| [ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * WordPress Customize Manager classes 4 * 5 * @package WordPress 6 * @subpackage Customize 7 * @since 3.4.0 8 */ 9 10 /** 11 * Customize Manager class. 12 * 13 * Bootstraps the Customize experience on the server-side. 14 * 15 * Sets up the theme-switching process if a theme other than the active one is 16 * being previewed and customized. 17 * 18 * Serves as a factory for Customize Controls and Settings, and 19 * instantiates default Customize Controls and Settings. 20 * 21 * @since 3.4.0 22 */ 23 final class WP_Customize_Manager { 24 /** 25 * An instance of the theme being previewed. 26 * 27 * @since 3.4.0 28 * @var WP_Theme 29 */ 30 protected $theme; 31 32 /** 33 * The directory name of the previously active theme (within the theme_root). 34 * 35 * @since 3.4.0 36 * @var string 37 */ 38 protected $original_stylesheet; 39 40 /** 41 * Whether this is a Customizer pageload. 42 * 43 * @since 3.4.0 44 * @var bool 45 */ 46 protected $previewing = false; 47 48 /** 49 * Methods and properties dealing with managing widgets in the Customizer. 50 * 51 * @since 3.9.0 52 * @var WP_Customize_Widgets 53 */ 54 public $widgets; 55 56 /** 57 * Methods and properties dealing with managing nav menus in the Customizer. 58 * 59 * @since 4.3.0 60 * @var WP_Customize_Nav_Menus 61 */ 62 public $nav_menus; 63 64 /** 65 * Methods and properties dealing with selective refresh in the Customizer preview. 66 * 67 * @since 4.5.0 68 * @var WP_Customize_Selective_Refresh 69 */ 70 public $selective_refresh; 71 72 /** 73 * Registered instances of WP_Customize_Setting. 74 * 75 * @since 3.4.0 76 * @var array 77 */ 78 protected $settings = array(); 79 80 /** 81 * Sorted top-level instances of WP_Customize_Panel and WP_Customize_Section. 82 * 83 * @since 4.0.0 84 * @var array 85 */ 86 protected $containers = array(); 87 88 /** 89 * Registered instances of WP_Customize_Panel. 90 * 91 * @since 4.0.0 92 * @var array 93 */ 94 protected $panels = array(); 95 96 /** 97 * List of core components. 98 * 99 * @since 4.5.0 100 * @var array 101 */ 102 protected $components = array( 'widgets', 'nav_menus' ); 103 104 /** 105 * Registered instances of WP_Customize_Section. 106 * 107 * @since 3.4.0 108 * @var array 109 */ 110 protected $sections = array(); 111 112 /** 113 * Registered instances of WP_Customize_Control. 114 * 115 * @since 3.4.0 116 * @var array 117 */ 118 protected $controls = array(); 119 120 /** 121 * Panel types that may be rendered from JS templates. 122 * 123 * @since 4.3.0 124 * @var array 125 */ 126 protected $registered_panel_types = array(); 127 128 /** 129 * Section types that may be rendered from JS templates. 130 * 131 * @since 4.3.0 132 * @var array 133 */ 134 protected $registered_section_types = array(); 135 136 /** 137 * Control types that may be rendered from JS templates. 138 * 139 * @since 4.1.0 140 * @var array 141 */ 142 protected $registered_control_types = array(); 143 144 /** 145 * Initial URL being previewed. 146 * 147 * @since 4.4.0 148 * @var string 149 */ 150 protected $preview_url; 151 152 /** 153 * URL to link the user to when closing the Customizer. 154 * 155 * @since 4.4.0 156 * @var string 157 */ 158 protected $return_url; 159 160 /** 161 * Mapping of 'panel', 'section', 'control' to the ID which should be autofocused. 162 * 163 * @since 4.4.0 164 * @var array 165 */ 166 protected $autofocus = array(); 167 168 /** 169 * Messenger channel. 170 * 171 * @since 4.7.0 172 * @var string 173 */ 174 protected $messenger_channel; 175 176 /** 177 * Whether the autosave revision of the changeset should be loaded. 178 * 179 * @since 4.9.0 180 * @var bool 181 */ 182 protected $autosaved = false; 183 184 /** 185 * Whether the changeset branching is allowed. 186 * 187 * @since 4.9.0 188 * @var bool 189 */ 190 protected $branching = true; 191 192 /** 193 * Whether settings should be previewed. 194 * 195 * @since 4.9.0 196 * @var bool 197 */ 198 protected $settings_previewed = true; 199 200 /** 201 * Whether a starter content changeset was saved. 202 * 203 * @since 4.9.0 204 * @var bool 205 */ 206 protected $saved_starter_content_changeset = false; 207 208 /** 209 * Unsanitized values for Customize Settings parsed from $_POST['customized']. 210 * 211 * @var array 212 */ 213 private $_post_values; 214 215 /** 216 * Changeset UUID. 217 * 218 * @since 4.7.0 219 * @var string 220 */ 221 private $_changeset_uuid; 222 223 /** 224 * Changeset post ID. 225 * 226 * @since 4.7.0 227 * @var int|false 228 */ 229 private $_changeset_post_id; 230 231 /** 232 * Changeset data loaded from a customize_changeset post. 233 * 234 * @since 4.7.0 235 * @var array|null 236 */ 237 private $_changeset_data; 238 239 /** 240 * Constructor. 241 * 242 * @since 3.4.0 243 * @since 4.7.0 Added `$args` parameter. 244 * 245 * @param array $args { 246 * Args. 247 * 248 * @type null|string|false $changeset_uuid Changeset UUID, the `post_name` for the customize_changeset post containing the customized state. 249 * Defaults to `null` resulting in a UUID to be immediately generated. If `false` is provided, then 250 * then the changeset UUID will be determined during `after_setup_theme`: when the 251 * `customize_changeset_branching` filter returns false, then the default UUID will be that 252 * of the most recent `customize_changeset` post that has a status other than 'auto-draft', 253 * 'publish', or 'trash'. Otherwise, if changeset branching is enabled, then a random UUID will be used. 254 * @type string $theme Theme to be previewed (for theme switch). Defaults to customize_theme or theme query params. 255 * @type string $messenger_channel Messenger channel. Defaults to customize_messenger_channel query param. 256 * @type bool $settings_previewed If settings should be previewed. Defaults to true. 257 * @type bool $branching If changeset branching is allowed; otherwise, changesets are linear. Defaults to true. 258 * @type bool $autosaved If data from a changeset's autosaved revision should be loaded if it exists. Defaults to false. 259 * } 260 */ 261 public function __construct( $args = array() ) { 262 263 $args = array_merge( 264 array_fill_keys( array( 'changeset_uuid', 'theme', 'messenger_channel', 'settings_previewed', 'autosaved', 'branching' ), null ), 265 $args 266 ); 267 268 // Note that the UUID format will be validated in the setup_theme() method. 269 if ( ! isset( $args['changeset_uuid'] ) ) { 270 $args['changeset_uuid'] = wp_generate_uuid4(); 271 } 272 273 // The theme and messenger_channel should be supplied via $args, 274 // but they are also looked at in the $_REQUEST global here for back-compat. 275 if ( ! isset( $args['theme'] ) ) { 276 if ( isset( $_REQUEST['customize_theme'] ) ) { 277 $args['theme'] = wp_unslash( $_REQUEST['customize_theme'] ); 278 } elseif ( isset( $_REQUEST['theme'] ) ) { // Deprecated. 279 $args['theme'] = wp_unslash( $_REQUEST['theme'] ); 280 } 281 } 282 if ( ! isset( $args['messenger_channel'] ) && isset( $_REQUEST['customize_messenger_channel'] ) ) { 283 $args['messenger_channel'] = sanitize_key( wp_unslash( $_REQUEST['customize_messenger_channel'] ) ); 284 } 285 286 $this->original_stylesheet = get_stylesheet(); 287 $this->theme = wp_get_theme( 0 === validate_file( $args['theme'] ) ? $args['theme'] : null ); 288 $this->messenger_channel = $args['messenger_channel']; 289 $this->_changeset_uuid = $args['changeset_uuid']; 290 291 foreach ( array( 'settings_previewed', 'autosaved', 'branching' ) as $key ) { 292 if ( isset( $args[ $key ] ) ) { 293 $this->$key = (bool) $args[ $key ]; 294 } 295 } 296 297 require_once ABSPATH . WPINC . '/class-wp-customize-setting.php'; 298 require_once ABSPATH . WPINC . '/class-wp-customize-panel.php'; 299 require_once ABSPATH . WPINC . '/class-wp-customize-section.php'; 300 require_once ABSPATH . WPINC . '/class-wp-customize-control.php'; 301 302 require_once ABSPATH . WPINC . '/customize/class-wp-customize-color-control.php'; 303 require_once ABSPATH . WPINC . '/customize/class-wp-customize-media-control.php'; 304 require_once ABSPATH . WPINC . '/customize/class-wp-customize-upload-control.php'; 305 require_once ABSPATH . WPINC . '/customize/class-wp-customize-image-control.php'; 306 require_once ABSPATH . WPINC . '/customize/class-wp-customize-background-image-control.php'; 307 require_once ABSPATH . WPINC . '/customize/class-wp-customize-background-position-control.php'; 308 require_once ABSPATH . WPINC . '/customize/class-wp-customize-cropped-image-control.php'; 309 require_once ABSPATH . WPINC . '/customize/class-wp-customize-site-icon-control.php'; 310 require_once ABSPATH . WPINC . '/customize/class-wp-customize-header-image-control.php'; 311 require_once ABSPATH . WPINC . '/customize/class-wp-customize-theme-control.php'; 312 require_once ABSPATH . WPINC . '/customize/class-wp-customize-code-editor-control.php'; 313 require_once ABSPATH . WPINC . '/customize/class-wp-widget-area-customize-control.php'; 314 require_once ABSPATH . WPINC . '/customize/class-wp-widget-form-customize-control.php'; 315 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-control.php'; 316 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-item-control.php'; 317 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-location-control.php'; 318 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-name-control.php'; 319 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-locations-control.php'; 320 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-auto-add-control.php'; 321 322 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menus-panel.php'; 323 324 require_once ABSPATH . WPINC . '/customize/class-wp-customize-themes-panel.php'; 325 require_once ABSPATH . WPINC . '/customize/class-wp-customize-themes-section.php'; 326 require_once ABSPATH . WPINC . '/customize/class-wp-customize-sidebar-section.php'; 327 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-section.php'; 328 329 require_once ABSPATH . WPINC . '/customize/class-wp-customize-custom-css-setting.php'; 330 require_once ABSPATH . WPINC . '/customize/class-wp-customize-filter-setting.php'; 331 require_once ABSPATH . WPINC . '/customize/class-wp-customize-header-image-setting.php'; 332 require_once ABSPATH . WPINC . '/customize/class-wp-customize-background-image-setting.php'; 333 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-item-setting.php'; 334 require_once ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-setting.php'; 335 336 /** 337 * Filters the core Customizer components to load. 338 * 339 * This allows Core components to be excluded from being instantiated by 340 * filtering them out of the array. Note that this filter generally runs 341 * during the {@see 'plugins_loaded'} action, so it cannot be added 342 * in a theme. 343 * 344 * @since 4.4.0 345 * 346 * @see WP_Customize_Manager::__construct() 347 * 348 * @param string[] $components Array of core components to load. 349 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 350 */ 351 $components = apply_filters( 'customize_loaded_components', $this->components, $this ); 352 353 require_once ABSPATH . WPINC . '/customize/class-wp-customize-selective-refresh.php'; 354 $this->selective_refresh = new WP_Customize_Selective_Refresh( $this ); 355 356 if ( in_array( 'widgets', $components, true ) ) { 357 require_once ABSPATH . WPINC . '/class-wp-customize-widgets.php'; 358 $this->widgets = new WP_Customize_Widgets( $this ); 359 } 360 361 if ( in_array( 'nav_menus', $components, true ) ) { 362 require_once ABSPATH . WPINC . '/class-wp-customize-nav-menus.php'; 363 $this->nav_menus = new WP_Customize_Nav_Menus( $this ); 364 } 365 366 add_action( 'setup_theme', array( $this, 'setup_theme' ) ); 367 add_action( 'wp_loaded', array( $this, 'wp_loaded' ) ); 368 369 // Do not spawn cron (especially the alternate cron) while running the Customizer. 370 remove_action( 'init', 'wp_cron' ); 371 372 // Do not run update checks when rendering the controls. 373 remove_action( 'admin_init', '_maybe_update_core' ); 374 remove_action( 'admin_init', '_maybe_update_plugins' ); 375 remove_action( 'admin_init', '_maybe_update_themes' ); 376 377 add_action( 'wp_ajax_customize_save', array( $this, 'save' ) ); 378 add_action( 'wp_ajax_customize_trash', array( $this, 'handle_changeset_trash_request' ) ); 379 add_action( 'wp_ajax_customize_refresh_nonces', array( $this, 'refresh_nonces' ) ); 380 add_action( 'wp_ajax_customize_load_themes', array( $this, 'handle_load_themes_request' ) ); 381 add_filter( 'heartbeat_settings', array( $this, 'add_customize_screen_to_heartbeat_settings' ) ); 382 add_filter( 'heartbeat_received', array( $this, 'check_changeset_lock_with_heartbeat' ), 10, 3 ); 383 add_action( 'wp_ajax_customize_override_changeset_lock', array( $this, 'handle_override_changeset_lock_request' ) ); 384 add_action( 'wp_ajax_customize_dismiss_autosave_or_lock', array( $this, 'handle_dismiss_autosave_or_lock_request' ) ); 385 386 add_action( 'customize_register', array( $this, 'register_controls' ) ); 387 add_action( 'customize_register', array( $this, 'register_dynamic_settings' ), 11 ); // Allow code to create settings first. 388 add_action( 'customize_controls_init', array( $this, 'prepare_controls' ) ); 389 add_action( 'customize_controls_enqueue_scripts', array( $this, 'enqueue_control_scripts' ) ); 390 391 // Render Common, Panel, Section, and Control templates. 392 add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_panel_templates' ), 1 ); 393 add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_section_templates' ), 1 ); 394 add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_control_templates' ), 1 ); 395 396 // Export header video settings with the partial response. 397 add_filter( 'customize_render_partials_response', array( $this, 'export_header_video_settings' ), 10, 3 ); 398 399 // Export the settings to JS via the _wpCustomizeSettings variable. 400 add_action( 'customize_controls_print_footer_scripts', array( $this, 'customize_pane_settings' ), 1000 ); 401 402 // Add theme update notices. 403 if ( current_user_can( 'install_themes' ) || current_user_can( 'update_themes' ) ) { 404 require_once ABSPATH . 'wp-admin/includes/update.php'; 405 add_action( 'customize_controls_print_footer_scripts', 'wp_print_admin_notice_templates' ); 406 } 407 } 408 409 /** 410 * Return true if it's an Ajax request. 411 * 412 * @since 3.4.0 413 * @since 4.2.0 Added `$action` param. 414 * 415 * @param string|null $action Whether the supplied Ajax action is being run. 416 * @return bool True if it's an Ajax request, false otherwise. 417 */ 418 public function doing_ajax( $action = null ) { 419 if ( ! wp_doing_ajax() ) { 420 return false; 421 } 422 423 if ( ! $action ) { 424 return true; 425 } else { 426 /* 427 * Note: we can't just use doing_action( "wp_ajax_{$action}" ) because we need 428 * to check before admin-ajax.php gets to that point. 429 */ 430 return isset( $_REQUEST['action'] ) && wp_unslash( $_REQUEST['action'] ) === $action; 431 } 432 } 433 434 /** 435 * Custom wp_die wrapper. Returns either the standard message for UI 436 * or the Ajax message. 437 * 438 * @since 3.4.0 439 * 440 * @param string|WP_Error $ajax_message Ajax return. 441 * @param string $message Optional. UI message. 442 */ 443 protected function wp_die( $ajax_message, $message = null ) { 444 if ( $this->doing_ajax() ) { 445 wp_die( $ajax_message ); 446 } 447 448 if ( ! $message ) { 449 $message = __( 'Something went wrong.' ); 450 } 451 452 if ( $this->messenger_channel ) { 453 ob_start(); 454 wp_enqueue_scripts(); 455 wp_print_scripts( array( 'customize-base' ) ); 456 457 $settings = array( 458 'messengerArgs' => array( 459 'channel' => $this->messenger_channel, 460 'url' => wp_customize_url(), 461 ), 462 'error' => $ajax_message, 463 ); 464 ?> 465 <script> 466 ( function( api, settings ) { 467 var preview = new api.Messenger( settings.messengerArgs ); 468 preview.send( 'iframe-loading-error', settings.error ); 469 } )( wp.customize, <?php echo wp_json_encode( $settings ); ?> ); 470 </script> 471 <?php 472 $message .= ob_get_clean(); 473 } 474 475 wp_die( $message ); 476 } 477 478 /** 479 * Return the Ajax wp_die() handler if it's a customized request. 480 * 481 * @since 3.4.0 482 * @deprecated 4.7.0 483 * 484 * @return callable Die handler. 485 */ 486 public function wp_die_handler() { 487 _deprecated_function( __METHOD__, '4.7.0' ); 488 489 if ( $this->doing_ajax() || isset( $_POST['customized'] ) ) { 490 return '_ajax_wp_die_handler'; 491 } 492 493 return '_default_wp_die_handler'; 494 } 495 496 /** 497 * Start preview and customize theme. 498 * 499 * Check if customize query variable exist. Init filters to filter the current theme. 500 * 501 * @since 3.4.0 502 * 503 * @global string $pagenow 504 */ 505 public function setup_theme() { 506 global $pagenow; 507 508 // Check permissions for customize.php access since this method is called before customize.php can run any code. 509 if ( 'customize.php' === $pagenow && ! current_user_can( 'customize' ) ) { 510 if ( ! is_user_logged_in() ) { 511 auth_redirect(); 512 } else { 513 wp_die( 514 '<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' . 515 '<p>' . __( 'Sorry, you are not allowed to customize this site.' ) . '</p>', 516 403 517 ); 518 } 519 return; 520 } 521 522 // If a changeset was provided is invalid. 523 if ( isset( $this->_changeset_uuid ) && false !== $this->_changeset_uuid && ! wp_is_uuid( $this->_changeset_uuid ) ) { 524 $this->wp_die( -1, __( 'Invalid changeset UUID' ) ); 525 } 526 527 /* 528 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer 529 * application will inject the customize_preview_nonce query parameter into all Ajax requests. 530 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out 531 * a user when a valid nonce isn't present. 532 */ 533 $has_post_data_nonce = ( 534 check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false ) 535 || 536 check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false ) 537 || 538 check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false ) 539 ); 540 if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) { 541 unset( $_POST['customized'] ); 542 unset( $_REQUEST['customized'] ); 543 } 544 545 /* 546 * If unauthenticated then require a valid changeset UUID to load the preview. 547 * In this way, the UUID serves as a secret key. If the messenger channel is present, 548 * then send unauthenticated code to prompt re-auth. 549 */ 550 if ( ! current_user_can( 'customize' ) && ! $this->changeset_post_id() ) { 551 $this->wp_die( $this->messenger_channel ? 0 : -1, __( 'Non-existent changeset UUID.' ) ); 552 } 553 554 if ( ! headers_sent() ) { 555 send_origin_headers(); 556 } 557 558 // Hide the admin bar if we're embedded in the customizer iframe. 559 if ( $this->messenger_channel ) { 560 show_admin_bar( false ); 561 } 562 563 if ( $this->is_theme_active() ) { 564 // Once the theme is loaded, we'll validate it. 565 add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) ); 566 } else { 567 // If the requested theme is not the active theme and the user doesn't have 568 // the switch_themes cap, bail. 569 if ( ! current_user_can( 'switch_themes' ) ) { 570 $this->wp_die( -1, __( 'Sorry, you are not allowed to edit theme options on this site.' ) ); 571 } 572 573 // If the theme has errors while loading, bail. 574 if ( $this->theme()->errors() ) { 575 $this->wp_die( -1, $this->theme()->errors()->get_error_message() ); 576 } 577 578 // If the theme isn't allowed per multisite settings, bail. 579 if ( ! $this->theme()->is_allowed() ) { 580 $this->wp_die( -1, __( 'The requested theme does not exist.' ) ); 581 } 582 } 583 584 // Make sure changeset UUID is established immediately after the theme is loaded. 585 add_action( 'after_setup_theme', array( $this, 'establish_loaded_changeset' ), 5 ); 586 587 /* 588 * Import theme starter content for fresh installations when landing in the customizer. 589 * Import starter content at after_setup_theme:100 so that any 590 * add_theme_support( 'starter-content' ) calls will have been made. 591 */ 592 if ( get_option( 'fresh_site' ) && 'customize.php' === $pagenow ) { 593 add_action( 'after_setup_theme', array( $this, 'import_theme_starter_content' ), 100 ); 594 } 595 596 $this->start_previewing_theme(); 597 } 598 599 /** 600 * Establish the loaded changeset. 601 * 602 * This method runs right at after_setup_theme and applies the 'customize_changeset_branching' filter to determine 603 * whether concurrent changesets are allowed. Then if the Customizer is not initialized with a `changeset_uuid` param, 604 * this method will determine which UUID should be used. If changeset branching is disabled, then the most saved 605 * changeset will be loaded by default. Otherwise, if there are no existing saved changesets or if changeset branching is 606 * enabled, then a new UUID will be generated. 