Timestamp: 04/06/2015 03:09:21 PM (7 years ago)
Author: ocean90
Message:

Customizer: Refresh nonces when a session expires and the user logs in again.

This was broken since 4.0 and the introduction of user session tokens. The nonces are now tied to session tokens as opposed to user IDs, and thus they change with each re-login.
Custom nonces can be added through the customize_refresh_nonces filter. On a successful refresh request the JavaScript API will trigger a nonce-refresh event. See widget's update nonce as an example.

props westonruter for initial patch.
fixes #31294.

File:
1 edited

  • trunk/src/wp-includes/class-wp-customize-widgets.php

    r32036 r32054  
    9696        add_action( 'customize_controls_print_footer_scripts', array( $this, 'output_widget_control_templates' ) );
    9797        add_action( 'customize_preview_init',                  array( $this, 'customize_preview_init' ) );
     98        add_filter( 'customize_refresh_nonces',                array( $this, 'refresh_nonces' ) );
    9899
    99100        add_action( 'dynamic_sidebar',                         array( $this, 'tally_rendered_widgets' ) );
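
Review bot: the add_filter() call added at new line 98 registers refresh_nonces() unconditionally, and nothing in the visible lines of this file restricts who can trigger it, so the safety of the callback depends entirely on the code that applies customize_refresh_nonces. That code is not part of this file's diff. I would confirm there that the filter is applied only after the refresh request has been authenticated and the user is allowed to use the Customizer, because every callback on this hook hands back a usable nonce.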
     
    890891
    891892    /**
     893     * Refresh nonce for widget updates.
     894     *
     895     * @since 4.2.0
     896     * @access public
     897     *
     898     * @param  array $nonces Array of nonces.
     899     * @return array $nonces Array of nonces.
     900     */
     901    public function refresh_nonces( $nonces ) {
     902        $nonces['update-widget'] = wp_create_nonce( 'update-widget' );
     903        return $nonces;
     904    }
     905
     906    /**
    892907     * When previewing, make sure the proper previewing widgets are used.
    893908     *
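
Review bot: the docblock for refresh_nonces() (new lines 892-900) does not say that this is a callback for the customize_refresh_nonces filter or that it sets the 'update-widget' key, which is what a plugin author copying this pattern needs to know. The tag "@return array $nonces Array of nonces." also carries a variable name that @return does not take; "@return array Array of nonces." would be enough. Since the method is public and calls wp_create_nonce( 'update-widget' ) with no check of its own, a one-line note in the docblock that it expects to run only inside the authenticated refresh request would make that dependency explicit.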