Changeset 37905 for trunk/src/wp-includes/rest-api.php

Timestamp:

06/29/2016 03:00:54 AM (9 years ago)

Author:

rachelbaker

Message:

REST API: Include a refreshed nonce in a X-WP-Nonce header when responding to an authenticated request.

Props adamsilverstein, welcher, markjaquith, aidvu.
Fixes #35662.

File:

• trunk/src/wp-includes/rest-api.php (modified) (3 diffs)

trunk/src/wp-includes/rest-api.php

@@ -549 +549 @@
  * @since 4.4.0
  *
- * @global mixed $wp_rest_auth_cookie
- *
- * @param WP_Error|mixed $result Error from another authentication handler, null if we should handle it,
- *                               or another value if not.
+ * @global mixed          $wp_rest_auth_cookie
+ * @global WP_REST_Server $wp_rest_server      REST server instance.
+ *
+ * @param WP_Error|mixed $result Error from another authentication handler,
+ *                               null if we should handle it, or another value
+ *                               if not.
  * @return WP_Error|mixed|bool WP_Error if the cookie is invalid, the $result, otherwise true.
  */
@@ -560 +562 @@
     }
 
-    global $wp_rest_auth_cookie;
+    global $wp_rest_auth_cookie, $wp_rest_server;
 
     /*
@@ -593 +595 @@
     }
 
+    // Send a refreshed nonce in header.
+    $wp_rest_server->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );
+
     return true;
 }