607 * 608 * @since 4.9.0 609 * 610 * @global string $pagenow 611 */ 612 public function establish_loaded_changeset() { 613 global $pagenow; 614 615 if ( empty( $this->_changeset_uuid ) ) { 616 $changeset_uuid = null; 617 618 if ( ! $this->branching() && $this->is_theme_active() ) { 619 $unpublished_changeset_posts = $this->get_changeset_posts( 620 array( 621 'post_status' => array_diff( get_post_stati(), array( 'auto-draft', 'publish', 'trash', 'inherit', 'private' ) ), 622 'exclude_restore_dismissed' => false, 623 'author' => 'any', 624 'posts_per_page' => 1, 625 'order' => 'DESC', 626 'orderby' => 'date', 627 ) 628 ); 629 $unpublished_changeset_post = array_shift( $unpublished_changeset_posts ); 630 if ( ! empty( $unpublished_changeset_post ) && wp_is_uuid( $unpublished_changeset_post->post_name ) ) { 631 $changeset_uuid = $unpublished_changeset_post->post_name; 632 } 633 } 634 635 // If no changeset UUID has been set yet, then generate a new one. 636 if ( empty( $changeset_uuid ) ) { 637 $changeset_uuid = wp_generate_uuid4(); 638 } 639 640 $this->_changeset_uuid = $changeset_uuid; 641 } 642 643 if ( is_admin() && 'customize.php' === $pagenow ) { 644 $this->set_changeset_lock( $this->changeset_post_id() ); 645 } 646 } 647 648 /** 649 * Callback to validate a theme once it is loaded 650 * 651 * @since 3.4.0 652 */ 653 public function after_setup_theme() { 654 $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_POST['customized'] ) ); 655 if ( ! $doing_ajax_or_is_customized && ! validate_current_theme() ) { 656 wp_redirect( 'themes.php?broken=true' ); 657 exit; 658 } 659 } 660 661 /** 662 * If the theme to be previewed isn't the active theme, add filter callbacks 663 * to swap it out at runtime. 664 * 665 * @since 3.4.0 666 */ 667 public function start_previewing_theme() { 668 // Bail if we're already previewing. 669 if ( $this->is_preview() ) { 670 return; 671 } 672 673 $this->previewing = true; 674 675 if ( ! $this->is_theme_active() ) { 676 add_filter( 'template', array( $this, 'get_template' ) ); 677 add_filter( 'stylesheet', array( $this, 'get_stylesheet' ) ); 678 add_filter( 'pre_option_current_theme', array( $this, 'current_theme' ) ); 679 680 // @link: https://core.trac.wordpress.org/ticket/20027 681 add_filter( 'pre_option_stylesheet', array( $this, 'get_stylesheet' ) ); 682 add_filter( 'pre_option_template', array( $this, 'get_template' ) ); 683 684 // Handle custom theme roots. 685 add_filter( 'pre_option_stylesheet_root', array( $this, 'get_stylesheet_root' ) ); 686 add_filter( 'pre_option_template_root', array( $this, 'get_template_root' ) ); 687 } 688 689 /** 690 * Fires once the Customizer theme preview has started. 691 * 692 * @since 3.4.0 693 * 694 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 695 */ 696 do_action( 'start_previewing_theme', $this ); 697 } 698 699 /** 700 * Stop previewing the selected theme. 701 * 702 * Removes filters to change the current theme. 703 * 704 * @since 3.4.0 705 */ 706 public function stop_previewing_theme() { 707 if ( ! $this->is_preview() ) { 708 return; 709 } 710 711 $this->previewing = false; 712 713 if ( ! $this->is_theme_active() ) { 714 remove_filter( 'template', array( $this, 'get_template' ) ); 715 remove_filter( 'stylesheet', array( $this, 'get_stylesheet' ) ); 716 remove_filter( 'pre_option_current_theme', array( $this, 'current_theme' ) ); 717 718 // @link: https://core.trac.wordpress.org/ticket/20027 719 remove_filter( 'pre_option_stylesheet', array( $this, 'get_stylesheet' ) ); 720 remove_filter( 'pre_option_template', array( $this, 'get_template' ) ); 721 722 // Handle custom theme roots. 723 remove_filter( 'pre_option_stylesheet_root', array( $this, 'get_stylesheet_root' ) ); 724 remove_filter( 'pre_option_template_root', array( $this, 'get_template_root' ) ); 725 } 726 727 /** 728 * Fires once the Customizer theme preview has stopped. 729 * 730 * @since 3.4.0 731 * 732 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 733 */ 734 do_action( 'stop_previewing_theme', $this ); 735 } 736 737 /** 738 * Gets whether settings are or will be previewed. 739 * 740 * @since 4.9.0 741 * 742 * @see WP_Customize_Setting::preview() 743 * 744 * @return bool 745 */ 746 public function settings_previewed() { 747 return $this->settings_previewed; 748 } 749 750 /** 751 * Gets whether data from a changeset's autosaved revision should be loaded if it exists. 752 * 753 * @since 4.9.0 754 * 755 * @see WP_Customize_Manager::changeset_data() 756 * 757 * @return bool Is using autosaved changeset revision. 758 */ 759 public function autosaved() { 760 return $this->autosaved; 761 } 762 763 /** 764 * Whether the changeset branching is allowed. 765 * 766 * @since 4.9.0 767 * 768 * @see WP_Customize_Manager::establish_loaded_changeset() 769 * 770 * @return bool Is changeset branching. 771 */ 772 public function branching() { 773 774 /** 775 * Filters whether or not changeset branching is allowed. 776 * 777 * By default in core, when changeset branching is not allowed, changesets will operate 778 * linearly in that only one saved changeset will exist at a time (with a 'draft' or 779 * 'future' status). This makes the Customizer operate in a way that is similar to going to 780 * "edit" to one existing post: all users will be making changes to the same post, and autosave 781 * revisions will be made for that post. 782 * 783 * By contrast, when changeset branching is allowed, then the model is like users going 784 * to "add new" for a page and each user makes changes independently of each other since 785 * they are all operating on their own separate pages, each getting their own separate 786 * initial auto-drafts and then once initially saved, autosave revisions on top of that 787 * user's specific post. 788 * 789 * Since linear changesets are deemed to be more suitable for the majority of WordPress users, 790 * they are the default. For WordPress sites that have heavy site management in the Customizer 791 * by multiple users then branching changesets should be enabled by means of this filter. 792 * 793 * @since 4.9.0 794 * 795 * @param bool $allow_branching Whether branching is allowed. If `false`, the default, 796 * then only one saved changeset exists at a time. 797 * @param WP_Customize_Manager $wp_customize Manager instance. 798 */ 799 $this->branching = apply_filters( 'customize_changeset_branching', $this->branching, $this ); 800 801 return $this->branching; 802 } 803 804 /** 805 * Get the changeset UUID. 806 * 807 * @since 4.7.0 808 * 809 * @see WP_Customize_Manager::establish_loaded_changeset() 810 * 811 * @return string UUID. 812 */ 813 public function changeset_uuid() { 814 if ( empty( $this->_changeset_uuid ) ) { 815 $this->establish_loaded_changeset(); 816 } 817 return $this->_changeset_uuid; 818 } 819 820 /** 821 * Get the theme being customized. 822 * 823 * @since 3.4.0 824 * 825 * @return WP_Theme 826 */ 827 public function theme() { 828 if ( ! $this->theme ) { 829 $this->theme = wp_get_theme(); 830 } 831 return $this->theme; 832 } 833 834 /** 835 * Get the registered settings. 836 * 837 * @since 3.4.0 838 * 839 * @return array 840 */ 841 public function settings() { 842 return $this->settings; 843 } 844 845 /** 846 * Get the registered controls. 847 * 848 * @since 3.4.0 849 * 850 * @return array 851 */ 852 public function controls() { 853 return $this->controls; 854 } 855 856 /** 857 * Get the registered containers. 858 * 859 * @since 4.0.0 860 * 861 * @return array 862 */ 863 public function containers() { 864 return $this->containers; 865 } 866 867 /** 868 * Get the registered sections. 869 * 870 * @since 3.4.0 871 * 872 * @return array 873 */ 874 public function sections() { 875 return $this->sections; 876 } 877 878 /** 879 * Get the registered panels. 880 * 881 * @since 4.0.0 882 * 883 * @return array Panels. 884 */ 885 public function panels() { 886 return $this->panels; 887 } 888 889 /** 890 * Checks if the current theme is active. 891 * 892 * @since 3.4.0 893 * 894 * @return bool 895 */ 896 public function is_theme_active() { 897 return $this->get_stylesheet() === $this->original_stylesheet; 898 } 899 900 /** 901 * Register styles/scripts and initialize the preview of each setting 902 * 903 * @since 3.4.0 904 */ 905 public function wp_loaded() { 906 907 // Unconditionally register core types for panels, sections, and controls 908 // in case plugin unhooks all customize_register actions. 909 $this->register_panel_type( 'WP_Customize_Panel' ); 910 $this->register_panel_type( 'WP_Customize_Themes_Panel' ); 911 $this->register_section_type( 'WP_Customize_Section' ); 912 $this->register_section_type( 'WP_Customize_Sidebar_Section' ); 913 $this->register_section_type( 'WP_Customize_Themes_Section' ); 914 $this->register_control_type( 'WP_Customize_Color_Control' ); 915 $this->register_control_type( 'WP_Customize_Media_Control' ); 916 $this->register_control_type( 'WP_Customize_Upload_Control' ); 917 $this->register_control_type( 'WP_Customize_Image_Control' ); 918 $this->register_control_type( 'WP_Customize_Background_Image_Control' ); 919 $this->register_control_type( 'WP_Customize_Background_Position_Control' ); 920 $this->register_control_type( 'WP_Customize_Cropped_Image_Control' ); 921 $this->register_control_type( 'WP_Customize_Site_Icon_Control' ); 922 $this->register_control_type( 'WP_Customize_Theme_Control' ); 923 $this->register_control_type( 'WP_Customize_Code_Editor_Control' ); 924 $this->register_control_type( 'WP_Customize_Date_Time_Control' ); 925 926 /** 927 * Fires once WordPress has loaded, allowing scripts and styles to be initialized. 928 * 929 * @since 3.4.0 930 * 931 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 932 */ 933 do_action( 'customize_register', $this ); 934 935 if ( $this->settings_previewed() ) { 936 foreach ( $this->settings as $setting ) { 937 $setting->preview(); 938 } 939 } 940 941 if ( $this->is_preview() && ! is_admin() ) { 942 $this->customize_preview_init(); 943 } 944 } 945 946 /** 947 * Prevents Ajax requests from following redirects when previewing a theme 948 * by issuing a 200 response instead of a 30x. 949 * 950 * Instead, the JS will sniff out the location header. 951 * 952 * @since 3.4.0 953 * @deprecated 4.7.0 954 * 955 * @param int $status Status. 956 * @return int 957 */ 958 public function wp_redirect_status( $status ) { 959 _deprecated_function( __FUNCTION__, '4.7.0' ); 960 961 if ( $this->is_preview() && ! is_admin() ) { 962 return 200; 963 } 964 965 return $status; 966 } 967 968 /** 969 * Find the changeset post ID for a given changeset UUID. 970 * 971 * @since 4.7.0 972 * 973 * @param string $uuid Changeset UUID. 974 * @return int|null Returns post ID on success and null on failure. 975 */ 976 public function find_changeset_post_id( $uuid ) { 977 $cache_group = 'customize_changeset_post'; 978 $changeset_post_id = wp_cache_get( $uuid, $cache_group ); 979 if ( $changeset_post_id && 'customize_changeset' === get_post_type( $changeset_post_id ) ) { 980 return $changeset_post_id; 981 } 982 983 $changeset_post_query = new WP_Query( 984 array( 985 'post_type' => 'customize_changeset', 986 'post_status' => get_post_stati(), 987 'name' => $uuid, 988 'posts_per_page' => 1, 989 'no_found_rows' => true, 990 'cache_results' => true, 991 'update_post_meta_cache' => false, 992 'update_post_term_cache' => false, 993 'lazy_load_term_meta' => false, 994 ) 995 ); 996 if ( ! empty( $changeset_post_query->posts ) ) { 997 // Note: 'fields'=>'ids' is not being used in order to cache the post object as it will be needed. 998 $changeset_post_id = $changeset_post_query->posts[0]->ID; 999 wp_cache_set( $uuid, $changeset_post_id, $cache_group ); 1000 return $changeset_post_id; 1001 } 1002 1003 return null; 1004 } 1005 1006 /** 1007 * Get changeset posts. 1008 * 1009 * @since 4.9.0 1010 * 1011 * @param array $args { 1012 * Args to pass into `get_posts()` to query changesets. 1013 * 1014 * @type int $posts_per_page Number of posts to return. Defaults to -1 (all posts). 1015 * @type int $author Post author. Defaults to current user. 1016 * @type string $post_status Status of changeset. Defaults to 'auto-draft'. 1017 * @type bool $exclude_restore_dismissed Whether to exclude changeset auto-drafts that have been dismissed. Defaults to true. 1018 * } 1019 * @return WP_Post[] Auto-draft changesets. 1020 */ 1021 protected function get_changeset_posts( $args = array() ) { 1022 $default_args = array( 1023 'exclude_restore_dismissed' => true, 1024 'posts_per_page' => -1, 1025 'post_type' => 'customize_changeset', 1026 'post_status' => 'auto-draft', 1027 'order' => 'DESC', 1028 'orderby' => 'date', 1029 'no_found_rows' => true, 1030 'cache_results' => true, 1031 'update_post_meta_cache' => false, 1032 'update_post_term_cache' => false, 1033 'lazy_load_term_meta' => false, 1034 ); 1035 if ( get_current_user_id() ) { 1036 $default_args['author'] = get_current_user_id(); 1037 } 1038 $args = array_merge( $default_args, $args ); 1039 1040 if ( ! empty( $args['exclude_restore_dismissed'] ) ) { 1041 unset( $args['exclude_restore_dismissed'] ); 1042 $args['meta_query'] = array( 1043 array( 1044 'key' => '_customize_restore_dismissed', 1045 'compare' => 'NOT EXISTS', 1046 ), 1047 ); 1048 } 1049 1050 return get_posts( $args ); 1051 } 1052 1053 /** 1054 * Dismiss all of the current user's auto-drafts (other than the present one). 1055 * 1056 * @since 4.9.0 1057 * @return int The number of auto-drafts that were dismissed. 1058 */ 1059 protected function dismiss_user_auto_draft_changesets() { 1060 $changeset_autodraft_posts = $this->get_changeset_posts( 1061 array( 1062 'post_status' => 'auto-draft', 1063 'exclude_restore_dismissed' => true, 1064 'posts_per_page' => -1, 1065 ) 1066 ); 1067 $dismissed = 0; 1068 foreach ( $changeset_autodraft_posts as $autosave_autodraft_post ) { 1069 if ( $autosave_autodraft_post->ID === $this->changeset_post_id() ) { 1070 continue; 1071 } 1072 if ( update_post_meta( $autosave_autodraft_post->ID, '_customize_restore_dismissed', true ) ) { 1073 $dismissed++; 1074 } 1075 } 1076 return $dismissed; 1077 } 1078 1079 /** 1080 * Get the changeset post ID for the loaded changeset. 1081 * 1082 * @since 4.7.0 1083 * 1084 * @return int|null Post ID on success or null if there is no post yet saved. 1085 */ 1086 public function changeset_post_id() { 1087 if ( ! isset( $this->_changeset_post_id ) ) { 1088 $post_id = $this->find_changeset_post_id( $this->changeset_uuid() ); 1089 if ( ! $post_id ) { 1090 $post_id = false; 1091 } 1092 $this->_changeset_post_id = $post_id; 1093 } 1094 if ( false === $this->_changeset_post_id ) { 1095 return null; 1096 } 1097 return $this->_changeset_post_id; 1098 } 1099 1100 /** 1101 * Get the data stored in a changeset post. 1102 * 1103 * @since 4.7.0 1104 * 1105 * @param int $post_id Changeset post ID. 1106 * @return array|WP_Error Changeset data or WP_Error on error. 1107 */ 1108 protected function get_changeset_post_data( $post_id ) { 1109 if ( ! $post_id ) { 1110 return new WP_Error( 'empty_post_id' ); 1111 } 1112 $changeset_post = get_post( $post_id ); 1113 if ( ! $changeset_post ) { 1114 return new WP_Error( 'missing_post' ); 1115 } 1116 if ( 'revision' === $changeset_post->post_type ) { 1117 if ( 'customize_changeset' !== get_post_type( $changeset_post->post_parent ) ) { 1118 return new WP_Error( 'wrong_post_type' ); 1119 } 1120 } elseif ( 'customize_changeset' !== $changeset_post->post_type ) { 1121 return new WP_Error( 'wrong_post_type' ); 1122 } 1123 $changeset_data = json_decode( $changeset_post->post_content, true ); 1124 $last_error = json_last_error(); 1125 if ( $last_error ) { 1126 return new WP_Error( 'json_parse_error', '', $last_error ); 1127 } 1128 if ( ! is_array( $changeset_data ) ) { 1129 return new WP_Error( 'expected_array' ); 1130 } 1131 return $changeset_data; 1132 } 1133 1134 /** 1135 * Get changeset data. 1136 * 1137 * @since 4.7.0 1138 * @since 4.9.0 This will return the changeset's data with a user's autosave revision merged on top, if one exists and $autosaved is true. 1139 * 1140 * @return array Changeset data. 1141 */ 1142 public function changeset_data() { 1143 if ( isset( $this->_changeset_data ) ) { 1144 return $this->_changeset_data; 1145 } 1146 $changeset_post_id = $this->changeset_post_id(); 1147 if ( ! $changeset_post_id ) { 1148 $this->_changeset_data = array(); 1149 } else { 1150 if ( $this->autosaved() && is_user_logged_in() ) { 1151 $autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); 1152 if ( $autosave_post ) { 1153 $data = $this->get_changeset_post_data( $autosave_post->ID ); 1154 if ( ! is_wp_error( $data ) ) { 1155 $this->_changeset_data = $data; 1156 } 1157 } 1158 } 1159 1160 // Load data from the changeset if it was not loaded from an autosave. 1161 if ( ! isset( $this->_changeset_data ) ) { 1162 $data = $this->get_changeset_post_data( $changeset_post_id ); 1163 if ( ! is_wp_error( $data ) ) { 1164 $this->_changeset_data = $data; 1165 } else { 1166 $this->_changeset_data = array(); 1167 } 1168 } 1169 } 1170 return $this->_changeset_data; 1171 } 1172 1173 /** 1174 * Starter content setting IDs. 1175 * 1176 * @since 4.7.0 1177 * @var array 1178 */ 1179 protected $pending_starter_content_settings_ids = array(); 1180 1181 /** 1182 * Import theme starter content into the customized state. 1183 * 1184 * @since 4.7.0 1185 * 1186 * @param array $starter_content Starter content. Defaults to `get_theme_starter_content()`. 1187 */ 1188 function import_theme_starter_content( $starter_content = array() ) { 1189 if ( empty( $starter_content ) ) { 1190 $starter_content = get_theme_starter_content(); 1191 } 1192 1193 $changeset_data = array(); 1194 if ( $this->changeset_post_id() ) { 1195 /* 1196 * Don't re-import starter content into a changeset saved persistently. 1197 * This will need to be revisited in the future once theme switching 1198 * is allowed with drafted/scheduled changesets, since switching to 1199 * another theme could result in more starter content being applied. 1200 * However, when doing an explicit save it is currently possible for 1201 * nav menus and nav menu items specifically to lose their starter_content 1202 * flags, thus resulting in duplicates being created since they fail 1203 * to get re-used. See #40146. 1204 */ 1205 if ( 'auto-draft' !== get_post_status( $this->changeset_post_id() ) ) { 1206 return; 1207 } 1208 1209 $changeset_data = $this->get_changeset_post_data( $this->changeset_post_id() ); 1210 } 1211 1212 $sidebars_widgets = isset( $starter_content['widgets'] ) && ! empty( $this->widgets ) ? $starter_content['widgets'] : array(); 1213 $attachments = isset( $starter_content['attachments'] ) && ! empty( $this->nav_menus ) ? $starter_content['attachments'] : array(); 1214 $posts = isset( $starter_content['posts'] ) && ! empty( $this->nav_menus ) ? $starter_content['posts'] : array(); 1215 $options = isset( $starter_content['options'] ) ? $starter_content['options'] : array(); 1216 $nav_menus = isset( $starter_content['nav_menus'] ) && ! empty( $this->nav_menus ) ? $starter_content['nav_menus'] : array(); 1217 $theme_mods = isset( $starter_content['theme_mods'] ) ? $starter_content['theme_mods'] : array(); 1218 1219 // Widgets. 1220 $max_widget_numbers = array(); 1221 foreach ( $sidebars_widgets as $sidebar_id => $widgets ) { 1222 $sidebar_widget_ids = array(); 1223 foreach ( $widgets as $widget ) { 1224 list( $id_base, $instance ) = $widget; 1225 1226 if ( ! isset( $max_widget_numbers[ $id_base ] ) ) { 1227 1228 // When $settings is an array-like object, get an intrinsic array for use with array_keys(). 1229 $settings = get_option( "widget_{$id_base}", array() ); 1230 if ( $settings instanceof ArrayObject || $settings instanceof ArrayIterator ) { 1231 $settings = $settings->getArrayCopy(); 1232 } 1233 1234 unset( $settings['_multiwidget'] ); 1235 1236 // Find the max widget number for this type. 1237 $widget_numbers = array_keys( $settings ); 1238 if ( count( $widget_numbers ) > 0 ) { 1239 $widget_numbers[] = 1; 1240 $max_widget_numbers[ $id_base ] = max( ...$widget_numbers ); 1241 } else { 1242 $max_widget_numbers[ $id_base ] = 1; 1243 } 1244 } 1245 $max_widget_numbers[ $id_base ] += 1; 1246 1247 $widget_id = sprintf( '%s-%d', $id_base, $max_widget_numbers[ $id_base ] ); 1248 $setting_id = sprintf( 'widget_%s[%d]', $id_base, $max_widget_numbers[ $id_base ] ); 1249 1250 $setting_value = $this->widgets->sanitize_widget_js_instance( $instance ); 1251 if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { 1252 $this->set_post_value( $setting_id, $setting_value ); 1253 $this->pending_starter_content_settings_ids[] = $setting_id; 1254 } 1255 $sidebar_widget_ids[] = $widget_id; 1256 } 1257 1258 $setting_id = sprintf( 'sidebars_widgets[%s]', $sidebar_id ); 1259 if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { 1260 $this->set_post_value( $setting_id, $sidebar_widget_ids ); 1261 $this->pending_starter_content_settings_ids[] = $setting_id; 1262 } 1263 } 1264 1265 $starter_content_auto_draft_post_ids = array(); 1266 if ( ! empty( $changeset_data['nav_menus_created_posts']['value'] ) ) { 1267 $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, $changeset_data['nav_menus_created_posts']['value'] ); 1268 } 1269 1270 // Make an index of all the posts needed and what their slugs are. 1271 $needed_posts = array(); 1272 $attachments = $this->prepare_starter_content_attachments( $attachments ); 1273 foreach ( $attachments as $attachment ) { 1274 $key = 'attachment:' . $attachment['post_name']; 1275 $needed_posts[ $key ] = true; 1276 } 1277 foreach ( array_keys( $posts ) as $post_symbol ) { 1278 if ( empty( $posts[ $post_symbol ]['post_name'] ) && empty( $posts[ $post_symbol ]['post_title'] ) ) { 1279 unset( $posts[ $post_symbol ] ); 1280 continue; 1281 } 1282 if ( empty( $posts[ $post_symbol ]['post_name'] ) ) { 1283 $posts[ $post_symbol ]['post_name'] = sanitize_title( $posts[ $post_symbol ]['post_title'] ); 1284 } 1285 if ( empty( $posts[ $post_symbol ]['post_type'] ) ) { 1286 $posts[ $post_symbol ]['post_type'] = 'post'; 1287 } 1288 $needed_posts[ $posts[ $post_symbol ]['post_type'] . ':' . $posts[ $post_symbol ]['post_name'] ] = true; 1289 } 1290 $all_post_slugs = array_merge( 1291 wp_list_pluck( $attachments, 'post_name' ), 1292 wp_list_pluck( $posts, 'post_name' ) 1293 ); 1294 1295 /* 1296 * Obtain all post types referenced in starter content to use in query. 