diff --git src/wp-admin/customize.php src/wp-admin/customize.php
index 51db8b3..2486b75 100644
--- src/wp-admin/customize.php
+++ src/wp-admin/customize.php
@@ -209,7 +209,8 @@ do_action( 'customize_controls_print_scripts' );
$login_url = add_query_arg( array(
'interim-login' => 1,
- 'customize-login' => 1
+ 'customize-login' => 1,
+ 'theme' => $wp_customize->get_stylesheet(),
), wp_login_url() );
// Prepare Customizer settings to pass to JavaScript.
diff --git src/wp-admin/js/customize-controls.js src/wp-admin/js/customize-controls.js
index d4acb7c..58d8cd9 100644
--- src/wp-admin/js/customize-controls.js
+++ src/wp-admin/js/customize-controls.js
@@ -2334,7 +2334,11 @@
messenger.targetWindow( iframe[0].contentWindow );
- messenger.bind( 'login', function() {
+ messenger.bind( 'login', function ( params ) {
+ $.extend( api.settings.nonce, params.nonce );
+ $.extend( previewer.nonce, params.nonce );
+ api.Widgets.data.nonce = params.nonce['update-widget'];
+
iframe.remove();
messenger.destroy();
delete previewer._login;
diff --git src/wp-login.php src/wp-login.php
index 62b182d..621a278 100644
--- src/wp-login.php
+++ src/wp-login.php
@@ -767,8 +767,13 @@ case 'login' :
default:
$secure_cookie = '';
$customize_login = isset( $_REQUEST['customize-login'] );
- if ( $customize_login )
+ $customize_theme = null;
+ if ( $customize_login ) {
wp_enqueue_script( 'customize-base' );
+ if ( ! empty( $_REQUEST['theme'] ) ) {
+ $customize_theme = wp_unslash( $_REQUEST['theme'] );
+ }
+ }
// If the user wants ssl but the session is not ssl, force a secure cookie.
if ( !empty($_POST['log']) && !force_ssl_admin() ) {
@@ -792,7 +797,21 @@ default:
$reauth = empty($_REQUEST['reauth']) ? false : true;
+ $GLOBALS['_wp_login_logged_in_cookie'] = null;
+
+ /**
+ * Workaround to obtain the LOGGED_IN_COOKIE when wp_signon() is called.
+ *
+ * @param string $cookie
+ * @private
+ */
+ function _capture_wp_login_logged_in_cookie( $cookie ) {
+ $GLOBALS['_wp_login_logged_in_cookie'] = $cookie;
+ }
+
+ add_action( 'set_logged_in_cookie', '_capture_wp_login_logged_in_cookie' );
$user = wp_signon( '', $secure_cookie );
+ remove_action( 'set_logged_in_cookie', '_capture_wp_login_logged_in_cookie' );
if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
if ( headers_sent() ) {
@@ -827,7 +846,38 @@ default:
/** This action is documented in wp-login.php */
do_action( 'login_footer' ); ?>
-
+ wp_customize_url(),
+ 'channel' => 'login',
+ );
+ $login_message = array();
+
+ // Update Customizer nonces
+ if ( ! $theme->errors() ) {
+ /*
+ * Set the current user and auth cookie so that wp_create_nonce() will succeed;
+ * wp_signon() calls wp_set_auth_cookie() which deos not set $_COOKIE, and
+ * wp_create_nonce() calls wp_get_session_token() which calls wp_parse_auth_cookie()
+ * which expects the $_COOKIE to be set.
+ */
+ wp_set_current_user( $user->ID );
+ $_COOKIE[ LOGGED_IN_COOKIE ] = $GLOBALS['_wp_login_logged_in_cookie'];
+ $login_message['nonce'] = array(
+ 'save' => wp_create_nonce( 'save-customize_' . $theme->get_stylesheet() ),
+ 'preview' => wp_create_nonce( 'preview-customize_' . $theme->get_stylesheet() ),
+ 'update-widget' => wp_create_nonce( 'update-widget' ),
+ );
+ }
+
+ ?>
+