

Changeset 32054


Timestamp:
04/06/2015 03:09:21 PM (4 years ago)
Author:
ocean90
Message:

Customizer: Refresh nonces when a session expires and the user logs in again.

This was broken since 4.0 and the introduction of user session tokens. The nonces are now tied to session tokens as opposed to user IDs, and thus they change with each re-login.
Custom nonces can be added through the customize_refresh_nonces filter. On a successful refresh request the JavaScript API will trigger a nonce-refresh event. See the widget update nonce as an example.

props westonruter for initial patch.
fixes #31294.

Location:
trunk/src
Files:
4 edited

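--- a/trunk/src/wp-admin/js/customize-controls.js
+++ b/trunk/src/wp-admin/js/customize-controls.js
@@ -2359,9 +2359,21 @@
             messenger.targetWindow( iframe[0].contentWindow );
 
-            messenger.bind( 'login', function() {
-                iframe.remove();
-                messenger.destroy();
-                delete previewer._login;
-                deferred.resolve();
+            messenger.bind( 'login', function () {
+                var refreshNonces = previewer.refreshNonces();
+
+                refreshNonces.always( function() {
+                    iframe.remove();
+                    messenger.destroy();
+                    delete previewer._login;
+                });
+
+                refreshNonces.done( function() {
+                    deferred.resolve();
+                });
+
+                refreshNonces.fail( function() {
+                    previewer.cheatin();
+                    deferred.reject();
+                });
             });
 
@@ -2371,4 +2383,26 @@
         cheatin: function() {
             $( document.body ).empty().addClass('cheatin').append( '<p>' + api.l10n.cheatin + '</p>' );
+        },
+
+        refreshNonces: function() {
+            var request, deferred = $.Deferred();
+
+            deferred.promise();
+
+            request = wp.ajax.post( 'customize_refresh_nonces', {
+                wp_customize: 'on',
+                theme: api.settings.theme.stylesheet
+            });
+
+            request.done( function( response ) {
+                api.trigger( 'nonce-refresh', response );
+                deferred.resolve();
+            });
+
+            request.fail( function() {
+                deferred.reject();
+            });
+
+            return deferred;
         }
     });
@@ -2539,4 +2573,10 @@
         });
 
+        // Refresh the nonces if login sends updated nonces over.
+        api.bind( 'nonce-refresh', function( nonce ) {
+            $.extend( api.settings.nonce, nonce );
+            $.extend( api.previewer.nonce, nonce );
+        });
+
         // Create Settings
         $.each( api.settings.settings, function( id, data ) {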
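Review bot: `deferred.promise();` at new line 2390 of refreshNonces has no effect — the promise it returns is discarded, and the function then hands back the full Deferred at line 2406, so any caller can resolve or reject it from outside. Drop that line and change the last line to `return deferred.promise();`; the `always`/`done`/`fail` chains in the login handler work unchanged on a promise. The login handler in the first hunk closes over `previewer` and `deferred`, which are declared before the hunk begins. Note that the `nonce-refresh` handler at line 2576 merges every key of the response into `api.settings.nonce`, so whatever the server-side `customize_refresh_nonces` filter adds lands there as well.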
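--- a/trunk/src/wp-admin/js/customize-widgets.js
+++ b/trunk/src/wp-admin/js/customize-widgets.js
@@ -1899,4 +1899,9 @@
     });
 
+    // Refresh the nonce if login sends updated nonces over.
+    api.bind( 'nonce-refresh', function( nonces ) {
+        api.Widgets.data.nonce = nonces['update-widget'];
+    });
+
     /**
      * Init Customizer for widgets.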
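Review bot: The handler at new line 1903 assigns `nonces['update-widget']` unconditionally, so a response that lacks that key would replace a working nonce with `undefined` and every later widget update would fail its nonce check. A one-line guard keeps the current value in that case: `if ( nonces['update-widget'] ) { api.Widgets.data.nonce = nonces['update-widget']; }`. Whether a missing key can actually occur depends on which server-side filter callbacks run, which is not visible here.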
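--- a/trunk/src/wp-includes/class-wp-customize-manager.php
+++ b/trunk/src/wp-includes/class-wp-customize-manager.php
@@ -92,6 +92,6 @@
         add_filter( 'wp_die_handler', array( $this, 'wp_die_handler' ) );
 
-        add_action( 'setup_theme',  array( $this, 'setup_theme' ) );
-        add_action( 'wp_loaded',    array( $this, 'wp_loaded' ) );
+        add_action( 'setup_theme', array( $this, 'setup_theme' ) );
+        add_action( 'wp_loaded',   array( $this, 'wp_loaded' ) );
 
         // Run wp_redirect_status late to make sure we override the status last.
@@ -106,5 +106,6 @@
         remove_action( 'admin_init', '_maybe_update_themes' );
 
-        add_action( 'wp_ajax_customize_save', array( $this, 'save' ) );
+        add_action( 'wp_ajax_customize_save',           array( $this, 'save' ) );
+        add_action( 'wp_ajax_customize_refresh_nonces', array( $this, 'refresh_nonces' ) );
 
         add_action( 'customize_register',                 array( $this, 'register_controls' ) );
@@ -782,4 +783,32 @@
         $response = apply_filters( 'customize_save_response', array(), $this );
         wp_send_json_success( $response );
+    }
+
+    /**
+     * Refresh nonces for the current preview.
+     *
+     * @since 4.2.0
+     */
+    public function refresh_nonces() {
+        if ( ! $this->is_preview() ) {
+            wp_send_json_error( 'not_preview' );
+        }
+
+        $nonces = array(
+            'save'    => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
+            'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ),
+        );
+
+        /**
+         * Filter nonces for a customize_refresh_nonces AJAX request.
+         *
+         * @since 4.2.0
+         *
+         * @param array                $nonces Array of refreshed nonces for save and
+         *                                     preview actions.
+         * @param WP_Customize_Manager $this   WP_Customize_Manager instance.
+         */
+        $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this );
+        wp_send_json_success( $nonces );
     }
 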
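Review bot: refresh_nonces() at new line 792 guards only on `$this->is_preview()`; no capability check is visible in the hunk, so whether a logged-in user without theme-editing rights can obtain save/preview nonces depends on what is_preview() and the customizer bootstrap enforce elsewhere. If they do not, an explicit `if ( ! current_user_can( 'customize' ) ) { wp_send_json_error( 'unauthorized' ); }` before `$nonces` is built would make the handler self-contained and easier to audit. The nonces are bound to the requesting user's own session, so the exposure would be limited to that user's rights, but a reader should not have to trace that. The docblock should also state that the method ends the request through wp_send_json_error()/wp_send_json_success() and never returns, since the early-exit branch at line 793 relies on that.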
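--- a/trunk/src/wp-includes/class-wp-customize-widgets.php
+++ b/trunk/src/wp-includes/class-wp-customize-widgets.php
@@ -96,4 +96,5 @@
         add_action( 'customize_controls_print_footer_scripts', array( $this, 'output_widget_control_templates' ) );
         add_action( 'customize_preview_init',                  array( $this, 'customize_preview_init' ) );
+        add_filter( 'customize_refresh_nonces',                array( $this, 'refresh_nonces' ) );
 
         add_action( 'dynamic_sidebar',                         array( $this, 'tally_rendered_widgets' ) );
@@ -890,4 +891,16 @@
 
     /**
+     * Refresh nonce for widget updates.
+     *
+     * @since 4.2.0
+     * @access public
+     *
+     * @param  array $nonces Array of nonces.
+     * @return array $nonces Array of nonces.
+     */
+    public function refresh_nonces( $nonces ) {
+        $nonces['update-widget'] = wp_create_nonce( 'update-widget' );
+        return $nonces;
+    }
+
+    /**
      * When previewing, make sure the proper previewing widgets are used.
      *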
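Review bot: The `@return array $nonces Array of nonces.` tag at new line 899 names a variable, which `@return` does not take; `@return array Array of nonces with the 'update-widget' entry refreshed.` describes what the method actually hands back. The action string 'update-widget' presumably has to match the one the widget update handler verifies, and that handler is outside this hunk, so a short comment naming that counterpart would save the next maintainer a search. The docblock for the parameter would also be clearer as `@param array $nonces Nonces collected so far by the customize_refresh_nonces filter.`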