1297 * This is needed because 'any' will not account for post types not yet registered. 1298 */ 1299 $post_types = array_filter( array_merge( array( 'attachment' ), wp_list_pluck( $posts, 'post_type' ) ) ); 1300 1301 // Re-use auto-draft starter content posts referenced in the current customized state. 1302 $existing_starter_content_posts = array(); 1303 if ( ! empty( $starter_content_auto_draft_post_ids ) ) { 1304 $existing_posts_query = new WP_Query( 1305 array( 1306 'post__in' => $starter_content_auto_draft_post_ids, 1307 'post_status' => 'auto-draft', 1308 'post_type' => $post_types, 1309 'posts_per_page' => -1, 1310 ) 1311 ); 1312 foreach ( $existing_posts_query->posts as $existing_post ) { 1313 $post_name = $existing_post->post_name; 1314 if ( empty( $post_name ) ) { 1315 $post_name = get_post_meta( $existing_post->ID, '_customize_draft_post_name', true ); 1316 } 1317 $existing_starter_content_posts[ $existing_post->post_type . ':' . $post_name ] = $existing_post; 1318 } 1319 } 1320 1321 // Re-use non-auto-draft posts. 1322 if ( ! empty( $all_post_slugs ) ) { 1323 $existing_posts_query = new WP_Query( 1324 array( 1325 'post_name__in' => $all_post_slugs, 1326 'post_status' => array_diff( get_post_stati(), array( 'auto-draft' ) ), 1327 'post_type' => 'any', 1328 'posts_per_page' => -1, 1329 ) 1330 ); 1331 foreach ( $existing_posts_query->posts as $existing_post ) { 1332 $key = $existing_post->post_type . ':' . $existing_post->post_name; 1333 if ( isset( $needed_posts[ $key ] ) && ! isset( $existing_starter_content_posts[ $key ] ) ) { 1334 $existing_starter_content_posts[ $key ] = $existing_post; 1335 } 1336 } 1337 } 1338 1339 // Attachments are technically posts but handled differently. 1340 if ( ! empty( $attachments ) ) { 1341 1342 $attachment_ids = array(); 1343 1344 foreach ( $attachments as $symbol => $attachment ) { 1345 $file_array = array( 1346 'name' => $attachment['file_name'], 1347 ); 1348 $file_path = $attachment['file_path']; 1349 $attachment_id = null; 1350 $attached_file = null; 1351 if ( isset( $existing_starter_content_posts[ 'attachment:' . $attachment['post_name'] ] ) ) { 1352 $attachment_post = $existing_starter_content_posts[ 'attachment:' . $attachment['post_name'] ]; 1353 $attachment_id = $attachment_post->ID; 1354 $attached_file = get_attached_file( $attachment_id ); 1355 if ( empty( $attached_file ) || ! file_exists( $attached_file ) ) { 1356 $attachment_id = null; 1357 $attached_file = null; 1358 } elseif ( $this->get_stylesheet() !== get_post_meta( $attachment_post->ID, '_starter_content_theme', true ) ) { 1359 1360 // Re-generate attachment metadata since it was previously generated for a different theme. 1361 $metadata = wp_generate_attachment_metadata( $attachment_post->ID, $attached_file ); 1362 wp_update_attachment_metadata( $attachment_id, $metadata ); 1363 update_post_meta( $attachment_id, '_starter_content_theme', $this->get_stylesheet() ); 1364 } 1365 } 1366 1367 // Insert the attachment auto-draft because it doesn't yet exist or the attached file is gone. 1368 if ( ! $attachment_id ) { 1369 1370 // Copy file to temp location so that original file won't get deleted from theme after sideloading. 1371 $temp_file_name = wp_tempnam( wp_basename( $file_path ) ); 1372 if ( $temp_file_name && copy( $file_path, $temp_file_name ) ) { 1373 $file_array['tmp_name'] = $temp_file_name; 1374 } 1375 if ( empty( $file_array['tmp_name'] ) ) { 1376 continue; 1377 } 1378 1379 $attachment_post_data = array_merge( 1380 wp_array_slice_assoc( $attachment, array( 'post_title', 'post_content', 'post_excerpt' ) ), 1381 array( 1382 'post_status' => 'auto-draft', // So attachment will be garbage collected in a week if changeset is never published. 1383 ) 1384 ); 1385 1386 $attachment_id = media_handle_sideload( $file_array, 0, null, $attachment_post_data ); 1387 if ( is_wp_error( $attachment_id ) ) { 1388 continue; 1389 } 1390 update_post_meta( $attachment_id, '_starter_content_theme', $this->get_stylesheet() ); 1391 update_post_meta( $attachment_id, '_customize_draft_post_name', $attachment['post_name'] ); 1392 } 1393 1394 $attachment_ids[ $symbol ] = $attachment_id; 1395 } 1396 $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, array_values( $attachment_ids ) ); 1397 } 1398 1399 // Posts & pages. 1400 if ( ! empty( $posts ) ) { 1401 foreach ( array_keys( $posts ) as $post_symbol ) { 1402 if ( empty( $posts[ $post_symbol ]['post_type'] ) || empty( $posts[ $post_symbol ]['post_name'] ) ) { 1403 continue; 1404 } 1405 $post_type = $posts[ $post_symbol ]['post_type']; 1406 if ( ! empty( $posts[ $post_symbol ]['post_name'] ) ) { 1407 $post_name = $posts[ $post_symbol ]['post_name']; 1408 } elseif ( ! empty( $posts[ $post_symbol ]['post_title'] ) ) { 1409 $post_name = sanitize_title( $posts[ $post_symbol ]['post_title'] ); 1410 } else { 1411 continue; 1412 } 1413 1414 // Use existing auto-draft post if one already exists with the same type and name. 1415 if ( isset( $existing_starter_content_posts[ $post_type . ':' . $post_name ] ) ) { 1416 $posts[ $post_symbol ]['ID'] = $existing_starter_content_posts[ $post_type . ':' . $post_name ]->ID; 1417 continue; 1418 } 1419 1420 // Translate the featured image symbol. 1421 if ( ! empty( $posts[ $post_symbol ]['thumbnail'] ) 1422 && preg_match( '/^{{(?P<symbol>.+)}}$/', $posts[ $post_symbol ]['thumbnail'], $matches ) 1423 && isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1424 $posts[ $post_symbol ]['meta_input']['_thumbnail_id'] = $attachment_ids[ $matches['symbol'] ]; 1425 } 1426 1427 if ( ! empty( $posts[ $post_symbol ]['template'] ) ) { 1428 $posts[ $post_symbol ]['meta_input']['_wp_page_template'] = $posts[ $post_symbol ]['template']; 1429 } 1430 1431 $r = $this->nav_menus->insert_auto_draft_post( $posts[ $post_symbol ] ); 1432 if ( $r instanceof WP_Post ) { 1433 $posts[ $post_symbol ]['ID'] = $r->ID; 1434 } 1435 } 1436 1437 $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, wp_list_pluck( $posts, 'ID' ) ); 1438 } 1439 1440 // The nav_menus_created_posts setting is why nav_menus component is dependency for adding posts. 1441 if ( ! empty( $this->nav_menus ) && ! empty( $starter_content_auto_draft_post_ids ) ) { 1442 $setting_id = 'nav_menus_created_posts'; 1443 $this->set_post_value( $setting_id, array_unique( array_values( $starter_content_auto_draft_post_ids ) ) ); 1444 $this->pending_starter_content_settings_ids[] = $setting_id; 1445 } 1446 1447 // Nav menus. 1448 $placeholder_id = -1; 1449 $reused_nav_menu_setting_ids = array(); 1450 foreach ( $nav_menus as $nav_menu_location => $nav_menu ) { 1451 1452 $nav_menu_term_id = null; 1453 $nav_menu_setting_id = null; 1454 $matches = array(); 1455 1456 // Look for an existing placeholder menu with starter content to re-use. 1457 foreach ( $changeset_data as $setting_id => $setting_params ) { 1458 $can_reuse = ( 1459 ! empty( $setting_params['starter_content'] ) 1460 && 1461 ! in_array( $setting_id, $reused_nav_menu_setting_ids, true ) 1462 && 1463 preg_match( '#^nav_menu\[(?P<nav_menu_id>-?\d+)\]$#', $setting_id, $matches ) 1464 ); 1465 if ( $can_reuse ) { 1466 $nav_menu_term_id = (int) $matches['nav_menu_id']; 1467 $nav_menu_setting_id = $setting_id; 1468 $reused_nav_menu_setting_ids[] = $setting_id; 1469 break; 1470 } 1471 } 1472 1473 if ( ! $nav_menu_term_id ) { 1474 while ( isset( $changeset_data[ sprintf( 'nav_menu[%d]', $placeholder_id ) ] ) ) { 1475 $placeholder_id--; 1476 } 1477 $nav_menu_term_id = $placeholder_id; 1478 $nav_menu_setting_id = sprintf( 'nav_menu[%d]', $placeholder_id ); 1479 } 1480 1481 $this->set_post_value( 1482 $nav_menu_setting_id, 1483 array( 1484 'name' => isset( $nav_menu['name'] ) ? $nav_menu['name'] : $nav_menu_location, 1485 ) 1486 ); 1487 $this->pending_starter_content_settings_ids[] = $nav_menu_setting_id; 1488 1489 // @todo Add support for menu_item_parent. 1490 $position = 0; 1491 foreach ( $nav_menu['items'] as $nav_menu_item ) { 1492 $nav_menu_item_setting_id = sprintf( 'nav_menu_item[%d]', $placeholder_id-- ); 1493 if ( ! isset( $nav_menu_item['position'] ) ) { 1494 $nav_menu_item['position'] = $position++; 1495 } 1496 $nav_menu_item['nav_menu_term_id'] = $nav_menu_term_id; 1497 1498 if ( isset( $nav_menu_item['object_id'] ) ) { 1499 if ( 'post_type' === $nav_menu_item['type'] && preg_match( '/^{{(?P<symbol>.+)}}$/', $nav_menu_item['object_id'], $matches ) && isset( $posts[ $matches['symbol'] ] ) ) { 1500 $nav_menu_item['object_id'] = $posts[ $matches['symbol'] ]['ID']; 1501 if ( empty( $nav_menu_item['title'] ) ) { 1502 $original_object = get_post( $nav_menu_item['object_id'] ); 1503 $nav_menu_item['title'] = $original_object->post_title; 1504 } 1505 } else { 1506 continue; 1507 } 1508 } else { 1509 $nav_menu_item['object_id'] = 0; 1510 } 1511 1512 if ( empty( $changeset_data[ $nav_menu_item_setting_id ] ) || ! empty( $changeset_data[ $nav_menu_item_setting_id ]['starter_content'] ) ) { 1513 $this->set_post_value( $nav_menu_item_setting_id, $nav_menu_item ); 1514 $this->pending_starter_content_settings_ids[] = $nav_menu_item_setting_id; 1515 } 1516 } 1517 1518 $setting_id = sprintf( 'nav_menu_locations[%s]', $nav_menu_location ); 1519 if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { 1520 $this->set_post_value( $setting_id, $nav_menu_term_id ); 1521 $this->pending_starter_content_settings_ids[] = $setting_id; 1522 } 1523 } 1524 1525 // Options. 1526 foreach ( $options as $name => $value ) { 1527 1528 // Serialize the value to check for post symbols. 1529 $value = maybe_serialize( $value ); 1530 1531 if ( is_serialized( $value ) ) { 1532 if ( preg_match( '/s:\d+:"{{(?P<symbol>.+)}}"/', $value, $matches ) ) { 1533 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1534 $symbol_match = $posts[ $matches['symbol'] ]['ID']; 1535 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1536 $symbol_match = $attachment_ids[ $matches['symbol'] ]; 1537 } 1538 1539 // If we have any symbol matches, update the values. 1540 if ( isset( $symbol_match ) ) { 1541 // Replace found string matches with post IDs. 1542 $value = str_replace( $matches[0], "i:{$symbol_match}", $value ); 1543 } else { 1544 continue; 1545 } 1546 } 1547 } elseif ( preg_match( '/^{{(?P<symbol>.+)}}$/', $value, $matches ) ) { 1548 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1549 $value = $posts[ $matches['symbol'] ]['ID']; 1550 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1551 $value = $attachment_ids[ $matches['symbol'] ]; 1552 } else { 1553 continue; 1554 } 1555 } 1556 1557 // Unserialize values after checking for post symbols, so they can be properly referenced. 1558 $value = maybe_unserialize( $value ); 1559 1560 if ( empty( $changeset_data[ $name ] ) || ! empty( $changeset_data[ $name ]['starter_content'] ) ) { 1561 $this->set_post_value( $name, $value ); 1562 $this->pending_starter_content_settings_ids[] = $name; 1563 } 1564 } 1565 1566 // Theme mods. 1567 foreach ( $theme_mods as $name => $value ) { 1568 1569 // Serialize the value to check for post symbols. 1570 $value = maybe_serialize( $value ); 1571 1572 // Check if value was serialized. 1573 if ( is_serialized( $value ) ) { 1574 if ( preg_match( '/s:\d+:"{{(?P<symbol>.+)}}"/', $value, $matches ) ) { 1575 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1576 $symbol_match = $posts[ $matches['symbol'] ]['ID']; 1577 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1578 $symbol_match = $attachment_ids[ $matches['symbol'] ]; 1579 } 1580 1581 // If we have any symbol matches, update the values. 1582 if ( isset( $symbol_match ) ) { 1583 // Replace found string matches with post IDs. 1584 $value = str_replace( $matches[0], "i:{$symbol_match}", $value ); 1585 } else { 1586 continue; 1587 } 1588 } 1589 } elseif ( preg_match( '/^{{(?P<symbol>.+)}}$/', $value, $matches ) ) { 1590 if ( isset( $posts[ $matches['symbol'] ] ) ) { 1591 $value = $posts[ $matches['symbol'] ]['ID']; 1592 } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { 1593 $value = $attachment_ids[ $matches['symbol'] ]; 1594 } else { 1595 continue; 1596 } 1597 } 1598 1599 // Unserialize values after checking for post symbols, so they can be properly referenced. 1600 $value = maybe_unserialize( $value ); 1601 1602 // Handle header image as special case since setting has a legacy format. 1603 if ( 'header_image' === $name ) { 1604 $name = 'header_image_data'; 1605 $metadata = wp_get_attachment_metadata( $value ); 1606 if ( empty( $metadata ) ) { 1607 continue; 1608 } 1609 $value = array( 1610 'attachment_id' => $value, 1611 'url' => wp_get_attachment_url( $value ), 1612 'height' => $metadata['height'], 1613 'width' => $metadata['width'], 1614 ); 1615 } elseif ( 'background_image' === $name ) { 1616 $value = wp_get_attachment_url( $value ); 1617 } 1618 1619 if ( empty( $changeset_data[ $name ] ) || ! empty( $changeset_data[ $name ]['starter_content'] ) ) { 1620 $this->set_post_value( $name, $value ); 1621 $this->pending_starter_content_settings_ids[] = $name; 1622 } 1623 } 1624 1625 if ( ! empty( $this->pending_starter_content_settings_ids ) ) { 1626 if ( did_action( 'customize_register' ) ) { 1627 $this->_save_starter_content_changeset(); 1628 } else { 1629 add_action( 'customize_register', array( $this, '_save_starter_content_changeset' ), 1000 ); 1630 } 1631 } 1632 } 1633 1634 /** 1635 * Prepare starter content attachments. 1636 * 1637 * Ensure that the attachments are valid and that they have slugs and file name/path. 1638 * 1639 * @since 4.7.0 1640 * 1641 * @param array $attachments Attachments. 1642 * @return array Prepared attachments. 1643 */ 1644 protected function prepare_starter_content_attachments( $attachments ) { 1645 $prepared_attachments = array(); 1646 if ( empty( $attachments ) ) { 1647 return $prepared_attachments; 1648 } 1649 1650 // Such is The WordPress Way. 1651 require_once ABSPATH . 'wp-admin/includes/file.php'; 1652 require_once ABSPATH . 'wp-admin/includes/media.php'; 1653 require_once ABSPATH . 'wp-admin/includes/image.php'; 1654 1655 foreach ( $attachments as $symbol => $attachment ) { 1656 1657 // A file is required and URLs to files are not currently allowed. 1658 if ( empty( $attachment['file'] ) || preg_match( '#^https?://$#', $attachment['file'] ) ) { 1659 continue; 1660 } 1661 1662 $file_path = null; 1663 if ( file_exists( $attachment['file'] ) ) { 1664 $file_path = $attachment['file']; // Could be absolute path to file in plugin. 1665 } elseif ( is_child_theme() && file_exists( get_stylesheet_directory() . '/' . $attachment['file'] ) ) { 1666 $file_path = get_stylesheet_directory() . '/' . $attachment['file']; 1667 } elseif ( file_exists( get_template_directory() . '/' . $attachment['file'] ) ) { 1668 $file_path = get_template_directory() . '/' . $attachment['file']; 1669 } else { 1670 continue; 1671 } 1672 $file_name = wp_basename( $attachment['file'] ); 1673 1674 // Skip file types that are not recognized. 1675 $checked_filetype = wp_check_filetype( $file_name ); 1676 if ( empty( $checked_filetype['type'] ) ) { 1677 continue; 1678 } 1679 1680 // Ensure post_name is set since not automatically derived from post_title for new auto-draft posts. 1681 if ( empty( $attachment['post_name'] ) ) { 1682 if ( ! empty( $attachment['post_title'] ) ) { 1683 $attachment['post_name'] = sanitize_title( $attachment['post_title'] ); 1684 } else { 1685 $attachment['post_name'] = sanitize_title( preg_replace( '/\.\w+$/', '', $file_name ) ); 1686 } 1687 } 1688 1689 $attachment['file_name'] = $file_name; 1690 $attachment['file_path'] = $file_path; 1691 $prepared_attachments[ $symbol ] = $attachment; 1692 } 1693 return $prepared_attachments; 1694 } 1695 1696 /** 1697 * Save starter content changeset. 1698 * 1699 * @since 4.7.0 1700 */ 1701 public function _save_starter_content_changeset() { 1702 1703 if ( empty( $this->pending_starter_content_settings_ids ) ) { 1704 return; 1705 } 1706 1707 $this->save_changeset_post( 1708 array( 1709 'data' => array_fill_keys( $this->pending_starter_content_settings_ids, array( 'starter_content' => true ) ), 1710 'starter_content' => true, 1711 ) 1712 ); 1713 $this->saved_starter_content_changeset = true; 1714 1715 $this->pending_starter_content_settings_ids = array(); 1716 } 1717 1718 /** 1719 * Get dirty pre-sanitized setting values in the current customized state. 1720 * 1721 * The returned array consists of a merge of three sources: 1722 * 1. If the theme is not currently active, then the base array is any stashed 1723 * theme mods that were modified previously but never published. 1724 * 2. The values from the current changeset, if it exists. 1725 * 3. If the user can customize, the values parsed from the incoming 1726 * `$_POST['customized']` JSON data. 1727 * 4. Any programmatically-set post values via `WP_Customize_Manager::set_post_value()`. 1728 * 1729 * The name "unsanitized_post_values" is a carry-over from when the customized 1730 * state was exclusively sourced from `$_POST['customized']`. Nevertheless, 1731 * the value returned will come from the current changeset post and from the 1732 * incoming post data. 1733 * 1734 * @since 4.1.1 1735 * @since 4.7.0 Added `$args` parameter and merging with changeset values and stashed theme mods. 1736 * 1737 * @param array $args { 1738 * Args. 1739 * 1740 * @type bool $exclude_changeset Whether the changeset values should also be excluded. Defaults to false. 1741 * @type bool $exclude_post_data Whether the post input values should also be excluded. Defaults to false when lacking the customize capability. 1742 * } 1743 * @return array 1744 */ 1745 public function unsanitized_post_values( $args = array() ) { 1746 $args = array_merge( 1747 array( 1748 'exclude_changeset' => false, 1749 'exclude_post_data' => ! current_user_can( 'customize' ), 1750 ), 1751 $args 1752 ); 1753 1754 $values = array(); 1755 1756 // Let default values be from the stashed theme mods if doing a theme switch and if no changeset is present. 1757 if ( ! $this->is_theme_active() ) { 1758 $stashed_theme_mods = get_option( 'customize_stashed_theme_mods' ); 1759 $stylesheet = $this->get_stylesheet(); 1760 if ( isset( $stashed_theme_mods[ $stylesheet ] ) ) { 1761 $values = array_merge( $values, wp_list_pluck( $stashed_theme_mods[ $stylesheet ], 'value' ) ); 1762 } 1763 } 1764 1765 if ( ! $args['exclude_changeset'] ) { 1766 foreach ( $this->changeset_data() as $setting_id => $setting_params ) { 1767 if ( ! array_key_exists( 'value', $setting_params ) ) { 1768 continue; 1769 } 1770 if ( isset( $setting_params['type'] ) && 'theme_mod' === $setting_params['type'] ) { 1771 1772 // Ensure that theme mods values are only used if they were saved under the current theme. 1773 $namespace_pattern = '/^(?P<stylesheet>.+?)::(?P<setting_id>.+)$/'; 1774 if ( preg_match( $namespace_pattern, $setting_id, $matches ) && $this->get_stylesheet() === $matches['stylesheet'] ) { 1775 $values[ $matches['setting_id'] ] = $setting_params['value']; 1776 } 1777 } else { 1778 $values[ $setting_id ] = $setting_params['value']; 1779 } 1780 } 1781 } 1782 1783 if ( ! $args['exclude_post_data'] ) { 1784 if ( ! isset( $this->_post_values ) ) { 1785 if ( isset( $_POST['customized'] ) ) { 1786 $post_values = json_decode( wp_unslash( $_POST['customized'] ), true ); 1787 } else { 1788 $post_values = array(); 1789 } 1790 if ( is_array( $post_values ) ) { 1791 $this->_post_values = $post_values; 1792 } else { 1793 $this->_post_values = array(); 1794 } 1795 } 1796 $values = array_merge( $values, $this->_post_values ); 1797 } 1798 return $values; 1799 } 1800 1801 /** 1802 * Returns the sanitized value for a given setting from the current customized state. 1803 * 1804 * The name "post_value" is a carry-over from when the customized state was exclusively 1805 * sourced from `$_POST['customized']`. Nevertheless, the value returned will come 1806 * from the current changeset post and from the incoming post data. 1807 * 1808 * @since 3.4.0 1809 * @since 4.1.1 Introduced the `$default` parameter. 1810 * @since 4.6.0 `$default` is now returned early when the setting post value is invalid. 1811 * 1812 * @see WP_REST_Server::dispatch() 1813 * @see WP_REST_Request::sanitize_params() 1814 * @see WP_REST_Request::has_valid_params() 1815 * 1816 * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object. 