/** * Sets up the default filters and actions for most * of the WordPress hooks. * * If you need to remove a default hook, this file will * give you the priority for which to use to remove the * hook. * * Not all of the default hooks are found in default-filters.php * * @package WordPress */ // Strip, trim, kses, special chars for string saves foreach ( array( 'pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target', 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name', 'pre_user_nickname' ) as $filter ) { add_filter( $filter, 'sanitize_text_field' ); add_filter( $filter, 'wp_filter_kses' ); add_filter( $filter, '_wp_specialchars', 30 ); } // Strip, kses, special chars for string display foreach ( array( 'term_name', 'comment_author_name', 'link_name', 'link_target', 'link_rel', 'user_display_name', 'user_first_name', 'user_last_name', 'user_nickname' ) as $filter ) { if ( is_admin() ) { // These are expensive. Run only on admin pages for defense in depth. add_filter( $filter, 'sanitize_text_field' ); add_filter( $filter, 'wp_kses_data' ); } add_filter( $filter, '_wp_specialchars', 30 ); } // Kses only for textarea saves foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) { add_filter( $filter, 'wp_filter_kses' ); } // Kses only for textarea admin displays if ( is_admin() ) { foreach ( array( 'term_description', 'link_description', 'link_notes', 'user_description' ) as $filter ) { add_filter( $filter, 'wp_kses_data' ); } add_filter( 'comment_text', 'wp_kses_post' ); } // Email saves foreach ( array( 'pre_comment_author_email', 'pre_user_email' ) as $filter ) { add_filter( $filter, 'trim' ); add_filter( $filter, 'sanitize_email' ); add_filter( $filter, 'wp_filter_kses' ); } // Email admin display foreach ( array( 'comment_author_email', 'user_email' ) as $filter ) { add_filter( $filter, 'sanitize_email' ); if ( is_admin() ) { add_filter( $filter, 'wp_kses_data' ); } } // Save URL foreach ( array( 'pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image', 'pre_link_rss', 'pre_post_guid', ) as $filter ) { add_filter( $filter, 'wp_strip_all_tags' ); add_filter( $filter, 'esc_url_raw' ); add_filter( $filter, 'wp_filter_kses' ); } // Display URL foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) { if ( is_admin() ) { add_filter( $filter, 'wp_strip_all_tags' ); } add_filter( $filter, 'esc_url' ); if ( is_admin() ) { add_filter( $filter, 'wp_kses_data' ); } } // Slugs add_filter( 'pre_term_slug', 'sanitize_title' ); add_filter( 'wp_insert_post_data', '_wp_customize_changeset_filter_insert_post_data', 10, 2 ); // Keys foreach ( array( 'pre_post_type', 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_status' ) as $filter ) { add_filter( $filter, 'sanitize_key' ); } // Mime types add_filter( 'pre_post_mime_type', 'sanitize_mime_type' ); add_filter( 'post_mime_type', 'sanitize_mime_type' ); // Meta add_filter( 'register_meta_args', '_wp_register_meta_args_whitelist', 10, 2 ); // Post meta add_action( 'added_post_meta', 'wp_cache_set_posts_last_changed' ); add_action( 'updated_post_meta', 'wp_cache_set_posts_last_changed' ); add_action( 'deleted_post_meta', 'wp_cache_set_posts_last_changed' ); // Term meta add_action( 'added_term_meta', 'wp_cache_set_terms_last_changed' ); add_action( 'updated_term_meta', 'wp_cache_set_terms_last_changed' ); add_action( 'deleted_term_meta', 'wp_cache_set_terms_last_changed' ); add_filter( 'get_term_metadata', 'wp_check_term_meta_support_prefilter' ); add_filter( 'add_term_metadata', 'wp_check_term_meta_support_prefilter' ); add_filter( 'update_term_metadata', 'wp_check_term_meta_support_prefilter' ); add_filter( 'delete_term_metadata', 'wp_check_term_meta_support_prefilter' ); add_filter( 'get_term_metadata_by_mid', 'wp_check_term_meta_support_prefilter' ); add_filter( 'update_term_metadata_by_mid', 'wp_check_term_meta_support_prefilter' ); add_filter( 'delete_term_metadata_by_mid', 'wp_check_term_meta_support_prefilter' ); add_filter( 'update_term_metadata_cache', 'wp_check_term_meta_support_prefilter' ); // Comment meta add_action( 'added_comment_meta', 'wp_cache_set_comments_last_changed' ); add_action( 'updated_comment_meta', 'wp_cache_set_comments_last_changed' ); add_action( 'deleted_comment_meta', 'wp_cache_set_comments_last_changed' ); // Places to balance tags on input foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) { add_filter( $filter, 'convert_invalid_entities' ); add_filter( $filter, 'balanceTags', 50 ); } // Add proper rel values for links with target. add_action( 'init', 'wp_init_targeted_link_rel_filters' ); // Format strings for display. foreach ( array( 'comment_author', 'term_name', 'link_name', 'link_description', 'link_notes', 'bloginfo', 'wp_title', 'widget_title' ) as $filter ) { add_filter( $filter, 'wptexturize' ); add_filter( $filter, 'convert_chars' ); add_filter( $filter, 'esc_html' ); } // Format WordPress foreach ( array( 'the_content', 'the_title', 'wp_title' ) as $filter ) { add_filter( $filter, 'capital_P_dangit', 11 ); } add_filter( 'comment_text', 'capital_P_dangit', 31 ); // Format titles foreach ( array( 'single_post_title', 'single_cat_title', 'single_tag_title', 'single_month_title', 'nav_menu_attr_title', 'nav_menu_description' ) as $filter ) { add_filter( $filter, 'wptexturize' ); add_filter( $filter, 'strip_tags' ); } // Format text area for display. foreach ( array( 'term_description', 'get_the_post_type_description' ) as $filter ) { add_filter( $filter, 'wptexturize' ); add_filter( $filter, 'convert_chars' ); add_filter( $filter, 'wpautop' ); add_filter( $filter, 'shortcode_unautop' ); } // Format for RSS add_filter( 'term_name_rss', 'convert_chars' ); // Pre save hierarchy add_filter( 'wp_insert_post_parent', 'wp_check_post_hierarchy_for_loops', 10, 2 ); add_filter( 'wp_update_term_parent', 'wp_check_term_hierarchy_for_loops', 10, 3 ); // Display filters add_filter( 'the_title', 'wptexturize' ); add_filter( 'the_title', 'convert_chars' ); add_filter( 'the_title', 'trim' ); add_filter( 'the_content', 'do_blocks', 9 ); add_filter( 'the_content', 'wptexturize' ); add_filter( 'the_content', 'convert_smilies', 20 ); add_filter( 'the_content', 'wpautop' ); add_filter( 'the_content', 'shortcode_unautop' ); add_filter( 'the_content', 'prepend_attachment' ); add_filter( 'the_content', 'wp_make_content_images_responsive' ); add_filter( 'the_excerpt', 'wptexturize' ); add_filter( 'the_excerpt', 'convert_smilies' ); add_filter( 'the_excerpt', 'convert_chars' ); add_filter( 'the_excerpt', 'wpautop' ); add_filter( 'the_excerpt', 'shortcode_unautop' ); add_filter( 'get_the_excerpt', 'wp_trim_excerpt', 10, 2 ); add_filter( 'the_post_thumbnail_caption', 'wptexturize' ); add_filter( 'the_post_thumbnail_caption', 'convert_smilies' ); add_filter( 'the_post_thumbnail_caption', 'convert_chars' ); add_filter( 'comment_text', 