Ticket #35662: 35662.3.diff
File 35662.3.diff, 1.4 KB (added by , 9 years ago) |
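--- a/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -250,7 +250,35 @@
 }
 }
 
+$nonce = null;
+
+// Find existing nonce.
+if ( isset( $_REQUEST['_wpnonce'] ) ) {
+$nonce = $_REQUEST['_wpnonce'];
+} elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
+$nonce = $_SERVER['HTTP_X_WP_NONCE'];
+}
+
+// Check the nonce.
+$nonce_is_valid = wp_verify_nonce( $nonce, 'wp_rest' );
+$user_and_nonce = is_user_logged_in() && $nonce_is_valid;
+
 /**
+ * Filter whether the REST API should send a refreshed nonce header in responses to
+ * authenticated requests that include a valid nonce.
+ *
+ * @since 4.5.0
+ *
+ * @param bool $rest_send_refreshed_nonce Whether to send a refreshed nonce in the response headers.
+ * Defaults to true if the user is logged in and the the
+ * existing request nonce is valid.
+ */
+$rest_send_refreshed_nonce = apply_filters( 'rest_send_refreshed_nonce', $user_and_nonce );
+if ( $rest_send_refreshed_nonce ) {
+$this->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );
+}
+
+/**
 * Filter whether the REST API is enabled.
 *
 * @since 4.4.0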
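Review bot: `wp_verify_nonce( $nonce, 'wp_rest' )` at new line 263 is called unconditionally, so every request that carries no nonce at all (the common unauthenticated case, where `$nonce` is still `null`) goes through a failed verification; in core that path fires the `wp_verify_nonce_failed` action, which logging or lockout plugins may reasonably treat as a tampered-nonce signal, so the no-nonce case should be distinguished from the bad-nonce case, e.g. `$nonce_is_valid = null !== $nonce && wp_verify_nonce( $nonce, 'wp_rest' );`. The same `_wpnonce` / `HTTP_X_WP_NONCE` lookup appears to exist in `rest_cookie_check_errors()`; if so, factoring it into one helper would keep the two sources from drifting, though that is outside this hunk. The new docblock at lines 273–274 also has a doubled word ("the the existing request nonce"). The enclosing `serve_request()` method starts and ends outside the hunk.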