1817 * @param mixed $default Value returned $setting has no post value (added in 4.2.0) 1818 * or the post value is invalid (added in 4.6.0). 1819 * @return string|mixed Sanitized value or the $default provided. 1820 */ 1821 public function post_value( $setting, $default = null ) { 1822 $post_values = $this->unsanitized_post_values(); 1823 if ( ! array_key_exists( $setting->id, $post_values ) ) { 1824 return $default; 1825 } 1826 $value = $post_values[ $setting->id ]; 1827 $valid = $setting->validate( $value ); 1828 if ( is_wp_error( $valid ) ) { 1829 return $default; 1830 } 1831 $value = $setting->sanitize( $value ); 1832 if ( is_null( $value ) || is_wp_error( $value ) ) { 1833 return $default; 1834 } 1835 return $value; 1836 } 1837 1838 /** 1839 * Override a setting's value in the current customized state. 1840 * 1841 * The name "post_value" is a carry-over from when the customized state was 1842 * exclusively sourced from `$_POST['customized']`. 1843 * 1844 * @since 4.2.0 1845 * 1846 * @param string $setting_id ID for the WP_Customize_Setting instance. 1847 * @param mixed $value Post value. 1848 */ 1849 public function set_post_value( $setting_id, $value ) { 1850 $this->unsanitized_post_values(); // Populate _post_values from $_POST['customized']. 1851 $this->_post_values[ $setting_id ] = $value; 1852 1853 /** 1854 * Announce when a specific setting's unsanitized post value has been set. 1855 * 1856 * Fires when the WP_Customize_Manager::set_post_value() method is called. 1857 * 1858 * The dynamic portion of the hook name, `$setting_id`, refers to the setting ID. 1859 * 1860 * @since 4.4.0 1861 * 1862 * @param mixed $value Unsanitized setting post value. 1863 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 1864 */ 1865 do_action( "customize_post_value_set_{$setting_id}", $value, $this ); 1866 1867 /** 1868 * Announce when any setting's unsanitized post value has been set. 1869 * 1870 * Fires when the WP_Customize_Manager::set_post_value() method is called. 1871 * 1872 * This is useful for `WP_Customize_Setting` instances to watch 1873 * in order to update a cached previewed value. 1874 * 1875 * @since 4.4.0 1876 * 1877 * @param string $setting_id Setting ID. 1878 * @param mixed $value Unsanitized setting post value. 1879 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 1880 */ 1881 do_action( 'customize_post_value_set', $setting_id, $value, $this ); 1882 } 1883 1884 /** 1885 * Print JavaScript settings. 1886 * 1887 * @since 3.4.0 1888 */ 1889 public function customize_preview_init() { 1890 1891 /* 1892 * Now that Customizer previews are loaded into iframes via GET requests 1893 * and natural URLs with transaction UUIDs added, we need to ensure that 1894 * the responses are never cached by proxies. In practice, this will not 1895 * be needed if the user is logged-in anyway. But if anonymous access is 1896 * allowed then the auth cookies would not be sent and WordPress would 1897 * not send no-cache headers by default. 1898 */ 1899 if ( ! headers_sent() ) { 1900 nocache_headers(); 1901 header( 'X-Robots: noindex, nofollow, noarchive' ); 1902 } 1903 add_action( 'wp_head', 'wp_no_robots' ); 1904 add_filter( 'wp_headers', array( $this, 'filter_iframe_security_headers' ) ); 1905 1906 /* 1907 * If preview is being served inside the customizer preview iframe, and 1908 * if the user doesn't have customize capability, then it is assumed 1909 * that the user's session has expired and they need to re-authenticate. 1910 */ 1911 if ( $this->messenger_channel && ! current_user_can( 'customize' ) ) { 1912 $this->wp_die( 1913 -1, 1914 sprintf( 1915 /* translators: %s: customize_messenger_channel */ 1916 __( 'Unauthorized. You may remove the %s param to preview as frontend.' ), 1917 '<code>customize_messenger_channel<code>' 1918 ) 1919 ); 1920 return; 1921 } 1922 1923 $this->prepare_controls(); 1924 1925 add_filter( 'wp_redirect', array( $this, 'add_state_query_params' ) ); 1926 1927 wp_enqueue_script( 'customize-preview' ); 1928 wp_enqueue_style( 'customize-preview' ); 1929 add_action( 'wp_head', array( $this, 'customize_preview_loading_style' ) ); 1930 add_action( 'wp_head', array( $this, 'remove_frameless_preview_messenger_channel' ) ); 1931 add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 ); 1932 add_filter( 'get_edit_post_link', '__return_empty_string' ); 1933 1934 /** 1935 * Fires once the Customizer preview has initialized and JavaScript 1936 * settings have been printed. 1937 * 1938 * @since 3.4.0 1939 * 1940 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 1941 */ 1942 do_action( 'customize_preview_init', $this ); 1943 } 1944 1945 /** 1946 * Filters the X-Frame-Options and Content-Security-Policy headers to ensure frontend can load in customizer. 1947 * 1948 * @since 4.7.0 1949 * 1950 * @param array $headers Headers. 1951 * @return array Headers. 1952 */ 1953 public function filter_iframe_security_headers( $headers ) { 1954 $headers['X-Frame-Options'] = 'SAMEORIGIN'; 1955 $headers['Content-Security-Policy'] = "frame-ancestors 'self'"; 1956 return $headers; 1957 } 1958 1959 /** 1960 * Add customize state query params to a given URL if preview is allowed. 1961 * 1962 * @since 4.7.0 1963 * 1964 * @see wp_redirect() 1965 * @see WP_Customize_Manager::get_allowed_url() 1966 * 1967 * @param string $url URL. 1968 * @return string URL. 1969 */ 1970 public function add_state_query_params( $url ) { 1971 $parsed_original_url = wp_parse_url( $url ); 1972 $is_allowed = false; 1973 foreach ( $this->get_allowed_urls() as $allowed_url ) { 1974 $parsed_allowed_url = wp_parse_url( $allowed_url ); 1975 $is_allowed = ( 1976 $parsed_allowed_url['scheme'] === $parsed_original_url['scheme'] 1977 && 1978 $parsed_allowed_url['host'] === $parsed_original_url['host'] 1979 && 1980 0 === strpos( $parsed_original_url['path'], $parsed_allowed_url['path'] ) 1981 ); 1982 if ( $is_allowed ) { 1983 break; 1984 } 1985 } 1986 1987 if ( $is_allowed ) { 1988 $query_params = array( 1989 'customize_changeset_uuid' => $this->changeset_uuid(), 1990 ); 1991 if ( ! $this->is_theme_active() ) { 1992 $query_params['customize_theme'] = $this->get_stylesheet(); 1993 } 1994 if ( $this->messenger_channel ) { 1995 $query_params['customize_messenger_channel'] = $this->messenger_channel; 1996 } 1997 $url = add_query_arg( $query_params, $url ); 1998 } 1999 2000 return $url; 2001 } 2002 2003 /** 2004 * Prevent sending a 404 status when returning the response for the customize 2005 * preview, since it causes the jQuery Ajax to fail. Send 200 instead. 2006 * 2007 * @since 4.0.0 2008 * @deprecated 4.7.0 2009 */ 2010 public function customize_preview_override_404_status() { 2011 _deprecated_function( __METHOD__, '4.7.0' ); 2012 } 2013 2014 /** 2015 * Print base element for preview frame. 2016 * 2017 * @since 3.4.0 2018 * @deprecated 4.7.0 2019 */ 2020 public function customize_preview_base() { 2021 _deprecated_function( __METHOD__, '4.7.0' ); 2022 } 2023 2024 /** 2025 * Print a workaround to handle HTML5 tags in IE < 9. 2026 * 2027 * @since 3.4.0 2028 * @deprecated 4.7.0 Customizer no longer supports IE8, so all supported browsers recognize HTML5. 2029 */ 2030 public function customize_preview_html5() { 2031 _deprecated_function( __FUNCTION__, '4.7.0' ); 2032 } 2033 2034 /** 2035 * Print CSS for loading indicators for the Customizer preview. 2036 * 2037 * @since 4.2.0 2038 */ 2039 public function customize_preview_loading_style() { 2040 ?> 2041 <style> 2042 body.wp-customizer-unloading { 2043 opacity: 0.25; 2044 cursor: progress !important; 2045 -webkit-transition: opacity 0.5s; 2046 transition: opacity 0.5s; 2047 } 2048 body.wp-customizer-unloading * { 2049 pointer-events: none !important; 2050 } 2051 form.customize-unpreviewable, 2052 form.customize-unpreviewable input, 2053 form.customize-unpreviewable select, 2054 form.customize-unpreviewable button, 2055 a.customize-unpreviewable, 2056 area.customize-unpreviewable { 2057 cursor: not-allowed !important; 2058 } 2059 </style> 2060 <?php 2061 } 2062 2063 /** 2064 * Remove customize_messenger_channel query parameter from the preview window when it is not in an iframe. 2065 * 2066 * This ensures that the admin bar will be shown. It also ensures that link navigation will 2067 * work as expected since the parent frame is not being sent the URL to navigate to. 2068 * 2069 * @since 4.7.0 2070 */ 2071 public function remove_frameless_preview_messenger_channel() { 2072 if ( ! $this->messenger_channel ) { 2073 return; 2074 } 2075 ?> 2076 <script> 2077 ( function() { 2078 var urlParser, oldQueryParams, newQueryParams, i; 2079 if ( parent !== window ) { 2080 return; 2081 } 2082 urlParser = document.createElement( 'a' ); 2083 urlParser.href = location.href; 2084 oldQueryParams = urlParser.search.substr( 1 ).split( /&/ ); 2085 newQueryParams = []; 2086 for ( i = 0; i < oldQueryParams.length; i += 1 ) { 2087 if ( ! /^customize_messenger_channel=/.test( oldQueryParams[ i ] ) ) { 2088 newQueryParams.push( oldQueryParams[ i ] ); 2089 } 2090 } 2091 urlParser.search = newQueryParams.join( '&' ); 2092 if ( urlParser.search !== location.search ) { 2093 location.replace( urlParser.href ); 2094 } 2095 } )(); 2096 </script> 2097 <?php 2098 } 2099 2100 /** 2101 * Print JavaScript settings for preview frame. 2102 * 2103 * @since 3.4.0 2104 */ 2105 public function customize_preview_settings() { 2106 $post_values = $this->unsanitized_post_values( array( 'exclude_changeset' => true ) ); 2107 $setting_validities = $this->validate_setting_values( $post_values ); 2108 $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities ); 2109 2110 // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations. 2111 $self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ); 2112 $state_query_params = array( 2113 'customize_theme', 2114 'customize_changeset_uuid', 2115 'customize_messenger_channel', 2116 ); 2117 $self_url = remove_query_arg( $state_query_params, $self_url ); 2118 2119 $allowed_urls = $this->get_allowed_urls(); 2120 $allowed_hosts = array(); 2121 foreach ( $allowed_urls as $allowed_url ) { 2122 $parsed = wp_parse_url( $allowed_url ); 2123 if ( empty( $parsed['host'] ) ) { 2124 continue; 2125 } 2126 $host = $parsed['host']; 2127 if ( ! empty( $parsed['port'] ) ) { 2128 $host .= ':' . $parsed['port']; 2129 } 2130 $allowed_hosts[] = $host; 2131 } 2132 2133 $switched_locale = switch_to_locale( get_user_locale() ); 2134 $l10n = array( 2135 'shiftClickToEdit' => __( 'Shift-click to edit this element.' ), 2136 'linkUnpreviewable' => __( 'This link is not live-previewable.' ), 2137 'formUnpreviewable' => __( 'This form is not live-previewable.' ), 2138 ); 2139 if ( $switched_locale ) { 2140 restore_previous_locale(); 2141 } 2142 2143 $settings = array( 2144 'changeset' => array( 2145 'uuid' => $this->changeset_uuid(), 2146 'autosaved' => $this->autosaved(), 2147 ), 2148 'timeouts' => array( 2149 'selectiveRefresh' => 250, 2150 'keepAliveSend' => 1000, 2151 ), 2152 'theme' => array( 2153 'stylesheet' => $this->get_stylesheet(), 2154 'active' => $this->is_theme_active(), 2155 ), 2156 'url' => array( 2157 'self' => $self_url, 2158 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), 2159 'allowedHosts' => array_unique( $allowed_hosts ), 2160 'isCrossDomain' => $this->is_cross_domain(), 2161 ), 2162 'channel' => $this->messenger_channel, 2163 'activePanels' => array(), 2164 'activeSections' => array(), 2165 'activeControls' => array(), 2166 'settingValidities' => $exported_setting_validities, 2167 'nonce' => current_user_can( 'customize' ) ? $this->get_nonces() : array(), 2168 'l10n' => $l10n, 2169 '_dirty' => array_keys( $post_values ), 2170 ); 2171 2172 foreach ( $this->panels as $panel_id => $panel ) { 2173 if ( $panel->check_capabilities() ) { 2174 $settings['activePanels'][ $panel_id ] = $panel->active(); 2175 foreach ( $panel->sections as $section_id => $section ) { 2176 if ( $section->check_capabilities() ) { 2177 $settings['activeSections'][ $section_id ] = $section->active(); 2178 } 2179 } 2180 } 2181 } 2182 foreach ( $this->sections as $id => $section ) { 2183 if ( $section->check_capabilities() ) { 2184 $settings['activeSections'][ $id ] = $section->active(); 2185 } 2186 } 2187 foreach ( $this->controls as $id => $control ) { 2188 if ( $control->check_capabilities() ) { 2189 $settings['activeControls'][ $id ] = $control->active(); 2190 } 2191 } 2192 2193 ?> 2194 <script type="text/javascript"> 2195 var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>; 2196 _wpCustomizeSettings.values = {}; 2197 (function( v ) { 2198 <?php 2199 /* 2200 * Serialize settings separately from the initial _wpCustomizeSettings 2201 * serialization in order to avoid a peak memory usage spike. 2202 * @todo We may not even need to export the values at all since the pane syncs them anyway. 2203 */ 2204 foreach ( $this->settings as $id => $setting ) { 2205 if ( $setting->check_capabilities() ) { 2206 printf( 2207 "v[%s] = %s;\n", 2208 wp_json_encode( $id ), 2209 wp_json_encode( $setting->js_value() ) 2210 ); 2211 } 2212 } 2213 ?> 2214 })( _wpCustomizeSettings.values ); 2215 </script> 2216 <?php 2217 } 2218 2219 /** 2220 * Prints a signature so we can ensure the Customizer was properly executed. 2221 * 2222 * @since 3.4.0 2223 * @deprecated 4.7.0 2224 */ 2225 public function customize_preview_signature() { 2226 _deprecated_function( __METHOD__, '4.7.0' ); 2227 } 2228 2229 /** 2230 * Removes the signature in case we experience a case where the Customizer was not properly executed. 2231 * 2232 * @since 3.4.0 2233 * @deprecated 4.7.0 2234 * 2235 * @param mixed $return Value passed through for {@see 'wp_die_handler'} filter. 2236 * @return mixed Value passed through for {@see 'wp_die_handler'} filter. 2237 */ 2238 public function remove_preview_signature( $return = null ) { 2239 _deprecated_function( __METHOD__, '4.7.0' ); 2240 2241 return $return; 2242 } 2243 2244 /** 2245 * Is it a theme preview? 2246 * 2247 * @since 3.4.0 2248 * 2249 * @return bool True if it's a preview, false if not. 2250 */ 2251 public function is_preview() { 2252 return (bool) $this->previewing; 2253 } 2254 2255 /** 2256 * Retrieve the template name of the previewed theme. 2257 * 2258 * @since 3.4.0 2259 * 2260 * @return string Template name. 2261 */ 2262 public function get_template() { 2263 return $this->theme()->get_template(); 2264 } 2265 2266 /** 2267 * Retrieve the stylesheet name of the previewed theme. 2268 * 2269 * @since 3.4.0 2270 * 2271 * @return string Stylesheet name. 2272 */ 2273 public function get_stylesheet() { 2274 return $this->theme()->get_stylesheet(); 2275 } 2276 2277 /** 2278 * Retrieve the template root of the previewed theme. 2279 * 2280 * @since 3.4.0 2281 * 2282 * @return string Theme root. 2283 */ 2284 public function get_template_root() { 2285 return get_raw_theme_root( $this->get_template(), true ); 2286 } 2287 2288 /** 2289 * Retrieve the stylesheet root of the previewed theme. 2290 * 2291 * @since 3.4.0 2292 * 2293 * @return string Theme root. 2294 */ 2295 public function get_stylesheet_root() { 2296 return get_raw_theme_root( $this->get_stylesheet(), true ); 2297 } 2298 2299 /** 2300 * Filters the current theme and return the name of the previewed theme. 2301 * 2302 * @since 3.4.0 2303 * 2304 * @param mixed $current_theme {@internal Parameter is not used} 2305 * @return string Theme name. 2306 */ 2307 public function current_theme( $current_theme ) { 2308 return $this->theme()->display( 'Name' ); 2309 } 2310 2311 /** 2312 * Validates setting values. 2313 * 2314 * Validation is skipped for unregistered settings or for values that are 2315 * already null since they will be skipped anyway. Sanitization is applied 2316 * to values that pass validation, and values that become null or `WP_Error` 2317 * after sanitizing are marked invalid. 2318 * 2319 * @since 4.6.0 2320 * 2321 * @see WP_REST_Request::has_valid_params() 2322 * @see WP_Customize_Setting::validate() 2323 * 2324 * @param array $setting_values Mapping of setting IDs to values to validate and sanitize. 2325 * @param array $options { 2326 * Options. 2327 * 2328 * @type bool $validate_existence Whether a setting's existence will be checked. 2329 * @type bool $validate_capability Whether the setting capability will be checked. 2330 * } 2331 * @return array Mapping of setting IDs to return value of validate method calls, either `true` or `WP_Error`. 2332 */ 2333 public function validate_setting_values( $setting_values, $options = array() ) { 2334 $options = wp_parse_args( 2335 $options, 2336 array( 2337 'validate_capability' => false, 2338 'validate_existence' => false, 2339 ) 2340 ); 2341 2342 $validities = array(); 2343 foreach ( $setting_values as $setting_id => $unsanitized_value ) { 2344 $setting = $this->get_setting( $setting_id ); 2345 if ( ! $setting ) { 2346 if ( $options['validate_existence'] ) { 2347 $validities[ $setting_id ] = new WP_Error( 'unrecognized', __( 'Setting does not exist or is unrecognized.' ) ); 2348 } 2349 continue; 2350 } 2351 if ( $options['validate_capability'] && ! current_user_can( $setting->capability ) ) { 2352 $validity = new WP_Error( 'unauthorized', __( 'Unauthorized to modify setting due to capability.' ) ); 2353 } else { 2354 if ( is_null( $unsanitized_value ) ) { 2355 continue; 2356 } 2357 $validity = $setting->validate( $unsanitized_value ); 2358 } 2359 if ( ! is_wp_error( $validity ) ) { 2360 /** This filter is documented in wp-includes/class-wp-customize-setting.php */ 2361 $late_validity = apply_filters( "customize_validate_{$setting->id}", new WP_Error(), $unsanitized_value, $setting ); 2362 if ( is_wp_error( $late_validity ) && $late_validity->has_errors() ) { 2363 $validity = $late_validity; 2364 } 2365 } 2366 if ( ! is_wp_error( $validity ) ) { 2367 $value = $setting->sanitize( $unsanitized_value ); 2368 if ( is_null( $value ) ) { 2369 $validity = false; 2370 } elseif ( is_wp_error( $value ) ) { 2371 $validity = $value; 2372 } 2373 } 2374 if ( false === $validity ) { 2375 $validity = new WP_Error( 'invalid_value', __( 'Invalid value.' ) ); 2376 } 2377 $validities[ $setting_id ] = $validity; 2378 } 2379 return $validities; 2380 } 2381 2382 /** 2383 * Prepares setting validity for exporting to the client (JS). 2384 * 2385 * Converts `WP_Error` instance into array suitable for passing into the 2386 * `wp.customize.Notification` JS model. 2387 * 2388 * @since 4.6.0 2389 * 2390 * @param true|WP_Error $validity Setting validity. 2391 * @return true|array If `$validity` was a WP_Error, the error codes will be array-mapped 2392 * to their respective `message` and `data` to pass into the 2393 * `wp.customize.Notification` JS model. 2394 */ 2395 public function prepare_setting_validity_for_js( $validity ) { 2396 if ( is_wp_error( $validity ) ) { 2397 $notification = array(); 2398 foreach ( $validity->errors as $error_code => $error_messages ) { 2399 $notification[ $error_code ] = array( 2400 'message' => implode( ' ', $error_messages ), 2401 'data' => $validity->get_error_data( $error_code ), 2402 ); 2403 } 2404 return $notification; 2405 } else { 2406 return true; 2407 } 2408 } 2409 2410 /** 2411 * Handle customize_save WP Ajax request to save/update a changeset. 2412 * 2413 * @since 3.4.0 2414 * @since 4.7.0 The semantics of this method have changed to update a changeset, optionally to also change the status and other attributes. 2415 */ 2416 public function save() { 2417 if ( ! is_user_logged_in() ) { 2418 wp_send_json_error( 'unauthenticated' ); 2419 } 2420 2421 if ( ! $this->is_preview() ) { 2422 wp_send_json_error( 'not_preview' ); 2423 } 2424 2425 $action = 'save-customize_' . $this->get_stylesheet(); 2426 if ( ! check_ajax_referer( $action, 'nonce', false ) ) { 2427 wp_send_json_error( 'invalid_nonce' ); 2428 } 2429 2430 $changeset_post_id = $this->changeset_post_id(); 2431 $is_new_changeset = empty( $changeset_post_id ); 2432 if ( $is_new_changeset ) { 2433 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->create_posts ) ) { 2434 wp_send_json_error( 'cannot_create_changeset_post' ); 2435 } 2436 } else { 2437 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) ) { 2438 wp_send_json_error( 'cannot_edit_changeset_post' ); 2439 } 2440 } 2441 2442 if ( ! empty( $_POST['customize_changeset_data'] ) ) { 2443 $input_changeset_data = json_decode( wp_unslash( $_POST['customize_changeset_data'] ), true ); 2444 if ( ! is_array( $input_changeset_data ) ) { 2445 wp_send_json_error( 'invalid_customize_changeset_data' ); 2446 } 2447 } else { 2448 $input_changeset_data = array(); 2449 } 2450 2451 // Validate title. 2452 $changeset_title = null; 2453 if ( isset( $_POST['customize_changeset_title'] ) ) { 2454 $changeset_title = sanitize_text_field( wp_unslash( $_POST['customize_changeset_title'] ) ); 2455 } 2456 2457 // Validate changeset status param. 