Make WordPress Core

Opened 9 years ago

Closed 11 months ago

Last modified 6 months ago

#41387 closed defect (bug) (invalid)

Avoid 403's from AJAX requests from postbox.js

Reported by: bobbingwide
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: has-patch reporter-feedback
Focuses: javascript
Cc:

Description

While making some improvements to a plugin's admin pages I changed the HTML in my meta boxes to be more in line with WordPress core. I then noticed that I was getting 403's from the closed-postboxes AJAX request each time I toggled the display of the postbox.

Since I don't have a requirement for the open/closed state of my postboxes to persist I don't need the AJAX requests. Consequently I don't have a #closedpostboxesnonce.

So, to avoid the 403's I changed postbox.js to not perform the AJAX request if the nonce isn't set.


Attachments (1)

41387.patch (819 bytes) - added by bobbingwide 9 years ago.
Don't post the AJAX request if there isn't a nonce


Change History (8)

@bobbingwide
9 years ago

Don't post the AJAX request if there isn't a nonce

#1 @bobbingwide
9 years ago

  • Keywords has-patch added

#2 @ocean90
9 years ago

  • Focuses javascript added
  • Keywords reporter-feedback added
  • Version 4.9 deleted

Why is your admin page enqueuing postbox.js? Just for the opening/closing functionality? If you want to be in line with other core meta boxes I'd expect that the state is saved as well.

#3 @bobbingwide
8 years ago

Yes. I’m using postbox.js to be consistent with core.
But as stated, I don’t feel I have a requirement to support saving the state.
Therefore there is no need for the extra admin logic and the associated nonce.

You can change this to an enhancement if you like.

#4 @adamsilverstein
8 years ago

@bobbingwide Your use case seems out of scope for using the postbox.js script. E.g., it wasn't designed for this. Instead of changing core to fit your use, I'd suggest you overwrite the postbox script functionality after it loads to get it to more closely match what you want it to do.

Since postboxes is exposed as a global, you can overwrite the save functionality. Something like this should work; make sure it runs immediately after postbox.js loads, and ideally prevent interaction with the toggles until your code runs:

postboxes.save_order = function() {};

Can you give that a try and see if it resolves your issue?

Last edited 8 years ago by adamsilverstein

#5 @mindctrl
11 months ago

  • Resolution set to invalid
  • Status changed from new to closed

Hi @bobbingwide, since this isn't what the script was designed for, and because there hasn't been any activity on this in over 8 years, I'm going to close it to help clean up Trac.

Feel free to reopen if you disagree and the suggested fixes don't work for you.

#6 @peterwilsoncc
11 months ago

  • Milestone Awaiting Review deleted

#7 @bobbingwide
6 months ago

@adamsilverstein Hi Adam. Better late than never? I'm in the process of revisiting this as I've recently started to make accessibility improvements to my code. I came across a Color Contrast issue with the screen reader text for Toggle panel. Believing that the core postbox code didn't suffer from this problem I started to change my code to more closely match core's output. After I'd changed it to more closely emulate the postbox logic I once again noticed the 403's.
I have now seen your suggestion to override the postboxes JavaScript.
It seems I need to override both save_order() and save_state().

PS. It appears that core suffers from the Color Contrast problem as well.
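
An added example, not code from this ticket or from WordPress core: a guard that wraps both save methods named in comment #7 so the AJAX request is skipped only when the page has not rendered the matching nonce field, leaving the server-side nonce check untouched. The names guardPostboxSaves and hasField are hypothetical, and the field id meta-box-order-nonce for save_order() is an assumption taken from core's postbox.js rather than from this page.

```javascript
// Added example: skip postbox.js persistence calls on admin pages that do
// not render the nonce fields, so toggling or dragging a box sends no
// request for the server to reject with a 403.
// Assumption: save_state() sends the value of #closedpostboxesnonce and
// save_order() sends the value of #meta-box-order-nonce.
const NONCE_FIELD_FOR = {
  save_state: 'closedpostboxesnonce',
  save_order: 'meta-box-order-nonce',
};

// postboxes: the global object exposed by postbox.js.
// hasField:  optional lookup (id -> boolean); injectable so the guard can
//            be exercised outside a browser.
function guardPostboxSaves(postboxes, hasField) {
  const fieldExists =
    hasField || ((id) => document.getElementById(id) !== null);
  const guarded = [];

  for (const [method, fieldId] of Object.entries(NONCE_FIELD_FOR)) {
    const original = postboxes[method];
    if (typeof original !== 'function') continue;

    postboxes[method] = function (...args) {
      // Checked at call time: pages that do print the nonce field keep
      // the normal persistence behaviour and the normal nonce check.
      if (!fieldExists(fieldId)) return undefined;
      return original.apply(this, args);
    };
    guarded.push(method);
  }
  return guarded;
}

// Browser usage: run once, immediately after postbox.js has loaded.
if (typeof window !== 'undefined' && window.postboxes) {
  guardPostboxSaves(window.postboxes);
}
```

Unlike replacing the methods with empty functions, the wrapper never suppresses a save on a screen that does supply a nonce.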
