Opened 10 years ago
Closed 10 years ago
#31294 closed defect (bug) (fixed)
Customizer no longer gracefully handles session expiration
Reported by: | westonruter | Owned by: | ocean90 |
---|---|---|---|
Milestone: | 4.2 | Priority: | normal |
Severity: | major | Version: | 4.0 |
Component: | Customize | Keywords: | has-patch commit |
Focuses: | javascript | Cc: |
Description (last modified by )
Reported by ocean90:
In r31370 you've changed
doing_ajax()
to return only true fordefined( 'DOING_AJAX' ) && DOING_AJAX
, and notisset( $_POST['customized'] )
anymore. This breaks the preview if you're logged out because you get a regularwp_die()
with HTML instead of the0
.
https://wordpress.slack.com/archives/core-customize/p1423601418000599
Issue introduced (at least partially) by changes introduced in #30936.
Attachments (5)
Change History (17)
This ticket was mentioned in Slack in #core-customize by westonruter. View the logs.
10 years ago
#2
@
10 years ago
- Keywords has-patch added; needs-patch removed
31294.diff restores the auth behavior from 4.1, but even in 4.1 it is still broken. Steps to reproduce:
- Log-in to Customizer
- Open WP Admin in another tab and log-out
- Go back to Customizer and try navigating around the preview.
- See preview window update with a login prompt.
- After logging-in, the whole Customizer will refresh with a Cheatin' message instead of allowing the user to continue using the Customizer as expected.
- Reloading the whole page then allows the Customizer to be used as expected, but after having lost all of their settings.
This ticket was mentioned in Slack in #core-customize by ocean90. View the logs.
10 years ago
#7
@
10 years ago
- Keywords needs-patch added; has-patch removed
- Version changed from trunk to 4.0
That comment from @ocean90 on Slack:
"Cheatin’ uh?" exists in 4.0 too, so 3.9 is the latest version where it worked.
So I'm moving version back.
#8
@
10 years ago
- Keywords has-patch added; needs-patch removed
- Owner set to ocean90
- Status changed from new to reviewing
In 31294.2.diff, the Customizer login now updates nonces upon successful login.
Prevent cheatin' message after re-authenticating in Customizer. If the user's session expired while in the Customizer, and they were prompted to re-authenticate inside the Preview, before this the Customizer would throw up a cheatin message because the nonce used to get request the preview or to save the settings was tied to the user's previous session which is no longer valid.
As noted by @ocean90, the regression started in 4.0. I see that the regression is due to the introduction of the user session tokens since the nonces are now tied to session tokens as opposed to user IDs, and thus they change with each re-login.
This is a nasty bug because it can result in a user losing their changes, and getting an unhelpful cheatin' message to boot.
This ticket was mentioned in Slack in #core-customize by ocean90. View the logs.
10 years ago
#10
follow-up:
↓ 11
@
10 years ago
@westonruter Instead of hacking wp-login.php I would like to propose to do an AJAX request which fetches refreshed nonces, see 31294.4.diff. This makes it more generic and future-proof (in terms of the heartbeat API). Thoughts?
#11
in reply to:
↑ 10
@
10 years ago
- Focuses javascript added
- Keywords commit added
Replying to ocean90:
@westonruter Instead of hacking wp-login.php I would like to propose to do an AJAX request which fetches refreshed nonces, see 31294.4.diff. This makes it more generic and future-proof (in terms of the heartbeat API). Thoughts?
Nice work! I agree this is a better approach, especially considering the current state of wp_signon
in how it doesn't set the expected $_COOKIE
variables in the current request. It's also unfortunate that an additional Ajax request is then required, but like you said it will be used in a future heartbeat “keep-alive” of the Customizer, so that preview refreshing isn't the only mechanism for keeping nonces up to date (nevermind it doesn't also refresh the update-widget
nonce). I just opened #31897 to implement heartbeat-updating for the nonces for 4.3.
https://github.com/xwp/wordpress-develop/pull/69