2458 $is_publish = null; 2459 $changeset_status = null; 2460 if ( isset( $_POST['customize_changeset_status'] ) ) { 2461 $changeset_status = wp_unslash( $_POST['customize_changeset_status'] ); 2462 if ( ! get_post_status_object( $changeset_status ) || ! in_array( $changeset_status, array( 'draft', 'pending', 'publish', 'future' ), true ) ) { 2463 wp_send_json_error( 'bad_customize_changeset_status', 400 ); 2464 } 2465 $is_publish = ( 'publish' === $changeset_status || 'future' === $changeset_status ); 2466 if ( $is_publish && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts ) ) { 2467 wp_send_json_error( 'changeset_publish_unauthorized', 403 ); 2468 } 2469 } 2470 2471 /* 2472 * Validate changeset date param. Date is assumed to be in local time for 2473 * the WP if in MySQL format (YYYY-MM-DD HH:MM:SS). Otherwise, the date 2474 * is parsed with strtotime() so that ISO date format may be supplied 2475 * or a string like "+10 minutes". 2476 */ 2477 $changeset_date_gmt = null; 2478 if ( isset( $_POST['customize_changeset_date'] ) ) { 2479 $changeset_date = wp_unslash( $_POST['customize_changeset_date'] ); 2480 if ( preg_match( '/^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d$/', $changeset_date ) ) { 2481 $mm = substr( $changeset_date, 5, 2 ); 2482 $jj = substr( $changeset_date, 8, 2 ); 2483 $aa = substr( $changeset_date, 0, 4 ); 2484 $valid_date = wp_checkdate( $mm, $jj, $aa, $changeset_date ); 2485 if ( ! $valid_date ) { 2486 wp_send_json_error( 'bad_customize_changeset_date', 400 ); 2487 } 2488 $changeset_date_gmt = get_gmt_from_date( $changeset_date ); 2489 } else { 2490 $timestamp = strtotime( $changeset_date ); 2491 if ( ! $timestamp ) { 2492 wp_send_json_error( 'bad_customize_changeset_date', 400 ); 2493 } 2494 $changeset_date_gmt = gmdate( 'Y-m-d H:i:s', $timestamp ); 2495 } 2496 } 2497 2498 $lock_user_id = null; 2499 $autosave = ! empty( $_POST['customize_changeset_autosave'] ); 2500 if ( ! $is_new_changeset ) { 2501 $lock_user_id = wp_check_post_lock( $this->changeset_post_id() ); 2502 } 2503 2504 // Force request to autosave when changeset is locked. 2505 if ( $lock_user_id && ! $autosave ) { 2506 $autosave = true; 2507 $changeset_status = null; 2508 $changeset_date_gmt = null; 2509 } 2510 2511 if ( $autosave && ! defined( 'DOING_AUTOSAVE' ) ) { // Back-compat. 2512 define( 'DOING_AUTOSAVE', true ); 2513 } 2514 2515 $autosaved = false; 2516 $r = $this->save_changeset_post( 2517 array( 2518 'status' => $changeset_status, 2519 'title' => $changeset_title, 2520 'date_gmt' => $changeset_date_gmt, 2521 'data' => $input_changeset_data, 2522 'autosave' => $autosave, 2523 ) 2524 ); 2525 if ( $autosave && ! is_wp_error( $r ) ) { 2526 $autosaved = true; 2527 } 2528 2529 // If the changeset was locked and an autosave request wasn't itself an error, then now explicitly return with a failure. 2530 if ( $lock_user_id && ! is_wp_error( $r ) ) { 2531 $r = new WP_Error( 2532 'changeset_locked', 2533 __( 'Changeset is being edited by other user.' ), 2534 array( 2535 'lock_user' => $this->get_lock_user_data( $lock_user_id ), 2536 ) 2537 ); 2538 } 2539 2540 if ( is_wp_error( $r ) ) { 2541 $response = array( 2542 'message' => $r->get_error_message(), 2543 'code' => $r->get_error_code(), 2544 ); 2545 if ( is_array( $r->get_error_data() ) ) { 2546 $response = array_merge( $response, $r->get_error_data() ); 2547 } else { 2548 $response['data'] = $r->get_error_data(); 2549 } 2550 } else { 2551 $response = $r; 2552 $changeset_post = get_post( $this->changeset_post_id() ); 2553 2554 // Dismiss all other auto-draft changeset posts for this user (they serve like autosave revisions), as there should only be one. 2555 if ( $is_new_changeset ) { 2556 $this->dismiss_user_auto_draft_changesets(); 2557 } 2558 2559 // Note that if the changeset status was publish, then it will get set to Trash if revisions are not supported. 2560 $response['changeset_status'] = $changeset_post->post_status; 2561 if ( $is_publish && 'trash' === $response['changeset_status'] ) { 2562 $response['changeset_status'] = 'publish'; 2563 } 2564 2565 if ( 'publish' !== $response['changeset_status'] ) { 2566 $this->set_changeset_lock( $changeset_post->ID ); 2567 } 2568 2569 if ( 'future' === $response['changeset_status'] ) { 2570 $response['changeset_date'] = $changeset_post->post_date; 2571 } 2572 2573 if ( 'publish' === $response['changeset_status'] || 'trash' === $response['changeset_status'] ) { 2574 $response['next_changeset_uuid'] = wp_generate_uuid4(); 2575 } 2576 } 2577 2578 if ( $autosave ) { 2579 $response['autosaved'] = $autosaved; 2580 } 2581 2582 if ( isset( $response['setting_validities'] ) ) { 2583 $response['setting_validities'] = array_map( array( $this, 'prepare_setting_validity_for_js' ), $response['setting_validities'] ); 2584 } 2585 2586 /** 2587 * Filters response data for a successful customize_save Ajax request. 2588 * 2589 * This filter does not apply if there was a nonce or authentication failure. 2590 * 2591 * @since 4.2.0 2592 * 2593 * @param array $response Additional information passed back to the 'saved' 2594 * event on `wp.customize`. 2595 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 2596 */ 2597 $response = apply_filters( 'customize_save_response', $response, $this ); 2598 2599 if ( is_wp_error( $r ) ) { 2600 wp_send_json_error( $response ); 2601 } else { 2602 wp_send_json_success( $response ); 2603 } 2604 } 2605 2606 /** 2607 * Save the post for the loaded changeset. 2608 * 2609 * @since 4.7.0 2610 * 2611 * @param array $args { 2612 * Args for changeset post. 2613 * 2614 * @type array $data Optional additional changeset data. Values will be merged on top of any existing post values. 2615 * @type string $status Post status. Optional. If supplied, the save will be transactional and a post revision will be allowed. 2616 * @type string $title Post title. Optional. 2617 * @type string $date_gmt Date in GMT. Optional. 2618 * @type int $user_id ID for user who is saving the changeset. Optional, defaults to the current user ID. 2619 * @type bool $starter_content Whether the data is starter content. If false (default), then $starter_content will be cleared for any $data being saved. 2620 * @type bool $autosave Whether this is a request to create an autosave revision. 2621 * } 2622 * 2623 * @return array|WP_Error Returns array on success and WP_Error with array data on error. 2624 */ 2625 function save_changeset_post( $args = array() ) { 2626 2627 $args = array_merge( 2628 array( 2629 'status' => null, 2630 'title' => null, 2631 'data' => array(), 2632 'date_gmt' => null, 2633 'user_id' => get_current_user_id(), 2634 'starter_content' => false, 2635 'autosave' => false, 2636 ), 2637 $args 2638 ); 2639 2640 $changeset_post_id = $this->changeset_post_id(); 2641 $existing_changeset_data = array(); 2642 if ( $changeset_post_id ) { 2643 $existing_status = get_post_status( $changeset_post_id ); 2644 if ( 'publish' === $existing_status || 'trash' === $existing_status ) { 2645 return new WP_Error( 2646 'changeset_already_published', 2647 __( 'The previous set of changes has already been published. Please try saving your current set of changes again.' ), 2648 array( 2649 'next_changeset_uuid' => wp_generate_uuid4(), 2650 ) 2651 ); 2652 } 2653 2654 $existing_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); 2655 if ( is_wp_error( $existing_changeset_data ) ) { 2656 return $existing_changeset_data; 2657 } 2658 } 2659 2660 // Fail if attempting to publish but publish hook is missing. 2661 if ( 'publish' === $args['status'] && false === has_action( 'transition_post_status', '_wp_customize_publish_changeset' ) ) { 2662 return new WP_Error( 'missing_publish_callback' ); 2663 } 2664 2665 // Validate date. 2666 $now = gmdate( 'Y-m-d H:i:59' ); 2667 if ( $args['date_gmt'] ) { 2668 $is_future_dated = ( mysql2date( 'U', $args['date_gmt'], false ) > mysql2date( 'U', $now, false ) ); 2669 if ( ! $is_future_dated ) { 2670 return new WP_Error( 'not_future_date', __( 'You must supply a future date to schedule.' ) ); // Only future dates are allowed. 2671 } 2672 2673 if ( ! $this->is_theme_active() && ( 'future' === $args['status'] || $is_future_dated ) ) { 2674 return new WP_Error( 'cannot_schedule_theme_switches' ); // This should be allowed in the future, when theme is a regular setting. 2675 } 2676 $will_remain_auto_draft = ( ! $args['status'] && ( ! $changeset_post_id || 'auto-draft' === get_post_status( $changeset_post_id ) ) ); 2677 if ( $will_remain_auto_draft ) { 2678 return new WP_Error( 'cannot_supply_date_for_auto_draft_changeset' ); 2679 } 2680 } elseif ( $changeset_post_id && 'future' === $args['status'] ) { 2681 2682 // Fail if the new status is future but the existing post's date is not in the future. 2683 $changeset_post = get_post( $changeset_post_id ); 2684 if ( mysql2date( 'U', $changeset_post->post_date_gmt, false ) <= mysql2date( 'U', $now, false ) ) { 2685 return new WP_Error( 'not_future_date', __( 'You must supply a future date to schedule.' ) ); 2686 } 2687 } 2688 2689 if ( ! empty( $is_future_dated ) && 'publish' === $args['status'] ) { 2690 $args['status'] = 'future'; 2691 } 2692 2693 // Validate autosave param. See _wp_post_revision_fields() for why these fields are disallowed. 2694 if ( $args['autosave'] ) { 2695 if ( $args['date_gmt'] ) { 2696 return new WP_Error( 'illegal_autosave_with_date_gmt' ); 2697 } elseif ( $args['status'] ) { 2698 return new WP_Error( 'illegal_autosave_with_status' ); 2699 } elseif ( $args['user_id'] && get_current_user_id() !== $args['user_id'] ) { 2700 return new WP_Error( 'illegal_autosave_with_non_current_user' ); 2701 } 2702 } 2703 2704 // The request was made via wp.customize.previewer.save(). 2705 $update_transactionally = (bool) $args['status']; 2706 $allow_revision = (bool) $args['status']; 2707 2708 // Amend post values with any supplied data. 2709 foreach ( $args['data'] as $setting_id => $setting_params ) { 2710 if ( is_array( $setting_params ) && array_key_exists( 'value', $setting_params ) ) { 2711 $this->set_post_value( $setting_id, $setting_params['value'] ); // Add to post values so that they can be validated and sanitized. 2712 } 2713 } 2714 2715 // Note that in addition to post data, this will include any stashed theme mods. 2716 $post_values = $this->unsanitized_post_values( 2717 array( 2718 'exclude_changeset' => true, 2719 'exclude_post_data' => false, 2720 ) 2721 ); 2722 $this->add_dynamic_settings( array_keys( $post_values ) ); // Ensure settings get created even if they lack an input value. 2723 2724 /* 2725 * Get list of IDs for settings that have values different from what is currently 2726 * saved in the changeset. By skipping any values that are already the same, the 2727 * subset of changed settings can be passed into validate_setting_values to prevent 2728 * an underprivileged modifying a single setting for which they have the capability 2729 * from being blocked from saving. This also prevents a user from touching of the 2730 * previous saved settings and overriding the associated user_id if they made no change. 2731 */ 2732 $changed_setting_ids = array(); 2733 foreach ( $post_values as $setting_id => $setting_value ) { 2734 $setting = $this->get_setting( $setting_id ); 2735 2736 if ( $setting && 'theme_mod' === $setting->type ) { 2737 $prefixed_setting_id = $this->get_stylesheet() . '::' . $setting->id; 2738 } else { 2739 $prefixed_setting_id = $setting_id; 2740 } 2741 2742 $is_value_changed = ( 2743 ! isset( $existing_changeset_data[ $prefixed_setting_id ] ) 2744 || 2745 ! array_key_exists( 'value', $existing_changeset_data[ $prefixed_setting_id ] ) 2746 || 2747 $existing_changeset_data[ $prefixed_setting_id ]['value'] !== $setting_value 2748 ); 2749 if ( $is_value_changed ) { 2750 $changed_setting_ids[] = $setting_id; 2751 } 2752 } 2753 2754 /** 2755 * Fires before save validation happens. 2756 * 2757 * Plugins can add just-in-time {@see 'customize_validate_{$this->ID}'} filters 2758 * at this point to catch any settings registered after `customize_register`. 2759 * The dynamic portion of the hook name, `$this->ID` refers to the setting ID. 2760 * 2761 * @since 4.6.0 2762 * 2763 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 2764 */ 2765 do_action( 'customize_save_validation_before', $this ); 2766 2767 // Validate settings. 2768 $validated_values = array_merge( 2769 array_fill_keys( array_keys( $args['data'] ), null ), // Make sure existence/capability checks are done on value-less setting updates. 2770 $post_values 2771 ); 2772 $setting_validities = $this->validate_setting_values( 2773 $validated_values, 2774 array( 2775 'validate_capability' => true, 2776 'validate_existence' => true, 2777 ) 2778 ); 2779 $invalid_setting_count = count( array_filter( $setting_validities, 'is_wp_error' ) ); 2780 2781 /* 2782 * Short-circuit if there are invalid settings the update is transactional. 2783 * A changeset update is transactional when a status is supplied in the request. 2784 */ 2785 if ( $update_transactionally && $invalid_setting_count > 0 ) { 2786 $response = array( 2787 'setting_validities' => $setting_validities, 2788 /* translators: %s: Number of invalid settings. */ 2789 'message' => sprintf( _n( 'Unable to save due to %s invalid setting.', 'Unable to save due to %s invalid settings.', $invalid_setting_count ), number_format_i18n( $invalid_setting_count ) ), 2790 ); 2791 return new WP_Error( 'transaction_fail', '', $response ); 2792 } 2793 2794 // Obtain/merge data for changeset. 2795 $original_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); 2796 $data = $original_changeset_data; 2797 if ( is_wp_error( $data ) ) { 2798 $data = array(); 2799 } 2800 2801 // Ensure that all post values are included in the changeset data. 2802 foreach ( $post_values as $setting_id => $post_value ) { 2803 if ( ! isset( $args['data'][ $setting_id ] ) ) { 2804 $args['data'][ $setting_id ] = array(); 2805 } 2806 if ( ! isset( $args['data'][ $setting_id ]['value'] ) ) { 2807 $args['data'][ $setting_id ]['value'] = $post_value; 2808 } 2809 } 2810 2811 foreach ( $args['data'] as $setting_id => $setting_params ) { 2812 $setting = $this->get_setting( $setting_id ); 2813 if ( ! $setting || ! $setting->check_capabilities() ) { 2814 continue; 2815 } 2816 2817 // Skip updating changeset for invalid setting values. 2818 if ( isset( $setting_validities[ $setting_id ] ) && is_wp_error( $setting_validities[ $setting_id ] ) ) { 2819 continue; 2820 } 2821 2822 $changeset_setting_id = $setting_id; 2823 if ( 'theme_mod' === $setting->type ) { 2824 $changeset_setting_id = sprintf( '%s::%s', $this->get_stylesheet(), $setting_id ); 2825 } 2826 2827 if ( null === $setting_params ) { 2828 // Remove setting from changeset entirely. 2829 unset( $data[ $changeset_setting_id ] ); 2830 } else { 2831 2832 if ( ! isset( $data[ $changeset_setting_id ] ) ) { 2833 $data[ $changeset_setting_id ] = array(); 2834 } 2835 2836 // Merge any additional setting params that have been supplied with the existing params. 2837 $merged_setting_params = array_merge( $data[ $changeset_setting_id ], $setting_params ); 2838 2839 // Skip updating setting params if unchanged (ensuring the user_id is not overwritten). 2840 if ( $data[ $changeset_setting_id ] === $merged_setting_params ) { 2841 continue; 2842 } 2843 2844 $data[ $changeset_setting_id ] = array_merge( 2845 $merged_setting_params, 2846 array( 2847 'type' => $setting->type, 2848 'user_id' => $args['user_id'], 2849 'date_modified_gmt' => current_time( 'mysql', true ), 2850 ) 2851 ); 2852 2853 // Clear starter_content flag in data if changeset is not explicitly being updated for starter content. 2854 if ( empty( $args['starter_content'] ) ) { 2855 unset( $data[ $changeset_setting_id ]['starter_content'] ); 2856 } 2857 } 2858 } 2859 2860 $filter_context = array( 2861 'uuid' => $this->changeset_uuid(), 2862 'title' => $args['title'], 2863 'status' => $args['status'], 2864 'date_gmt' => $args['date_gmt'], 2865 'post_id' => $changeset_post_id, 2866 'previous_data' => is_wp_error( $original_changeset_data ) ? array() : $original_changeset_data, 2867 'manager' => $this, 2868 ); 2869 2870 /** 2871 * Filters the settings' data that will be persisted into the changeset. 2872 * 2873 * Plugins may amend additional data (such as additional meta for settings) into the changeset with this filter. 2874 * 2875 * @since 4.7.0 2876 * 2877 * @param array $data Updated changeset data, mapping setting IDs to arrays containing a $value item and optionally other metadata. 2878 * @param array $context { 2879 * Filter context. 2880 * 2881 * @type string $uuid Changeset UUID. 2882 * @type string $title Requested title for the changeset post. 2883 * @type string $status Requested status for the changeset post. 2884 * @type string $date_gmt Requested date for the changeset post in MySQL format and GMT timezone. 2885 * @type int|false $post_id Post ID for the changeset, or false if it doesn't exist yet. 2886 * @type array $previous_data Previous data contained in the changeset. 2887 * @type WP_Customize_Manager $manager Manager instance. 2888 * } 2889 */ 2890 $data = apply_filters( 'customize_changeset_save_data', $data, $filter_context ); 2891 2892 // Switch theme if publishing changes now. 2893 if ( 'publish' === $args['status'] && ! $this->is_theme_active() ) { 2894 // Temporarily stop previewing the theme to allow switch_themes() to operate properly. 2895 $this->stop_previewing_theme(); 2896 switch_theme( $this->get_stylesheet() ); 2897 update_option( 'theme_switched_via_customizer', true ); 2898 $this->start_previewing_theme(); 2899 } 2900 2901 // Gather the data for wp_insert_post()/wp_update_post(). 2902 $post_array = array( 2903 // JSON_UNESCAPED_SLASHES is only to improve readability as slashes needn't be escaped in storage. 2904 'post_content' => wp_json_encode( $data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT ), 2905 ); 2906 if ( $args['title'] ) { 2907 $post_array['post_title'] = $args['title']; 2908 } 2909 if ( $changeset_post_id ) { 2910 $post_array['ID'] = $changeset_post_id; 2911 } else { 2912 $post_array['post_type'] = 'customize_changeset'; 2913 $post_array['post_name'] = $this->changeset_uuid(); 2914 $post_array['post_status'] = 'auto-draft'; 2915 } 2916 if ( $args['status'] ) { 2917 $post_array['post_status'] = $args['status']; 2918 } 2919 2920 // Reset post date to now if we are publishing, otherwise pass post_date_gmt and translate for post_date. 2921 if ( 'publish' === $args['status'] ) { 2922 $post_array['post_date_gmt'] = '0000-00-00 00:00:00'; 2923 $post_array['post_date'] = '0000-00-00 00:00:00'; 2924 } elseif ( $args['date_gmt'] ) { 2925 $post_array['post_date_gmt'] = $args['date_gmt']; 2926 $post_array['post_date'] = get_date_from_gmt( $args['date_gmt'] ); 2927 } elseif ( $changeset_post_id && 'auto-draft' === get_post_status( $changeset_post_id ) ) { 2928 /* 2929 * Keep bumping the date for the auto-draft whenever it is modified; 2930 * this extends its life, preserving it from garbage-collection via 2931 * wp_delete_auto_drafts(). 2932 */ 2933 $post_array['post_date'] = current_time( 'mysql' ); 2934 $post_array['post_date_gmt'] = ''; 2935 } 2936 2937 $this->store_changeset_revision = $allow_revision; 2938 add_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ), 5, 3 ); 2939 2940 /* 2941 * Update the changeset post. The publish_customize_changeset action will cause the settings in the 2942 * changeset to be saved via WP_Customize_Setting::save(). Updating a post with publish status will 2943 * trigger WP_Customize_Manager::publish_changeset_values(). 2944 */ 2945 add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 ); 2946 if ( $changeset_post_id ) { 2947 if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) { 2948 // See _wp_translate_postdata() for why this is required as it will use the edit_post meta capability. 2949 add_filter( 'map_meta_cap', array( $this, 'grant_edit_post_capability_for_changeset' ), 10, 4 ); 2950 2951 $post_array['post_ID'] = $post_array['ID']; 2952 $post_array['post_type'] = 'customize_changeset'; 2953 2954 $r = wp_create_post_autosave( wp_slash( $post_array ) ); 2955 2956 remove_filter( 'map_meta_cap', array( $this, 'grant_edit_post_capability_for_changeset' ), 10 ); 2957 } else { 2958 $post_array['edit_date'] = true; // Prevent date clearing. 2959 2960 $r = wp_update_post( wp_slash( $post_array ), true ); 2961 2962 // Delete autosave revision for user when the changeset is updated. 2963 if ( ! empty( $args['user_id'] ) ) { 2964 $autosave_draft = wp_get_post_autosave( $changeset_post_id, $args['user_id'] ); 2965 if ( $autosave_draft ) { 2966 wp_delete_post( $autosave_draft->ID, true ); 2967 } 2968 } 2969 } 2970 } else { 2971 $r = wp_insert_post( wp_slash( $post_array ), true ); 2972 if ( ! is_wp_error( $r ) ) { 2973 $this->_changeset_post_id = $r; // Update cached post ID for the loaded changeset. 2974 } 2975 } 2976 remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 ); 2977 2978 $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents. 2979 2980 remove_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ) ); 2981 2982 $response = array( 2983 'setting_validities' => $setting_validities, 2984 ); 2985 2986 if ( is_wp_error( $r ) ) { 2987 $response['changeset_post_save_failure'] = $r->get_error_code(); 2988 return new WP_Error( 'changeset_post_save_failure', '', $response ); 2989 } 2990 2991 return $response; 2992 } 2993 2994 /** 2995 * Preserve the initial JSON post_content passed to save into the post. 2996 * 2997 * This is needed to prevent KSES and other {@see 'content_save_pre'} filters 2998 * from corrupting JSON data. 2999 * 3000 * Note that WP_Customize_Manager::validate_setting_values() have already 3001 * run on the setting values being serialized as JSON into the post content 3002 * so it is pre-sanitized. 