'wptexturize' ); add_filter( 'comment_text', 'convert_chars' ); add_filter( 'comment_text', 'make_clickable', 9 ); add_filter( 'comment_text', 'force_balance_tags', 25 ); add_filter( 'comment_text', 'convert_smilies', 20 ); add_filter( 'comment_text', 'wpautop', 30 ); add_filter( 'comment_excerpt', 'convert_chars' ); add_filter( 'list_cats', 'wptexturize' ); add_filter( 'wp_sprintf', 'wp_sprintf_l', 10, 2 ); add_filter( 'widget_text', 'balanceTags' ); add_filter( 'widget_text_content', 'capital_P_dangit', 11 ); add_filter( 'widget_text_content', 'wptexturize' ); add_filter( 'widget_text_content', 'convert_smilies', 20 ); add_filter( 'widget_text_content', 'wpautop' ); add_filter( 'widget_text_content', 'shortcode_unautop' ); add_filter( 'widget_text_content', 'do_shortcode', 11 ); // Runs after wpautop(); note that $post global will be null when shortcodes run. add_filter( 'date_i18n', 'wp_maybe_decline_date' ); // RSS filters add_filter( 'the_title_rss', 'strip_tags' ); add_filter( 'the_title_rss', 'ent2ncr', 8 ); add_filter( 'the_title_rss', 'esc_html' ); add_filter( 'the_content_rss', 'ent2ncr', 8 ); add_filter( 'the_content_feed', 'wp_staticize_emoji' ); add_filter( 'the_content_feed', '_oembed_filter_feed_content' ); add_filter( 'the_excerpt_rss', 'convert_chars' ); add_filter( 'the_excerpt_rss', 'ent2ncr', 8 ); add_filter( 'comment_author_rss', 'ent2ncr', 8 ); add_filter( 'comment_text_rss', 'ent2ncr', 8 ); add_filter( 'comment_text_rss', 'esc_html' ); add_filter( 'comment_text_rss', 'wp_staticize_emoji' ); add_filter( 'bloginfo_rss', 'ent2ncr', 8 ); add_filter( 'the_author', 'ent2ncr', 8 ); add_filter( 'the_guid', 'esc_url' ); // Email filters add_filter( 'wp_mail', 'wp_staticize_emoji_for_email' ); // Mark site as no longer fresh foreach ( array( 'publish_post', 'publish_page', 'wp_ajax_save-widget', 'wp_ajax_widgets-order', 'customize_save_after' ) as $action ) { add_action( $action, '_delete_option_fresh_site', 0 ); } // Misc filters add_filter( 'option_ping_sites', 'privacy_ping_filter' ); add_filter( 'option_blog_charset', '_wp_specialchars' ); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop add_filter( 'option_blog_charset', '_canonical_charset' ); add_filter( 'option_home', '_config_wp_home' ); add_filter( 'option_siteurl', '_config_wp_siteurl' ); add_filter( 'tiny_mce_before_init', '_mce_set_direction' ); add_filter( 'teeny_mce_before_init', '_mce_set_direction' ); add_filter( 'pre_kses', 'wp_pre_kses_less_than' ); add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 ); add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 ); add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 ); add_filter( 'comment_flood_filter', 'wp_throttle_comment_flood', 10, 3 ); add_filter( 'pre_comment_content', 'wp_rel_nofollow', 15 ); add_filter( 'comment_email', 'antispambot' ); add_filter( 'option_tag_base', '_wp_filter_taxonomy_base' ); add_filter( 'option_category_base', '_wp_filter_taxonomy_base' ); add_filter( 'the_posts', '_close_comments_for_old_posts', 10, 2 ); add_filter( 'comments_open', '_close_comments_for_old_post', 10, 2 ); add_filter( 'pings_open', '_close_comments_for_old_post', 10, 2 ); add_filter( 'editable_slug', 'urldecode' ); add_filter( 'editable_slug', 'esc_textarea' ); add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object' ); add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri' ); add_filter( 'xmlrpc_pingback_error', 'xmlrpc_pingback_error' ); add_filter( 'title_save_pre', 'trim' ); add_action( 'transition_comment_status', '_clear_modified_cache_on_transition_comment_status', 10, 2 ); add_filter( 'http_request_host_is_external', 'allowed_http_request_hosts', 10, 2 ); // REST API filters. add_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' ); add_action( 'wp_head', 'rest_output_link_wp_head', 10, 0 ); add_action( 'template_redirect', 'rest_output_link_header', 11, 0 ); add_action( 'auth_cookie_malformed', 'rest_cookie_collect_status' ); add_action( 'auth_cookie_expired', 'rest_cookie_collect_status' ); add_action( 'auth_cookie_bad_username', 'rest_cookie_collect_status' ); add_action( 'auth_cookie_bad_hash', 'rest_cookie_collect_status' ); add_action( 'auth_cookie_valid', 'rest_cookie_collect_status' ); add_filter( 'rest_authentication_errors', 'rest_cookie_check_errors', 100 ); // Actions add_action( 'wp_head', '_wp_render_title_tag', 1 ); add_action( 'wp_head', 'wp_enqueue_scripts', 1 ); add_action( 'wp_head', 'wp_resource_hints', 2 ); add_action( 'wp_head', 'feed_links', 2 ); add_action( 'wp_head', 'feed_links_extra', 3 ); add_action( 'wp_head', 'rsd_link' ); add_action( 'wp_head', 'wlwmanifest_link' ); add_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 ); add_action( 'wp_head', 'locale_stylesheet' ); add_action( 'publish_future_post', 'check_and_publish_future_post', 10, 1 ); add_action( 'wp_head', 'noindex', 1 ); add_action( 'wp_head', 'print_emoji_detection_script', 7 ); add_action( 'wp_head', 'wp_print_styles', 8 ); add_action( 'wp_head', 'wp_print_head_scripts', 9 ); add_action( 'wp_head', 'wp_generator' ); add_action( 'wp_head', 'rel_canonical' ); add_action( 'wp_head', 'wp_shortlink_wp_head', 10, 0 ); add_action( 'wp_head', 'wp_custom_css_cb', 101 ); add_action( 'wp_head', 'wp_site_icon', 99 ); add_action( 'wp_footer', 'wp_print_footer_scripts', 20 ); add_action( 'template_redirect', 'wp_shortlink_header', 11, 0 ); add_action( 'wp_print_footer_scripts', '_wp_footer_scripts' ); add_action( 'init', 'check_theme_switched', 99 ); add_action( 'after_switch_theme', '_wp_menus_changed' ); add_action( 'after_switch_theme', '_wp_sidebars_changed' ); add_action( 'wp_print_styles', 'print_emoji_styles' ); if ( isset( $_GET['replytocom'] ) ) { add_action( 'wp_head', 'wp_no_robots' ); } // Login actions add_filter( 'login_head', 'wp_resource_hints', 8 ); add_action( 'login_head', 'wp_print_head_scripts', 9 ); add_action( 'login_head', 'print_admin_styles', 9 ); add_action( 'login_head', 'wp_site_icon', 99 ); add_action( 'login_footer', 'wp_print_footer_scripts', 20 ); add_action( 'login_init', 'send_frame_options_header', 10, 0 ); // Feed Generator Tags foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) { add_action( $action, 'the_generator' ); } // Feed Site Icon add_action( 'atom_head', 'atom_site_icon' ); add_action( 'rss2_head', 'rss2_site_icon' ); // WP Cron if ( ! defined( 'DOING_CRON' ) ) { add_action( 'init', 'wp_cron' ); } // 2 Actions 2 Furious add_action( 'do_feed_rdf', 'do_feed_rdf', 10, 1 ); add_action( 'do_feed_rss', 'do_feed_rss', 10, 1 ); add_action( 'do_feed_rss2', 'do_feed_rss2', 10, 1 ); add_action( 'do_feed_atom', 'do_feed_atom', 10, 1 ); add_action( 'do_pings', 'do_all_pings', 10, 1 ); add_action( 'do_robots', 'do_robots' ); add_action( 'set_comment_cookies', 'wp_set_comment_cookies', 10, 3 ); add_action( 'sanitize_comment_cookies', 