WP_Customize_Manager::setup_theme()

Start preview and customize theme.

Description

Check if customize query variable exist. Init filters to filter the current theme.

Source

File: wp-includes/class-wp-customize-manager.php 

public function setup_theme() {
		global $pagenow;

		// Check permissions for customize.php access since this method is called before customize.php can run any code.
		if ( 'customize.php' === $pagenow && ! current_user_can( 'customize' ) ) {
			if ( ! is_user_logged_in() ) {
				auth_redirect();
			} else {
				wp_die(
					'<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
					'<p>' . __( 'Sorry, you are not allowed to customize this site.' ) . '</p>',
					403
				);
			}
			return;
		}

		// If a changeset was provided is invalid.
		if ( isset( $this->_changeset_uuid ) && false !== $this->_changeset_uuid && ! wp_is_uuid( $this->_changeset_uuid ) ) {
			$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
		}

		/*
		 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
		 * application will inject the customize_preview_nonce query parameter into all Ajax requests.
		 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
		 * a user when a valid nonce isn't present.
		 */
		$has_post_data_nonce = (
			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
			||
			check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
			||
			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
		);
		if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
			unset( $_POST['customized'] );
			unset( $_REQUEST['customized'] );
		}

		/*
		 * If unauthenticated then require a valid changeset UUID to load the preview.
		 * In this way, the UUID serves as a secret key. If the messenger channel is present,
		 * then send unauthenticated code to prompt re-auth.
		 */
		if ( ! current_user_can( 'customize' ) && ! $this->changeset_post_id() ) {
			$this->wp_die( $this->messenger_channel ? 0 : -1, __( 'Non-existent changeset UUID.' ) );
		}

		if ( ! headers_sent() ) {
			send_origin_headers();
		}

		// Hide the admin bar if we're embedded in the customizer iframe.
		if ( $this->messenger_channel ) {
			show_admin_bar( false );
		}

		if ( $this->is_theme_active() ) {
			// Once the theme is loaded, we'll validate it.
			add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) );
		} else {
			// If the requested theme is not the active theme and the user doesn't have
			// the switch_themes cap, bail.
			if ( ! current_user_can( 'switch_themes' ) ) {
				$this->wp_die( -1, __( 'Sorry, you are not allowed to edit theme options on this site.' ) );
			}

			// If the theme has errors while loading, bail.
			if ( $this->theme()->errors() ) {
				$this->wp_die( -1, $this->theme()->errors()->get_error_message() );
			}

			// If the theme isn't allowed per multisite settings, bail.
			if ( ! $this->theme()->is_allowed() ) {
				$this->wp_die( -1, __( 'The requested theme does not exist.' ) );
			}
		}

		// Make sure changeset UUID is established immediately after the theme is loaded.
		add_action( 'after_setup_theme', array( $this, 'establish_loaded_changeset' ), 5 );

		/*
		 * Import theme starter content for fresh installations when landing in the customizer.
		 * Import starter content at after_setup_theme:100 so that any
		 * add_theme_support( 'starter-content' ) calls will have been made.
		 */
		if ( get_option( 'fresh_site' ) && 'customize.php' === $pagenow ) {
			add_action( 'after_setup_theme', array( $this, 'import_theme_starter_content' ), 100 );
		}

		$this->start_previewing_theme();
	}

Uses

Uses Description
wp-includes/functions.php: wp_is_uuid()

Validates that a UUID is valid.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::changeset_post_id()

Get the changeset post ID for the loaded changeset.
wp-includes/capabilities.php: current_user_can()

Returns whether the current user has the specified capability.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::get_stylesheet()

Retrieve the stylesheet name of the previewed theme.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::wp_die()

Custom wp_die wrapper. Returns either the standard message for UI or the Ajax message.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::is_theme_active()

Checks if the current theme is active.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::theme()

Get the theme being customized.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::start_previewing_theme()

If the theme to be previewed isn’t the active theme, add filter callbacks to swap it out at runtime.
wp-includes/l10n.php: __()

Retrieve the translation of $text.
wp-includes/pluggable.php: is_user_logged_in()

Determines whether the current visitor is a logged in user.
wp-includes/pluggable.php: auth_redirect()

Checks if a user is logged in, if not it redirects them to the login page.
wp-includes/pluggable.php: check_ajax_referer()

Verifies the Ajax request to prevent processing requests external of the blog.
wp-includes/functions.php: wp_die()

Kills WordPress execution and displays HTML page with an error message.
wp-includes/http.php: send_origin_headers()

Send Access-Control-Allow-Origin and related headers if the current request is from an allowed origin.
wp-includes/admin-bar.php: show_admin_bar()

Sets the display status of the admin bar.
wp-includes/plugin.php: add_action()

Adds a callback function to an action hook.
wp-includes/option.php: get_option()

Retrieves an option value based on an option name.

Changelog

Version Description
3.4.0 Introduced.

© 2003–2021 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/classes/wp_customize_manager/setup_theme