Index: wp-includes/pluggable.php
===================================================================
--- wp-includes/pluggable.php	(revision 20951)
+++ wp-includes/pluggable.php	(working copy)
@@ -831,8 +831,10 @@
  *
  * @param string $action Action nonce
  * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
+ * @param bool $die Die if checking fails
+ * @param bool $renonce If checking succeeds, calculate a new nonce and send it as an X-WP-nonce header
  */
-function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+function check_ajax_referer( $action = -1, $query_arg = false, $die = true, $renonce = false ) {
 	if ( $query_arg )
 		$nonce = $_REQUEST[$query_arg];
 	else
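Review bot: The new `$renonce` docblock does not say what the client has to parse, yet widgets.dev.js in this same patch splits the header value on `=` to recover the nonce, so the format is part of the contract; consider ` * @param bool $renonce If checking succeeds, send a fresh nonce as an "X-WP-nonce: {$action}={$nonce}" response header`. The `$die` line could likewise mention that on failure the function terminates the request with wp_die(), which is what the JavaScript callers rely on when no header arrives. The body of check_ajax_referer continues past this hunk.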
@@ -849,6 +851,9 @@
 
 	do_action('check_ajax_referer', $action, $result);
 
+	if ( $renonce && !headers_sent() )
+		header( 'X-WP-nonce: ' . $action . '=' . wp_create_nonce( $action ) );
+	
 	return $result;
 }
 endif;
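Review bot: The header is emitted whenever `$renonce` is set, not only "if checking succeeds" as the docblock says: when a caller passes `$die = false` and the nonce check fails, `$result` is false but a freshly minted nonce for `$action` is still sent back on the failed request. The guard should include the result, `if ( $result && $renonce && !headers_sent() )`, so a request that did not prove it held a valid nonce never receives a new one. With `$die = true` this presumably cannot be reached because the failure path dies earlier (that path is outside the hunk), but the function's own contract should not depend on the caller's choice of `$die`.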
Index: wp-includes/script-loader.php
===================================================================
--- wp-includes/script-loader.php	(revision 20951)
+++ wp-includes/script-loader.php	(working copy)
@@ -373,6 +373,9 @@
 		$scripts->add( 'admin-gallery', "/wp-admin/js/gallery$suffix.js", array( 'jquery-ui-sortable' ) );
 
 		$scripts->add( 'admin-widgets', "/wp-admin/js/widgets$suffix.js", array( 'jquery-ui-sortable', 'jquery-ui-draggable', 'jquery-ui-droppable' ), false, 1 );
+		$scripts->localize( 'admin-widgets', 'widgetsL10n', array(
+			'loggedOut' => __('You are logged out!')
+		));
 
 		$scripts->add( 'theme', "/wp-admin/js/theme$suffix.js", array( 'jquery' ), false, 1 );
 
Index: wp-admin/includes/ajax-actions.php
===================================================================
--- wp-admin/includes/ajax-actions.php	(revision 20951)
+++ wp-admin/includes/ajax-actions.php	(working copy)
@@ -1510,7 +1510,7 @@
 }
 
 function wp_ajax_widgets_order() {
-	check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' );
+	check_ajax_referer( 'save-sidebar-widgets', 'savewidgets', true, true );
 
 	if ( !current_user_can('edit_theme_options') )
 		wp_die( -1 );
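Review bot: The two bare `true, true` arguments on the check_ajax_referer() call are unreadable at the call site; with no named-argument support here, a trailing comment such as `check_ajax_referer( 'save-sidebar-widgets', 'savewidgets', true, true ); // $die, $renonce` would make the intent clear. The same applies to the identical call in the wp_ajax_save_widget hunk below. Note also that, because the referer check runs before `current_user_can('edit_theme_options')`, the X-WP-nonce header is sent even on requests that are then rejected with `wp_die( -1 )`; that nonce is bound to the same user and capability check, so it appears harmless, but it is worth a comment so the ordering is not mistaken for an oversight.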
@@ -1543,7 +1543,7 @@
 function wp_ajax_save_widget() {
 	global $wp_registered_widgets, $wp_registered_widget_controls, $wp_registered_widget_updates;
 
-	check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' );
+	check_ajax_referer( 'save-sidebar-widgets', 'savewidgets', true, true );
 
 	if ( !current_user_can('edit_theme_options') || !isset($_POST['id_base']) )
 		wp_die( -1 );
Index: wp-admin/js/widgets.dev.js
===================================================================
--- wp-admin/js/widgets.dev.js	(revision 20951)
+++ wp-admin/js/widgets.dev.js	(working copy)
@@ -189,8 +189,11 @@
 				a['sidebars[' + $(this).attr('id') + ']'] = $(this).sortable('toArray').join(',');
 		});
 
-		$.post( ajaxurl, a, function() {
+		var xhr = $.post( ajaxurl, a, function() {
 			$('img.ajax-feedback').css('visibility', 'hidden');
+			nonce_header = xhr.getResponseHeader("X-WP-nonce");
+			nonce = nonce_header.split("=", 2)[1];
+			$('#_wpnonce_widgets').val(nonce);
 		});
 
 		this.resize();
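Review bot: The success callback dereferences `xhr.getResponseHeader("X-WP-nonce")` without checking for null, and `$.post`'s success handler also runs for a `-1`/`0` body (the server died in check_ajax_referer or admin-ajax before the header was added), so the missing header turns into a TypeError on `.split` and the feedback state is left as-is. Guard it and keep the locals local: `var nonceHeader = xhr.getResponseHeader('X-WP-nonce');` / `if ( nonceHeader )` / `$('#_wpnonce_widgets').val( nonceHeader.split('=', 2)[1] );`. As written, `nonce_header` and `nonce` are assigned without `var` and therefore become globals; the callback's third argument (the jqXHR) could be used instead of closing over `xhr`. The same pattern recurs in the `else` branch of the save() hunk at the end of this file.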
@@ -212,9 +215,19 @@
 
 		data += '&' + $.param(a);
 
-		$.post( ajaxurl, data, function(r){
+		var xhr = $.post( ajaxurl, data, function(r){
 			var id;
 
+			if ( "0" === r ) {
+				logout_message = $('.logout-message', widget)
+				if ( !logout_message.length ) {
+					$('img.ajax-feedback', widget).parent().parent().append($('<div class="error logout-message"><p>' + widgetsL10n.loggedOut + '</p></div>'));
+				}
+				$('.ajax-feedback', widget).css('visibility', 'hidden');
+				logout_message.fadeOut(50).fadeIn(500);
+				return false;
+			}
+
 			if ( del ) {
 				if ( !$('input.widget_number', widget).val() ) {
 					id = $('input.widget-id', widget).val();
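Review bot: On the first logged-out response `logout_message` is the empty jQuery set captured before the error div is appended, so the `fadeOut(50).fadeIn(500)` that follows acts on nothing and the message only animates from the second failure onward; the line also lacks `var` (leaking a global) and a semicolon. Re-query after appending, as below. Separately, the message is built by string concatenation (`'<p>' + widgetsL10n.loggedOut + '</p>'`), so the translated string is interpreted as HTML rather than text; using `.text()` on a created `<p>` avoids depending on every translation being HTML-safe. Only the `"0"` body is handled here; a `"-1"` body (nonce or capability failure while still logged in) presumably falls through to the existing branches and fails silently, which may deserve its own message.
```javascript
if ( "0" === r ) {
    var logout_message = $('.logout-message', widget);
    if ( !logout_message.length ) {
        $('img.ajax-feedback', widget).parent().parent().append(
            $('<div class="error logout-message"></div>').append( $('<p></p>').text( widgetsL10n.loggedOut ) )
        );
        logout_message = $('.logout-message', widget);
    }
    $('.ajax-feedback', widget).css('visibility', 'hidden');
    logout_message.fadeOut(50).fadeIn(500);
    return false;
}
// … unchanged: del / update branches …
```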
@@ -236,14 +249,20 @@
 				}
 			} else {
 				$('.ajax-feedback').css('visibility', 'hidden');
+				$('.logout-message', widget).hide();
 				if ( r && r.length > 2 ) {
 					$('div.widget-content', widget).html(r);
 					wpWidgets.appendTitle(widget);
 					wpWidgets.fixLabels(widget);
 				}
 			}
-			if ( order )
+			if ( order ) {
 				wpWidgets.saveOrder();
+			} else {
+				nonce_header = xhr.getResponseHeader("X-WP-nonce");
+				nonce = nonce_header.split("=", 2)[1];
+				$('#_wpnonce_widgets').val(nonce);
+			}
 		});
 	},
 
Index: wp-admin/css/wp-admin.dev.css
===================================================================
--- wp-admin/css/wp-admin.dev.css	(revision 20951)
+++ wp-admin/css/wp-admin.dev.css	(working copy)
@@ -7883,7 +7883,7 @@
 	display: block;
 }
 
-.widget .widget-inside p {
+.widget-inside p {
 	margin: 0 0 1em;
 	padding: 0;
 }
