649 2650 // Validate date. 2651 $now = gmdate( 'Y-m-d H:i:59' ); 2652 if ( $args['date_gmt'] ) { 2653 $is_future_dated = ( mysql2date( 'U', $args['date_gmt'], false ) > mysql2date( 'U', $now, false ) ); 2654 if ( ! $is_future_dated ) { 2655 return new WP_Error( 'not_future_date', __( 'You must supply a future date to schedule.' ) ); // Only future dates are allowed. 2656 } 2657 2658 if ( ! $this->is_theme_active() && ( 'future' === $args['status'] || $is_future_dated ) ) { 2659 return new WP_Error( 'cannot_schedule_theme_switches' ); // This should be allowed in the future, when theme is a regular setting. 2660 } 2661 $will_remain_auto_draft = ( ! $args['status'] && ( ! $changeset_post_id || 'auto-draft' === get_post_status( $changeset_post_id ) ) ); 2662 if ( $will_remain_auto_draft ) { 2663 return new WP_Error( 'cannot_supply_date_for_auto_draft_changeset' ); 2664 } 2665 } elseif ( $changeset_post_id && 'future' === $args['status'] ) { 2666 2667 // Fail if the new status is future but the existing post's date is not in the future. 2668 $changeset_post = get_post( $changeset_post_id ); 2669 if ( mysql2date( 'U', $changeset_post->post_date_gmt, false ) <= mysql2date( 'U', $now, false ) ) { 2670 return new WP_Error( 'not_future_date', __( 'You must supply a future date to schedule.' ) ); 2671 } 2672 } 2673 2674 if ( ! empty( $is_future_dated ) && 'publish' === $args['status'] ) { 2675 $args['status'] = 'future'; 2676 } 2677 2678 // Validate autosave param. See _wp_post_revision_fields() for why these fields are disallowed. 2679 if ( $args['autosave'] ) { 2680 if ( $args['date_gmt'] ) { 2681 return new WP_Error( 'illegal_autosave_with_date_gmt' ); 2682 } elseif ( $args['status'] ) { 2683 return new WP_Error( 'illegal_autosave_with_status' ); 2684 } elseif ( $args['user_id'] && get_current_user_id() !== $args['user_id'] ) { 2685 return new WP_Error( 'illegal_autosave_with_non_current_user' ); 2686 } 2687 } 2688 2689 // The request was made via wp.customize.previewer.save(). 2690 $update_transactionally = (bool) $args['status']; 2691 $allow_revision = (bool) $args['status']; 2692 2693 // Amend post values with any supplied data. 2694 foreach ( $args['data'] as $setting_id => $setting_params ) { 2695 if ( is_array( $setting_params ) && array_key_exists( 'value', $setting_params ) ) { 2696 $this->set_post_value( $setting_id, $setting_params['value'] ); // Add to post values so that they can be validated and sanitized. 2697 } 2698 } 2699 2700 // Note that in addition to post data, this will include any stashed theme mods. 2701 $post_values = $this->unsanitized_post_values( 2702 array( 2703 'exclude_changeset' => true, 2704 'exclude_post_data' => false, 2705 ) 2706 ); 2707 $this->add_dynamic_settings( array_keys( $post_values ) ); // Ensure settings get created even if they lack an input value. 2708 2709 /* 2710 * Get list of IDs for settings that have values different from what is currently 2711 * saved in the changeset. By skipping any values that are already the same, the 2712 * subset of changed settings can be passed into validate_setting_values to prevent 2713 * an underprivileged modifying a single setting for which they have the capability 2714 * from being blocked from saving. This also prevents a user from touching of the 2715 * previous saved settings and overriding the associated user_id if they made no change. 2716 */ 2717 $changed_setting_ids = array(); 2718 foreach ( $post_values as $setting_id => $setting_value ) { 2719 $setting = $this->get_setting( $setting_id ); 2720 2721 if ( $setting && 'theme_mod' === $setting->type ) { 2722 $prefixed_setting_id = $this->get_stylesheet() . '::' . $setting->id; 2723 } else { 2724 $prefixed_setting_id = $setting_id; 2725 } 2726 2727 $is_value_changed = ( 2728 ! isset( $existing_changeset_data[ $prefixed_setting_id ] ) 2729 || 2730 ! array_key_exists( 'value', $existing_changeset_data[ $prefixed_setting_id ] ) 2731 || 2732 $existing_changeset_data[ $prefixed_setting_id ]['value'] !== $setting_value 2733 ); 2734 if ( $is_value_changed ) { 2735 $changed_setting_ids[] = $setting_id; 2736 } 2737 } 2738 2739 /** 2740 * Fires before save validation happens. 2741 * 2742 * Plugins can add just-in-time {@see 'customize_validate_{$this->ID}'} filters 2743 * at this point to catch any settings registered after `customize_register`. 2744 * The dynamic portion of the hook name, `$this->ID` refers to the setting ID. 2745 * 2746 * @since 4.6.0 2747 * 2748 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 2749 */ 2750 do_action( 'customize_save_validation_before', $this ); 2751 2752 // Validate settings. 2753 $validated_values = array_merge( 2754 array_fill_keys( array_keys( $args['data'] ), null ), // Make sure existence/capability checks are done on value-less setting updates. 2755 $post_values 2756 ); 2757 $setting_validities = $this->validate_setting_values( 2758 $validated_values, 2759 array( 2760 'validate_capability' => true, 2761 'validate_existence' => true, 2762 ) 2763 ); 2764 $invalid_setting_count = count( array_filter( $setting_validities, 'is_wp_error' ) ); 2765 2766 /* 2767 * Short-circuit if there are invalid settings the update is transactional. 2768 * A changeset update is transactional when a status is supplied in the request. 2769 */ 2770 if ( $update_transactionally && $invalid_setting_count > 0 ) { 2771 $response = array( 2772 'setting_validities' => $setting_validities, 2773 /* translators: %s: Number of invalid settings. */ 2774 'message' => sprintf( _n( 'Unable to save due to %s invalid setting.', 'Unable to save due to %s invalid settings.', $invalid_setting_count ), number_format_i18n( $invalid_setting_count ) ), 2775 ); 2776 return new WP_Error( 'transaction_fail', '', $response ); 2777 } 2778 2779 // Obtain/merge data for changeset. 2780 $original_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); 2781 $data = $original_changeset_data; 2782 if ( is_wp_error( $data ) ) { 2783 $data = array(); 2784 } 2785 2786 // Ensure that all post values are included in the changeset data. 2787 foreach ( $post_values as $setting_id => $post_value ) { 2788 if ( ! isset( $args['data'][ $setting_id ] ) ) { 2789 $args['data'][ $setting_id ] = array(); 2790 } 2791 if ( ! isset( $args['data'][ $setting_id ]['value'] ) ) { 2792 $args['data'][ $setting_id ]['value'] = $post_value; 2793 } 2794 } 2795 2796 foreach ( $args['data'] as $setting_id => $setting_params ) { 2797 $setting = $this->get_setting( $setting_id ); 2798 if ( ! $setting || ! $setting->check_capabilities() ) { 2799 continue; 2800 } 2801 2802 // Skip updating changeset for invalid setting values. 2803 if ( isset( $setting_validities[ $setting_id ] ) && is_wp_error( $setting_validities[ $setting_id ] ) ) { 2804 continue; 2805 } 2806 2807 $changeset_setting_id = $setting_id; 2808 if ( 'theme_mod' === $setting->type ) { 2809 $changeset_setting_id = sprintf( '%s::%s', $this->get_stylesheet(), $setting_id ); 2810 } 2811 2812 if ( null === $setting_params ) { 2813 // Remove setting from changeset entirely. 2814 unset( $data[ $changeset_setting_id ] ); 2815 } else { 2816 2817 if ( ! isset( $data[ $changeset_setting_id ] ) ) { 2818 $data[ $changeset_setting_id ] = array(); 2819 } 2820 2821 // Merge any additional setting params that have been supplied with the existing params. 2822 $merged_setting_params = array_merge( $data[ $changeset_setting_id ], $setting_params ); 2823 2824 // Skip updating setting params if unchanged (ensuring the user_id is not overwritten). 2825 if ( $data[ $changeset_setting_id ] === $merged_setting_params ) { 2826 continue; 2827 } 2828 2829 $data[ $changeset_setting_id ] = array_merge( 2830 $merged_setting_params, 2831 array( 2832 'type' => $setting->type, 2833 'user_id' => $args['user_id'], 2834 'date_modified_gmt' => current_time( 'mysql', true ), 2835 ) 2836 ); 2837 2838 // Clear starter_content flag in data if changeset is not explicitly being updated for starter content. 2839 if ( empty( $args['starter_content'] ) ) { 2840 unset( $data[ $changeset_setting_id ]['starter_content'] ); 2841 } 2842 } 2843 } 2844 2845 $filter_context = array( 2846 'uuid' => $this->changeset_uuid(), 2847 'title' => $args['title'], 2848 'status' => $args['status'], 2849 'date_gmt' => $args['date_gmt'], 2850 'post_id' => $changeset_post_id, 2851 'previous_data' => is_wp_error( $original_changeset_data ) ? array() : $original_changeset_data, 2852 'manager' => $this, 2853 ); 2854 2855 /** 2856 * Filters the settings' data that will be persisted into the changeset. 2857 * 2858 * Plugins may amend additional data (such as additional meta for settings) into the changeset with this filter. 2859 * 2860 * @since 4.7.0 2861 * 2862 * @param array $data Updated changeset data, mapping setting IDs to arrays containing a $value item and optionally other metadata. 2863 * @param array $context { 2864 * Filter context. 2865 * 2866 * @type string $uuid Changeset UUID. 2867 * @type string $title Requested title for the changeset post. 2868 * @type string $status Requested status for the changeset post. 2869 * @type string $date_gmt Requested date for the changeset post in MySQL format and GMT timezone. 2870 * @type int|false $post_id Post ID for the changeset, or false if it doesn't exist yet. 2871 * @type array $previous_data Previous data contained in the changeset. 2872 * @type WP_Customize_Manager $manager Manager instance. 2873 * } 2874 */ 2875 $data = apply_filters( 'customize_changeset_save_data', $data, $filter_context ); 2876 2877 // Switch theme if publishing changes now. 2878 if ( 'publish' === $args['status'] && ! $this->is_theme_active() ) { 2879 // Temporarily stop previewing the theme to allow switch_themes() to operate properly. 