WordPress.org

Make WordPress Core

Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#20926 closed defect (bug) (fixed)

Theme Customizer should trigger the frontend if logged-in cookie is missing

Reported by: nacin Owned by: ryan
Milestone: 3.4 Priority: normal
Severity: normal Version: 3.4
Component: Appearance Keywords: has-patch needs-testing
Focuses: Cc:

Description

A remote-login script is typically used in a domain mapping situation. This allows logins and administration to occur on the non-mapped domain, but for the logged-in cookie to be issued when the frontend is browsed. Both WP.com and the de facto official domain mapping plugin do this.

The customizer implements an is_user_logged_in() check during previews. This happens in two situations:

  1. When the person's cookies expire.
  2. When the person never had a front-end cookie.

We already handle point 1 by catching die( '0' ) and sending them to wp-login.php.

In the case of point 2, they will see an unmapped wp-login.php screen, which will allow them to log in over and over again.

To fix point 2, we can check if the person has a front-end cookie when we receive a die( '0' ). To do this, we can check if they have an admin cookie via admin-ajax. If they don't, we know they are just not logged in and need to visit wp-login.php.

If they do, then we know they are just missing a front-end cookie, which means we can hit the front page the front-page with an ajax request, with the hope of triggering a remote-login. If it doesn't work, we can send just them back to the potentially infinite loop that is wp-login.php, in case they have a *mapped* wp-login.php, which can likely happen if you roll your own mapping.

Attached patch implements a simple admin-ajax.php?action=logged-in handler that dies with either 1 or 0.

Attachments (2)

logged-in.diff (800 bytes) - added by nacin 22 months ago.
20926.diff (3.6 KB) - added by koopersmith 22 months ago.

Download all attachments as: .zip

Change History (6)

nacin22 months ago

koopersmith22 months ago

comment:1 koopersmith22 months ago

  • Keywords has-patch needs-testing added

Patch enhances the PreviewFrame to check if the user has admin cookies, load the front page, and then attempt the request again. If the request still fails, it will defer to the login form.

comment:2 ryan22 months ago

Looks good.

comment:3 ryan22 months ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [21071]:

Customize: If the preview is not logged in but the admin is, perform a front page request to setup any mapped domain cookies and then retry loading the preview.

Props nacin, koopersmith
fixes #20926

comment:4 ryan22 months ago

  • Milestone changed from Awaiting Review to 3.4
Note: See TracTickets for help on using tickets.