'sanitize_comment_cookies' ); add_action( 'admin_print_scripts', 'print_emoji_detection_script' ); add_action( 'admin_print_scripts', 'print_head_scripts', 20 ); add_action( 'admin_print_footer_scripts', '_wp_footer_scripts' ); add_action( 'admin_print_styles', 'print_emoji_styles' ); add_action( 'admin_print_styles', 'print_admin_styles', 20 ); add_action( 'init', 'smilies_init', 5 ); add_action( 'plugins_loaded', 'wp_maybe_load_widgets', 0 ); add_action( 'plugins_loaded', 'wp_maybe_load_embeds', 0 ); add_action( 'shutdown', 'wp_ob_end_flush_all', 1 ); // Create a revision whenever a post is updated. add_action( 'post_updated', 'wp_save_post_revision', 10, 1 ); add_action( 'publish_post', '_publish_post_hook', 5, 1 ); add_action( 'transition_post_status', '_transition_post_status', 5, 3 ); add_action( 'transition_post_status', '_update_term_count_on_transition_post_status', 10, 3 ); add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce' ); add_action( 'admin_init', 'send_frame_options_header', 10, 0 ); add_action( 'welcome_panel', 'wp_welcome_panel' ); // Privacy add_action( 'user_request_action_confirmed', '_wp_privacy_account_request_confirmed' ); add_action( 'user_request_action_confirmed', '_wp_privacy_send_request_confirmation_notification', 12 ); // After request marked as completed. add_filter( 'wp_privacy_personal_data_exporters', 'wp_register_comment_personal_data_exporter' ); add_filter( 'wp_privacy_personal_data_exporters', 'wp_register_media_personal_data_exporter' ); add_filter( 'wp_privacy_personal_data_exporters', 'wp_register_user_personal_data_exporter', 1 ); add_filter( 'wp_privacy_personal_data_erasers', 'wp_register_comment_personal_data_eraser' ); add_action( 'init', 'wp_schedule_delete_old_privacy_export_files' ); add_action( 'wp_privacy_delete_old_export_files', 'wp_privacy_delete_old_export_files' ); // Cron tasks add_action( 'wp_scheduled_delete', 'wp_scheduled_delete' ); add_action( 'wp_scheduled_auto_draft_delete', 'wp_delete_auto_drafts' ); add_action( 'importer_scheduled_cleanup', 'wp_delete_attachment' ); add_action( 'upgrader_scheduled_cleanup', 'wp_delete_attachment' ); add_action( 'delete_expired_transients', 'delete_expired_transients' ); // Navigation menu actions add_action( 'delete_post', '_wp_delete_post_menu_item' ); add_action( 'delete_term', '_wp_delete_tax_menu_item', 10, 3 ); add_action( 'transition_post_status', '_wp_auto_add_pages_to_menu', 10, 3 ); add_action( 'delete_post', '_wp_delete_customize_changeset_dependent_auto_drafts' ); // Post Thumbnail CSS class filtering add_action( 'begin_fetch_post_thumbnail_html', '_wp_post_thumbnail_class_filter_add' ); add_action( 'end_fetch_post_thumbnail_html', '_wp_post_thumbnail_class_filter_remove' ); // Redirect Old Slugs add_action( 'template_redirect', 'wp_old_slug_redirect' ); add_action( 'post_updated', 'wp_check_for_changed_slugs', 12, 3 ); add_action( 'attachment_updated', 'wp_check_for_changed_slugs', 12, 3 ); // Redirect Old Dates add_action( 'post_updated', 'wp_check_for_changed_dates', 12, 3 ); add_action( 'attachment_updated', 'wp_check_for_changed_dates', 12, 3 ); // Nonce check for Post Previews add_action( 'init', '_show_post_preview' ); // Output JS to reset window.name for previews add_action( 'wp_head', 'wp_post_preview_js', 1 ); // Timezone add_filter( 'pre_option_gmt_offset', 'wp_timezone_override_offset' ); // Admin Color Schemes add_action( 'admin_init', 'register_admin_color_schemes', 1 ); add_action( 'admin_color_scheme_picker', 'admin_color_scheme_picker' ); // If the upgrade hasn't run yet, assume link manager is used. add_filter( 'default_option_link_manager_enabled', '__return_true' ); // This option no longer exists; tell plugins we always support auto-embedding. add_filter( 'pre_option_embed_autourls', '__return_true' ); // Default settings for heartbeat add_filter( 'heartbeat_settings', 'wp_heartbeat_settings' ); // Check if the user is logged out add_action( 'admin_enqueue_scripts', 'wp_auth_check_load' ); add_filter( 'heartbeat_send', 'wp_auth_check' ); add_filter( 'heartbeat_nopriv_send', 'wp_auth_check' ); // Default authentication filters add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 ); add_filter( 'authenticate', 'wp_authenticate_email_password', 20, 3 ); add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 ); add_filter( 'determine_current_user', 'wp_validate_auth_cookie' ); add_filter( 'determine_current_user', 'wp_validate_logged_in_cookie', 20 ); // Split term updates. add_action( 'admin_init', '_wp_check_for_scheduled_split_terms' ); add_action( 'split_shared_term', '_wp_check_split_default_terms', 10, 4 ); add_action( 'split_shared_term', '_wp_check_split_terms_in_menus', 10, 4 ); add_action( 'split_shared_term', '_wp_check_split_nav_menu_terms', 10, 4 ); add_action( 'wp_split_shared_term_batch', '_wp_batch_split_terms' ); // Email notifications. add_action( 'comment_post', 'wp_new_comment_notify_moderator' ); add_action( 'comment_post', 'wp_new_comment_notify_postauthor' ); add_action( 'after_password_reset', 'wp_password_change_notification' ); add_action( 'register_new_user', 'wp_send_new_user_notifications' ); add_action( 'edit_user_created_user', 'wp_send_new_user_notifications', 10, 2 ); // REST API actions. add_action( 'init', 'rest_api_init' ); add_action( 'rest_api_init', 'rest_api_default_filters', 10, 1 ); add_action( 'rest_api_init', 'register_initial_settings', 10 ); add_action( 'rest_api_init', 'create_initial_rest_routes', 99 ); add_action( 'parse_request', 'rest_api_loaded' ); /** * Filters formerly mixed into wp-includes */ // Theme add_action( 'wp_loaded', '_custom_header_background_just_in_time' ); add_action( 'wp_head', '_custom_logo_header_styles' ); add_action( 'plugins_loaded', '_wp_customize_include' ); add_action( 'transition_post_status', '_wp_customize_publish_changeset', 10, 3 ); add_action( 'admin_enqueue_scripts', '_wp_customize_loader_settings' ); add_action( 'delete_attachment', '_delete_attachment_theme_mod' ); add_action( 'transition_post_status', '_wp_keep_alive_customize_changeset_dependent_auto_drafts', 20, 3 ); // Calendar widget cache add_action( 'save_post', 'delete_get_calendar_cache' ); add_action( 'delete_post', 'delete_get_calendar_cache' ); add_action( 'update_option_start_of_week', 'delete_get_calendar_cache' ); add_action( 'update_option_gmt_offset', 'delete_get_calendar_cache' ); // Author add_action( 'transition_post_status', '__clear_multi_author_cache' ); // Post add_action( 'init', 'create_initial_post_types', 0 ); // highest priority add_action( 'admin_menu', '_add_post_type_submenus' ); add_action( 'before_delete_post', '_reset_front_page_settings_for_post' ); add_action( 'wp_trash_post', '_reset_front_page_settings_for_post' ); add_action( 'change_locale', 'create_initial_post_types' ); // Post Formats add_filter( 