2880 $this->stop_previewing_theme(); 2881 switch_theme( $this->get_stylesheet() ); 2882 update_option( 'theme_switched_via_customizer', true ); 2883 $this->start_previewing_theme(); 2884 } 2885 2886 // Gather the data for wp_insert_post()/wp_update_post(). 2887 $post_array = array( 2888 // JSON_UNESCAPED_SLASHES is only to improve readability as slashes needn't be escaped in storage. 2889 'post_content' => wp_json_encode( $data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT ), 2890 ); 2891 if ( $args['title'] ) { 2892 $post_array['post_title'] = $args['title']; 2893 } 2894 if ( $changeset_post_id ) { 2895 $post_array['ID'] = $changeset_post_id; 2896 } else { 2897 $post_array['post_type'] = 'customize_changeset'; 2898 $post_array['post_name'] = $this->changeset_uuid(); 2899 $post_array['post_status'] = 'auto-draft'; 2900 } 2901 if ( $args['status'] ) { 2902 $post_array['post_status'] = $args['status']; 2903 } 2904 2905 // Reset post date to now if we are publishing, otherwise pass post_date_gmt and translate for post_date. 2906 if ( 'publish' === $args['status'] ) { 2907 $post_array['post_date_gmt'] = '0000-00-00 00:00:00'; 2908 $post_array['post_date'] = '0000-00-00 00:00:00'; 2909 } elseif ( $args['date_gmt'] ) { 2910 $post_array['post_date_gmt'] = $args['date_gmt']; 2911 $post_array['post_date'] = get_date_from_gmt( $args['date_gmt'] ); 2912 } elseif ( $changeset_post_id && 'auto-draft' === get_post_status( $changeset_post_id ) ) { 2913 /* 2914 * Keep bumping the date for the auto-draft whenever it is modified; 2915 * this extends its life, preserving it from garbage-collection via 2916 * wp_delete_auto_drafts(). 2917 */ 2918 $post_array['post_date'] = current_time( 'mysql' ); 2919 $post_array['post_date_gmt'] = ''; 2920 } 2921 2922 $this->store_changeset_revision = $allow_revision; 2923 add_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ), 5, 3 ); 2924 2925 /* 2926 * Update the changeset post. The publish_customize_changeset action 2927 * will cause the settings in the changeset to be saved via 2928 * WP_Customize_Setting::save(). 2929 */ 2930 2931 // Prevent content filters from corrupting JSON in post_content. 2932 $has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) ); 2933 if ( $has_kses ) { 2934 kses_remove_filters(); 2935 } 2936 $has_targeted_link_rel_filters = ( false !== has_filter( 'content_save_pre', 'wp_targeted_link_rel' ) ); 2937 if ( $has_targeted_link_rel_filters ) { 2938 wp_remove_targeted_link_rel_filters(); 2939 } 2940 2941 // Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values(). 2942 if ( $changeset_post_id ) { 2943 if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) { 2944 // See _wp_translate_postdata() for why this is required as it will use the edit_post meta capability. 2945 add_filter( 'map_meta_cap', array( $this, 'grant_edit_post_capability_for_changeset' ), 10, 4 ); 2946 2947 $post_array['post_ID'] = $post_array['ID']; 2948 $post_array['post_type'] = 'customize_changeset'; 2949 2950 $r = wp_create_post_autosave( wp_slash( $post_array ) ); 2951 2952 remove_filter( 'map_meta_cap', array( $this, 'grant_edit_post_capability_for_changeset' ), 10 ); 2953 } else { 2954 $post_array['edit_date'] = true; // Prevent date clearing. 2955 2956 $r = wp_update_post( wp_slash( $post_array ), true ); 2957 2958 // Delete autosave revision for user when the changeset is updated. 2959 if ( ! empty( $args['user_id'] ) ) { 2960 $autosave_draft = wp_get_post_autosave( $changeset_post_id, $args['user_id'] ); 2961 if ( $autosave_draft ) { 2962 wp_delete_post( $autosave_draft->ID, true ); 2963 } 2964 } 2965 } 2966 } else { 2967 $r = wp_insert_post( wp_slash( $post_array ), true ); 2968 if ( ! is_wp_error( $r ) ) { 2969 $this->_changeset_post_id = $r; // Update cached post ID for the loaded changeset. 2970 } 2971 } 2972 2973 // Restore removed content filters. 2974 if ( $has_kses ) { 2975 kses_init_filters(); 2976 } 2977 if ( $has_targeted_link_rel_filters ) { 2978 wp_init_targeted_link_rel_filters(); 2979 } 2980 2981 $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents. 2982 2983 remove_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ) ); 2984 2985 $response = array( 2986 'setting_validities' => $setting_validities, 2987 ); 2988 2989 if ( is_wp_error( $r ) ) { 2990 $response['changeset_post_save_failure'] = $r->get_error_code(); 2991 return new WP_Error( 'changeset_post_save_failure', '', $response ); 2992 } 2993 2994 return $response; 2995 } 2996 2997 /** 2998 * Trash or delete a changeset post. 2999 * 3000 * The following re-formulates the logic from `wp_trash_post()` as done in 3001 * `wp_publish_post()`. The reason for bypassing `wp_trash_post()` is that it 3002 * will mutate the the `post_content` and the `post_name` when they should be 3003 * untouched. 3004 * 3005 * @since 4.9.0 3006 * @global wpdb $wpdb WordPress database abstraction object. 3007 * @see wp_trash_post() 3008 * 3009 * @param int|WP_Post $post The changeset post. 3010 * @return mixed A WP_Post object for the trashed post or an empty value on failure. 3011 */ 3012 public function trash_changeset_post( $post ) { 3013 global $wpdb; 3014 3015 $post = get_post( $post ); 3016 3017 if ( ! ( $post instanceof WP_Post ) ) { 3018 return $post; 3019 } 3020 $post_id = $post->ID; 3021 3022 if ( ! EMPTY_TRASH_DAYS ) { 3023 return wp_delete_post( $post_id, true ); 3024 } 3025 3026 if ( 'trash' === get_post_status( $post ) ) { 3027 return false; 3028 } 3029 3030 /** This filter is documented in wp-includes/post.php */ 3031 $check = apply_filters( 'pre_trash_post', null, $post ); 3032 if ( null !== $check ) { 3033 return $check; 3034 } 3035 3036 /** This action is documented in wp-includes/post.php */ 3037 do_action( 'wp_trash_post', $post_id ); 3038 3039 add_post_meta( $post_id, '_wp_trash_meta_status', $post->post_status ); 3040 add_post_meta( $post_id, '_wp_trash_meta_time', time() ); 3041 3042 $old_status = $post->post_status; 3043 $new_status = 'trash'; 3044 $wpdb->update( $wpdb->posts, array( 'post_status' => $new_status ), array( 'ID' => $post->ID ) ); 3045 clean_post_cache( $post->ID ); 3046 3047 $post->post_status = $new_status; 3048 wp_transition_post_status( $new_status, $old_status, $post ); 3049 3050 /** This action is documented in wp-includes/post.php */ 3051 do_action( "edit_post_{$post->post_type}", $post->ID, $post ); 3052 3053 /** This action is documented in wp-includes/post.php */ 3054 do_action( 'edit_post', $post->ID, $post ); 3055 3056 /** This action is documented in wp-includes/post.php */ 3057 do_action( "save_post_{$post->post_type}", $post->ID, $post, true ); 3058 3059 /** This action is documented in wp-includes/post.php */ 3060 do_action( 'save_post', $post->ID, $post, true ); 3061 3062 /** This action is documented in wp-includes/post.php */ 3063 do_action( 'wp_insert_post', $post->ID, $post, true ); 3064 3065 wp_trash_post_comments( $post_id ); 3066 3067 /** This action is documented in wp-includes/post.php */ 3068 do_action( 'trashed_post', $post_id ); 3069 3070 return $post; 3071 } 3072 3073 /** 3074 * Handle request to trash a changeset. 3075 * 3076 * @since 4.9.0 3077 */ 3078 public function handle_changeset_trash_request() { 3079 if ( ! is_user_logged_in() ) { 3080 wp_send_json_error( 'unauthenticated' ); 3081 } 3082 3083 if ( ! $this->is_preview() ) { 3084 wp_send_json_error( 'not_preview' ); 3085 } 3086 3087 if ( ! check_ajax_referer( 'trash_customize_changeset', 'nonce', false ) ) { 3088 wp_send_json_error( 3089 array( 3090 'code' => 'invalid_nonce', 3091 'message' => __( 'There was an authentication problem. Please reload and try again.' ), 3092 ) 3093 ); 3094 } 3095 3096 $changeset_post_id = $this->changeset_post_id(); 3097 3098 if ( ! $changeset_post_id ) { 3099 wp_send_json_error( 3100 array( 3101 'message' => __( 'No changes saved yet, so there is nothing to trash.' ), 3102 'code' => 'non_existent_changeset', 3103 ) 3104 ); 3105 return; 3106 } 3107 3108 if ( $changeset_post_id && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) { 3109 wp_send_json_error( 3110 array( 3111 'code' => 'changeset_trash_unauthorized', 3112 'message' => __( 'Unable to trash changes.' ), 3113 ) 3114 ); 3115 } 3116 3117 if ( 'trash' === get_post_status( $changeset_post_id ) ) { 3118 wp_send_json_error( 3119 array( 3120 'message' => __( 'Changes have already been trashed.' ), 3121 'code' => 'changeset_already_trashed', 3122 ) 3123 ); 3124 return; 3125 } 3126 3127 $r = $this->trash_changeset_post( $changeset_post_id ); 3128 if ( ! ( $r instanceof WP_Post ) ) { 3129 wp_send_json_error( 3130 array( 3131 'code' => 'changeset_trash_failure', 3132 'message' => __( 'Unable to trash changes.' ), 3133 ) 3134 ); 3135 } 3136 3137 wp_send_json_success( 3138 array( 3139 'message' => __( 'Changes trashed successfully.' ), 3140 ) 3141 ); 3142 } 3143 3144 /** 3145 * Re-map 'edit_post' meta cap for a customize_changeset post to be the same as 'customize' maps. 3146 * 3147 * There is essentially a "meta meta" cap in play here, where 'edit_post' meta cap maps to 3148 * the 'customize' meta cap which then maps to 'edit_theme_options'. This is currently 3149 * required in core for `wp_create_post_autosave()` because it will call 3150 * `_wp_translate_postdata()` which in turn will check if a user can 'edit_post', but the 3151 * the caps for the customize_changeset post type are all mapping to the meta capability. 