Changeset 27966

Timestamp:

04/06/2014 06:47:46 PM (11 years ago)

Author:

ocean90

Message:

WP_Widget: Introduce is_preview() method.

With the Widget Customizer it's possible that previewed widgets can leak data outside of Customizer, when the widget uses the cache API.
The Customizer calls the regular update callback which should already refresh the cache. Since cache additions aren't blocked yet the cache can be filled with preview data.
To prevent this issue WP_Widget::is_preview() will return true, when $wp_customize->is_preview() returns true. If is_preview() is true, cache additions are suspended via wp_suspend_cache_addition(). Make sure your object cache drop-in has implemented wp_suspend_cache_addition().

is_preview() can/should also be used inside WP_Widget::widget(), see WP_Widget_Recent_Posts or WP_Widget_Recent_Comments for examples.

For more info see IRC logs: ​http://irclogs.wordpress.org/chanlog.php?channel=wordpress-dev&day=2014-04-02&sort=asc#m824279

props westonruter.
fixes #27538.

Location:

trunk/src/wp-includes

Files:

• default-widgets.php (modified) (4 diffs)
• widgets.php (modified) (4 diffs)

trunk/src/wp-includes/default-widgets.php

@@ -661 +661 @@
 
     function widget($args, $instance) {
-        $cache = wp_cache_get('widget_recent_posts', 'widget');
-
-        if ( !is_array($cache) )
+        $cache = array();
+        if ( ! $this->is_preview() ) {
+            $cache = wp_cache_get( 'widget_recent_posts', 'widget' );
+        }
+
+        if ( ! is_array( $cache ) ) {
             $cache = array();
-
-        if ( ! isset( $args['widget_id'] ) )
+        }
+
+        if ( ! isset( $args['widget_id'] ) ) {
             $args['widget_id'] = $this->id;
+        }
 
         if ( isset( $cache[ $args['widget_id'] ] ) ) {
@@ -724 +729 @@
         endif;
 
-        $cache[$args['widget_id']] = ob_get_flush();
-        wp_cache_set('widget_recent_posts', $cache, 'widget');
+        if ( ! $this->is_preview() ) {
+            $cache[ $args['widget_id'] ] = ob_get_flush();
+            wp_cache_set( 'widget_recent_posts', $cache, 'widget' );
+        } else {
+            ob_flush();
+        }
     }
 
@@ -808 +817 @@
         global $comments, $comment;
 
-        $cache = wp_cache_get('widget_recent_comments', 'widget');
-
-        if ( ! is_array( $cache ) )
+        $cache = array();
+        if ( ! $this->is_preview() ) {
+            $cache = wp_cache_get('widget_recent_comments', 'widget');
+        }
+        if ( ! is_array( $cache ) ) {
             $cache = array();
+        }
 
         if ( ! isset( $args['widget_id'] ) )
@@ -866 +878 @@
 
         echo $output;
-        $cache[$args['widget_id']] = $output;
-        wp_cache_set('widget_recent_comments', $cache, 'widget');
+
+        if ( ! $this->is_preview() ) {
+            $cache[ $args['widget_id'] ] = $output;
+            wp_cache_set( 'widget_recent_comments', $cache, 'widget' );
+        }
     }
 

trunk/src/wp-includes/widgets.php

@@ -162 +162 @@
     function _get_form_callback() {
         return array($this, 'form_callback');
+    }
+
+    /**
+     * Determine if we're in the Customizer; if true, then the object cache gets
+     * suspended and widgets should check this to decide whether they should
+     * store anything persistently to the object cache, to transients, or
+     * anywhere else.
+     *
+     * @since 3.9.0
+     *
+     * @return bool True if Customizer is on, false if not.
+     */
+    function is_preview() {
+        global $wp_customize;
+        return ( isset( $wp_customize ) && $wp_customize->is_preview() ) ;
     }
 
@@ -190 +205 @@
              */
             $instance = apply_filters( 'widget_display_callback', $instance, $this, $args );
-            if ( false !== $instance )
-                $this->widget($args, $instance);
+
+            if ( false === $instance ) {
+                return;
+            }
+
+            $was_cache_addition_suspended = wp_suspend_cache_addition();
+            if ( $this->is_preview() && ! $was_cache_addition_suspended ) {
+                wp_suspend_cache_addition( true );
+            }
+
+            $this->widget( $args, $instance );
+
+            if ( $this->is_preview() ) {
+                wp_suspend_cache_addition( $was_cache_addition_suspended );
+            }
         }
     }
@@ -242 +270 @@
                 $old_instance = isset($all_instances[$number]) ? $all_instances[$number] : array();
 
-                $instance = $this->update($new_instance, $old_instance);
+                $was_cache_addition_suspended = wp_suspend_cache_addition();
+                if ( $this->is_preview() && ! $was_cache_addition_suspended ) {
+                    wp_suspend_cache_addition( true );
+                }
+
+                $instance = $this->update( $new_instance, $old_instance );
+
+                if ( $this->is_preview() ) {
+                    wp_suspend_cache_addition( $was_cache_addition_suspended );
+                }
 
                 /**
@@ -258 +295 @@
                  */
                 $instance = apply_filters( 'widget_update_callback', $instance, $new_instance, $old_instance, $this );
-                if ( false !== $instance )
+                if ( false !== $instance ) {
                     $all_instances[$number] = $instance;
+                }
 
                 break; // run only once