3003 * 3004 * Also, the sanitization logic is re-run through the respective 3005 * WP_Customize_Setting::sanitize() method when being read out of the 3006 * changeset, via WP_Customize_Manager::post_value(), and this sanitized 3007 * value will also be sent into WP_Customize_Setting::update() for 3008 * persisting to the DB. 3009 * 3010 * Multiple users can collaborate on a single changeset, where one user may 3011 * have the unfiltered_html capability but another may not. A user with 3012 * unfiltered_html may add a script tag to some field which needs to be kept 3013 * intact even when another user updates the changeset to modify another field 3014 * when they do not have unfiltered_html. 3015 * 3016 * @since 5.4.1 3017 * 3018 * @param array $data An array of slashed and processed post data. 3019 * @param array $postarr An array of sanitized (and slashed) but otherwise unmodified post data. 3020 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as originally passed to wp_insert_post(). 3021 * @return array Filtered post data. 3022 */ 3023 public function preserve_insert_changeset_post_content( $data, $postarr, $unsanitized_postarr ) { 3024 if ( 3025 isset( $data['post_type'] ) && 3026 isset( $unsanitized_postarr['post_content'] ) && 3027 'customize_changeset' === $data['post_type'] || 3028 ( 3029 'revision' === $data['post_type'] && 3030 ! empty( $data['post_parent'] ) && 3031 'customize_changeset' === get_post_type( $data['post_parent'] ) 3032 ) 3033 ) { 3034 $data['post_content'] = $unsanitized_postarr['post_content']; 3035 } 3036 return $data; 3037 } 3038 3039 /** 3040 * Trash or delete a changeset post. 3041 * 3042 * The following re-formulates the logic from `wp_trash_post()` as done in 3043 * `wp_publish_post()`. The reason for bypassing `wp_trash_post()` is that it 3044 * will mutate the the `post_content` and the `post_name` when they should be 3045 * untouched. 3046 * 3047 * @since 4.9.0 3048 * 3049 * @see wp_trash_post() 3050 * @global wpdb $wpdb WordPress database abstraction object. 3051 * 3052 * @param int|WP_Post $post The changeset post. 3053 * @return mixed A WP_Post object for the trashed post or an empty value on failure. 3054 */ 3055 public function trash_changeset_post( $post ) { 3056 global $wpdb; 3057 3058 $post = get_post( $post ); 3059 3060 if ( ! ( $post instanceof WP_Post ) ) { 3061 return $post; 3062 } 3063 $post_id = $post->ID; 3064 3065 if ( ! EMPTY_TRASH_DAYS ) { 3066 return wp_delete_post( $post_id, true ); 3067 } 3068 3069 if ( 'trash' === get_post_status( $post ) ) { 3070 return false; 3071 } 3072 3073 /** This filter is documented in wp-includes/post.php */ 3074 $check = apply_filters( 'pre_trash_post', null, $post ); 3075 if ( null !== $check ) { 3076 return $check; 3077 } 3078 3079 /** This action is documented in wp-includes/post.php */ 3080 do_action( 'wp_trash_post', $post_id ); 3081 3082 add_post_meta( $post_id, '_wp_trash_meta_status', $post->post_status ); 3083 add_post_meta( $post_id, '_wp_trash_meta_time', time() ); 3084 3085 $old_status = $post->post_status; 3086 $new_status = 'trash'; 3087 $wpdb->update( $wpdb->posts, array( 'post_status' => $new_status ), array( 'ID' => $post->ID ) ); 3088 clean_post_cache( $post->ID ); 3089 3090 $post->post_status = $new_status; 3091 wp_transition_post_status( $new_status, $old_status, $post ); 3092 3093 /** This action is documented in wp-includes/post.php */ 3094 do_action( "edit_post_{$post->post_type}", $post->ID, $post ); 3095 3096 /** This action is documented in wp-includes/post.php */ 3097 do_action( 'edit_post', $post->ID, $post ); 3098 3099 /** This action is documented in wp-includes/post.php */ 3100 do_action( "save_post_{$post->post_type}", $post->ID, $post, true ); 3101 3102 /** This action is documented in wp-includes/post.php */ 3103 do_action( 'save_post', $post->ID, $post, true ); 3104 3105 /** This action is documented in wp-includes/post.php */ 3106 do_action( 'wp_insert_post', $post->ID, $post, true ); 3107 3108 wp_after_insert_post( get_post( $post_id ), true, $post ); 3109 3110 wp_trash_post_comments( $post_id ); 3111 3112 /** This action is documented in wp-includes/post.php */ 3113 do_action( 'trashed_post', $post_id ); 3114 3115 return $post; 3116 } 3117 3118 /** 3119 * Handle request to trash a changeset. 3120 * 3121 * @since 4.9.0 3122 */ 3123 public function handle_changeset_trash_request() { 3124 if ( ! is_user_logged_in() ) { 3125 wp_send_json_error( 'unauthenticated' ); 3126 } 3127 3128 if ( ! $this->is_preview() ) { 3129 wp_send_json_error( 'not_preview' ); 3130 } 3131 3132 if ( ! check_ajax_referer( 'trash_customize_changeset', 'nonce', false ) ) { 3133 wp_send_json_error( 3134 array( 3135 'code' => 'invalid_nonce', 3136 'message' => __( 'There was an authentication problem. Please reload and try again.' ), 3137 ) 3138 ); 3139 } 3140 3141 $changeset_post_id = $this->changeset_post_id(); 3142 3143 if ( ! $changeset_post_id ) { 3144 wp_send_json_error( 3145 array( 3146 'message' => __( 'No changes saved yet, so there is nothing to trash.' ), 3147 'code' => 'non_existent_changeset', 3148 ) 3149 ); 3150 return; 3151 } 3152 3153 if ( $changeset_post_id ) { 3154 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) { 3155 wp_send_json_error( 3156 array( 3157 'code' => 'changeset_trash_unauthorized', 3158 'message' => __( 'Unable to trash changes.' ), 3159 ) 3160 ); 3161 } 3162 3163 $lock_user = (int) wp_check_post_lock( $changeset_post_id ); 3164 3165 if ( $lock_user && get_current_user_id() !== $lock_user ) { 3166 wp_send_json_error( 3167 array( 3168 'code' => 'changeset_locked', 3169 'message' => __( 'Changeset is being edited by other user.' ), 3170 'lockUser' => $this->get_lock_user_data( $lock_user ), 3171 ) 3172 ); 3173 } 3174 } 3175 3176 if ( 'trash' === get_post_status( $changeset_post_id ) ) { 3177 wp_send_json_error( 3178 array( 3179 'message' => __( 'Changes have already been trashed.' ), 3180 'code' => 'changeset_already_trashed', 3181 ) 3182 ); 3183 return; 3184 } 3185 3186 $r = $this->trash_changeset_post( $changeset_post_id ); 3187 if ( ! ( $r instanceof WP_Post ) ) { 3188 wp_send_json_error( 3189 array( 3190 'code' => 'changeset_trash_failure', 3191 'message' => __( 'Unable to trash changes.' ), 3192 ) 3193 ); 3194 } 3195 3196 wp_send_json_success( 3197 array( 3198 'message' => __( 'Changes trashed successfully.' ), 3199 ) 3200 ); 3201 } 3202 3203 /** 3204 * Re-map 'edit_post' meta cap for a customize_changeset post to be the same as 'customize' maps. 3205 * 3206 * There is essentially a "meta meta" cap in play here, where 'edit_post' meta cap maps to 3207 * the 'customize' meta cap which then maps to 'edit_theme_options'. This is currently 3208 * required in core for `wp_create_post_autosave()` because it will call 3209 * `_wp_translate_postdata()` which in turn will check if a user can 'edit_post', but the 3210 * the caps for the customize_changeset post type are all mapping to the meta capability. 3211 * This should be able to be removed once #40922 is addressed in core. 3212 * 3213 * @since 4.9.0 3214 * 3215 * @link https://core.trac.wordpress.org/ticket/40922 3216 * @see WP_Customize_Manager::save_changeset_post() 3217 * @see _wp_translate_postdata() 3218 * 3219 * @param string[] $caps Array of the user's capabilities. 3220 * @param string $cap Capability name. 3221 * @param int $user_id The user ID. 3222 * @param array $args Adds the context to the cap. Typically the object ID. 3223 * @return array Capabilities. 3224 */ 3225 public function grant_edit_post_capability_for_changeset( $caps, $cap, $user_id, $args ) { 3226 if ( 'edit_post' === $cap && ! empty( $args[0] ) && 'customize_changeset' === get_post_type( $args[0] ) ) { 3227 $post_type_obj = get_post_type_object( 'customize_changeset' ); 3228 $caps = map_meta_cap( $post_type_obj->cap->$cap, $user_id ); 3229 } 3230 return $caps; 3231 } 3232 3233 /** 3234 * Marks the changeset post as being currently edited by the current user. 3235 * 3236 * @since 4.9.0 3237 * 3238 * @param int $changeset_post_id Changeset post ID. 3239 * @param bool $take_over Whether to take over the changeset. Default false. 3240 */ 3241 public function set_changeset_lock( $changeset_post_id, $take_over = false ) { 3242 if ( $changeset_post_id ) { 3243 $can_override = ! (bool) get_post_meta( $changeset_post_id, '_edit_lock', true ); 3244 3245 if ( $take_over ) { 3246 $can_override = true; 3247 } 3248 3249 if ( $can_override ) { 3250 $lock = sprintf( '%s:%s', time(), get_current_user_id() ); 3251 update_post_meta( $changeset_post_id, '_edit_lock', $lock ); 3252 } else { 3253 $this->refresh_changeset_lock( $changeset_post_id ); 3254 } 3255 } 3256 } 3257 3258 /** 3259 * Refreshes changeset lock with the current time if current user edited the changeset before. 3260 * 3261 * @since 4.9.0 3262 * 3263 * @param int $changeset_post_id Changeset post ID. 3264 */ 3265 public function refresh_changeset_lock( $changeset_post_id ) { 3266 if ( ! $changeset_post_id ) { 3267 return; 3268 } 3269 $lock = get_post_meta( $changeset_post_id, '_edit_lock', true ); 3270 $lock = explode( ':', $lock ); 3271 3272 if ( $lock && ! empty( $lock[1] ) ) { 3273 $user_id = (int) $lock[1]; 3274 $current_user_id = get_current_user_id(); 3275 if ( $user_id === $current_user_id ) { 3276 $lock = sprintf( '%s:%s', time(), $user_id ); 3277 update_post_meta( $changeset_post_id, '_edit_lock', $lock ); 3278 } 3279 } 3280 } 3281 3282 /** 3283 * Filters heartbeat settings for the Customizer. 3284 * 3285 * @since 4.9.0 3286 * @param array $settings Current settings to filter. 3287 * @return array Heartbeat settings. 3288 */ 3289 public function add_customize_screen_to_heartbeat_settings( $settings ) { 3290 global $pagenow; 3291 if ( 'customize.php' === $pagenow ) { 3292 $settings['screenId'] = 'customize'; 3293 } 3294 return $settings; 3295 } 3296 3297 /** 3298 * Get lock user data. 3299 * 3300 * @since 4.9.0 3301 * 3302 * @param int $user_id User ID. 3303 * @return array|null User data formatted for client. 3304 */ 3305 protected function get_lock_user_data( $user_id ) { 3306 if ( ! $user_id ) { 3307 return null; 3308 } 3309 $lock_user = get_userdata( $user_id ); 3310 if ( ! $lock_user ) { 3311 return null; 3312 } 3313 return array( 3314 'id' => $lock_user->ID, 3315 'name' => $lock_user->display_name, 3316 'avatar' => get_avatar_url( $lock_user->ID, array( 'size' => 128 ) ), 3317 ); 3318 } 3319 3320 /** 3321 * Check locked changeset with heartbeat API. 3322 * 3323 * @since 4.9.0 3324 * 3325 * @param array $response The Heartbeat response. 3326 * @param array $data The $_POST data sent. 3327 * @param string $screen_id The screen id. 3328 * @return array The Heartbeat response. 3329 */ 3330 public function check_changeset_lock_with_heartbeat( $response, $data, $screen_id ) { 3331 if ( isset( $data['changeset_uuid'] ) ) { 3332 $changeset_post_id = $this->find_changeset_post_id( $data['changeset_uuid'] ); 3333 } else { 3334 $changeset_post_id = $this->changeset_post_id(); 3335 } 3336 3337 if ( 3338 array_key_exists( 'check_changeset_lock', $data ) 3339 && 'customize' === $screen_id 3340 && $changeset_post_id 3341 && current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) 3342 ) { 3343 $lock_user_id = wp_check_post_lock( $changeset_post_id ); 3344 3345 if ( $lock_user_id ) { 3346 $response['customize_changeset_lock_user'] = $this->get_lock_user_data( $lock_user_id ); 3347 } else { 3348 3349 // Refreshing time will ensure that the user is sitting on customizer and has not closed the customizer tab. 3350 $this->refresh_changeset_lock( $changeset_post_id ); 3351 } 3352 } 3353 3354 return $response; 3355 } 3356 3357 /** 3358 * Removes changeset lock when take over request is sent via Ajax. 3359 * 3360 * @since 4.9.0 3361 */ 3362 public function handle_override_changeset_lock_request() { 3363 if ( ! $this->is_preview() ) { 3364 wp_send_json_error( 'not_preview', 400 ); 3365 } 3366 3367 if ( ! check_ajax_referer( 'customize_override_changeset_lock', 'nonce', false ) ) { 3368 wp_send_json_error( 3369 array( 3370 'code' => 'invalid_nonce', 3371 'message' => __( 'Security check failed.' ), 3372 ) 3373 ); 3374 } 3375 3376 $changeset_post_id = $this->changeset_post_id(); 3377 3378 if ( empty( $changeset_post_id ) ) { 3379 wp_send_json_error( 3380 array( 3381 'code' => 'no_changeset_found_to_take_over', 3382 'message' => __( 'No changeset found to take over' ), 3383 ) 3384 ); 3385 } 3386 3387 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) ) { 3388 wp_send_json_error( 3389 array( 3390 'code' => 'cannot_remove_changeset_lock', 3391 'message' => __( 'Sorry, you are not allowed to take over.' ), 3392 ) 3393 ); 3394 } 3395 3396 $this->set_changeset_lock( $changeset_post_id, true ); 3397 3398 wp_send_json_success( 'changeset_taken_over' ); 3399 } 3400 3401 /** 3402 * Whether a changeset revision should be made. 3403 * 3404 * @since 4.7.0 3405 * @var bool 3406 */ 3407 protected $store_changeset_revision; 3408 3409 /** 3410 * Filters whether a changeset has changed to create a new revision. 3411 * 3412 * Note that this will not be called while a changeset post remains in auto-draft status. 3413 * 3414 * @since 4.7.0 3415 * 3416 * @param bool $post_has_changed Whether the post has changed. 3417 * @param WP_Post $last_revision The last revision post object. 3418 * @param WP_Post $post The post object. 3419 * @return bool Whether a revision should be made. 3420 */ 3421 public function _filter_revision_post_has_changed( $post_has_changed, $last_revision, $post ) { 3422 unset( $last_revision ); 3423 if ( 'customize_changeset' === $post->post_type ) { 3424 $post_has_changed = $this->store_changeset_revision; 3425 } 3426 return $post_has_changed; 3427 } 3428 3429 /** 3430 * Publish changeset values. 3431 * 3432 * This will the values contained in a changeset, even changesets that do not 3433 * correspond to current manager instance. This is called by 3434 * `_wp_customize_publish_changeset()` when a customize_changeset post is 3435 * transitioned to the `publish` status. As such, this method should not be 3436 * called directly and instead `wp_publish_post()` should be used. 3437 * 3438 * Please note that if the settings in the changeset are for a non-activated 3439 * theme, the theme must first be switched to (via `switch_theme()`) before 3440 * invoking this method. 3441 * 3442 * @since 4.7.0 3443 * 3444 * @see _wp_customize_publish_changeset() 3445 * @global wpdb $wpdb WordPress database abstraction object. 3446 * 3447 * @param int $changeset_post_id ID for customize_changeset post. Defaults to the changeset for the current manager instance. 3448 * @return true|WP_Error True or error info. 3449 */ 3450 public function _publish_changeset_values( $changeset_post_id ) { 3451 global $wpdb; 3452 3453 $publishing_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); 3454 if ( is_wp_error( $publishing_changeset_data ) ) { 3455 return $publishing_changeset_data; 3456 } 3457 3458 $changeset_post = get_post( $changeset_post_id ); 3459 3460 /* 3461 * Temporarily override the changeset context so that it will be read 3462 * in calls to unsanitized_post_values() and so that it will be available 3463 * on the $wp_customize object passed to hooks during the save logic. 3464 */ 3465 $previous_changeset_post_id = $this->_changeset_post_id; 3466 $this->_changeset_post_id = $changeset_post_id; 3467 $previous_changeset_uuid = $this->_changeset_uuid; 3468 $this->_changeset_uuid = $changeset_post->post_name; 3469 $previous_changeset_data = $this->_changeset_data; 3470 $this->_changeset_data = $publishing_changeset_data; 3471 3472 // Parse changeset data to identify theme mod settings and user IDs associated with settings to be saved. 3473 $setting_user_ids = array(); 3474 $theme_mod_settings = array(); 3475 $namespace_pattern = '/^(?P<stylesheet>.+?)::(?P<setting_id>.+)$/'; 3476 $matches = array(); 3477 foreach ( $this->_changeset_data as $raw_setting_id => $setting_params ) { 3478 $actual_setting_id = null; 3479 $is_theme_mod_setting = ( 3480 isset( $setting_params['value'] ) 3481 && 3482 isset( $setting_params['type'] ) 3483 && 3484 'theme_mod' === $setting_params['type'] 3485 && 3486 preg_match( $namespace_pattern, $raw_setting_id, $matches ) 3487 ); 3488 if ( $is_theme_mod_setting ) { 3489 if ( ! isset( $theme_mod_settings[ $matches['stylesheet'] ] ) ) { 3490 $theme_mod_settings[ $matches['stylesheet'] ] = array(); 3491 } 3492 $theme_mod_settings[ $matches['stylesheet'] ][ $matches['setting_id'] ] = $setting_params; 3493 3494 if ( $this->get_stylesheet() === $matches['stylesheet'] ) { 3495 $actual_setting_id = $matches['setting_id']; 3496 } 3497 } else { 3498 $actual_setting_id = $raw_setting_id; 3499 } 3500 3501 // Keep track of the user IDs for settings actually for this theme. 3502 if ( $actual_setting_id && isset( $setting_params['user_id'] ) ) { 3503 $setting_user_ids[ $actual_setting_id ] = $setting_params['user_id']; 3504 } 3505 } 3506 3507 $changeset_setting_values = $this->unsanitized_post_values( 3508 array( 3509 'exclude_post_data' => true, 3510 'exclude_changeset' => false, 3511 ) 3512 ); 3513 $changeset_setting_ids = array_keys( $changeset_setting_values ); 3514 $this->add_dynamic_settings( $changeset_setting_ids ); 3515 3516 /** 3517 * Fires once the theme has switched in the Customizer, but before settings 3518 * have been saved. 3519 * 3520 * @since 3.4.0 3521 * 3522 * @param WP_Customize_Manager $manager WP_Customize_Manager instance. 3523 */ 3524 do_action( 'customize_save', $this ); 3525 3526 /* 3527 * Ensure that all settings will allow themselves to be saved. Note that 3528 * this is safe because the setting would have checked the capability 3529 * when the setting value was written into the changeset. So this is why 3530 * an additional capability check is not required here. 3531 */ 3532 $original_setting_capabilities = array(); 3533 foreach ( $changeset_setting_ids as $setting_id ) { 3534 $setting = $this->get_setting( $setting_id ); 3535 if ( $setting && ! isset( $setting_user_ids[ $setting_id ] ) ) { 3536 $original_setting_capabilities[ $setting->id ] = $setting->capability; 3537 $setting->capability = 'exist'; 3538 } 3539 } 3540 3541 $original_user_id = get_current_user_id(); 3542 foreach ( $changeset_setting_ids as $setting_id ) { 3543 $setting = $this->get_setting( $setting_id ); 3544 if ( $setting ) { 3545 /* 3546 * Set the current user to match the user who saved the value into 3547 * the changeset so that any filters that apply during the save 3548 * process will respect the original user's capabilities. This 3549 * will ensure, for example, that KSES won't strip unsafe HTML 3550 * when a scheduled changeset publishes via WP Cron. 3551 */ 3552 if ( isset( $setting_user_ids[ $setting_id ] ) ) { 3553 wp_set_current_user( $setting_user_ids[ $setting_id ] ); 3554 } else { 3555 wp_set_current_user( $original_user_id ); 3556 } 3557 3558 $setting->save(); 3559 } 3560 } 3561 wp_set_current_user( $original_user_id ); 3562 3563 // Update the stashed theme mod settings, removing the active theme's stashed settings, if activated. 3564 if ( did_action( 'switch_theme' ) ) { 3565 $other_theme_mod_settings = $theme_mod_settings; 3566 unset( $other_theme_mod_settings[ $this->get_stylesheet() ] ); 3567 $this->update_stashed_theme_mod_settings( $other_theme_mod_settings ); 3568 } 3569 3570 /** 3571 * Fires after Customize settings have been saved. 3572 * 3573 * @since 3.6.0 3574 * 3575 * @param WP_Customize_Manager $manager WP_Customize_Manager instance. 3576 */ 3577 do_action( 'customize_save_after', $this ); 3578 3579 // Restore original capabilities. 3580 foreach ( $original_setting_capabilities as $setting_id => $capability ) { 3581 $setting = $this->get_setting( $setting_id ); 3582 if ( $setting ) { 3583 $setting->capability = $capability; 3584 } 3585 } 3586 3587 // Restore original changeset data. 3588 $this->_changeset_data = $previous_changeset_data; 3589 $this->_changeset_post_id = $previous_changeset_post_id; 3590 $this->_changeset_uuid = $previous_changeset_uuid; 3591 3592 /* 3593 * Convert all autosave revisions into their own auto-drafts so that users can be prompted to 3594 * restore them when a changeset is published, but they had been locked out from including 3595 * their changes in the changeset. 3596 */ 3597 $revisions = wp_get_post_revisions( $changeset_post_id, array( 'check_enabled' => false ) ); 3598 foreach ( $revisions as $revision ) { 3599 if ( false !== strpos( $revision->post_name, "{$changeset_post_id}-autosave" ) ) { 3600 $wpdb->update( 3601 $wpdb->posts, 3602 array( 3603 'post_status' => 'auto-draft', 3604 'post_type' => 'customize_changeset', 3605 'post_name' => wp_generate_uuid4(), 3606 'post_parent' => 0, 3607 ), 3608 array( 3609 'ID' => $revision->ID, 3610 ) 3611 ); 3612 clean_post_cache( $revision->ID ); 3613 } 3614 } 3615 3616 return true; 3617 } 3618 3619 /** 3620 * Update stashed theme mod settings. 