Opened 3 years ago
Closed 8 months ago
#14044 closed enhancement (invalid)
check_admin_referer is a template tag only
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Security | Version: | 3.0 |
| Severity: | normal | Keywords: | has-patch dev-feedback needs-testing gsoc |
| Cc: | wojtek.szkutnik@… |
Description
when a plugin author wants to check (e.g. in the init hook) if a certain admin_referer is available or not, the plugin needs to write it's own admin referer implementation because the existing function
check_admin_referer()
can only be used to check for, but not agains (if it's not the appropriate refer, the script will die.
this is mainly because that function is to be used as a admin "template tag" only.
useful would be a function that will return a boolean value instead of dieing / continuing execution.
this can be done by moving the decision out of check_admin_referer() into a new function check_admin_referer_test() and leave the die in there.
this will make plugin coding more safe because right now no such function exists and that done it's hard to check pre-conditions like proper form submits in init.
Attachments (1)
Change History (6)
wojtek.szkutnik — 3 years ago
comment:1
wojtek.szkutnik — 3 years ago
- Cc wojtek.szkutnik@… added
- Keywords has-patch needs-testing added; needs-patch removed
comment:2
wojtek.szkutnik — 3 years ago
- Keywords gsoc added
- Component changed from General to Security
- Milestone changed from Awaiting Review to Future Release
Use case?
comment:4
gazouteast — 2 years ago
@nacin
Use Case = comments 6 & 7 here -
http://studioslice.com/2010/04/18/community-submitted-news-ver-11-is-out/
Plugin is in repo here - http://wordpress.org/extend/plugins/community-submitted-news/
Looks as if plugin authors are using the admin-only check to validate form submission by non-registered users. I've seen this on a couple of other plugins too, but can't remember their names as it was pre-WP3
Gaz
How about adding another argument?