More on Upgrading to WPMu 1.3

As I already noted previously here, we have upgraded UMW Blogs to WPMu 1.3. Everything went smoothly on the surface, save for one rogue widget plugin I mentioned in the previous post. Well, as time goes on, other issues have emerged that are easily fixed but raised some interesting questions for me as I searched for the solutions.

Let me start with the relatively straightforward issue first. Certain themes, in this case the venerable MistyLook was encountering the following error after the upgrade:

“Warning: array_key_exists(): The first argument should be either a string or an integer in …/wp-includes/category-template.php on line 176″

Seems that certain changes in the categroy-template.php file are incompatible with this theme. There may be others, so I am doing a pretty thorough search, but so far I have found no other issues. The fix for this issue can be found in this forum thread, and I found that the fix recommended by farseas worked like a charm.

The above issue was pretty straightforward as is the fix, the next issue is a little more problematic for me because it raises some questions that I believe are pretty important to an open source community. I got an e-mail from Martha this afternoon letting me know that the Userthemes plugin (an essential one for us) was throwing a 404 error. I checked this plugin on the upgrade to make sure it was working, but I didn’t actually try and edit a theme, I just looked at the tab in the WPMu site admin area.

My grave mistake, this plugin depends on the theme-editor.php file, which to my great surprise is no longer a part of the source code of WPMu, which I searched on the WPMu trac here. Realizing this and now a bit concerned, I did a google search for the file name “theme-editor.php” and found the following ticket (#480) which suggests that this file is unnecessary for WPMu because it poses a security risk and has therefore been eliminated from the source code. Huh?!

What’s interesting about this ticket, however, is the brief discussion that follows. I think it is important so I will re-post it here:

RavanH: Is the file missing on purpose? If so, people should warned that plugin UserThemes? depends on the file and they should keep the one from a previous install. The 1.2.5 version seems to work, but haven’t tested fully.

Donncha: Yes, it’s missing on purpose. There is no reason why a theme should be edited through it. That User Themes plugin is a security risk if I’m reading the description at http://wpmudev.org/project/User-Themes it appears to allow any blog admin to edit the themes. As some comments on that page point out, those themes are PHP and you’re just asking for trouble installing that plugin!

RavanH: ok, i will have to stick with the old theme-editor.php then…
I can relate to the risk involved when the system is used for public sign-up. but please, let me assess the risk i take myself. to be clear: i am not working with wp_mu as a public service but only with a limited set of people that can be trusted to operate carefully when maintaining their blogs. is wp_mu only supposed to be used for free and unlimited sign-up???

Donncha is a programming maven, and the work he has done on WPMu is remarkable to say the least. At the same time, I have to say that I agree with RavanH to some large degree here. We are using the Userthemes plugin on a case-by-case basis, and it is really important for many of the sites we are doing in the controlled environment of UMW Blogs. Shouldn’t we be able to take risks with the application if it works for us? I think so.

Nonetheless, the fix is pretty easy, just get an old theme-editor.php file from the WPMu archived version and upload it to the wp-admin directory. Then replace the following line of code:
wp_die( "The theme editor is disabled" );

to this

if((get_option('ut_use_user_theme') == 0) || (get_option('ut_enabled') == 0)){ wp_die('Either you have not been granted permission from the site administrator to access the theme editor OR you do not have a usertheme as your active theme, theme editor will die while a system theme is active.'); }

This should work for the short term, and I hope possibilities like this for WPMu aren’t all dependent upon outdated hacks that are in and of themselves security risks.

Related posts on bavatuesdays

This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *