Cancelling an admin email address change on Multisite lacks a nonce

[johnbillion]

The change of admin email address on a site in Multisite requires the link in a confirmation email to be clicked before it's activated. The "Cancel" link shown next to the "Email Address" field on the General Settings screen during that process lacks a nonce.

[scottbasgaard]

The change of admin email address on a site in Multisite requires the link in a confirmation email to be clicked before it's activated. The "Cancel" link shown next to the "Email Address" field on the General Settings screen during that process lacks a nonce.

Nice find @johnbillion, gave it a quick go.

[scottbasgaard]

@jeremyfelt thanks! Let me know what you think and if any changes are needed.

[jeremyfelt]

@scottbasgaard Looks good! I made a small change in 36954.2.diff​ so that the nonce is unique based on the site ID. Otherwise the same "cancel" URL would work on multiple sites.

[jeremyfelt]

In 38006:

Multisite: Add a nonce to the "Cancel" URL when changing a site's admin email.

Props scottbasgaard.
Fixes #36954.

[scottbasgaard]

@jeremyfelt doh, nice catch I should have thought of that.

Thanks for the tweaks and happy to have helped.

Great work on 4.6!