3621 * 3622 * @since 4.7.0 3623 * 3624 * @param array $inactive_theme_mod_settings Mapping of stylesheet to arrays of theme mod settings. 3625 * @return array|false Returns array of updated stashed theme mods or false if the update failed or there were no changes. 3626 */ 3627 protected function update_stashed_theme_mod_settings( $inactive_theme_mod_settings ) { 3628 $stashed_theme_mod_settings = get_option( 'customize_stashed_theme_mods' ); 3629 if ( empty( $stashed_theme_mod_settings ) ) { 3630 $stashed_theme_mod_settings = array(); 3631 } 3632 3633 // Delete any stashed theme mods for the active theme since they would have been loaded and saved upon activation. 3634 unset( $stashed_theme_mod_settings[ $this->get_stylesheet() ] ); 3635 3636 // Merge inactive theme mods with the stashed theme mod settings. 3637 foreach ( $inactive_theme_mod_settings as $stylesheet => $theme_mod_settings ) { 3638 if ( ! isset( $stashed_theme_mod_settings[ $stylesheet ] ) ) { 3639 $stashed_theme_mod_settings[ $stylesheet ] = array(); 3640 } 3641 3642 $stashed_theme_mod_settings[ $stylesheet ] = array_merge( 3643 $stashed_theme_mod_settings[ $stylesheet ], 3644 $theme_mod_settings 3645 ); 3646 } 3647 3648 $autoload = false; 3649 $result = update_option( 'customize_stashed_theme_mods', $stashed_theme_mod_settings, $autoload ); 3650 if ( ! $result ) { 3651 return false; 3652 } 3653 return $stashed_theme_mod_settings; 3654 } 3655 3656 /** 3657 * Refresh nonces for the current preview. 3658 * 3659 * @since 4.2.0 3660 */ 3661 public function refresh_nonces() { 3662 if ( ! $this->is_preview() ) { 3663 wp_send_json_error( 'not_preview' ); 3664 } 3665 3666 wp_send_json_success( $this->get_nonces() ); 3667 } 3668 3669 /** 3670 * Delete a given auto-draft changeset or the autosave revision for a given changeset or delete changeset lock. 3671 * 3672 * @since 4.9.0 3673 */ 3674 public function handle_dismiss_autosave_or_lock_request() { 3675 // Calls to dismiss_user_auto_draft_changesets() and wp_get_post_autosave() require non-zero get_current_user_id(). 3676 if ( ! is_user_logged_in() ) { 3677 wp_send_json_error( 'unauthenticated', 401 ); 3678 } 3679 3680 if ( ! $this->is_preview() ) { 3681 wp_send_json_error( 'not_preview', 400 ); 3682 } 3683 3684 if ( ! check_ajax_referer( 'customize_dismiss_autosave_or_lock', 'nonce', false ) ) { 3685 wp_send_json_error( 'invalid_nonce', 403 ); 3686 } 3687 3688 $changeset_post_id = $this->changeset_post_id(); 3689 $dismiss_lock = ! empty( $_POST['dismiss_lock'] ); 3690 $dismiss_autosave = ! empty( $_POST['dismiss_autosave'] ); 3691 3692 if ( $dismiss_lock ) { 3693 if ( empty( $changeset_post_id ) && ! $dismiss_autosave ) { 3694 wp_send_json_error( 'no_changeset_to_dismiss_lock', 404 ); 3695 } 3696 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) && ! $dismiss_autosave ) { 3697 wp_send_json_error( 'cannot_remove_changeset_lock', 403 ); 3698 } 3699 3700 delete_post_meta( $changeset_post_id, '_edit_lock' ); 3701 3702 if ( ! $dismiss_autosave ) { 3703 wp_send_json_success( 'changeset_lock_dismissed' ); 3704 } 3705 } 3706 3707 if ( $dismiss_autosave ) { 3708 if ( empty( $changeset_post_id ) || 'auto-draft' === get_post_status( $changeset_post_id ) ) { 3709 $dismissed = $this->dismiss_user_auto_draft_changesets(); 3710 if ( $dismissed > 0 ) { 3711 wp_send_json_success( 'auto_draft_dismissed' ); 3712 } else { 3713 wp_send_json_error( 'no_auto_draft_to_delete', 404 ); 3714 } 3715 } else { 3716 $revision = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); 3717 3718 if ( $revision ) { 3719 if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) { 3720 wp_send_json_error( 'cannot_delete_autosave_revision', 403 ); 3721 } 3722 3723 if ( ! wp_delete_post( $revision->ID, true ) ) { 3724 wp_send_json_error( 'autosave_revision_deletion_failure', 500 ); 3725 } else { 3726 wp_send_json_success( 'autosave_revision_deleted' ); 3727 } 3728 } else { 3729 wp_send_json_error( 'no_autosave_revision_to_delete', 404 ); 3730 } 3731 } 3732 } 3733 3734 wp_send_json_error( 'unknown_error', 500 ); 3735 } 3736 3737 /** 3738 * Add a customize setting. 3739 * 3740 * @since 3.4.0 3741 * @since 4.5.0 Return added WP_Customize_Setting instance. 3742 * 3743 * @see WP_Customize_Setting::__construct() 3744 * @link https://developer.wordpress.org/themes/customize-api 3745 * 3746 * @param WP_Customize_Setting|string $id Customize Setting object, or ID. 3747 * @param array $args Optional. Array of properties for the new Setting object. 3748 * See WP_Customize_Setting::__construct() for information 3749 * on accepted arguments. Default empty array. 3750 * @return WP_Customize_Setting The instance of the setting that was added. 3751 */ 3752 public function add_setting( $id, $args = array() ) { 3753 if ( $id instanceof WP_Customize_Setting ) { 3754 $setting = $id; 3755 } else { 3756 $class = 'WP_Customize_Setting'; 3757 3758 /** This filter is documented in wp-includes/class-wp-customize-manager.php */ 3759 $args = apply_filters( 'customize_dynamic_setting_args', $args, $id ); 3760 3761 /** This filter is documented in wp-includes/class-wp-customize-manager.php */ 3762 $class = apply_filters( 'customize_dynamic_setting_class', $class, $id, $args ); 3763 3764 $setting = new $class( $this, $id, $args ); 3765 } 3766 3767 $this->settings[ $setting->id ] = $setting; 3768 return $setting; 3769 } 3770 3771 /** 3772 * Register any dynamically-created settings, such as those from $_POST['customized'] 3773 * that have no corresponding setting created. 3774 * 3775 * This is a mechanism to "wake up" settings that have been dynamically created 3776 * on the front end and have been sent to WordPress in `$_POST['customized']`. When WP 3777 * loads, the dynamically-created settings then will get created and previewed 3778 * even though they are not directly created statically with code. 3779 * 3780 * @since 4.2.0 3781 * 3782 * @param array $setting_ids The setting IDs to add. 3783 * @return array The WP_Customize_Setting objects added. 3784 */ 3785 public function add_dynamic_settings( $setting_ids ) { 3786 $new_settings = array(); 3787 foreach ( $setting_ids as $setting_id ) { 3788 // Skip settings already created. 3789 if ( $this->get_setting( $setting_id ) ) { 3790 continue; 3791 } 3792 3793 $setting_args = false; 3794 $setting_class = 'WP_Customize_Setting'; 3795 3796 /** 3797 * Filters a dynamic setting's constructor args. 3798 * 3799 * For a dynamic setting to be registered, this filter must be employed 3800 * to override the default false value with an array of args to pass to 3801 * the WP_Customize_Setting constructor. 3802 * 3803 * @since 4.2.0 3804 * 3805 * @param false|array $setting_args The arguments to the WP_Customize_Setting constructor. 3806 * @param string $setting_id ID for dynamic setting, usually coming from `$_POST['customized']`. 3807 */ 3808 $setting_args = apply_filters( 'customize_dynamic_setting_args', $setting_args, $setting_id ); 3809 if ( false === $setting_args ) { 3810 continue; 3811 } 3812 3813 /** 3814 * Allow non-statically created settings to be constructed with custom WP_Customize_Setting subclass. 3815 * 3816 * @since 4.2.0 3817 * 3818 * @param string $setting_class WP_Customize_Setting or a subclass. 3819 * @param string $setting_id ID for dynamic setting, usually coming from `$_POST['customized']`. 3820 * @param array $setting_args WP_Customize_Setting or a subclass. 3821 */ 3822 $setting_class = apply_filters( 'customize_dynamic_setting_class', $setting_class, $setting_id, $setting_args ); 3823 3824 $setting = new $setting_class( $this, $setting_id, $setting_args ); 3825 3826 $this->add_setting( $setting ); 3827 $new_settings[] = $setting; 3828 } 3829 return $new_settings; 3830 } 3831 3832 /** 3833 * Retrieve a customize setting. 3834 * 3835 * @since 3.4.0 3836 * 3837 * @param string $id Customize Setting ID. 3838 * @return WP_Customize_Setting|void The setting, if set. 3839 */ 3840 public function get_setting( $id ) { 3841 if ( isset( $this->settings[ $id ] ) ) { 3842 return $this->settings[ $id ]; 3843 } 3844 } 3845 3846 /** 3847 * Remove a customize setting. 3848 * 3849 * Note that removing the setting doesn't destroy the WP_Customize_Setting instance or remove its filters. 3850 * 3851 * @since 3.4.0 3852 * 3853 * @param string $id Customize Setting ID. 3854 */ 3855 public function remove_setting( $id ) { 3856 unset( $this->settings[ $id ] ); 3857 } 3858 3859 /** 3860 * Add a customize panel. 3861 * 3862 * @since 4.0.0 3863 * @since 4.5.0 Return added WP_Customize_Panel instance. 3864 * 3865 * @see WP_Customize_Panel::__construct() 3866 * 3867 * @param WP_Customize_Panel|string $id Customize Panel object, or ID. 3868 * @param array $args Optional. Array of properties for the new Panel object. 3869 * See WP_Customize_Panel::__construct() for information 3870 * on accepted arguments. Default empty array. 3871 * @return WP_Customize_Panel The instance of the panel that was added. 3872 */ 3873 public function add_panel( $id, $args = array() ) { 3874 if ( $id instanceof WP_Customize_Panel ) { 3875 $panel = $id; 3876 } else { 3877 $panel = new WP_Customize_Panel( $this, $id, $args ); 3878 } 3879 3880 $this->panels[ $panel->id ] = $panel; 3881 return $panel; 3882 } 3883 3884 /** 3885 * Retrieve a customize panel. 3886 * 3887 * @since 4.0.0 3888 * 3889 * @param string $id Panel ID to get. 3890 * @return WP_Customize_Panel|void Requested panel instance, if set. 3891 */ 3892 public function get_panel( $id ) { 3893 if ( isset( $this->panels[ $id ] ) ) { 3894 return $this->panels[ $id ]; 3895 } 3896 } 3897 3898 /** 3899 * Remove a customize panel. 3900 * 3901 * Note that removing the panel doesn't destroy the WP_Customize_Panel instance or remove its filters. 3902 * 3903 * @since 4.0.0 3904 * 3905 * @param string $id Panel ID to remove. 3906 */ 3907 public function remove_panel( $id ) { 3908 // Removing core components this way is _doing_it_wrong(). 3909 if ( in_array( $id, $this->components, true ) ) { 3910 $message = sprintf( 3911 /* translators: 1: Panel ID, 2: Link to 'customize_loaded_components' filter reference. */ 3912 __( 'Removing %1$s manually will cause PHP warnings. Use the %2$s filter instead.' ), 3913 $id, 3914 sprintf( 3915 '<a href="%1$s">%2$s</a>', 3916 esc_url( 'https://developer.wordpress.org/reference/hooks/customize_loaded_components/' ), 3917 '<code>customize_loaded_components</code>' 3918 ) 3919 ); 3920 3921 _doing_it_wrong( __METHOD__, $message, '4.5.0' ); 3922 } 3923 unset( $this->panels[ $id ] ); 3924 } 3925 3926 /** 3927 * Register a customize panel type. 3928 * 3929 * Registered types are eligible to be rendered via JS and created dynamically. 3930 * 3931 * @since 4.3.0 3932 * 3933 * @see WP_Customize_Panel 3934 * 3935 * @param string $panel Name of a custom panel which is a subclass of WP_Customize_Panel. 3936 */ 3937 public function register_panel_type( $panel ) { 3938 $this->registered_panel_types[] = $panel; 3939 } 3940 3941 /** 3942 * Render JS templates for all registered panel types. 3943 * 3944 * @since 4.3.0 3945 */ 3946 public function render_panel_templates() { 3947 foreach ( $this->registered_panel_types as $panel_type ) { 3948 $panel = new $panel_type( $this, 'temp', array() ); 3949 $panel->print_template(); 3950 } 3951 } 3952 3953 /** 3954 * Add a customize section. 3955 * 3956 * @since 3.4.0 3957 * @since 4.5.0 Return added WP_Customize_Section instance. 3958 * 3959 * @see WP_Customize_Section::__construct() 3960 * 3961 * @param WP_Customize_Section|string $id Customize Section object, or ID. 3962 * @param array $args Optional. Array of properties for the new Section object. 3963 * See WP_Customize_Section::__construct() for information 3964 * on accepted arguments. Default empty array. 3965 * @return WP_Customize_Section The instance of the section that was added. 3966 */ 3967 public function add_section( $id, $args = array() ) { 3968 if ( $id instanceof WP_Customize_Section ) { 3969 $section = $id; 3970 } else { 3971 $section = new WP_Customize_Section( $this, $id, $args ); 3972 } 3973 3974 $this->sections[ $section->id ] = $section; 3975 return $section; 3976 } 3977 3978 /** 3979 * Retrieve a customize section. 3980 * 3981 * @since 3.4.0 3982 * 3983 * @param string $id Section ID. 3984 * @return WP_Customize_Section|void The section, if set. 3985 */ 3986 public function get_section( $id ) { 3987 if ( isset( $this->sections[ $id ] ) ) { 3988 return $this->sections[ $id ]; 3989 } 3990 } 3991 3992 /** 3993 * Remove a customize section. 3994 * 3995 * Note that removing the section doesn't destroy the WP_Customize_Section instance or remove its filters. 3996 * 3997 * @since 3.4.0 3998 * 3999 * @param string $id Section ID. 4000 */ 4001 public function remove_section( $id ) { 4002 unset( $this->sections[ $id ] ); 4003 } 4004 4005 /** 4006 * Register a customize section type. 4007 * 4008 * Registered types are eligible to be rendered via JS and created dynamically. 4009 * 4010 * @since 4.3.0 4011 * 4012 * @see WP_Customize_Section 4013 * 4014 * @param string $section Name of a custom section which is a subclass of WP_Customize_Section. 4015 */ 4016 public function register_section_type( $section ) { 4017 $this->registered_section_types[] = $section; 4018 } 4019 4020 /** 4021 * Render JS templates for all registered section types. 4022 * 4023 * @since 4.3.0 4024 */ 4025 public function render_section_templates() { 4026 foreach ( $this->registered_section_types as $section_type ) { 4027 $section = new $section_type( $this, 'temp', array() ); 4028 $section->print_template(); 4029 } 4030 } 4031 4032 /** 4033 * Add a customize control. 4034 * 4035 * @since 3.4.0 4036 * @since 4.5.0 Return added WP_Customize_Control instance. 4037 * 4038 * @see WP_Customize_Control::__construct() 4039 * 4040 * @param WP_Customize_Control|string $id Customize Control object, or ID. 4041 * @param array $args Optional. Array of properties for the new Control object. 4042 * See WP_Customize_Control::__construct() for information 4043 * on accepted arguments. Default empty array. 4044 * @return WP_Customize_Control The instance of the control that was added. 4045 */ 4046 public function add_control( $id, $args = array() ) { 4047 if ( $id instanceof WP_Customize_Control ) { 4048 $control = $id; 4049 } else { 4050 $control = new WP_Customize_Control( $this, $id, $args ); 4051 } 4052 4053 $this->controls[ $control->id ] = $control; 4054 return $control; 4055 } 4056 4057 /** 4058 * Retrieve a customize control. 4059 * 4060 * @since 3.4.0 4061 * 4062 * @param string $id ID of the control. 4063 * @return WP_Customize_Control|void The control object, if set. 4064 */ 4065 public function get_control( $id ) { 4066 if ( isset( $this->controls[ $id ] ) ) { 4067 return $this->controls[ $id ]; 4068 } 4069 } 4070 4071 /** 4072 * Remove a customize control. 4073 * 4074 * Note that removing the control doesn't destroy the WP_Customize_Control instance or remove its filters. 4075 * 4076 * @since 3.4.0 4077 * 4078 * @param string $id ID of the control. 4079 */ 4080 public function remove_control( $id ) { 4081 unset( $this->controls[ $id ] ); 4082 } 4083 4084 /** 4085 * Register a customize control type. 4086 * 4087 * Registered types are eligible to be rendered via JS and created dynamically. 4088 * 4089 * @since 4.1.0 4090 * 4091 * @param string $control Name of a custom control which is a subclass of 4092 * WP_Customize_Control. 4093 */ 4094 public function register_control_type( $control ) { 4095 $this->registered_control_types[] = $control; 4096 } 4097 4098 /** 4099 * Render JS templates for all registered control types. 4100 * 4101 * @since 4.1.0 4102 */ 4103 public function render_control_templates() { 4104 if ( $this->branching() ) { 4105 $l10n = array( 4106 /* translators: %s: User who is customizing the changeset in customizer. */ 4107 'locked' => __( '%s is already customizing this changeset. Please wait until they are done to try customizing. Your latest changes have been autosaved.' ), 4108 /* translators: %s: User who is customizing the changeset in customizer. */ 4109 'locked_allow_override' => __( '%s is already customizing this changeset. Do you want to take over?' ), 4110 ); 4111 } else { 4112 $l10n = array( 4113 /* translators: %s: User who is customizing the changeset in customizer. */ 4114 'locked' => __( '%s is already customizing this site. Please wait until they are done to try customizing. Your latest changes have been autosaved.' ), 4115 /* translators: %s: User who is customizing the changeset in customizer. */ 4116 'locked_allow_override' => __( '%s is already customizing this site. Do you want to take over?' ), 4117 ); 4118 } 4119 4120 foreach ( $this->registered_control_types as $control_type ) { 4121 $control = new $control_type( 4122 $this, 4123 'temp', 4124 array( 4125 'settings' => array(), 4126 ) 4127 ); 4128 $control->print_template(); 4129 } 4130 ?> 4131 4132 <script type="text/html" id="tmpl-customize-control-default-content"> 4133 <# 4134 var inputId = _.uniqueId( 'customize-control-default-input-' ); 4135 var descriptionId = _.uniqueId( 'customize-control-default-description-' ); 4136 var describedByAttr = data.description ? ' aria-describedby="' + descriptionId + '" ' : ''; 4137 #> 4138 <# switch ( data.type ) { 4139 case 'checkbox': #> 4140 <span class="customize-inside-control-row"> 4141 <input 4142 id="{{ inputId }}" 4143 {{{ describedByAttr }}} 4144 type="checkbox" 4145 value="{{ data.value }}" 4146 data-customize-setting-key-link="default" 4147 > 4148 <label for="{{ inputId }}"> 4149 {{ data.label }} 4150 </label> 4151 <# if ( data.description ) { #> 4152 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4153 <# } #> 4154 </span> 4155 <# 4156 break; 4157 case 'radio': 4158 if ( ! data.choices ) { 4159 return; 4160 } 4161 #> 4162 <# if ( data.label ) { #> 4163 <label for="{{ inputId }}" class="customize-control-title"> 4164 {{ data.label }} 4165 </label> 4166 <# } #> 4167 <# if ( data.description ) { #> 4168 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4169 <# } #> 4170 <# _.each( data.choices, function( val, key ) { #> 4171 <span class="customize-inside-control-row"> 4172 <# 4173 var value, text; 4174 if ( _.isObject( val ) ) { 4175 value = val.value; 4176 text = val.text; 4177 } else { 4178 value = key; 4179 text = val; 4180 } 4181 #> 4182 <input 4183 id="{{ inputId + '-' + value }}" 4184 type="radio" 4185 value="{{ value }}" 4186 name="{{ inputId }}" 4187 data-customize-setting-key-link="default" 4188 {{{ describedByAttr }}} 4189 > 4190 <label for="{{ inputId + '-' + value }}">{{ text }}</label> 4191 </span> 4192 <# } ); #> 4193 <# 4194 break; 4195 default: 4196 #> 4197 <# if ( data.label ) { #> 4198 <label for="{{ inputId }}" class="customize-control-title"> 4199 {{ data.label }} 4200 </label> 4201 <# } #> 4202 <# if ( data.description ) { #> 4203 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4204 <# } #> 4205 4206 <# 4207 var inputAttrs = { 4208 id: inputId, 4209 'data-customize-setting-key-link': 'default' 4210 }; 4211 if ( 'textarea' === data.type ) { 4212 inputAttrs.rows = '5'; 4213 } else if ( 'button' === data.type ) { 4214 inputAttrs['class'] = 'button button-secondary'; 4215 inputAttrs.type = 'button'; 4216 } else { 4217 inputAttrs.type = data.type; 4218 } 4219 if ( data.description ) { 4220 inputAttrs['aria-describedby'] = descriptionId; 4221 } 4222 _.extend( inputAttrs, data.input_attrs ); 4223 #> 4224 4225 <# if ( 'button' === data.type ) { #> 4226 <button 4227 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4228 {{{ key }}}="{{ value }}" 4229 <# } ); #> 4230 >{{ inputAttrs.value }}</button> 4231 <# } else if ( 'textarea' === data.type ) { #> 4232 <textarea 4233 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4234 {{{ key }}}="{{ value }}" 4235 <# }); #> 4236 >{{ inputAttrs.value }}</textarea> 4237 <# } else if ( 'select' === data.type ) { #> 4238 <# delete inputAttrs.type; #> 4239 <select 4240 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4241 {{{ key }}}="{{ value }}" 4242 <# }); #> 4243 > 4244 <# _.each( data.choices, function( val, key ) { #> 4245 <# 4246 var value, text; 4247 if ( _.isObject( val ) ) { 4248 value = val.value; 4249 text = val.text; 4250 } else { 4251 value = key; 4252 text = val; 4253 } 4254 #> 4255 <option value="{{ value }}">{{ text }}</option> 4256 <# } ); #> 4257 </select> 4258 <# } else { #> 4259 <input 4260 <# _.each( _.extend( inputAttrs ), function( value, key ) { #> 4261 {{{ key }}}="{{ value }}" 4262 <# }); #> 4263 > 4264 <# } #> 4265 <# } #> 4266 </script> 4267 4268 <script type="text/html" id="tmpl-customize-notification"> 4269 <li class="notice notice-{{ data.type || 'info' }} {{ data.alt ? 'notice-alt' : '' }} {{ data.dismissible ? 'is-dismissible' : '' }} {{ data.containerClasses || '' }}" data-code="{{ data.code }}" data-type="{{ data.type }}"> 4270 <div class="notification-message">{{{ data.message || data.code }}}</div> 4271 <# if ( data.dismissible ) { #> 4272 <button type="button" class="notice-dismiss"><span class="screen-reader-text"><?php _e( 'Dismiss' ); ?