3152 * This should be able to be removed once #40922 is addressed in core. 3153 * 3154 * @since 4.9.0 3155 * @link https://core.trac.wordpress.org/ticket/40922 3156 * @see WP_Customize_Manager::save_changeset_post() 3157 * @see _wp_translate_postdata() 3158 * 3159 * @param string[] $caps Array of the user's capabilities. 3160 * @param string $cap Capability name. 3161 * @param int $user_id The user ID. 3162 * @param array $args Adds the context to the cap. Typically the object ID. 3163 * @return array Capabilities. 3164 */ 3165 public function grant_edit_post_capability_for_changeset( $caps, $cap, $user_id, $args ) { 3166 if ( 'edit_post' === $cap && ! empty( $args[0] ) && 'customize_changeset' === get_post_type( $args[0] ) ) { 3167 $post_type_obj = get_post_type_object( 'customize_changeset' ); 3168 $caps = map_meta_cap( $post_type_obj->cap->$cap, $user_id ); 3169 } 3170 return $caps; 3171 } 3172 3173 /** 3174 * Marks the changeset post as being currently edited by the current user. 3175 * 3176 * @since 4.9.0 3177 * 3178 * @param int $changeset_post_id Changeset post id. 3179 * @param bool $take_over Take over the changeset, default is false. 3180 */ 3181 public function set_changeset_lock( $changeset_post_id, $take_over = false ) { 3182 if ( $changeset_post_id ) { 3183 $can_override = ! (bool) get_post_meta( $changeset_post_id, '_edit_lock', true ); 3184 3185 if ( $take_over ) { 3186 $can_override = true; 3187 } 3188 3189 if ( $can_override ) { 3190 $lock = sprintf( '%s:%s', time(), get_current_user_id() ); 3191 update_post_meta( $changeset_post_id, '_edit_lock', $lock ); 3192 } else { 3193 $this->refresh_changeset_lock( $changeset_post_id ); 3194 } 3195 } 3196 } 3197 3198 /** 3199 * Refreshes changeset lock with the current time if current user edited the changeset before. 3200 * 3201 * @since 4.9.0 3202 * 3203 * @param int $changeset_post_id Changeset post id. 3204 */ 3205 public function refresh_changeset_lock( $changeset_post_id ) { 3206 if ( ! $changeset_post_id ) { 3207 return; 3208 } 3209 $lock = get_post_meta( $changeset_post_id, '_edit_lock', true ); 3210 $lock = explode( ':', $lock ); 3211 3212 if ( $lock && ! empty( $lock[1] ) ) { 3213 $user_id = intval( $lock[1] ); 3214 $current_user_id = get_current_user_id(); 3215 if ( $user_id === $current_user_id ) { 3216 $lock = sprintf( '%s:%s', time(), $user_id ); 3217 update_post_meta( $changeset_post_id, '_edit_lock', $lock ); 3218 } 3219 } 3220 } 3221 3222 /** 3223 * Filter heartbeat settings for the Customizer. 3224 * 3225 * @since 4.9.0 3226 * @param array $settings Current settings to filter. 3227 * @return array Heartbeat settings. 3228 */ 3229 public function add_customize_screen_to_heartbeat_settings( $settings ) { 3230 global $pagenow; 3231 if ( 'customize.php' === $pagenow ) { 3232 $settings['screenId'] = 'customize'; 3233 } 3234 return $settings; 3235 } 3236 3237 /** 3238 * Get lock user data. 3239 * 3240 * @since 4.9.0 3241 * 3242 * @param int $user_id User ID. 3243 * @return array|null User data formatted for client. 3244 */ 3245 protected function get_lock_user_data( $user_id ) { 3246 if ( ! $user_id ) { 3247 return null; 3248 } 3249 $lock_user = get_userdata( $user_id ); 3250 if ( ! $lock_user ) { 3251 return null; 3252 } 3253 return array( 3254 'id' => $lock_user->ID, 3255 'name' => $lock_user->display_name, 3256 'avatar' => get_avatar_url( $lock_user->ID, array( 'size' => 128 ) ), 3257 ); 3258 } 3259 3260 /** 3261 * Check locked changeset with heartbeat API. 3262 * 3263 * @since 4.9.0 3264 * 3265 * @param array $response The Heartbeat response. 3266 * @param array $data The $_POST data sent. 3267 * @param string $screen_id The screen id. 3268 * @return array The Heartbeat response. 3269 */ 3270 public function check_changeset_lock_with_heartbeat( $response, $data, $screen_id ) { 3271 if ( isset( $data['changeset_uuid'] ) ) { 3272 $changeset_post_id = $this->find_changeset_post_id( $data['changeset_uuid'] ); 3273 } else { 3274 $changeset_post_id = $this->changeset_post_id(); 3275 } 3276 3277 if ( 3278 array_key_exists( 'check_changeset_lock', $data ) 3279 && 'customize' === $screen_id 3280 && $changeset_post_id 3281 && current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) 3282 ) { 3283 $lock_user_id = wp_check_post_lock( $changeset_post_id ); 3284 3285 if ( $lock_user_id ) { 3286 $response['customize_changeset_lock_user'] = $this->get_lock_user_data( $lock_user_id ); 3287 } else { 3288 3289 // Refreshing time will ensure that the user is sitting on customizer and has not closed the customizer tab. 3290 $this->refresh_changeset_lock( $changeset_post_id ); 3291 } 3292 } 3293 3294 return $response; 3295 } 3296 3297 /** 3298 * Removes changeset lock when take over request is sent via Ajax. 3299 * 3300 * @since 4.9.0 3301 */ 3302 public function handle_override_changeset_lock_request() { 3303 if ( ! $this->is_preview() ) { 3304 wp_send_json_error( 'not_preview', 400 ); 3305 } 3306 3307 if ( ! check_ajax_referer( 'customize_override_changeset_lock', 'nonce', false ) ) { 3308 wp_send_json_error( 3309 array( 3310 'code' => 'invalid_nonce', 3311 'message' => __( 'Security check failed.' ), 3312 ) 3313 ); 3314 } 3315 3316 $changeset_post_id = $this->changeset_post_id(); 3317 3318 if ( empty( $changeset_post_id ) ) { 3319 wp_send_json_error( 3320 array( 3321 'code' => 'no_changeset_found_to_take_over', 3322 'message' => __( 'No changeset found to take over' ), 3323 ) 3324 ); 3325 } 3326 3327 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) ) { 3328 wp_send_json_error( 3329 array( 3330 'code' => 'cannot_remove_changeset_lock', 3331 'message' => __( 'Sorry, you are not allowed to take over.' ), 3332 ) 3333 ); 3334 } 3335 3336 $this->set_changeset_lock( $changeset_post_id, true ); 3337 3338 wp_send_json_success( 'changeset_taken_over' ); 3339 } 3340 3341 /** 3342 * Whether a changeset revision should be made. 3343 * 3344 * @since 4.7.0 3345 * @var bool 3346 */ 3347 protected $store_changeset_revision; 3348 3349 /** 3350 * Filters whether a changeset has changed to create a new revision. 3351 * 3352 * Note that this will not be called while a changeset post remains in auto-draft status. 3353 * 3354 * @since 4.7.0 3355 * 3356 * @param bool $post_has_changed Whether the post has changed. 3357 * @param WP_Post $last_revision The last revision post object. 3358 * @param WP_Post $post The post object. 3359 * @return bool Whether a revision should be made. 3360 */ 3361 public function _filter_revision_post_has_changed( $post_has_changed, $last_revision, $post ) { 3362 unset( $last_revision ); 3363 if ( 'customize_changeset' === $post->post_type ) { 3364 $post_has_changed = $this->store_changeset_revision; 3365 } 3366 return $post_has_changed; 3367 } 3368 3369 /** 3370 * Publish changeset values. 3371 * 3372 * This will the values contained in a changeset, even changesets that do not 3373 * correspond to current manager instance. This is called by 3374 * `_wp_customize_publish_changeset()` when a customize_changeset post is 3375 * transitioned to the `publish` status. As such, this method should not be 3376 * called directly and instead `wp_publish_post()` should be used. 3377 * 3378 * Please note that if the settings in the changeset are for a non-activated 3379 * theme, the theme must first be switched to (via `switch_theme()`) before 3380 * invoking this method. 3381 * 3382 * @since 4.7.0 3383 * @see _wp_customize_publish_changeset() 3384 * @global wpdb $wpdb WordPress database abstraction object. 3385 * 3386 * @param int $changeset_post_id ID for customize_changeset post. Defaults to the changeset for the current manager instance. 3387 * @return true|WP_Error True or error info. 3388 */ 3389 public function _publish_changeset_values( $changeset_post_id ) { 3390 global $wpdb; 3391 3392 $publishing_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); 3393 if ( is_wp_error( $publishing_changeset_data ) ) { 3394 return $publishing_changeset_data; 3395 } 3396 3397 $changeset_post = get_post( $changeset_post_id ); 3398 3399 /* 3400 * Temporarily override the changeset context so that it will be read 3401 * in calls to unsanitized_post_values() and so that it will be available 3402 * on the $wp_customize object passed to hooks during the save logic. 3403 */ 3404 $previous_changeset_post_id = $this->_changeset_post_id; 3405 $this->_changeset_post_id = $changeset_post_id; 3406 $previous_changeset_uuid = $this->_changeset_uuid; 3407 $this->_changeset_uuid = $changeset_post->post_name; 3408 $previous_changeset_data = $this->_changeset_data; 3409 $this->_changeset_data = $publishing_changeset_data; 3410 3411 // Parse changeset data to identify theme mod settings and user IDs associated with settings to be saved. 3412 $setting_user_ids = array(); 3413 $theme_mod_settings = array(); 3414 $namespace_pattern = '/^(?P<stylesheet>.+?)::(?P<setting_id>.+)$/'; 3415 $matches = array(); 3416 foreach ( $this->_changeset_data as $raw_setting_id => $setting_params ) { 3417 $actual_setting_id = null; 3418 $is_theme_mod_setting = ( 3419 isset( $setting_params['value'] ) 3420 && 3421 isset( $setting_params['type'] ) 3422 && 3423 'theme_mod' === $setting_params['type'] 3424 && 3425 preg_match( $namespace_pattern, $raw_setting_id, $matches ) 3426 ); 3427 if ( $is_theme_mod_setting ) { 3428 if ( ! isset( $theme_mod_settings[ $matches['stylesheet'] ] ) ) { 3429 $theme_mod_settings[ $matches['stylesheet'] ] = array(); 3430 } 3431 $theme_mod_settings[ $matches['stylesheet'] ][ $matches['setting_id'] ] = $setting_params; 3432 3433 if ( $this->get_stylesheet() === $matches['stylesheet'] ) { 3434 $actual_setting_id = $matches['setting_id']; 3435 } 3436 } else { 3437 $actual_setting_id = $raw_setting_id; 3438 } 3439 3440 // Keep track of the user IDs for settings actually for this theme. 