'request', '_post_format_request' ); add_filter( 'term_link', '_post_format_link', 10, 3 ); add_filter( 'get_post_format', '_post_format_get_term' ); add_filter( 'get_terms', '_post_format_get_terms', 10, 3 ); add_filter( 'wp_get_object_terms', '_post_format_wp_get_object_terms' ); // KSES add_action( 'init', 'kses_init' ); add_action( 'set_current_user', 'kses_init' ); // Script Loader add_action( 'wp_default_scripts', 'wp_default_scripts' ); add_action( 'wp_default_scripts', 'wp_default_packages' ); add_action( 'wp_enqueue_scripts', 'wp_localize_jquery_ui_datepicker', 1000 ); add_action( 'admin_enqueue_scripts', 'wp_localize_jquery_ui_datepicker', 1000 ); add_action( 'wp_enqueue_scripts', 'wp_common_block_scripts_and_styles' ); add_action( 'admin_enqueue_scripts', 'wp_common_block_scripts_and_styles' ); add_action( 'enqueue_block_assets', 'wp_enqueue_registered_block_scripts_and_styles' ); add_action( 'enqueue_block_editor_assets', 'wp_enqueue_registered_block_scripts_and_styles' ); add_action( 'admin_print_scripts-index.php', 'wp_localize_community_events' ); add_filter( 'wp_print_scripts', 'wp_just_in_time_script_localization' ); add_filter( 'print_scripts_array', 'wp_prototype_before_jquery' ); add_filter( 'customize_controls_print_styles', 'wp_resource_hints', 1 ); add_action( 'wp_default_styles', 'wp_default_styles' ); add_filter( 'style_loader_src', 'wp_style_loader_src', 10, 2 ); // Taxonomy add_action( 'init', 'create_initial_taxonomies', 0 ); // highest priority add_action( 'change_locale', 'create_initial_taxonomies' ); // Canonical add_action( 'template_redirect', 'redirect_canonical' ); add_action( 'template_redirect', 'wp_redirect_admin_locations', 1000 ); // Shortcodes add_filter( 'the_content', 'do_shortcode', 11 ); // AFTER wpautop() // Media add_action( 'wp_playlist_scripts', 'wp_playlist_scripts' ); add_action( 'customize_controls_enqueue_scripts', 'wp_plupload_default_settings' ); // Nav menu add_filter( 'nav_menu_item_id', '_nav_menu_item_id_use_once', 10, 2 ); // Widgets add_action( 'init', 'wp_widgets_init', 1 ); // Admin Bar // Don't remove. Wrong way to disable. add_action( 'template_redirect', '_wp_admin_bar_init', 0 ); add_action( 'admin_init', '_wp_admin_bar_init' ); add_action( 'before_signup_header', '_wp_admin_bar_init' ); add_action( 'activate_header', '_wp_admin_bar_init' ); add_action( 'wp_footer', 'wp_admin_bar_render', 1000 ); add_action( 'in_admin_header', 'wp_admin_bar_render', 0 ); // Former admin filters that can also be hooked on the front end add_action( 'media_buttons', 'media_buttons' ); add_filter( 'image_send_to_editor', 'image_add_caption', 20, 8 ); add_filter( 'media_send_to_editor', 'image_media_send_to_editor', 10, 3 ); // Embeds add_action( 'rest_api_init', 'wp_oembed_register_route' ); add_filter( 'rest_pre_serve_request', '_oembed_rest_pre_serve_request', 10, 4 ); add_action( 'wp_head', 'wp_oembed_add_discovery_links' ); add_action( 'wp_head', 'wp_oembed_add_host_js' ); add_action( 'embed_head', 'enqueue_embed_scripts', 1 ); add_action( 'embed_head', 'print_emoji_detection_script' ); add_action( 'embed_head', 'print_embed_styles' ); add_action( 'embed_head', 'wp_print_head_scripts', 20 ); add_action( 'embed_head', 'wp_print_styles', 20 ); add_action( 'embed_head', 'wp_no_robots' ); add_action( 'embed_head', 'rel_canonical' ); add_action( 'embed_head', 'locale_stylesheet', 30 ); add_action( 'embed_content_meta', 'print_embed_comments_button' ); add_action( 'embed_content_meta', 'print_embed_sharing_button' ); add_action( 'embed_footer', 'print_embed_sharing_dialog' ); add_action( 'embed_footer', 'print_embed_scripts' ); add_action( 'embed_footer', 'wp_print_footer_scripts', 20 ); add_filter( 'excerpt_more', 'wp_embed_excerpt_more', 20 ); add_filter( 'the_excerpt_embed', 'wptexturize' ); add_filter( 'the_excerpt_embed', 'convert_chars' ); add_filter( 'the_excerpt_embed', 'wpautop' ); add_filter( 'the_excerpt_embed', 'shortcode_unautop' ); add_filter( 'the_excerpt_embed', 'wp_embed_excerpt_attachment' ); add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 5, 3 ); add_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10, 3 ); add_filter( 'oembed_response_data', 'get_oembed_response_data_rich', 10, 4 ); add_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10, 3 ); // Capabilities add_filter( 'user_has_cap', 'wp_maybe_grant_install_languages_cap', 1 ); add_filter( 'user_has_cap', 'wp_maybe_grant_resume_extensions_caps', 1 ); add_filter( 'user_has_cap', 'wp_maybe_grant_site_health_caps', 1, 4 ); unset( $filter, $action ); /** * Core User Role & Capabilities API * * @package WordPress * @subpackage Users */ /** * Map meta capabilities to primitive capabilities. * * This does not actually compare whether the user ID has the actual capability, * just what the capability or capabilities are. Meta capability list value can * be 'delete_user', 'edit_user', 'remove_user', 'promote_user', 'delete_post', * 'delete_page', 'edit_post', 'edit_page', 'read_post', or 'read_page'. * * @since 2.0.0 * * @global array $post_type_meta_caps Used to get post type meta capabilities. * * @param string $cap Capability name. * @param int $user_id User ID. * @param int $object_id Optional. ID of the specific object to check against if `$cap` is a "meta" cap. * "Meta" capabilities, e.g. 'edit_post', 'edit_user', etc., are capabilities used * by map_meta_cap() to map to other "primitive" capabilities, e.g. 'edit_posts', * 'edit_others_posts', etc. The parameter is accessed via func_get_args(). * @return array Actual capabilities for meta capability. */ function map_meta_cap( $cap, $user_id ) { $args = array_slice( func_get_args(), 2 ); $caps = array(); switch ( $cap ) { case 'remove_user': // In multisite the user must be a super admin to remove themselves. if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; } else { $caps[] = 'remove_users'; } break; case 'promote_user': case 'add_users': $caps[] = 'promote_users'; break; case 'edit_user': case 'edit_users': // Allow user to edit itself if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] ) { break; } // In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin. if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) { $caps[] = 'do_not_allow'; } else { $caps[] = 'edit_users'; // edit_user maps to edit_users. } break; case 'delete_post': case 'delete_page': $post = get_post( $args[0] ); if ( ! $post ) { $caps[] = 'do_not_allow'; break; } if ( 'revision' == $post->post_type ) { $post = get_post( $post->post_parent ); if ( ! $post ) { $caps[] = 'do_not_allow'; break; } } if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) { $caps[] = 'manage_options'; break; } $post_type = get_post_type_object( $post->post_type ); if ( ! $post_type ) { /* translators: 1: post type, 2: capability name */ _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); $caps[] = 