></span></button> 4273 <# } #> 4274 </li> 4275 </script> 4276 4277 <script type="text/html" id="tmpl-customize-changeset-locked-notification"> 4278 <li class="notice notice-{{ data.type || 'info' }} {{ data.containerClasses || '' }}" data-code="{{ data.code }}" data-type="{{ data.type }}"> 4279 <div class="notification-message customize-changeset-locked-message"> 4280 <img class="customize-changeset-locked-avatar" src="{{ data.lockUser.avatar }}" alt="{{ data.lockUser.name }}" /> 4281 <p class="currently-editing"> 4282 <# if ( data.message ) { #> 4283 {{{ data.message }}} 4284 <# } else if ( data.allowOverride ) { #> 4285 <?php 4286 echo esc_html( sprintf( $l10n['locked_allow_override'], '{{ data.lockUser.name }}' ) ); 4287 ?> 4288 <# } else { #> 4289 <?php 4290 echo esc_html( sprintf( $l10n['locked'], '{{ data.lockUser.name }}' ) ); 4291 ?> 4292 <# } #> 4293 </p> 4294 <p class="notice notice-error notice-alt" hidden></p> 4295 <p class="action-buttons"> 4296 <# if ( data.returnUrl !== data.previewUrl ) { #> 4297 <a class="button customize-notice-go-back-button" href="{{ data.returnUrl }}"><?php _e( 'Go back' ); ?></a> 4298 <# } #> 4299 <a class="button customize-notice-preview-button" href="{{ data.frontendPreviewUrl }}"><?php _e( 'Preview' ); ?></a> 4300 <# if ( data.allowOverride ) { #> 4301 <button class="button button-primary wp-tab-last customize-notice-take-over-button"><?php _e( 'Take over' ); ?></button> 4302 <# } #> 4303 </p> 4304 </div> 4305 </li> 4306 </script> 4307 4308 <script type="text/html" id="tmpl-customize-code-editor-lint-error-notification"> 4309 <li class="notice notice-{{ data.type || 'info' }} {{ data.alt ? 'notice-alt' : '' }} {{ data.dismissible ? 'is-dismissible' : '' }} {{ data.containerClasses || '' }}" data-code="{{ data.code }}" data-type="{{ data.type }}"> 4310 <div class="notification-message">{{{ data.message || data.code }}}</div> 4311 4312 <p> 4313 <# var elementId = 'el-' + String( Math.random() ); #> 4314 <input id="{{ elementId }}" type="checkbox"> 4315 <label for="{{ elementId }}"><?php _e( 'Update anyway, even though it might break your site?' ); ?></label> 4316 </p> 4317 </li> 4318 </script> 4319 4320 <?php 4321 /* The following template is obsolete in core but retained for plugins. */ 4322 ?> 4323 <script type="text/html" id="tmpl-customize-control-notifications"> 4324 <ul> 4325 <# _.each( data.notifications, function( notification ) { #> 4326 <li class="notice notice-{{ notification.type || 'info' }} {{ data.altNotice ? 'notice-alt' : '' }}" data-code="{{ notification.code }}" data-type="{{ notification.type }}">{{{ notification.message || notification.code }}}</li> 4327 <# } ); #> 4328 </ul> 4329 </script> 4330 4331 <script type="text/html" id="tmpl-customize-preview-link-control" > 4332 <# var elementPrefix = _.uniqueId( 'el' ) + '-' #> 4333 <p class="customize-control-title"> 4334 <?php esc_html_e( 'Share Preview Link' ); ?> 4335 </p> 4336 <p class="description customize-control-description"><?php esc_html_e( 'See how changes would look live on your website, and share the preview with people who can\'t access the Customizer.' ); ?></p> 4337 <div class="customize-control-notifications-container"></div> 4338 <div class="preview-link-wrapper"> 4339 <label for="{{ elementPrefix }}customize-preview-link-input" class="screen-reader-text"><?php esc_html_e( 'Preview Link' ); ?></label> 4340 <a href="" target=""> 4341 <span class="preview-control-element" data-component="url"></span> 4342 <span class="screen-reader-text"><?php _e( '(opens in a new tab)' ); ?></span> 4343 </a> 4344 <input id="{{ elementPrefix }}customize-preview-link-input" readonly tabindex="-1" class="preview-control-element" data-component="input"> 4345 <button class="customize-copy-preview-link preview-control-element button button-secondary" data-component="button" data-copy-text="<?php esc_attr_e( 'Copy' ); ?>" data-copied-text="<?php esc_attr_e( 'Copied' ); ?>" ><?php esc_html_e( 'Copy' ); ?></button> 4346 </div> 4347 </script> 4348 <script type="text/html" id="tmpl-customize-selected-changeset-status-control"> 4349 <# var inputId = _.uniqueId( 'customize-selected-changeset-status-control-input-' ); #> 4350 <# var descriptionId = _.uniqueId( 'customize-selected-changeset-status-control-description-' ); #> 4351 <# if ( data.label ) { #> 4352 <label for="{{ inputId }}" class="customize-control-title">{{ data.label }}</label> 4353 <# } #> 4354 <# if ( data.description ) { #> 4355 <span id="{{ descriptionId }}" class="description customize-control-description">{{{ data.description }}}</span> 4356 <# } #> 4357 <# _.each( data.choices, function( choice ) { #> 4358 <# var choiceId = inputId + '-' + choice.status; #> 4359 <span class="customize-inside-control-row"> 4360 <input id="{{ choiceId }}" type="radio" value="{{ choice.status }}" name="{{ inputId }}" data-customize-setting-key-link="default"> 4361 <label for="{{ choiceId }}">{{ choice.label }}</label> 4362 </span> 4363 <# } ); #> 4364 </script> 4365 <?php 4366 } 4367 4368 /** 4369 * Helper function to compare two objects by priority, ensuring sort stability via instance_number. 4370 * 4371 * @since 3.4.0 4372 * @deprecated 4.7.0 Use wp_list_sort() 4373 * 4374 * @param WP_Customize_Panel|WP_Customize_Section|WP_Customize_Control $a Object A. 4375 * @param WP_Customize_Panel|WP_Customize_Section|WP_Customize_Control $b Object B. 4376 * @return int 4377 */ 4378 protected function _cmp_priority( $a, $b ) { 4379 _deprecated_function( __METHOD__, '4.7.0', 'wp_list_sort' ); 4380 4381 if ( $a->priority === $b->priority ) { 4382 return $a->instance_number - $b->instance_number; 4383 } else { 4384 return $a->priority - $b->priority; 4385 } 4386 } 4387 4388 /** 4389 * Prepare panels, sections, and controls. 4390 * 4391 * For each, check if required related components exist, 4392 * whether the user has the necessary capabilities, 4393 * and sort by priority. 4394 * 4395 * @since 3.4.0 4396 */ 4397 public function prepare_controls() { 4398 4399 $controls = array(); 4400 $this->controls = wp_list_sort( 4401 $this->controls, 4402 array( 4403 'priority' => 'ASC', 4404 'instance_number' => 'ASC', 4405 ), 4406 'ASC', 4407 true 4408 ); 4409 4410 foreach ( $this->controls as $id => $control ) { 4411 if ( ! isset( $this->sections[ $control->section ] ) || ! $control->check_capabilities() ) { 4412 continue; 4413 } 4414 4415 $this->sections[ $control->section ]->controls[] = $control; 4416 $controls[ $id ] = $control; 4417 } 4418 $this->controls = $controls; 4419 4420 // Prepare sections. 4421 $this->sections = wp_list_sort( 4422 $this->sections, 4423 array( 4424 'priority' => 'ASC', 4425 'instance_number' => 'ASC', 4426 ), 4427 'ASC', 4428 true 4429 ); 4430 $sections = array(); 4431 4432 foreach ( $this->sections as $section ) { 4433 if ( ! $section->check_capabilities() ) { 4434 continue; 4435 } 4436 4437 $section->controls = wp_list_sort( 4438 $section->controls, 4439 array( 4440 'priority' => 'ASC', 4441 'instance_number' => 'ASC', 4442 ) 4443 ); 4444 4445 if ( ! $section->panel ) { 4446 // Top-level section. 4447 $sections[ $section->id ] = $section; 4448 } else { 4449 // This section belongs to a panel. 4450 if ( isset( $this->panels [ $section->panel ] ) ) { 4451 $this->panels[ $section->panel ]->sections[ $section->id ] = $section; 4452 } 4453 } 4454 } 4455 $this->sections = $sections; 4456 4457 // Prepare panels. 4458 $this->panels = wp_list_sort( 4459 $this->panels, 4460 array( 4461 'priority' => 'ASC', 4462 'instance_number' => 'ASC', 4463 ), 4464 'ASC', 4465 true 4466 ); 4467 $panels = array(); 4468 4469 foreach ( $this->panels as $panel ) { 4470 if ( ! $panel->check_capabilities() ) { 4471 continue; 4472 } 4473 4474 $panel->sections = wp_list_sort( 4475 $panel->sections, 4476 array( 4477 'priority' => 'ASC', 4478 'instance_number' => 'ASC', 4479 ), 4480 'ASC', 4481 true 4482 ); 4483 $panels[ $panel->id ] = $panel; 4484 } 4485 $this->panels = $panels; 4486 4487 // Sort panels and top-level sections together. 4488 $this->containers = array_merge( $this->panels, $this->sections ); 4489 $this->containers = wp_list_sort( 4490 $this->containers, 4491 array( 4492 'priority' => 'ASC', 4493 'instance_number' => 'ASC', 4494 ), 4495 'ASC', 4496 true 4497 ); 4498 } 4499 4500 /** 4501 * Enqueue scripts for customize controls. 4502 * 4503 * @since 3.4.0 4504 */ 4505 public function enqueue_control_scripts() { 4506 foreach ( $this->controls as $control ) { 4507 $control->enqueue(); 4508 } 4509 4510 if ( ! is_multisite() && ( current_user_can( 'install_themes' ) || current_user_can( 'update_themes' ) || current_user_can( 'delete_themes' ) ) ) { 4511 wp_enqueue_script( 'updates' ); 4512 wp_localize_script( 4513 'updates', 4514 '_wpUpdatesItemCounts', 4515 array( 4516 'totals' => wp_get_update_data(), 4517 ) 4518 ); 4519 } 4520 } 4521 4522 /** 4523 * Determine whether the user agent is iOS. 4524 * 4525 * @since 4.4.0 4526 * 4527 * @return bool Whether the user agent is iOS. 4528 */ 4529 public function is_ios() { 4530 return wp_is_mobile() && preg_match( '/iPad|iPod|iPhone/', $_SERVER['HTTP_USER_AGENT'] ); 4531 } 4532 4533 /** 4534 * Get the template string for the Customizer pane document title. 4535 * 4536 * @since 4.4.0 4537 * 4538 * @return string The template string for the document title. 4539 */ 4540 public function get_document_title_template() { 4541 if ( $this->is_theme_active() ) { 4542 /* translators: %s: Document title from the preview. */ 4543 $document_title_tmpl = __( 'Customize: %s' ); 4544 } else { 4545 /* translators: %s: Document title from the preview. */ 4546 $document_title_tmpl = __( 'Live Preview: %s' ); 4547 } 4548 $document_title_tmpl = html_entity_decode( $document_title_tmpl, ENT_QUOTES, 'UTF-8' ); // Because exported to JS and assigned to document.title. 4549 return $document_title_tmpl; 4550 } 4551 4552 /** 4553 * Set the initial URL to be previewed. 4554 * 4555 * URL is validated. 4556 * 4557 * @since 4.4.0 4558 * 4559 * @param string $preview_url URL to be previewed. 4560 */ 4561 public function set_preview_url( $preview_url ) { 4562 $preview_url = esc_url_raw( $preview_url ); 4563 $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) ); 4564 } 4565 4566 /** 4567 * Get the initial URL to be previewed. 4568 * 4569 * @since 4.4.0 4570 * 4571 * @return string URL being previewed. 4572 */ 4573 public function get_preview_url() { 4574 if ( empty( $this->preview_url ) ) { 4575 $preview_url = home_url( '/' ); 4576 } else { 4577 $preview_url = $this->preview_url; 4578 } 4579 return $preview_url; 4580 } 4581 4582 /** 4583 * Determines whether the admin and the frontend are on different domains. 4584 * 4585 * @since 4.7.0 4586 * 4587 * @return bool Whether cross-domain. 4588 */ 4589 public function is_cross_domain() { 4590 $admin_origin = wp_parse_url( admin_url() ); 4591 $home_origin = wp_parse_url( home_url() ); 4592 $cross_domain = ( strtolower( $admin_origin['host'] ) !== strtolower( $home_origin['host'] ) ); 4593 return $cross_domain; 4594 } 4595 4596 /** 4597 * Get URLs allowed to be previewed. 4598 * 4599 * If the front end and the admin are served from the same domain, load the 4600 * preview over ssl if the Customizer is being loaded over ssl. This avoids 4601 * insecure content warnings. This is not attempted if the admin and front end 4602 * are on different domains to avoid the case where the front end doesn't have 4603 * ssl certs. Domain mapping plugins can allow other urls in these conditions 4604 * using the customize_allowed_urls filter. 4605 * 4606 * @since 4.7.0 4607 * 4608 * @return array Allowed URLs. 4609 */ 4610 public function get_allowed_urls() { 4611 $allowed_urls = array( home_url( '/' ) ); 4612 4613 if ( is_ssl() && ! $this->is_cross_domain() ) { 4614 $allowed_urls[] = home_url( '/', 'https' ); 4615 } 4616 4617 /** 4618 * Filters the list of URLs allowed to be clicked and followed in the Customizer preview. 4619 * 4620 * @since 3.4.0 4621 * 4622 * @param string[] $allowed_urls An array of allowed URLs. 4623 */ 4624 $allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) ); 4625 4626 return $allowed_urls; 4627 } 4628 4629 /** 4630 * Get messenger channel. 4631 * 4632 * @since 4.7.0 4633 * 4634 * @return string Messenger channel. 4635 */ 4636 public function get_messenger_channel() { 4637 return $this->messenger_channel; 4638 } 4639 4640 /** 4641 * Set URL to link the user to when closing the Customizer. 4642 * 4643 * URL is validated. 4644 * 4645 * @since 4.4.0 4646 * 4647 * @param string $return_url URL for return link. 4648 */ 4649 public function set_return_url( $return_url ) { 4650 $return_url = esc_url_raw( $return_url ); 4651 $return_url = remove_query_arg( wp_removable_query_args(), $return_url ); 4652 $return_url = wp_validate_redirect( $return_url ); 4653 $this->return_url = $return_url; 4654 } 4655 4656 /** 4657 * Get URL to link the user to when closing the Customizer. 4658 * 4659 * @since 4.4.0 4660 * 4661 * @global array $_registered_pages 4662 * 4663 * @return string URL for link to close Customizer. 4664 */ 4665 public function get_return_url() { 4666 global $_registered_pages; 4667 4668 $referer = wp_get_referer(); 4669 $excluded_referer_basenames = array( 'customize.php', 'wp-login.php' ); 4670 4671 if ( $this->return_url ) { 4672 $return_url = $this->return_url; 4673 } elseif ( $referer && ! in_array( wp_basename( parse_url( $referer, PHP_URL_PATH ) ), $excluded_referer_basenames, true ) ) { 4674 $return_url = $referer; 4675 } elseif ( $this->preview_url ) { 4676 $return_url = $this->preview_url; 4677 } else { 4678 $return_url = home_url( '/' ); 4679 } 4680 4681 $return_url_basename = wp_basename( parse_url( $this->return_url, PHP_URL_PATH ) ); 4682 $return_url_query = parse_url( $this->return_url, PHP_URL_QUERY ); 4683 4684 if ( 'themes.php' === $return_url_basename && $return_url_query ) { 4685 parse_str( $return_url_query, $query_vars ); 4686 4687 /* 4688 * If the return URL is a page added by a theme to the Appearance menu via add_submenu_page(), 4689 * verify that belongs to the active theme, otherwise fall back to the Themes screen. 4690 */ 4691 if ( isset( $query_vars['page'] ) && ! isset( $_registered_pages[ "appearance_page_{$query_vars['page']}" ] ) ) { 4692 $return_url = admin_url( 'themes.php' ); 4693 } 4694 } 4695 4696 return $return_url; 4697 } 4698 4699 /** 4700 * Set the autofocused constructs. 4701 * 4702 * @since 4.4.0 4703 * 4704 * @param array $autofocus { 4705 * Mapping of 'panel', 'section', 'control' to the ID which should be autofocused. 4706 * 4707 * @type string $control ID for control to be autofocused. 4708 * @type string $section ID for section to be autofocused. 4709 * @type string $panel ID for panel to be autofocused. 4710 * } 4711 */ 4712 public function set_autofocus( $autofocus ) { 4713 $this->autofocus = array_filter( wp_array_slice_assoc( $autofocus, array( 'panel', 'section', 'control' ) ), 'is_string' ); 4714 } 4715 4716 /** 4717 * Get the autofocused constructs. 4718 * 4719 * @since 4.4.0 4720 * 4721 * @return array { 4722 * Mapping of 'panel', 'section', 'control' to the ID which should be autofocused. 4723 * 4724 * @type string $control ID for control to be autofocused. 4725 * @type string $section ID for section to be autofocused. 4726 * @type string $panel ID for panel to be autofocused. 4727 * } 4728 */ 4729 public function get_autofocus() { 4730 return $this->autofocus; 4731 } 4732 4733 /** 4734 * Get nonces for the Customizer. 4735 * 4736 * @since 4.5.0 4737 * 4738 * @return array Nonces. 4739 */ 4740 public function get_nonces() { 4741 $nonces = array( 4742 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ), 4743 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ), 4744 'switch_themes' => wp_create_nonce( 'switch_themes' ), 4745 'dismiss_autosave_or_lock' => wp_create_nonce( 'customize_dismiss_autosave_or_lock' ), 4746 'override_lock' => wp_create_nonce( 'customize_override_changeset_lock' ), 4747 'trash' => wp_create_nonce( 'trash_customize_changeset' ), 4748 ); 4749 4750 /** 4751 * Filters nonces for Customizer. 4752 * 4753 * @since 4.2.0 4754 * 4755 * @param string[] $nonces Array of refreshed nonces for save and 4756 * preview actions. 4757 * @param WP_Customize_Manager $this WP_Customize_Manager instance. 4758 */ 4759 $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this ); 4760 4761 return $nonces; 4762 } 4763 4764 /** 4765 * Print JavaScript settings for parent window. 4766 * 4767 * @since 4.4.0 4768 */ 4769 public function customize_pane_settings() { 4770 4771 $login_url = add_query_arg( 4772 array( 4773 'interim-login' => 1, 4774 'customize-login' => 1, 4775 ), 4776 wp_login_url() 4777 ); 4778 4779 // Ensure dirty flags are set for modified settings. 4780 foreach ( array_keys( $this->unsanitized_post_values() ) as $setting_id ) { 4781 $setting = $this->get_setting( $setting_id ); 4782 if ( $setting ) { 4783 $setting->dirty = true; 4784 } 4785 } 4786 4787 $autosave_revision_post = null; 4788 $autosave_autodraft_post = null; 4789 $changeset_post_id = $this->changeset_post_id(); 4790 if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) { 4791 if ( $changeset_post_id ) { 4792 if ( is_user_logged_in() ) { 4793 $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); 4794 } 4795 } else { 4796 $autosave_autodraft_posts = $this->get_changeset_posts( 4797 array( 4798 'posts_per_page' => 1, 4799 'post_status' => 'auto-draft', 4800 'exclude_restore_dismissed' => true, 4801 ) 4802 ); 4803 if ( ! empty( $autosave_autodraft_posts ) ) { 4804 $autosave_autodraft_post = array_shift( $autosave_autodraft_posts ); 4805 } 4806 } 4807 } 4808 4809 $current_user_can_publish = current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts ); 4810 4811 // @todo Include all of the status labels here from script-loader.php, and then allow it to be filtered. 4812 $status_choices = array(); 4813 if ( $current_user_can_publish ) { 4814 $status_choices[] = array( 4815 'status' => 'publish', 4816 'label' => __( 'Publish' ), 4817 ); 4818 } 4819 $status_choices[] = array( 4820 'status' => 'draft', 4821 'label' => __( 'Save Draft' ), 4822 ); 4823 if ( $current_user_can_publish ) { 4824 $status_choices[] = array( 4825 'status' => 'future', 4826 'label' => _x( 'Schedule', 'customizer changeset action/button label' ), 4827 ); 4828 } 4829 4830 // Prepare Customizer settings to pass to JavaScript. 4831 $changeset_post = null; 4832 if ( $changeset_post_id ) { 4833 $changeset_post = get_post( $changeset_post_id ); 4834 } 4835 4836 // Determine initial date to be at present or future, not past. 4837 $current_time = current_time( 'mysql', false ); 4838 $initial_date = $current_time; 4839 if ( $changeset_post ) { 4840 $initial_date = get_the_time( 'Y-m-d H:i:s', $changeset_post->ID ); 4841 if ( $initial_date < $current_time ) { 4842 $initial_date = $current_time; 4843 } 4844 } 4845 4846 $lock_user_id = false; 4847 if ( $this->changeset_post_id() ) { 4848 $lock_user_id = wp_check_post_lock( $this->changeset_post_id() ); 4849 } 4850 4851 $settings = array( 4852 'changeset' => array( 4853 'uuid' => $this->changeset_uuid(), 4854 'branching' => $this->branching(), 4855 'autosaved' => $this->autosaved(), 4856 'hasAutosaveRevision' => ! empty( $autosave_revision_post ), 4857 'latestAutoDraftUuid' => $autosave_autodraft_post ? $autosave_autodraft_post->post_name : null, 4858 'status' => $changeset_post ? $changeset_post->post_status : '', 4859 'currentUserCanPublish' => $current_user_can_publish, 4860 'publishDate' => $initial_date, 4861 'statusChoices' => $status_choices, 4862 'lockUser' => $lock_user_id ? $this->get_lock_user_data( $lock_user_id ) : null, 4863 ), 4864 'initialServerDate' => $current_time, 4865 'dateFormat' => get_option( 'date_format' ), 4866 'timeFormat' => get_option( 'time_format' ), 4867 'initialServerTimestamp' => floor( microtime( true ) * 1000 ), 4868 'initialClientTimestamp' => -1, // To be set with JS below. 4869 'timeouts' => array( 4870 'windowRefresh' => 250, 4871 'changesetAutoSave' => AUTOSAVE_INTERVAL * 1000, 4872 'keepAliveCheck' => 2500, 4873 'reflowPaneContents' => 100, 4874 'previewFrameSensitivity' => 2000, 4875 ), 4876 'theme' => array( 4877 'stylesheet' => $this->get_stylesheet(), 4878 'active' => $this->is_theme_active(), 4879 '_canInstall' => current_user_can( 'install_themes' ), 4880 ), 4881 'url' => array( 4882 'preview' => esc_url_raw( $this->get_preview_url() ), 4883 'return' => esc_url_raw( $this->get_return_url() ), 4884 'parent' => esc_url_raw( admin_url() ), 4885 'activated' => esc_url_raw( home_url( '/' ) ), 4886 'ajax' => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ), 4887 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), 4888 'isCrossDomain' => $this->is_cross_domain(), 4889 'home' => esc_url_raw( home_url( '/' ) ), 4890 'login' => esc_url_raw( $login_url ), 4891 ), 4892 'browser' => array( 4893 'mobile' => wp_is_mobile(), 4894 'ios' => $this->is_ios(), 4895 ), 4896 'panels' => array(), 4897 'sections' => array(), 4898 'nonce' => $this->get_nonces(), 4899 'autofocus' => $this->