Opened 3 years ago

Last modified 2 weeks ago

#15394 new defect (bug)

Ancient "Are you sure you want to do this" now confusing

Reported by: ozh
Owned by:
Milestone: Future Release
Priority: normal
Severity: trivial
Version: 3.1
Component: Security
Keywords: ux-feedback 3.2-early needs-patch
Focuses:
Cc:

Description

The default failing nonce message did not pass the wife test. Asking "Are you sure you want to do this?" now that there are no longer "OK" and "Cancel" buttons is confusing and my wife just asked me "How do I tell I'm sure?"

Not sure about the best wording, I took the same approach as Twitter's expired OAuth token links with a message that does not let the user think there is something to confirm.

Attachments (1)

ays-message.diff (759 bytes) - added by ozh 3 years ago.

Change History (13)

comment:1 ozh, 3 years ago

  • Version set to 3.1

comment:2 ocean90, 3 years ago

  • Keywords ux-feedback added; semantics removed

comment:3 nacin, 3 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release

+1.

comment:4 hakre, 3 years ago

+1 to fix, the old message was misleading.

comment:5 azaozz, 3 years ago

The "Link has expired" message is better than "Are you sure" but IMHO still quite vague for the average user. Perhaps it can be "This action has failed" as suggested in http://core.trac.wordpress.org/ticket/8552#comment:3.

Also it doesn't offer an action for the user to continue. As far as I can see nearly all legitimate nonce errors are caused by expired user login. Perhaps we can add a link to [site]/wp-admin (needs to be audited) or even go further and check if the user is logged in when generating the "nonce failed" message and show alternate explanation:

User logged in: "This action has failed. [Back to WordPress admin]"
Login expired: "Your login has expired. Please [log in] again."

comment:6 hakre, 3 years ago

"That Request has expired and is not valid any longer. Please go back and start over."

If a login expires, isn't the user redirected to the login form already? "Reauth"

Related: #14060

comment:7 ramiy, 3 years ago

Related: #18218

comment:8 toscho, 22 months ago

  • Cc info@… added

comment:9 scribu, 19 months ago

  • Keywords needs-patch added; has-patch ays removed

As azaozz said, the wording in the current patch isn't too much of an improvement. It can be shown when submitting a form, for instance.

I don't think we need to provide any link. The Back button should be good enough.

comment:10 c3mdigital, 8 months ago

#21189 was marked as a duplicate.

comment:11 nacin, 3 months ago

  • Component changed from Warnings/Notices to Security

comment:12 ericlewis, 2 weeks ago

It sounds like we have two ways to go here.

We go down the rabbit hole, and attempt to give the user as much detail as we can about the issue. Whether they're logged in, whether the nonce failed, perhaps even what nonce, etc.

We give a blanket "this thing broke" error, and point them in the right direction of where to go from here.