3441 if ( $actual_setting_id && isset( $setting_params['user_id'] ) ) { 3442 $setting_user_ids[ $actual_setting_id ] = $setting_params['user_id']; 3443 } 3444 } 3445 3446 $changeset_setting_values = $this->unsanitized_post_values( 3447 array( 3448 'exclude_post_data' => true, 3449 'exclude_changeset' => false, 3450 ) 3451 ); 3452 $changeset_setting_ids = array_keys( $changeset_setting_values ); 3453 $this->add_dynamic_settings( $changeset_setting_ids ); 3454 3455 /** 3456 * Fires once the theme has switched in the Customizer, but before settings 3457 * have been saved. 3458 * 3459 * @since 3.4.0 3460 * 3461 * @param WP_Customize_Manager $manager WP_Customize_Manager instance. 3462 */ 3463 do_action( 'customize_save', $this ); 3464 3465 /* 3466 * Ensure that all settings will allow themselves to be saved. Note that 3467 * this is safe because the setting would have checked the capability 3468 * when the setting value was written into the changeset. So this is why 3469 * an additional capability check is not required here. 3470 */ 3471 $original_setting_capabilities = array(); 3472 foreach ( $changeset_setting_ids as $setting_id ) { 3473 $setting = $this->get_setting( $setting_id ); 3474 if ( $setting && ! isset( $setting_user_ids[ $setting_id ] ) ) { 3475 $original_setting_capabilities[ $setting->id ] = $setting->capability; 3476 $setting->capability = 'exist'; 3477 } 3478 } 3479 3480 $original_user_id = get_current_user_id(); 3481 foreach ( $changeset_setting_ids as $setting_id ) { 3482 $setting = $this->get_setting( $setting_id ); 3483 if ( $setting ) { 3484 /* 3485 * Set the current user to match the user who saved the value into 3486 * the changeset so that any filters that apply during the save 3487 * process will respect the original user's capabilities. This 3488 * will ensure, for example, that KSES won't strip unsafe HTML 3489 * when a scheduled changeset publishes via WP Cron. 3490 */ 3491 if ( isset( $setting_user_ids[ $setting_id ] ) ) { 3492 wp_set_current_user( $setting_user_ids[ $setting_id ] ); 3493 } else { 3494 wp_set_current_user( $original_user_id ); 3495 } 3496 3497 $setting->save(); 3498 } 3499 } 3500 wp_set_current_user( $original_user_id ); 3501 3502 // Update the stashed theme mod settings, removing the active theme's stashed settings, if activated. 3503 if ( did_action( 'switch_theme' ) ) { 3504 $other_theme_mod_settings = $theme_mod_settings; 3505 unset( $other_theme_mod_settings[ $this->get_stylesheet() ] ); 3506 $this->update_stashed_theme_mod_settings( $other_theme_mod_settings ); 3507 } 3508 3509 /** 3510 * Fires after Customize settings have been saved. 3511 * 3512 * @since 3.6.0 3513 * 3514 * @param WP_Customize_Manager $manager WP_Customize_Manager instance. 3515 */ 3516 do_action( 'customize_save_after', $this ); 3517 3518 // Restore original capabilities. 3519 foreach ( $original_setting_capabilities as $setting_id => $capability ) { 3520 $setting = $this->get_setting( $setting_id ); 3521 if ( $setting ) { 3522 $setting->capability = $capability; 3523 } 3524 } 3525 3526 // Restore original changeset data. 3527 $this->_changeset_data = $previous_changeset_data; 3528 $this->_changeset_post_id = $previous_changeset_post_id; 3529 $this->_changeset_uuid = $previous_changeset_uuid; 3530 3531 /* 3532 * Convert all autosave revisions into their own auto-drafts so that users can be prompted to 3533 * restore them when a changeset is published, but they had been locked out from including 3534 * their changes in the changeset. 3535 */ 3536 $revisions = wp_get_post_revisions( $changeset_post_id, array( 'check_enabled' => false ) ); 3537 foreach ( $revisions as $revision ) { 3538 if ( false !== strpos( $revision->post_name, "{$changeset_post_id}-autosave" ) ) { 3539 $wpdb->update( 3540 $wpdb->posts, 3541 array( 3542 'post_status' => 'auto-draft', 3543 'post_type' => 'customize_changeset', 3544 'post_name' => wp_generate_uuid4(), 3545 'post_parent' => 0, 3546 ), 3547 array( 3548 'ID' => $revision->ID, 3549 ) 3550 ); 3551 clean_post_cache( $revision->ID ); 3552 } 3553 } 3554 3555 return true; 3556 } 3557 3558 /** 3559 * Update stashed theme mod settings. 3560 * 3561 * @since 4.7.0 3562 * 3563 * @param array $inactive_theme_mod_settings Mapping of stylesheet to arrays of theme mod settings. 3564 * @return array|false Returns array of updated stashed theme mods or false if the update failed or there were no changes. 3565 */ 3566 protected function update_stashed_theme_mod_settings( $inactive_theme_mod_settings ) { 3567 $stashed_theme_mod_settings = get_option( 'customize_stashed_theme_mods' ); 3568 if ( empty( $stashed_theme_mod_settings ) ) { 3569 $stashed_theme_mod_settings = array(); 3570 } 3571 3572 // Delete any stashed theme mods for the active theme since they would have been loaded and saved upon activation. 3573 unset( $stashed_theme_mod_settings[ $this->get_stylesheet() ] ); 3574 3575 // Merge inactive theme mods with the stashed theme mod settings. 3576 foreach ( $inactive_theme_mod_settings as $stylesheet => $theme_mod_settings ) { 3577 if ( ! isset( $stashed_theme_mod_settings[ $stylesheet ] ) ) { 3578 $stashed_theme_mod_settings[ $stylesheet ] = array(); 3579 } 3580 3581 $stashed_theme_mod_settings[ $stylesheet ] = array_merge( 3582 $stashed_theme_mod_settings[ $stylesheet ], 3583 $theme_mod_settings 3584 ); 3585 } 3586 3587 $autoload = false; 3588 $result = update_option( 'customize_stashed_theme_mods', $stashed_theme_mod_settings, $autoload ); 3589 if ( ! $result ) { 3590 return false; 3591 } 3592 return $stashed_theme_mod_settings; 3593 } 3594 3595 /** 3596 * Refresh nonces for the current preview. 3597 * 3598 * @since 4.2.0 3599 */ 3600 public function refresh_nonces() { 3601 if ( ! $this->is_preview() ) { 3602 wp_send_json_error( 'not_preview' ); 3603 } 3604 3605 wp_send_json_success( $this->get_nonces() ); 3606 } 3607 3608 /** 3609 * Delete a given auto-draft changeset or the autosave revision for a given changeset or delete changeset lock. 3610 * 3611 * @since 4.9.0 3612 */ 3613 public function handle_dismiss_autosave_or_lock_request() { 3614 // Calls to dismiss_user_auto_draft_changesets() and wp_get_post_autosave() require non-zero get_current_user_id(). 3615 if ( ! is_user_logged_in() ) { 3616 wp_send_json_error( 'unauthenticated', 401 ); 3617 } 3618 3619 if ( ! $this->is_preview() ) { 3620 wp_send_json_error( 'not_preview', 400 ); 3621 } 3622 3623 if ( ! check_ajax_referer( 'customize_dismiss_autosave_or_lock', 'nonce', false ) ) { 3624 wp_send_json_error( 'invalid_nonce', 403 ); 3625 } 3626 3627 $changeset_post_id = $this->changeset_post_id(); 3628 $dismiss_lock = ! empty( $_POST['dismiss_lock'] ); 3629 $dismiss_autosave = ! empty( $_POST['dismiss_autosave'] ); 3630 3631 if ( $dismiss_lock ) { 3632 if ( empty( $changeset_post_id ) && ! $dismiss_autosave ) { 3633 wp_send_json_error( 'no_changeset_to_dismiss_lock', 404 ); 3634 } 3635 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) && ! $dismiss_autosave ) { 3636 wp_send_json_error( 'cannot_remove_changeset_lock', 403 ); 3637 } 3638 3639 delete_post_meta( $changeset_post_id, '_edit_lock' ); 3640 3641 if ( ! $dismiss_autosave ) { 3642 wp_send_json_success( 'changeset_lock_dismissed' ); 3643 } 3644 } 3645 3646 if ( $dismiss_autosave ) { 3647 if ( empty( $changeset_post_id ) || 'auto-draft' === get_post_status( $changeset_post_id ) ) { 3648 $dismissed = $this->dismiss_user_auto_draft_changesets(); 3649 if ( $dismissed > 0 ) { 3650 wp_send_json_success( 'auto_draft_dismissed' ); 3651 } else { 3652 wp_send_json_error( 'no_auto_draft_to_delete', 404 ); 3653 } 3654 } else { 3655 $revision = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); 3656 3657 if ( $revision ) { 3658 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) { 3659 wp_send_json_error( 'cannot_delete_autosave_revision', 403 ); 3660 } 3661 3662 if ( ! wp_delete_post( $revision->ID, true ) ) { 3663 wp_send_json_error( 'autosave_revision_deletion_failure', 500 ); 3664 } else { 3665 wp_send_json_success( 'autosave_revision_deleted' ); 3666 } 3667 } else { 3668 wp_send_json_error( 'no_autosave_revision_to_delete', 404 ); 3669 } 3670 } 3671 } 3672 3673 wp_send_json_error( 'unknown_error', 500 ); 3674 } 3675 3676 /** 3677 * Add a customize setting. 3678 * 3679 * @since 3.4.0 3680 * @since 4.5.0 Return added WP_Customize_Setting instance. 3681 * 3682 * @see WP_Customize_Setting::__construct() 3683 * @link https://developer.wordpress.org/themes/customize-api 3684 * 3685 * @param WP_Customize_Setting|string $id Customize Setting object, or ID. 3686 * @param array $args Optional. Array of properties for the new Setting object. 3687 * See WP_Customize_Setting::__construct() for information 3688 * on accepted arguments. Default empty array. 3689 * @return WP_Customize_Setting The instance of the setting that was added. 3690 */ 3691 public function add_setting( $id, $args = array() ) { 3692 if ( $id instanceof WP_Customize_Setting ) { 3693 $setting = $id; 3694 } else { 3695 $class = 'WP_Customize_Setting'; 3696 3697 /** This filter is documented in wp-includes/class-wp-customize-manager.php */ 3698 $args = apply_filters( 'customize_dynamic_setting_args', $args, $id ); 3699 3700 /** This filter is documented in wp-includes/class-wp-customize-manager.php */ 3701 $class = apply_filters( 'customize_dynamic_setting_class', $class, $id, $args ); 3702 3703 $setting = new $class( $this, $id, $args ); 3704 } 3705 3706 $this->settings[ $setting->id ] = $setting; 3707 return $setting; 3708 } 3709 3710 /** 3711 * Register any dynamically-created settings, such as those from $_POST['customized'] 3712 * that have no corresponding setting created. 