Opened 12 months ago
Closed 12 months ago
#20872 closed defect (bug) (fixed)
Customizer: Accessing /wp-admin/customize.php doesn't redirect to wp-login.php when not logged in
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | 3.4 |
| Component: | Appearance | Version: | 3.4 |
| Severity: | normal | Keywords: | has-patch |
| Cc: |
Description
I just sent the direct link to the Customizer domain.com/wp-admin/customize.php to a friend and he only got a Cheatin’ uh? message.
The problem is, that we include the admin.php in customize.php. admin.php includes wp-load.php which includes wp-settings.php.
do_action( 'plugins_loaded' ); is fired.
_wp_customize_include() is fired.
WP_Customize_Manager::setup_theme() is fired.
In setup_theme()
if ( ! current_user_can( 'edit_theme_options' ) ) wp_die( __( 'Cheatin’ uh?' ) );
fails.
The main issue is, that auth_redirect() can't be fired since the Customizer runs before this action.
Attachments (1)
Change History (18)
- Summary changed from Accessing /wp-admin/customize.php doesn't redirect to wp-login.php when not logged in to Customizer: Accessing /wp-admin/customize.php doesn't redirect to wp-login.php when not logged in
Replying to nacin:
We can fire it ourselves.
if ( is_admin() && ! defined( 'DOING_AJAX' ) ) auth_redirect();
Works for me.
comment:3
SergeyBiryukov — 12 months ago
- Keywords has-patch added; needs-patch removed
This works when customize.php is loaded inside a frame on themes.php, too. Nice!
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed
In [21019]:
- Resolution fixed deleted
- Status changed from closed to reopened
We should probably do:
if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
auth_redirect();
} elseif ( defined( 'DOING_AJAX' ) && ! is_user_logged_in() ) {
wp_die( -1 );
} elseif ( ! is_user_logged_in() ) {
// redirect to login for the preview
}
For the ajax check, see #20876.
This is because a logged-in cookie could be lost even with an auth cookie in place. Not typical, but can occur with mapped domains pretty easily.
comment:10
in reply to:
↑ 8
koopersmith — 12 months ago
Replying to nacin:
We should probably do:
... defined( 'DOING_AJAX' ) ...
Since we're running the preview ajax requests through the front end (instead of admin-ajax), DOING_AJAX will not be (and should not be) defined, so we shouldn't have to check for it.
comment:11
nacin — 12 months ago
Since we're running the preview ajax requests through the front end (instead of admin-ajax), DOING_AJAX will not be (and should not be) defined, so we shouldn't have to check for it.
Save runs through admin-ajax, no?
comment:12
ryan — 12 months ago
I don't see any saves triggering ::setup_theme(). The reloads that are triggered for header and such aren't DOING_AJAX.
comment:13
ryan — 12 months ago
Sorry. When I said saves I meant updates/refreshes. Clicking the save button is indeed DOING_AJAX and setup_theme() is triggered.
comment:14
ryan — 12 months ago
- Keywords commit removed
comment:15
ryan — 12 months ago
Handling a redirect in the preview could be tricky, especially with the wp_redirect_status override. How about something like:
if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
auth_redirect();
} elseif ( defined( 'DOING_AJAX' ) && ! is_user_logged_in() ) {
wp_die( -1 );
} elseif ( ! is_user_logged_in() ) {
echo 'WP_CUSTOMIZER_NOT_LOGGED_IN';
die;
}
Check for WP_CUSTOMIZER_NOT_LOGGED_IN in api.PreviewFrame. If found output a please log in message and a link to wp-login.php with redirect_to set to the customizer.
comment:16
ocean90 — 12 months ago
Instead of WP_CUSTOMIZER_NOT_LOGGED_IN we could also use wp_die() and the ajax wp_die handler, see http://core.trac.wordpress.org/attachment/ticket/20876/20876.patch.
comment:17
ocean90 — 12 months ago
- Resolution set to fixed
- Status changed from reopened to closed
AJAX check will be handled in #20876.
We can fire it ourselves.
if ( is_admin() && ! defined( 'DOING_AJAX' ) ) auth_redirect();Does that look right?