Theme Customizer should trigger the frontend if logged-in cookie is missing
|Reported by:||nacin||Owned by:||ryan|
A remote-login script is typically used in a domain mapping situation. This allows logins and administration to occur on the non-mapped domain, but for the logged-in cookie to be issued when the frontend is browsed. Both WP.com and the de facto official domain mapping plugin do this.
The customizer implements an is_user_logged_in() check during previews. This happens in two situations:
- When the person's cookies expire.
- When the person never had a front-end cookie.
We already handle point 1 by catching die( '0' ) and sending them to wp-login.php.
In the case of point 2, they will see an unmapped wp-login.php screen, which will allow them to log in over and over again.
To fix point 2, we can check if the person has a front-end cookie when we receive a die( '0' ). To do this, we can check if they have an admin cookie via admin-ajax. If they don't, we know they are just not logged in and need to visit wp-login.php.
If they do, then we know they are just missing a front-end cookie, which means we can hit the front page the front-page with an ajax request, with the hope of triggering a remote-login. If it doesn't work, we can send just them back to the potentially infinite loop that is wp-login.php, in case they have a *mapped* wp-login.php, which can likely happen if you roll your own mapping.
Attached patch implements a simple admin-ajax.php?action=logged-in handler that dies with either 1 or 0.