3713 * 3714 * This is a mechanism to "wake up" settings that have been dynamically created 3715 * on the front end and have been sent to WordPress in `$_POST['customized']`. When WP 3716 * loads, the dynamically-created settings then will get created and previewed 3717 * even though they are not directly created statically with code. 3718 * 3719 * @since 4.2.0 3720 * 3721 * @param array $setting_ids The setting IDs to add. 3722 * @return array The WP_Customize_Setting objects added. 3723 */ 3724 public function add_dynamic_settings( $setting_ids ) { 3725 $new_settings = array(); 3726 foreach ( $setting_ids as $setting_id ) { 3727 // Skip settings already created. 3728 if ( $this->get_setting( $setting_id ) ) { 3729 continue; 3730 } 3731 3732 $setting_args = false; 3733 $setting_class = 'WP_Customize_Setting'; 3734 3735 /** 3736 * Filters a dynamic setting's constructor args. 3737 * 3738 * For a dynamic setting to be registered, this filter must be employed 3739 * to override the default false value with an array of args to pass to 3740 * the WP_Customize_Setting constructor. 3741 * 3742 * @since 4.2.0 3743 * 3744 * @param false|array $setting_args The arguments to the WP_Customize_Setting constructor. 3745 * @param string $setting_id ID for dynamic setting, usually coming from `$_POST['customized']`. 3746 */ 3747 $setting_args = apply_filters( 'customize_dynamic_setting_args', $setting_args, $setting_id ); 3748 if ( false === $setting_args ) { 3749 continue; 3750 } 3751 3752 /** 3753 * Allow non-statically created settings to be constructed with custom WP_Customize_Setting subclass. 3754 * 3755 * @since 4.2.0 3756 * 3757 * @param string $setting_class WP_Customize_Setting or a subclass. 3758 * @param string $setting_id ID for dynamic setting, usually coming from `$_POST['customized']`. 3759 * @param array $setting_args WP_Customize_Setting or a subclass. 3760 */ 3761 $setting_class = apply_filters( 'customize_dynamic_setting_class', $setting_class, $setting_id, $setting_args ); 3762 3763 $setting = new $setting_class( $this, $setting_id, $setting_args ); 3764 3765 $this->add_setting( $setting ); 3766 $new_settings[] = $setting; 3767 } 3768 return $new_settings; 3769 } 3770 3771 /** 3772 * Retrieve a customize setting. 3773 * 3774 * @since 3.4.0 3775 * 3776 * @param string $id Customize Setting ID. 3777 * @return WP_Customize_Setting|void The setting, if set. 3778 */ 3779 public function get_setting( $id ) { 3780 if ( isset( $this->settings[ $id ] ) ) { 3781 return $this->settings[ $id ]; 3782 } 3783 } 3784 3785 /** 3786 * Remove a customize setting. 3787 * 3788 * Note that removing the setting doesn't destroy the WP_Customize_Setting instance or remove its filters. 3789 * 3790 * @since 3.4.0 3791 * 3792 * @param string $id Customize Setting ID. 3793 */ 3794 public function remove_setting( $id ) { 3795 unset( $this->settings[ $id ] ); 3796 } 3797 3798 /** 3799 * Add a customize panel. 3800 * 3801 * @since 4.0.0 3802 * @since 4.5.0 Return added WP_Customize_Panel instance. 3803 * 3804 * @see WP_Customize_Panel::__construct() 3805 * 3806 * @param WP_Customize_Panel|string $id Customize Panel object, or ID. 3807 * @param array $args Optional. Array of properties for the new Panel object. 3808 * See WP_Customize_Panel::__construct() for information 3809 * on accepted arguments. Default empty array. 3810 * @return WP_Customize_Panel The instance of the panel that was added. 3811 */ 3812 public function add_panel( $id, $args = array() ) { 3813 if ( $id instanceof WP_Customize_Panel ) { 3814 $panel = $id; 3815 } else { 3816 $panel = new WP_Customize_Panel( $this, $id, $args ); 3817 } 3818 3819 $this->panels[ $panel->id ] = $panel; 3820 return $panel; 3821 } 3822 3823 /** 3824 * Retrieve a customize panel. 3825 * 3826 * @since 4.0.0 3827 * 3828 * @param string $id Panel ID to get. 3829 * @return WP_Customize_Panel|void Requested panel instance, if set. 3830 */ 3831 public function get_panel( $id ) { 3832 if ( isset( $this->panels[ $id ] ) ) { 3833 return $this->panels[ $id ]; 3834 } 3835 } 3836 3837 /** 3838 * Remove a customize panel. 3839 * 3840 * Note that removing the panel doesn't destroy the WP_Customize_Panel instance or remove its filters. 3841 * 3842 * @since 4.0.0 3843 * 3844 * @param string $id Panel ID to remove. 3845 */ 3846 public function remove_panel( $id ) { 3847 // Removing core components this way is _doing_it_wrong(). 3848 if ( in_array( $id, $this->components, true ) ) { 3849 $message = sprintf( 3850 /* translators: 1: Panel ID, 2: Link to 'customize_loaded_components' filter reference. */ 3851 __( 'Removing %1$s manually will cause PHP warnings. Use the %2$s filter instead.' ), 3852 $id, 3853 '<a href="' . esc_url( 'https://developer.wordpress.org/reference/hooks/customize_loaded_components/' ) . '"><code>customize_loaded_components</code></a>' 3854 ); 3855 3856 _doing_it_wrong( __METHOD__, $message, '4.5.0' ); 3857 } 3858 unset( $this->panels[ $id ] ); 3859 } 3860 3861 /** 3862 * Register a customize panel type. 3863 * 3864 * Registered types are eligible to be rendered via JS and created dynamically. 3865 * 3866 * @since 4.3.0 3867 * 3868 * @see WP_Customize_Panel 3869 * 3870 * @param string $panel Name of a custom panel which is a subclass of WP_Customize_Panel. 3871 */ 3872 public function register_panel_type( $panel ) { 3873 $this->registered_panel_types[] = $panel; 3874 } 3875 3876 /** 3877 * Render JS templates for all registered panel types. 3878 * 3879 * @since 4.3.0 3880 */ 3881 public function render_panel_templates() { 3882 foreach ( $this->registered_panel_types as $panel_type ) { 3883 $panel = new $panel_type( $this, 'temp', array() ); 3884 $panel->print_template(); 3885 } 3886 } 3887 3888 /** 3889 * Add a customize section. 3890 * 3891 * @since 3.4.0 3892 * @since 4.5.0 Return added WP_Customize_Section instance. 3893 * 3894 * @see WP_Customize_Section::__construct() 3895 * 3896 * @param WP_Customize_Section|string $id Customize Section object, or ID. 3897 * @param array $args Optional. Array of properties for the new Section object. 3898 * See WP_Customize_Section::__construct() for information 3899 * on accepted arguments. Default empty array. 3900 * @return WP_Customize_Section The instance of the section that was added. 3901 */ 3902 public function add_section( $id, $args = array() ) { 3903 if ( $id instanceof WP_Customize_Section ) { 3904 $section = $id; 3905 } else { 3906 $section = new WP_Customize_Section( $this, $id, $args ); 3907 } 3908 3909 $this->sections[ $section->id ] = $section; 3910 return $section; 3911 } 3912 3913 /** 3914 * Retrieve a customize section. 3915 * 3916 * @since 3.4.0 3917 * 3918 * @param string $id Section ID. 3919 * @return WP_Customize_Section|void The section, if set. 3920 */ 3921 public function get_section( $id ) { 3922 if ( isset( $this->sections[ $id ] ) ) { 3923 return $this->sections[ $id ]; 3924 } 3925 } 3926 3927 /** 3928 * Remove a customize section. 3929 * 3930 * Note that removing the section doesn't destroy the WP_Customize_Section instance or remove its filters. 3931 * 3932 * @since 3.4.0 3933 * 3934 * @param string $id Section ID. 3935 */ 3936 public function remove_section( $id ) { 3937 unset( $this->sections[ $id ] ); 3938 } 3939 3940 /** 3941 * Register a customize section type. 3942 * 3943 * Registered types are eligible to be rendered via JS and created dynamically. 3944 * 3945 * @since 4.3.0 3946 * 3947 * @see WP_Customize_Section 3948 * 3949 * @param string $section Name of a custom section which is a subclass of WP_Customize_Section. 3950 */ 3951 public function register_section_type( $section ) { 3952 $this->registered_section_types[] = $section; 3953 } 3954 3955 /** 3956 * Render JS templates for all registered section types. 3957 * 3958 * @since 4.3.0 3959 */ 3960 public function render_section_templates() { 3961 foreach ( $this->registered_section_types as $section_type ) { 3962 $section = new $section_type( $this, 'temp', array() ); 3963 $section->print_template(); 3964 } 3965 } 3966 3967 /** 3968 * Add a customize control. 3969 * 3970 * @since 3.4.0 3971 * @since 4.5.0 Return added WP_Customize_Control instance. 3972 * 3973 * @see WP_Customize_Control::__construct() 3974 * 3975 * @param WP_Customize_Control|string $id Customize Control object, or ID. 3976 * @param array $args Optional. Array of properties for the new Control object. 3977 * See WP_Customize_Control::__construct() for information 3978 * on accepted arguments. Default empty array. 3979 * @return WP_Customize_Control The instance of the control that was added. 3980 */ 3981 public function add_control( $id, $args = array() ) { 3982 if ( $id instanceof WP_Customize_Control ) { 3983 $control = $id; 3984 } else { 3985 $control = new WP_Customize_Control( $this, $id, $args ); 3986 } 3987 3988 $this->controls[ $control->id ] = $control; 3989 return $control; 3990 } 3991 3992 /** 3993 * Retrieve a customize control. 3994 * 3995 * @since 3.4.0 3996 * 3997 * @param string $id ID of the control. 3998 * @return WP_Customize_Control|void The control object, if set. 3999 */ 4000 public function get_control( $id ) { 4001 if ( isset( $this->controls[ $id ] ) ) { 4002 return $this->controls[ $id ]; 4003 } 4004 } 4005 4006 /** 4007 * Remove a customize control. 4008 * 4009 * Note that removing the control doesn't destroy the WP_Customize_Control instance or remove its filters. 