'edit_others_posts'; break; } if ( ! $post_type->map_meta_cap ) { $caps[] = $post_type->cap->$cap; // Prior to 3.1 we would re-call map_meta_cap here. if ( 'delete_post' == $cap ) { $cap = $post_type->cap->$cap; } break; } // If the post author is set and the user is the author... if ( $post->post_author && $user_id == $post->post_author ) { // If the post is published or scheduled... if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { $caps[] = $post_type->cap->delete_published_posts; } elseif ( 'trash' == $post->post_status ) { $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true ); if ( in_array( $status, array( 'publish', 'future' ), true ) ) { $caps[] = $post_type->cap->delete_published_posts; } else { $caps[] = $post_type->cap->delete_posts; } } else { // If the post is draft... $caps[] = $post_type->cap->delete_posts; } } else { // The user is trying to edit someone else's post. $caps[] = $post_type->cap->delete_others_posts; // The post is published or scheduled, extra cap required. if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { $caps[] = $post_type->cap->delete_published_posts; } elseif ( 'private' == $post->post_status ) { $caps[] = $post_type->cap->delete_private_posts; } } /* * Setting the privacy policy page requires `manage_privacy_options`, * so deleting it should require that too. */ if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) { $caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) ); } break; // edit_post breaks down to edit_posts, edit_published_posts, or // edit_others_posts case 'edit_post': case 'edit_page': $post = get_post( $args[0] ); if ( ! $post ) { $caps[] = 'do_not_allow'; break; } if ( 'revision' == $post->post_type ) { $post = get_post( $post->post_parent ); if ( ! $post ) { $caps[] = 'do_not_allow'; break; } } $post_type = get_post_type_object( $post->post_type ); if ( ! $post_type ) { /* translators: 1: post type, 2: capability name */ _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); $caps[] = 'edit_others_posts'; break; } if ( ! $post_type->map_meta_cap ) { $caps[] = $post_type->cap->$cap; // Prior to 3.1 we would re-call map_meta_cap here. if ( 'edit_post' == $cap ) { $cap = $post_type->cap->$cap; } break; } // If the post author is set and the user is the author... if ( $post->post_author && $user_id == $post->post_author ) { // If the post is published or scheduled... if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { $caps[] = $post_type->cap->edit_published_posts; } elseif ( 'trash' == $post->post_status ) { $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true ); if ( in_array( $status, array( 'publish', 'future' ), true ) ) { $caps[] = $post_type->cap->edit_published_posts; } else { $caps[] = $post_type->cap->edit_posts; } } else { // If the post is draft... $caps[] = $post_type->cap->edit_posts; } } else { // The user is trying to edit someone else's post. $caps[] = $post_type->cap->edit_others_posts; // The post is published or scheduled, extra cap required. if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { $caps[] = $post_type->cap->edit_published_posts; } elseif ( 'private' == $post->post_status ) { $caps[] = $post_type->cap->edit_private_posts; } } /* * Setting the privacy policy page requires `manage_privacy_options`, * so editing it should require that too. */ if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) { $caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) ); } break; case 'read_post': case 'read_page': $post = get_post( $args[0] ); if ( ! $post ) { $caps[] = 'do_not_allow'; break; } if ( 'revision' == $post->post_type ) { $post = get_post( $post->post_parent ); if ( ! $post ) { $caps[] = 'do_not_allow'; break; } } $post_type = get_post_type_object( $post->post_type ); if ( ! $post_type ) { /* translators: 1: post type, 2: capability name */ _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); $caps[] = 'edit_others_posts'; break; } if ( ! $post_type->map_meta_cap ) { $caps[] = $post_type->cap->$cap; // Prior to 3.1 we would re-call map_meta_cap here. if ( 'read_post' == $cap ) { $cap = $post_type->cap->$cap; } break; } $status_obj = get_post_status_object( $post->post_status ); if ( $status_obj->public ) { $caps[] = $post_type->cap->read; break; } if ( $post->post_author && $user_id == $post->post_author ) { $caps[] = $post_type->cap->read; } elseif ( $status_obj->private ) { $caps[] = $post_type->cap->read_private_posts; } else { $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); } break; case 'publish_post': $post = get_post( $args[0] ); if ( ! $post ) { $caps[] = 'do_not_allow'; break; } $post_type = get_post_type_object( $post->post_type ); if ( ! $post_type ) { /* translators: 1: post type, 2: capability name */ _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); $caps[] = 'edit_others_posts'; break; } $caps[] = $post_type->cap->publish_posts; break; case 'edit_post_meta': case 'delete_post_meta': case 'add_post_meta': case 'edit_comment_meta': case 'delete_comment_meta': case 'add_comment_meta': case 'edit_term_meta': case 'delete_term_meta': case 'add_term_meta': case 'edit_user_meta': case 'delete_user_meta': case 'add_user_meta': list( $_, $object_type, $_ ) = explode( '_', $cap ); $object_id = (int) $args[0]; $object_subtype = get_object_subtype( $object_type, $object_id ); if ( empty( $object_subtype ) ) { $caps[] = 'do_not_allow'; break; } $caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id ); $meta_key = isset( $args[1] ) ? $args[1] : false; if ( $meta_key ) { $allowed = ! is_protected_meta( $meta_key, $object_type ); if ( ! empty( $object_subtype ) && has_filter( "auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}" ) ) { /** * Filters whether the user is allowed to edit a specific meta key of a specific object type and subtype. * * The dynamic portions of the hook name, `$object_type`, `$meta_key`, * and `$object_subtype`, refer to the metadata object type (comment, post, term or user), * the meta key value, and the object subtype respectively. * * @since 4.9.8 * * @param bool $allowed Whether the user can add the object meta. Default false. * @param string $meta_key The meta key. * @param int $object_id Object ID. * @param int $user_id User ID. * @param string $cap Capability name. * @param string[] $caps Array of the user's capabilities. */ $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps ); } else { /** * Filters whether the user is allowed to edit a specific meta key of a specific object type. * * Return true to have the mapped meta caps from `edit_{$object_type}` apply. * * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered. * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap(). * * @since 3.3.0 As `auth_post_meta_{$meta_key}`. * @since 4.6.0 * * @param bool $allowed Whether the user can add the object meta. Default