Timestamp:
04/06/2015 03:09:21 PM (9 years ago)
Author:
ocean90
Message:

Customizer: Refresh nonces when a session expires and the user logs in again.

This was broken since 4.0 and the introduction of user session tokens. The nonces are now tied to session tokens as opposed to user IDs, and thus they change with each re-login.
Custom nonces can be added through the customize_refresh_nonces filter. On a successful refresh request the JavaScript API will trigger a nonce-refresh event. See the widgets' update nonce as an example.

props westonruter for initial patch.
fixes #31294.

File:
1 edited

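--- a/trunk/src/wp-includes/class-wp-customize-manager.php
+++ b/trunk/src/wp-includes/class-wp-customize-manager.php
@@ -92,6 +92,6 @@
         add_filter( 'wp_die_handler', array( $this, 'wp_die_handler' ) );
 
-        add_action( 'setup_theme',  array( $this, 'setup_theme' ) );
-        add_action( 'wp_loaded',    array( $this, 'wp_loaded' ) );
+        add_action( 'setup_theme', array( $this, 'setup_theme' ) );
+        add_action( 'wp_loaded',   array( $this, 'wp_loaded' ) );
 
         // Run wp_redirect_status late to make sure we override the status last.
@@ -106,5 +106,6 @@
         remove_action( 'admin_init', '_maybe_update_themes' );
 
-        add_action( 'wp_ajax_customize_save', array( $this, 'save' ) );
+        add_action( 'wp_ajax_customize_save',           array( $this, 'save' ) );
+        add_action( 'wp_ajax_customize_refresh_nonces', array( $this, 'refresh_nonces' ) );
 
         add_action( 'customize_register',                 array( $this, 'register_controls' ) );
@@ -782,4 +783,32 @@
         $response = apply_filters( 'customize_save_response', array(), $this );
         wp_send_json_success( $response );
+    }
+
+    /**
+     * Refresh nonces for the current preview.
+     *
+     * @since 4.2.0
+     */
+    public function refresh_nonces() {
+        if ( ! $this->is_preview() ) {
+            wp_send_json_error( 'not_preview' );
+        }
+
+        $nonces = array(
+            'save'    => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
+            'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ),
+        );
+
+        /**
+         * Filter nonces for a customize_refresh_nonces AJAX request.
+         *
+         * @since 4.2.0
+         *
+         * @param array                $nonces Array of refreshed nonces for save and
+         *                                     preview actions.
+         * @param WP_Customize_Manager $this   WP_Customize_Manager instance.
+         */
+        $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this );
+        wp_send_json_success( $nonces );
     }
 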
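Review bot: refresh_nonces() hands out fresh save and preview nonces with only the is_preview() check visible in this hunk; no check_ajax_referer() can apply here because the caller's nonce has just expired, so authorization rests on the wp_ajax_ prefix at new line 109 (logged-in users only) and, presumably, on the capability check the manager performs earlier in setup_theme(), which is outside this hunk. That dependency belongs in the docblock so a later change does not move this action onto a wp_ajax_nopriv_ hook or weaken the earlier check; a line such as `* Access is gated by the logged-in-only wp_ajax_ hook and the capability check in setup_theme(); no nonce is verified here because this request exists to replace an expired one.` covers it. The is_preview() guard also relies on wp_send_json_error() terminating the request, and this class installs its own wp_die_handler filter at line 92; adding `return;` after the error call makes the intent explicit should a die handler ever return.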