4010 * 4011 * @since 3.4.0 4012 * 4013 * @param string $id ID of the control. 4014 */ 4015 public function remove_control( $id ) { 4016 unset( $this->controls[ $id ] ); 4017 } 4018 4019 /** 4020 * Register a customize control type. 4021 * 4022 * Registered types are eligible to be rendered via JS and created dynamically. 4023 * 4024 * @since 4.1.0 4025 * 4026 * @param string $control Name of a custom control which is a subclass of 4027 * WP_Customize_Control. 4028 */ 4029 public function register_control_type( $control ) { 4030 $this->registered_control_types[] = $control; 4031 } 4032 4033 /** 4034 * Render JS templates for all registered control types. 4035 * 4036 * @since 4.1.0 4037 */ 4038 public function render_control_templates() { 4039 if ( $this->branching() ) { 4040 $l10n = array( 4041 /* translators: %s: User who is customizing the changeset in customizer. */ 4042 'locked' => __( '%s is already customizing this changeset. Please wait until they are done to try customizing. Your latest changes have been autosaved.' ), 4043 /* translators: %s: User who is customizing the changeset in customizer. */ 4044 'locked_allow_override' => __( '%s is already customizing this changeset. Do you want to take over?' ), 4045 ); 4046 } else { 4047 $l10n = array( 4048 /* translators: %s: User who is customizing the changeset in customizer. */ 4049 'locked' => __( '%s is already customizing this site. Please wait until they are done to try customizing. Your latest changes have been autosaved.' ), 4050 /* translators: %s: User who is customizing the changeset in customizer. */ 4051 'locked_allow_override' => __( '%s is already customizing this site. Do you want to take over?' ), 4052 ); 4053 } 4054 4055 foreach ( $this->registered_control_types as $control_type ) { 4056 $control = new $control_type( 4057 $this, 4058 'temp', 4059 array( 4060 'settings' => array(), 4061 ) 4062 ); 4063 $control->print_template(); 4064 } 4065 ?> 4066 4067 <script type="text/html" id="tmpl-customize-control-default-content"> 4068 <# 4069 var inputId = _.uniqueId( 'customize-control-default-input-' ); 4070 var descriptionId = _.uniqueId( 'customize-control-default-description-' ); 4071 var describedByAttr = data.description ? ' aria-describedby="' + descriptionId + '" ' : ''; 4072 #> 4073 <# switch ( data.type ) { 4074 case 'checkbox': #> 4075 <span class="customize-inside-control-row"> 4076 <input 4077 id="{{ inputId }}" 4078 {{{ describedByAttr }}} 4079 type="checkbox" 4080 value="{{ data.value }}" 4081 data-customize-setting-key-link="default" 4082 > 4083 <label for="{{ inputId }}"> 4084 {{ data.label }} 4085 </label> 4086 <# if ( data.description ) { #> 4087 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4088 <# } #> 4089 </span> 4090 <# 4091 break; 4092 case 'radio': 4093 if ( ! data.choices ) { 4094 return; 4095 } 4096 #> 4097 <# if ( data.label ) { #> 4098 <label for="{{ inputId }}" class="customize-control-title"> 4099 {{ data.label }} 4100 </label> 4101 <# } #> 4102 <# if ( data.description ) { #> 4103 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4104 <# } #> 4105 <# _.each( data.choices, function( val, key ) { #> 4106 <span class="customize-inside-control-row"> 4107 <# 4108 var value, text; 4109 if ( _.isObject( val ) ) { 4110 value = val.value; 4111 text = val.text; 4112 } else { 4113 value = key; 4114 text = val; 4115 } 4116 #> 4117 <input 4118 id="{{ inputId + '-' + value }}" 4119 type="radio" 4120 value="{{ value }}" 4121 name="{{ inputId }}" 4122 data-customize-setting-key-link="default" 4123 {{{ describedByAttr }}} 4124 > 4125 <label for="{{ inputId + '-' + value }}">{{ text }}</label> 4126 </span> 4127 <# } ); #> 4128 <# 4129 break; 4130 default: 4131 #> 4132 <# if ( data.label ) { #> 4133 <label for="{{ inputId }}" class="customize-control-title"> 4134 {{ data.label }} 4135 </label> 4136 <# } #> 4137 <# if ( data.description ) { #> 4138 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4139 <# } #> 4140 4141 <# 4142 var inputAttrs = { 4143 id: inputId, 4144 'data-customize-setting-key-link': 'default' 4145 }; 4146 if ( 'textarea' === data.type ) { 4147 inputAttrs.rows = '5'; 4148 } else if ( 'button' === data.type ) { 4149 inputAttrs['class'] = 'button button-secondary'; 4150 inputAttrs.type = 'button'; 4151 } else { 4152 inputAttrs.type = data.type; 4153 } 4154 if ( data.description ) { 4155 inputAttrs['aria-describedby'] = descriptionId; 4156 } 4157 _.extend( inputAttrs, data.input_attrs ); 4158 #> 4159 4160 <# if ( 'button' === data.type ) { #> 4161 <button 4162 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4163 {{{ key }}}="{{ value }}" 4164 <# } ); #> 4165 >{{ inputAttrs.value }}</button> 4166 <# } else if ( 'textarea' === data.type ) { #> 4167 <textarea 4168 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4169 {{{ key }}}="{{ value }}" 4170 <# }); #> 4171 >{{ inputAttrs.value }}</textarea> 4172 <# } else if ( 'select' === data.type ) { #> 4173 <# delete inputAttrs.type; #> 4174 <select 4175 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4176 {{{ key }}}="{{ value }}" 4177 <# }); #> 4178 > 4179 <# _.each( data.choices, function( val, key ) { #> 4180 <# 4181 var value, text; 4182 if ( _.isObject( val ) ) { 4183 value = val.value; 4184 text = val.text; 4185 } else { 4186 value = key; 4187 text = val; 4188 } 4189 #> 4190 <option value="{{ value }}">{{ text }}</option> 4191 <# } ); #> 4192 </select> 4193 <# } else { #> 4194 <input 4195 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4196 {{{ key }}}="{{ value }}" 4197 <# }); #> 4198 > 4199 <# } #> 4200 <# } #> 4201 </script> 4202 4203 <script type="text/html" id="tmpl-customize-notification"> 4204 <li class="notice notice-{{ data.type || 'info' }} {{ data.alt ? 'notice-alt' : '' }} {{ data.dismissible ? 'is-dismissible' : '' }} {{ data.containerClasses || '' }}" data-code="{{ data.code }}" data-type="{{ data.type }}"> 4205 <div class="notification-message">{{{ data.message || data.code }}}</div> 4206 <# if ( data.dismissible ) { #> 4207 <button type="button" class="notice-dismiss"><span class="screen-reader-text"><?php _e( 'Dismiss' ); ?></span></button> 4208 <# } #> 4209 </li> 4210 </script> 4211 4212 <script type="text/html" id="tmpl-customize-changeset-locked-notification"> 4213 <li class="notice notice-{{ data.type || 'info' }} {{ data.containerClasses || '' }}" data-code="{{ data.code }}" data-type="{{ data.type }}"> 4214 <div class="notification-message customize-changeset-locked-message"> 4215 <img class="customize-changeset-locked-avatar" src="{{ data.lockUser.avatar }}" alt="{{ data.lockUser.name }}"> 4216 <p class="currently-editing"> 4217 <# if ( data.message ) { #> 4218 {{{ data.message }}} 4219 <# } else if ( data.allowOverride ) { #> 4220 <?php 4221 echo esc_html( sprintf( $l10n['locked_allow_override'], '{{ data.lockUser.name }}' ) ); 4222 ?> 4223 <# } else { #> 4224 <?php 4225 echo esc_html( sprintf( $l10n['locked'], '{{ data.lockUser.name }}' ) ); 4226 ?> 4227 <# } #> 4228 </p> 4229 <p class="notice notice-error notice-alt" hidden></p> 4230 <p class="action-buttons"> 4231 <# if ( data.returnUrl !== data.previewUrl ) { #> 4232 <a class="button customize-notice-go-back-button" href="{{ data.returnUrl }}"><?php _e( 'Go back' ); ?></a> 4233 <# } #> 4234 <a class="button customize-notice-preview-button" href="{{ data.frontendPreviewUrl }}"><?php _e( 'Preview' ); ?></a> 4235 <# if ( data.allowOverride ) { #> 4236 <button class="button button-primary wp-tab-last customize-notice-take-over-button"><?php _e( 'Take over' ); ?></button> 4237 <# } #> 4238 </p> 4239 </div> 4240 </li> 4241 </script> 4242 4243 <script type="text/html" id="tmpl-customize-code-editor-lint-error-notification"> 4244 <li class="notice notice-{{ data.type || 'info' }} {{ data.alt ? 'notice-alt' : '' }} {{ data.dismissible ? 'is-dismissible' : '' }} {{ data.containerClasses || '' }}" data-code="{{ data.code }}" data-type="{{ data.type }}"> 4245 <div class="notification-message">{{{ data.message || data.code }}}</div> 4246 4247 <p> 4248 <# var elementId = 'el-' + String( Math.random() ); #> 4249 <input id="{{ elementId }}" type="checkbox"> 4250 <label for="{{ elementId }}"><?php _e( 'Update anyway, even though it might break your site?' ); ?></label> 4251 </p> 4252 </li> 4253 </script> 4254 4255 <?php 4256 /* The following template is obsolete in core but retained for plugins. */ 4257 ?> 4258 <script type="text/html" id="tmpl-customize-control-notifications"> 4259 <ul> 4260 <# _.each( data.notifications, function( notification ) { #> 4261 <li class="notice notice-{{ notification.type || 'info' }} {{ data.altNotice ? 'notice-alt' : '' }}" data-code="{{ notification.code }}" data-type="{{ notification.type }}">{{{ notification.message || notification.code }}}</li> 4262 <# } ); #> 4263 </ul> 4264 </script> 4265 4266 <script type="text/html" id="tmpl-customize-preview-link-control" > 4267 <# var elementPrefix = _.uniqueId( 'el' ) + '-' #> 4268 <p class="customize-control-title"> 4269 <?php esc_html_e( 'Share Preview Link' ); ?> 4270 </p> 4271 <p class="description customize-control-description"><?php esc_html_e( 'See how changes would look live on your website, and share the preview with people who can\'t access the Customizer.' ); ?></p> 4272 <div class="customize-control-notifications-container"></div> 4273 <div class="preview-link-wrapper"> 4274 <label for="{{ elementPrefix }}customize-preview-link-input" class="screen-reader-text"><?php esc_html_e( 'Preview Link' ); ?