false. * @param string $meta_key The meta key. * @param int $object_id Object ID. * @param int $user_id User ID. * @param string $cap Capability name. * @param string[] $caps Array of the user's capabilities. */ $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps ); } if ( ! empty( $object_subtype ) ) { /** * Filters whether the user is allowed to edit meta for specific object types/subtypes. * * Return true to have the mapped meta caps from `edit_{$object_type}` apply. * * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered. * The dynamic portion of the hook name, `$object_subtype` refers to the object subtype being filtered. * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap(). * * @since 4.6.0 As `auth_post_{$post_type}_meta_{$meta_key}`. * @since 4.7.0 * @deprecated 4.9.8 Use `auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}` * * @param bool $allowed Whether the user can add the object meta. Default false. * @param string $meta_key The meta key. * @param int $object_id Object ID. * @param int $user_id User ID. * @param string $cap Capability name. * @param string[] $caps Array of the user's capabilities. */ $allowed = apply_filters_deprecated( "auth_{$object_type}_{$object_subtype}_meta_{$meta_key}", array( $allowed, $meta_key, $object_id, $user_id, $cap, $caps ), '4.9.8', "auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}" ); } if ( ! $allowed ) { $caps[] = $cap; } } break; case 'edit_comment': $comment = get_comment( $args[0] ); if ( ! $comment ) { $caps[] = 'do_not_allow'; break; } $post = get_post( $comment->comment_post_ID ); /* * If the post doesn't exist, we have an orphaned comment. * Fall back to the edit_posts capability, instead. */ if ( $post ) { $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); } else { $caps = map_meta_cap( 'edit_posts', $user_id ); } break; case 'unfiltered_upload': if ( defined( 'ALLOW_UNFILTERED_UPLOADS' ) && ALLOW_UNFILTERED_UPLOADS && ( ! is_multisite() || is_super_admin( $user_id ) ) ) { $caps[] = $cap; } else { $caps[] = 'do_not_allow'; } break; case 'edit_css': case 'unfiltered_html': // Disallow unfiltered_html for all users, even admins and super admins. if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) { $caps[] = 'do_not_allow'; } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; } else { $caps[] = 'unfiltered_html'; } break; case 'edit_files': case 'edit_plugins': case 'edit_themes': // Disallow the file editors. if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) { $caps[] = 'do_not_allow'; } elseif ( ! wp_is_file_mod_allowed( 'capability_edit_themes' ) ) { $caps[] = 'do_not_allow'; } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; } else { $caps[] = $cap; } break; case 'update_plugins': case 'delete_plugins': case 'install_plugins': case 'upload_plugins': case 'update_themes': case 'delete_themes': case 'install_themes': case 'upload_themes': case 'update_core': // Disallow anything that creates, deletes, or updates core, plugin, or theme files. // Files in uploads are excepted. if ( ! wp_is_file_mod_allowed( 'capability_update_core' ) ) { $caps[] = 'do_not_allow'; } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; } elseif ( 'upload_themes' === $cap ) { $caps[] = 'install_themes'; } elseif ( 'upload_plugins' === $cap ) { $caps[] = 'install_plugins'; } else { $caps[] = $cap; } break; case 'install_languages': case 'update_languages': if ( ! wp_is_file_mod_allowed( 'can_install_language_pack' ) ) { $caps[] = 'do_not_allow'; } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; } else { $caps[] = 'install_languages'; } break; case 'activate_plugins': case 'deactivate_plugins': case 'activate_plugin': case 'deactivate_plugin': $caps[] = 'activate_plugins'; if ( is_multisite() ) { // update_, install_, and delete_ are handled above with is_super_admin(). $menu_perms = get_site_option( 'menu_items', array() ); if ( empty( $menu_perms['plugins'] ) ) { $caps[] = 'manage_network_plugins'; } } break; case 'resume_plugin': $caps[] = 'resume_plugins'; break; case 'resume_theme': $caps[] = 'resume_themes'; break; case 'delete_user': case 'delete_users': // If multisite only super admins can delete users. if ( is_multisite() && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; } else { $caps[] = 'delete_users'; // delete_user maps to delete_users. } break; case 'create_users': if ( ! is_multisite() ) { $caps[] = $cap; } elseif ( is_super_admin( $user_id ) || get_site_option( 'add_new_users' ) ) { $caps[] = $cap; } else { $caps[] = 'do_not_allow'; } break; case 'manage_links': if ( get_option( 'link_manager_enabled' ) ) { $caps[] = $cap; } else { $caps[] = 'do_not_allow'; } break; case 'customize': $caps[] = 'edit_theme_options'; break; case 'delete_site': if ( is_multisite() ) { $caps[] = 'manage_options'; } else { $caps[] = 'do_not_allow'; } break; case 'edit_term': case 'delete_term': case 'assign_term': $term_id = (int) $args[0]; $term = get_term( $term_id ); if ( ! $term || is_wp_error( $term ) ) { $caps[] = 'do_not_allow'; break; } $tax = get_taxonomy( $term->taxonomy ); if ( ! $tax ) { $caps[] = 'do_not_allow'; break; } if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) { $caps[] = 'do_not_allow'; break; } $taxo_cap = $cap . 's'; $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id ); break; case 'manage_post_tags': case 'edit_categories': case 'edit_post_tags': case 'delete_categories': case 'delete_post_tags': $caps[] = 'manage_categories'; break; case 'assign_categories': case 'assign_post_tags': $caps[] = 'edit_posts'; break; case 'create_sites': case 'delete_sites': case 'manage_network': case 'manage_sites': case 'manage_network_users': case 'manage_network_plugins': case 'manage_network_themes': case 'manage_network_options': case 'upgrade_network': $caps[] = $cap; break; case 'setup_network': if ( is_multisite() ) { $caps[] = 'manage_network_options'; } else { $caps[] = 'manage_options'; } break; case 'update_php': if ( is_multisite() && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; } else { $caps[] = 'update_core'; } break; case 'export_others_personal_data': case 'erase_others_personal_data': case 'manage_privacy_options': $caps[] = is_multisite() ? 