></label> 4275 <a href="" target=""> 4276 <span class="preview-control-element" data-component="url"></span> 4277 <span class="screen-reader-text"><?php _e( '(opens in a new tab)' ); ?></span> 4278 </a> 4279 <input id="{{ elementPrefix }}customize-preview-link-input" readonly tabindex="-1" class="preview-control-element" data-component="input"> 4280 <button class="customize-copy-preview-link preview-control-element button button-secondary" data-component="button" data-copy-text="<?php esc_attr_e( 'Copy' ); ?>" data-copied-text="<?php esc_attr_e( 'Copied' ); ?>" ><?php esc_html_e( 'Copy' ); ?></button> 4281 </div> 4282 </script> 4283 <script type="text/html" id="tmpl-customize-selected-changeset-status-control"> 4284 <# var inputId = _.uniqueId( 'customize-selected-changeset-status-control-input-' ); #> 4285 <# var descriptionId = _.uniqueId( 'customize-selected-changeset-status-control-description-' ); #> 4286 <# if ( data.label ) { #> 4287 <label for="{{ inputId }}" class="customize-control-title">{{ data.label }}</label> 4288 <# } #> 4289 <# if ( data.description ) { #> 4290 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4291 <# } #> 4292 <# _.each( data.choices, function( choice ) { #> 4293 <# var choiceId = inputId + '-' + choice.status; #> 4294 <span class="customize-inside-control-row"> 4295 <input id="{{ choiceId }}" type="radio" value="{{ choice.status }}" name="{{ inputId }}" data-customize-setting-key-link="default"> 4296 <label for="{{ choiceId }}">{{ choice.label }}</label> 4297 </span> 4298 <# } ); #> 4299 </script> 4300 <?php 4301 } 4302 4303 /** 4304 * Helper function to compare two objects by priority, ensuring sort stability via instance_number. 4305 * 4306 * @since 3.4.0 4307 * @deprecated 4.7.0 Use wp_list_sort() 4308 * 4309 * @param WP_Customize_Panel|WP_Customize_Section|WP_Customize_Control $a Object A. 4310 * @param WP_Customize_Panel|WP_Customize_Section|WP_Customize_Control $b Object B. 4311 * @return int 4312 */ 4313 protected function _cmp_priority( $a, $b ) { 4314 _deprecated_function( __METHOD__, '4.7.0', 'wp_list_sort' ); 4315 4316 if ( $a->priority === $b->priority ) { 4317 return $a->instance_number - $b->instance_number; 4318 } else { 4319 return $a->priority - $b->priority; 4320 } 4321 } 4322 4323 /** 4324 * Prepare panels, sections, and controls. 4325 * 4326 * For each, check if required related components exist, 4327 * whether the user has the necessary capabilities, 4328 * and sort by priority. 4329 * 4330 * @since 3.4.0 4331 */ 4332 public function prepare_controls() { 4333 4334 $controls = array(); 4335 $this->controls = wp_list_sort( 4336 $this->controls, 4337 array( 4338 'priority' => 'ASC', 4339 'instance_number' => 'ASC', 4340 ), 4341 'ASC', 4342 true 4343 ); 4344 4345 foreach ( $this->controls as $id => $control ) { 4346 if ( ! isset( $this->sections[ $control->section ] ) || ! $control->check_capabilities() ) { 4347 continue; 4348 } 4349 4350 $this->sections[ $control->section ]->controls[] = $control; 4351 $controls[ $id ] = $control; 4352 } 4353 $this->controls = $controls; 4354 4355 // Prepare sections. 4356 $this->sections = wp_list_sort( 4357 $this->sections, 4358 array( 4359 'priority' => 'ASC', 4360 'instance_number' => 'ASC', 4361 ), 4362 'ASC', 4363 true 4364 ); 4365 $sections = array(); 4366 4367 foreach ( $this->sections as $section ) { 4368 if ( ! $section->check_capabilities() ) { 4369 continue; 4370 } 4371 4372 $section->controls = wp_list_sort( 4373 $section->controls, 4374 array( 4375 'priority' => 'ASC', 4376 'instance_number' => 'ASC', 4377 ) 4378 ); 4379 4380 if ( ! $section->panel ) { 4381 // Top-level section. 4382 $sections[ $section->id ] = $section; 4383 } else { 4384 // This section belongs to a panel. 4385 if ( isset( $this->panels [ $section->panel ] ) ) { 4386 $this->panels[ $section->panel ]->sections[ $section->id ] = $section; 4387 } 4388 } 4389 } 4390 $this->sections = $sections; 4391 4392 // Prepare panels. 4393 $this->panels = wp_list_sort( 4394 $this->panels, 4395 array( 4396 'priority' => 'ASC', 4397 'instance_number' => 'ASC', 4398 ), 4399 'ASC', 4400 true 4401 ); 4402 $panels = array(); 4403 4404 foreach ( $this->panels as $panel ) { 4405 if ( ! $panel->check_capabilities() ) { 4406 continue; 4407 } 4408 4409 $panel->sections = wp_list_sort( 4410 $panel->sections, 4411 array( 4412 'priority' => 'ASC', 4413 'instance_number' => 'ASC', 4414 ), 4415 'ASC', 4416 true 4417 ); 4418 $panels[ $panel->id ] = $panel; 4419 } 4420 $this->panels = $panels; 4421 4422 // Sort panels and top-level sections together. 4423 $this->containers = array_merge( $this->panels, $this->sections ); 4424 $this->containers = wp_list_sort( 4425 $this->containers, 4426 array( 4427 'priority' => 'ASC', 4428 'instance_number' => 'ASC', 4429 ), 4430 'ASC', 4431 true 4432 ); 4433 } 4434 4435 /** 4436 * Enqueue scripts for customize controls. 4437 * 4438 * @since 3.4.0 4439 */ 4440 public function enqueue_control_scripts() { 4441 foreach ( $this->controls as $control ) { 4442 $control->enqueue(); 4443 } 4444 4445 if ( ! is_multisite() && ( current_user_can( 'install_themes' ) || current_user_can( 'update_themes' ) || current_user_can( 'delete_themes' ) ) ) { 4446 wp_enqueue_script( 'updates' ); 4447 wp_localize_script( 4448 'updates', 4449 '_wpUpdatesItemCounts', 4450 array( 4451 'totals' => wp_get_update_data(), 4452 ) 4453 ); 4454 } 4455 } 4456 4457 /** 4458 * Determine whether the user agent is iOS. 4459 * 4460 * @since 4.4.0 4461 * 4462 * @return bool Whether the user agent is iOS. 4463 */ 4464 public function is_ios() { 4465 return wp_is_mobile() && preg_match( '/iPad|iPod|iPhone/', $_SERVER['HTTP_USER_AGENT'] ); 4466 } 4467 4468 /** 4469 * Get the template string for the Customizer pane document title. 4470 * 4471 * @since 4.4.0 4472 * 4473 * @return string The template string for the document title. 4474 */ 4475 public function get_document_title_template() { 4476 if ( $this->is_theme_active() ) { 4477 /* translators: %s: Document title from the preview. */ 4478 $document_title_tmpl = __( 'Customize: %s' ); 4479 } else { 4480 /* translators: %s: Document title from the preview. */ 4481 $document_title_tmpl = __( 'Live Preview: %s' ); 4482 } 4483 $document_title_tmpl = html_entity_decode( $document_title_tmpl, ENT_QUOTES, 'UTF-8' ); // Because exported to JS and assigned to document.title. 4484 return $document_title_tmpl; 4485 } 4486 4487 /** 4488 * Set the initial URL to be previewed. 4489 * 4490 * URL is validated. 4491 * 4492 * @since 4.4.0 4493 * 4494 * @param string $preview_url URL to be previewed. 4495 */ 4496 public function set_preview_url( $preview_url ) { 4497 $preview_url = esc_url_raw( $preview_url ); 4498 $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) ); 4499 } 4500 4501 /** 4502 * Get the initial URL to be previewed. 4503 * 4504 * @since 4.4.0 4505 * 4506 * @return string URL being previewed. 4507 */ 4508 public function get_preview_url() { 4509 if ( empty( $this->preview_url ) ) { 4510 $preview_url = home_url( '/' ); 4511 } else { 4512 $preview_url = $this->preview_url; 4513 } 4514 return $preview_url; 4515 } 4516 4517 /** 4518 * Determines whether the admin and the frontend are on different domains. 4519 * 4520 * @since 4.7.0 4521 * 4522 * @return bool Whether cross-domain. 4523 */ 4524 public function is_cross_domain() { 4525 $admin_origin = wp_parse_url( admin_url() ); 4526 $home_origin = wp_parse_url( home_url() ); 4527 $cross_domain = ( strtolower( $admin_origin['host'] ) !== strtolower( $home_origin['host'] ) ); 4528 return $cross_domain; 4529 } 4530 4531 /** 4532 * Get URLs allowed to be previewed. 4533 * 4534 * If the front end and the admin are served from the same domain, load the 4535 * preview over ssl if the Customizer is being loaded over ssl. This avoids 4536 * insecure content warnings. This is not attempted if the admin and front end 4537 * are on different domains to avoid the case where the front end doesn't have 4538 * ssl certs. Domain mapping plugins can allow other urls in these conditions 4539 * using the customize_allowed_urls filter. 4540 * 4541 * @since 4.7.0 4542 * 4543 * @return array Allowed URLs. 4544 */ 4545 public function get_allowed_urls() { 4546 $allowed_urls = array( home_url( '/' ) ); 4547 4548 if ( is_ssl() && ! $this->is_cross_domain() ) { 4549 $allowed_urls[] = home_url( '/', 'https' ); 4550 } 4551 4552 /** 4553 * Filters the list of URLs allowed to be clicked and followed in the Customizer preview. 4554 * 4555 * @since 3.4.0 4556 * 4557 * @param string[] $allowed_urls An array of allowed URLs. 4558 */ 4559 $allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) ); 4560 4561 return $allowed_urls; 4562 } 4563 4564 /** 4565 * Get messenger channel. 4566 * 4567 * @since 4.7.0 4568 * 4569 * @return string Messenger channel. 4570 */ 4571 public function get_messenger_channel() { 4572 return $this->messenger_channel; 4573 } 4574 4575 /** 4576 * Set URL to link the user to when closing the Customizer. 4577 * 4578 * URL is validated. 4579 * 4580 * @since 4.4.0 4581 * 4582 * @param string $return_url URL for return link. 4583 */ 4584 public function set_return_url( $return_url ) { 4585 $return_url = esc_url_raw( $return_url ); 4586 $return_url = remove_query_arg( wp_removable_query_args(), $return_url ); 4587 $return_url = wp_validate_redirect( $return_url ); 4588 $this->return_url = $return_url; 4589 } 4590 4591 /** 4592 * Get URL to link the user to when closing the Customizer. 4593 * 4594 * @since 4.4.0 4595 * 4596 * @global array $_registered_pages 4597 * 4598 * @return string URL for link to close Customizer. 4599 */ 4600 public function get_return_url() { 4601 global $_registered_pages; 4602 4603 $referer = wp_get_referer(); 4604 $excluded_referer_basenames = array( 'customize.php', 'wp-login.php' ); 4605 4606 if ( $this->return_url ) { 4607 $return_url = $this->return_url; 4608 } elseif ( $referer && ! in_array( wp_basename( parse_url( $referer, PHP_URL_PATH ) ), $excluded_referer_basenames, true ) ) { 4609 $return_url = $referer; 4610 } elseif ( $this->preview_url ) { 4611 $return_url = $this->preview_url; 4612 } else { 4613 $return_url = home_url( '/' ); 4614 } 4615 4616 $return_url_basename = wp_basename( parse_url( $this->return_url, PHP_URL_PATH ) ); 4617 $return_url_query = parse_url( $this->return_url, PHP_URL_QUERY ); 4618 4619 if ( 'themes.php' === $return_url_basename && $return_url_query ) { 4620 parse_str( $return_url_query, $query_vars ); 4621 4622 /* 4623 * If the return URL is a page added by a theme to the Appearance menu via add_submenu_page(), 4624 * verify that belongs to the active theme, otherwise fall back to the Themes screen. 4625 */ 4626 if ( isset( $query_vars['page'] ) && ! isset( $_registered_pages[ "appearance_page_{$query_vars['page']}" ] ) ) { 4627 $return_url = admin_url( 'themes.php' ); 4628 } 4629 } 4630 4631 return $return_url; 4632 } 4633 4634 /** 4635 * Set the autofocused constructs. 4636 * 4637 * @since 4.4.0 4638 * 4639 * @param array $autofocus { 4640 * Mapping of 'panel', 'section', 'control' to the ID which should be autofocused. 4641 * 4642 * @type string [$control] ID for control to be autofocused. 4643 * @type string [$section] ID for section to be autofocused. 4644 * @type string [$panel] ID for panel to be autofocused. 4645 * } 4646 */ 4647 public function set_autofocus( $autofocus ) { 4648 $this->autofocus = array_filter( wp_array_slice_assoc( $autofocus, array( 'panel', 'section', 'control' ) ), 'is_string' ); 4649 } 4650 4651 /** 4652 * Get the autofocused constructs. 4653 * 4654 * @since 4.4.0 4655 * 4656 * @return array { 4657 * Mapping of 'panel', 'section', 'control' to the ID which should be autofocused. 4658 * 4659 * @type string [$control] ID for control to be autofocused. 4660 * @type string [$section] ID for section to be autofocused. 4661 * @type string [$panel] ID for panel to be autofocused. 4662 * } 4663 */ 4664 public function get_autofocus() { 4665 return $this->autofocus; 4666 } 4667 4668 /** 4669 * Get nonces for the Customizer. 4670 * 4671 * @since 4.5.0 4672 * 4673 * @return array Nonces. 4674 */ 4675 public function get_nonces() { 4676 $nonces = array( 4677 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ), 4678 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ), 4679 'switch_themes' => wp_create_nonce( 'switch_themes' ), 4680 'dismiss_autosave_or_lock' => wp_create_nonce( 'customize_dismiss_autosave_or_lock' ), 4681 'override_lock' => wp_create_nonce( 'customize_override_changeset_lock' ), 4682 'trash' => wp_create_nonce( 'trash_customize_changeset' ), 4683 ); 4684 4685 /** 4686 * Filters nonces for Customizer. 4687 * 4688 * @since 4.2.0 4689 * 4690 * @param string[] $nonces Array of refreshed nonces for save and 4691 * preview actions. 4692 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 4693 */ 4694 $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this ); 4695 4696 return $nonces; 4697 } 4698 4699 /** 4700 * Print JavaScript settings for parent window. 4701 * 4702 * @since 4.4.0 4703 */ 4704 public function customize_pane_settings() { 4705 4706 $login_url = add_query_arg( 4707 array( 4708 'interim-login' => 1, 4709 'customize-login' => 1, 4710 ), 4711 wp_login_url() 4712 ); 4713 4714 // Ensure dirty flags are set for modified settings. 4715 foreach ( array_keys( $this->unsanitized_post_values() ) as $setting_id ) { 4716 $setting = $this->get_setting( $setting_id ); 4717 if ( $setting ) { 4718 $setting->dirty = true; 4719 } 4720 } 4721 4722 $autosave_revision_post = null; 4723 $autosave_autodraft_post = null; 4724 $changeset_post_id = $this->changeset_post_id(); 4725 if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) { 4726 if ( $changeset_post_id ) { 4727 if ( is_user_logged_in() ) { 4728 $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); 4729 } 4730 } else { 4731 $autosave_autodraft_posts = $this->get_changeset_posts( 4732 array( 4733 'posts_per_page' => 1, 4734 'post_status' => 'auto-draft', 4735 'exclude_restore_dismissed' => true, 4736 ) 4737 ); 4738 if ( ! empty( $autosave_autodraft_posts ) ) { 4739 $autosave_autodraft_post = array_shift( $autosave_autodraft_posts ); 4740 } 4741 } 4742 } 4743 4744 $current_user_can_publish = current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts ); 4745 4746 // @todo Include all of the status labels here from script-loader.php, and then allow it to be filtered. 4747 $status_choices = array(); 4748 if ( $current_user_can_publish ) { 4749 $status_choices[] = array( 4750 'status' => 'publish', 4751 'label' => __( 'Publish' ), 4752 ); 4753 } 4754 $status_choices[] = array( 4755 'status' => 'draft', 4756 'label' => __( 'Save Draft' ), 4757 ); 4758 if ( $current_user_can_publish ) { 4759 $status_choices[] = array( 4760 'status' => 'future', 4761 'label' => _x( 'Schedule', 'customizer changeset action/button label' ), 4762 ); 4763 } 4764 4765 // Prepare Customizer settings to pass to JavaScript. 4766 $changeset_post = null; 4767 if ( $changeset_post_id ) { 4768 $changeset_post = get_post( $changeset_post_id ); 4769 } 4770 4771 // Determine initial date to be at present or future, not past. 4772 $current_time = current_time( 'mysql', false ); 4773 $initial_date = $current_time; 4774 if ( $changeset_post ) { 4775 $initial_date = get_the_time( 'Y-m-d H:i:s', $changeset_post->ID ); 4776 if ( $initial_date < $current_time ) { 4777 $initial_date = $current_time; 4778 } 4779 } 4780 4781 $lock_user_id = false; 4782 if ( $this->changeset_post_id() ) { 4783 $lock_user_id = wp_check_post_lock( $this->changeset_post_id() ); 4784 } 4785 4786 $settings = array( 4787 'changeset' => array( 4788 'uuid' => $this->changeset_uuid(), 4789 'branching' => $this->branching(), 4790 'autosaved' => $this->autosaved(), 4791 'hasAutosaveRevision' => ! empty( $autosave_revision_post ), 4792 'latestAutoDraftUuid' => $autosave_autodraft_post ? $autosave_autodraft_post->post_name : null, 4793 'status' => $changeset_post ? $changeset_post->post_status : '', 4794 'currentUserCanPublish' => $current_user_can_publish, 4795 'publishDate' => $initial_date, 4796 'statusChoices' => $status_choices, 4797 'lockUser' => $lock_user_id ? $this->get_lock_user_data( $lock_user_id ) : null, 4798 ), 4799 'initialServerDate' => $current_time, 4800 'dateFormat' => get_option( 'date_format' ), 4801 'timeFormat' => get_option( 'time_format' ), 4802 'initialServerTimestamp' => floor( microtime( true ) * 1000 ), 4803 'initialClientTimestamp' => -1, // To be set with JS below. 4804 'timeouts' => array( 4805 'windowRefresh' => 250, 4806 'changesetAutoSave' => AUTOSAVE_INTERVAL * 1000, 4807 'keepAliveCheck' => 2500, 4808 'reflowPaneContents' => 100, 4809 'previewFrameSensitivity' => 2000, 4810 ), 4811 'theme' => array( 4812 'stylesheet' => $this->get_stylesheet(), 4813 'active' => $this->is_theme_active(), 4814 '_canInstall' => current_user_can( 'install_themes' ), 4815 ), 4816 'url' => array( 4817 'preview' => esc_url_raw( $this->get_preview_url() ), 4818 'return' => esc_url_raw( $this->get_return_url() ), 4819 'parent' => esc_url_raw( admin_url() ), 4820 'activated' => esc_url_raw( home_url( '/' ) ), 4821 'ajax' => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ), 4822 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), 4823 'isCrossDomain' => $this->is_cross_domain(), 4824 'home' => esc_url_raw( home_url( '/' ) ), 4825 'login' => esc_url_raw( $login_url ), 4826 ), 4827 'browser' => array( 4828 'mobile' => wp_is_mobile(), 4829 'ios' => $this->is_ios(), 4830 ), 4831 'panels' => array(), 4832 'sections' => array(), 4833 'nonce' => $this->get_nonces(), 4834 'autofocus' => $this->get_autofocus(), 4835 'documentTitleTmpl' => $this->get_document_title_template(), 4836 'previewableDevices' => $this->get_previewable_devices(), 4837 'l10n' => array( 4838 'confirmDeleteTheme' => __( 'Are you sure you want to delete this theme?' ), 4839 /* translators: %d: Number of theme search results, which cannot currently consider singular vs. plural forms. */ 4840 'themeSearchResults' => __( '%d themes found' ), 4841 /* translators: %d: Number of themes being displayed, which cannot currently consider singular vs. plural forms. */ 4842 'announceThemeCount' => __( 'Displaying %d themes' ), 4843 /* translators: %s: Theme name. */ 4844 'announceThemeDetails' => __( 'Showing details for theme: %s' ), 4845 ), 4846 ); 4847 4848 // Temporarily disable installation in Customizer. See #42184. 4849 $filesystem_method = get_filesystem_method(); 4850 ob_start(); 4851 $filesystem_credentials_are_stored = request_filesystem_credentials( self_admin_url() ); 4852 ob_end_clean(); 4853 if ( 'direct' !== $filesystem_method && ! $filesystem_credentials_are_stored ) { 4854 $settings['theme']['_filesystemCredentialsNeeded'] = true; 4855 } 4856 4857 // Prepare Customize Section objects to pass to JavaScript. 4858 foreach ( $this->sections() as $id => $section ) { 4859 if ( $section->check_capabilities() ) { 4860 $settings['sections'][ $id ] = $section->json(); 4861 } 4862 } 4863 4864 // Prepare Customize Panel objects to pass to JavaScript. 4865 foreach ( $this->panels() as $panel_id => $panel ) { 4866 if ( $panel->check_capabilities() ) { 4867 $settings['panels'][ $panel_id ] = $panel->json(); 4868