'manage_network' : 'manage_options'; break; default: // Handle meta capabilities for custom post types. global $post_type_meta_caps; if ( isset( $post_type_meta_caps[ $cap ] ) ) { $args = array_merge( array( $post_type_meta_caps[ $cap ], $user_id ), $args ); return call_user_func_array( 'map_meta_cap', $args ); } // Block capabilities map to their post equivalent. $block_caps = array( 'edit_blocks', 'edit_others_blocks', 'publish_blocks', 'read_private_blocks', 'delete_blocks', 'delete_private_blocks', 'delete_published_blocks', 'delete_others_blocks', 'edit_private_blocks', 'edit_published_blocks', ); if ( in_array( $cap, $block_caps, true ) ) { $cap = str_replace( '_blocks', '_posts', $cap ); } // If no meta caps match, return the original cap. $caps[] = $cap; } /** * Filters a user's capabilities depending on specific context and/or privilege. * * @since 2.8.0 * * @param string[] $caps Array of the user's capabilities. * @param string $cap Capability name. * @param int $user_id The user ID. * @param array $args Adds the context to the cap. Typically the object ID. */ return apply_filters( 'map_meta_cap', $caps, $cap, $user_id, $args ); } /** * Whether the current user has a specific capability. * * While checking against particular roles in place of a capability is supported * in part, this practice is discouraged as it may produce unreliable results. * * Note: Will always return true if the current user is a super admin, unless specifically denied. * * @since 2.0.0 * * @see WP_User::has_cap() * @see map_meta_cap() * * @param string $capability Capability name. * @param int $object_id Optional. ID of the specific object to check against if `$capability` is a "meta" cap. * "Meta" capabilities, e.g. 'edit_post', 'edit_user', etc., are capabilities used * by map_meta_cap() to map to other "primitive" capabilities, e.g. 'edit_posts', * 'edit_others_posts', etc. Accessed via func_get_args() and passed to WP_User::has_cap(), * then map_meta_cap(). * @return bool Whether the current user has the given capability. If `$capability` is a meta cap and `$object_id` is * passed, whether the current user has the given meta capability for the given object. */ function current_user_can( $capability ) { $current_user = wp_get_current_user(); if ( empty( $current_user ) ) { return false; } $args = array_slice( func_get_args(), 1 ); $args = array_merge( array( $capability ), $args ); return call_user_func_array( array( $current_user, 'has_cap' ), $args ); } /** * Whether the current user has a specific capability for a given site. * * @since 3.0.0 * * @param int $blog_id Site ID. * @param string $capability Capability name. * @return bool Whether the user has the given capability. */ function current_user_can_for_blog( $blog_id, $capability ) { $switched = is_multisite() ? switch_to_blog( $blog_id ) : false; $current_user = wp_get_current_user(); if ( empty( $current_user ) ) { if ( $switched ) { restore_current_blog(); } return false; } $args = array_slice( func_get_args(), 2 ); $args = array_merge( array( $capability ), $args ); $can = call_user_func_array( array( $current_user, 'has_cap' ), $args ); if ( $switched ) { restore_current_blog(); } return $can; } /** * Whether the author of the supplied post has a specific capability. * * @since 2.9.0 * * @param int|WP_Post $post Post ID or post object. * @param string $capability Capability name. * @return bool Whether the post author has the given capability. */ function author_can( $post, $capability ) { if ( ! $post = get_post( $post ) ) { return false; } $author = get_userdata( $post->post_author ); if ( ! $author ) { return false; } $args = array_slice( func_get_args(), 2 ); $args = array_merge( array( $capability ), $args ); return call_user_func_array( array( $author, 'has_cap' ), $args ); } /** * Whether a particular user has a specific capability. * * @since 3.1.0 * * @param int|WP_User $user User ID or object. * @param string $capability Capability name. * @return bool Whether the user has the given capability. */ function user_can( $user, $capability ) { if ( ! is_object( $user ) ) { $user = get_userdata( $user ); } if ( ! $user || ! $user->exists() ) { return false; } $args = array_slice( func_get_args(), 2 ); $args = array_merge( array( $capability ), $args ); return call_user_func_array( array( $user, 'has_cap' ), $args ); } /** * Retrieves the global WP_Roles instance and instantiates it if necessary. * * @since 4.3.0 * * @global WP_Roles $wp_roles WP_Roles global instance. * * @return WP_Roles WP_Roles global instance if not already instantiated. */ function wp_roles() { global $wp_roles; if ( ! isset( $wp_roles ) ) { $wp_roles = new WP_Roles(); } return $wp_roles; } /** * Retrieve role object. * * @since 2.0.0 * * @param string $role Role name. * @return WP_Role|null WP_Role object if found, null if the role does not exist. */ function get_role( $role ) { return wp_roles()->get_role( $role ); } /** * Add role, if it does not exist. * * @since 2.0.0 * * @param string $role Role name. * @param string $display_name Display name for role. * @param array $capabilities List of capabilities, e.g. array( 'edit_posts' => true, 'delete_posts' => false ); * @return WP_Role|null WP_Role object if role is added, null if already exists. */ function add_role( $role, $display_name, $capabilities = array() ) { if ( empty( $role ) ) { return; } return wp_roles()->add_role( $role, $display_name, $capabilities ); } /** * Remove role, if it exists. * * @since 2.0.0 * * @param string $role Role name. */ function remove_role( $role ) { wp_roles()->remove_role( $role ); } /** * Retrieve a list of super admins. * * @since 3.0.0 * * @global array $super_admins * * @return array List of super admin logins */ function get_super_admins() { global $super_admins; if ( isset( $super_admins ) ) { return $super_admins; } else { return get_site_option( 'site_admins', array( 'admin' ) ); } } /** * Determine if user is a site admin. * * @since 3.0.0 * * @param int $user_id (Optional) The ID of a user. Defaults to the current user. * @return bool True if the user is a site admin. */ function is_super_admin( $user_id = false ) { if ( ! $user_id || $user_id == get_current_user_id() ) { $user = wp_get_current_user(); } else { $user = get_userdata( $user_id ); } if ( ! $user || ! $user->exists() ) { return false; } if ( is_multisite() ) { $super_admins = get_super_admins(); if ( is_array( $super_admins ) && in_array( $user->user_login, $super_admins ) ) { return true; } } else { if ( $user->has_cap( 'delete_users' ) ) { return true; } } return false; } /** * Grants Super Admin privileges. * * @since 3.0.0 * * @global array $super_admins * * @param int $user_id ID of the user to be granted Super Admin privileges. * @return bool True on success, false on failure. This can fail when the user is * already a super admin or when the `$super_admins` global is defined. */ function grant_super_admin( $user_id ) { // If global super_admins override is defined, there is nothing to do here. if ( isset( $GLOBALS['super_admins'] ) || ! is_multisite() ) { return false; } /** * Fires before the user is granted Super Admin privileges. * * @since 3.0.0 * * @param int $user_id ID of the user that is about to be granted Super Admin privileges. */ do_action( 'grant_super_admin', $user_id ); // Directly fetch site_admins instead of using get_super_admins() $super_admins = get_site_option( 'site_admins', array( 'admin' ) ); $user = get_userdata( $user_id ); if ( $user && ! in_array( $user->user_login, $super_admins ) ) { $super_admins[] = $user->user_login; update_site_option( 'site_admins', $super_admins ); /** * Fires after the user is granted Super Admin privileges. * * @since 3.0.0 * * @param int $user_id ID of the user that was granted Super Admin privileges. */ do_action( 'granted_super_admin', $user_id ); return true; } return false; } /** * Revokes Super Admin privileges. * * @since 3.0.0 * * @global array $super_admins * * @param int $user_id ID of the user Super Admin privileges to be revoked from. * @return bool True on success, false on failure. This can fail when the user's email * is the network admin email or when the `$super_admins` global is defined. */ function revoke_super_admin( $user_id ) { // If global super_admins override is defined, there is nothing to do here. if ( isset( $GLOBALS['super_admins'] ) || ! is_multisite() ) { return false; } /** * Fires before the user's Super Admin privileges are revoked. * * @since 3.0.0 * * @param int $user_id ID of the user Super Admin privileges are being revoked from. */ do_action( 'revoke_super_admin', $user_id ); // Directly fetch site_admins instead of using get_super_admins() $super_admins = get_site_option( 'site_admins', array( 'admin' ) ); $user = get_userdata( $user_id ); if ( $user && 0 !== strcasecmp( $user->user_email, get_site_option( 'admin_email' ) ) ) { if ( false !== ( $key = array_search( $user->user_login, $super_admins ) ) ) { unset( $super_admins[ $key ] ); update_site_option( 'site_admins', $super_admins ); /** * Fires after the user's Super Admin privileges are revoked. * * @since 3.0.0 * * @param int $user_id ID of the user Super Admin privileges were revoked from. */ do_action( 'revoked_super_admin', $user_id ); return true; } } return false; } /** * Filters the user capabilities to grant the 'install_languages' capability as necessary. * * A user must have at least one out of the 'update_core', 'install_plugins', and * 'install_themes' capabilities to qualify for 'install_languages'. * * @since 4.9.0 * * @param bool[] $allcaps An array of all the user's capabilities. * @return bool[] Filtered array of the user's capabilities. */ function wp_maybe_grant_install_languages_cap( $allcaps ) { if ( ! empty( $allcaps['update_core'] ) || ! empty( $allcaps['install_plugins'] ) || ! empty( $allcaps['install_themes'] ) ) { $allcaps['install_languages'] = true; } return $allcaps; } /** * Filters the user capabilities to grant the 'resume_plugins' and 'resume_themes' capabilities as necessary. * * @since 5.2.0 * * @param bool[] $allcaps An array of all the user's capabilities. * @return bool[] Filtered array of the user's capabilities. */ function wp_maybe_grant_resume_extensions_caps( $allcaps ) { // Even in a multisite, regular administrators should be able to resume plugins. if ( ! empty( $allcaps['activate_plugins'] ) ) { $allcaps['resume_plugins'] = true; } // Even in a multisite, regular administrators should be able to resume themes. if ( ! empty( $allcaps['switch_themes'] ) ) { $allcaps['resume_themes'] = true; } return $allcaps; } /** * Filters the user capabilities to grant the 'view_site_health_checks' capabilities as necessary. * * @since 5.2.2 * * @param bool[] $allcaps An array of all the user's capabilities. * @param string[] $caps Required primitive capabilities for the requested capability. * @param array $args { * Arguments that accompany the requested capability check. * * @type string $0 Requested capability. * @type int $1 Concerned user ID. * @type mixed ...$2 Optional second and further parameters, typically object ID. * } * @param WP_User $user The user object. * @return bool[] Filtered array of the user's capabilities. */ function wp_maybe_grant_site_health_caps( $allcaps, $caps, $args, $user ) { if ( ! empty( $allcaps['install_plugins'] ) && ( ! is_multisite() || is_super_admin( $user->ID ) ) ) { $allcaps['view_site_health_checks'] = true; } return $allcaps; } return; // Dummy gettext calls to get strings in the catalog. /* translators: user role for administrators */ _x( 'Administrator', 'User role' ); /* translators: user role for editors */ _x( 'Editor', 'User role' ); /* translators: user role for authors */ _x( 'Author', 'User role' ); /* translators: user role for contributors */ _x( 'Contributor', 'User role' ); /* translators: user role for subscriber */ _x( 'Subscriber', 'User role' ); /** * User API: WP_Role class * * @package WordPress * @subpackage Users * @since 4.4.0 */ /** * Core class used to extend the user roles API. * * @since 2.0.0 */ class WP_Role { /** * Role name. * * @since 2.0.0 * @var string */ public $name; /** * List of capabilities the role contains. * * @since 2.0.0 * @var array */ public $capabilities; /** * Constructor - Set up object properties. * * The list of capabilities, must have the key as the name of the capability * and the value a boolean of whether it is granted to the role. * * @since 2.0.0 * * @param string $role Role name. * @param array $capabilities List of capabilities. */ public function __construct( $role, $capabilities ) { $this->name = $role; $this->capabilities = $capabilities; } /** * Assign role a capability. * * @since 2.0.0 * * @param string $cap Capability name. * @param bool $grant Whether role has capability privilege. */ public function add_cap( $cap, $grant = true ) { $this->capabilities[ $cap ] = $grant; wp_roles()->add_cap( $this->name, $cap, $grant ); } /** * Removes a capability from a role. * * This is a container for WP_Roles::remove_cap() to remove the * capability from the role. That is to say, that WP_Roles::remove_cap() * implements the functionality, but it also makes sense to use this class, * because you don't need to enter the role name. * * @since 2.0.0 * * @param string $cap Capability name. */ public function remove_cap( $cap ) { unset( $this->capabilities[ $cap ] ); wp_roles()->remove_cap( $this->name, $cap ); } /** * Determines whether the role has the given capability. * * The capabilities is passed through the {@see 'role_has_cap'} filter. * The first parameter for the hook is the list of capabilities the class * has assigned. The second parameter is the capability name to look for. * The third and final parameter for the hook is the role name. * * @since 2.0.0 * * @param string $cap Capability name. * @return bool True if the role has the given capability. False otherwise. */ public function has_cap( $cap ) { /** * Filters which capabilities a role has. * * @since 2.0.0 * * @param bool[] $capabilities Associative array of capabilities for the role. * @param string $cap Capability name. * @param string $name Role name. */ $capabilities = apply_filters( 'role_has_cap', $this->capabilities, $cap, $this->name ); if ( ! empty( $capabilities[ $cap ] ) ) { return $capabilities[ $cap ]; } else { return false; } } }