Opened 7 years ago
Last modified 3 years ago
#41387 new defect (bug)
Avoid 403's from AJAX requests from postbox.js
Reported by: | bobbingwide | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Administration | Keywords: | has-patch reporter-feedback |
Focuses: | javascript | Cc: |
Description
While making some improvements to a plugin's admin pages I changed the HTML in my meta boxes to be more in line with WordPress core. I then noticed that I was getting 403's from the closed-postboxes AJAX request each time I toggled the display of the postbox.
Since I don't have a requirement for the open/closed state of my postboxes to persist I don't need the AJAX requests. Consequently I don't have a #closedpostboxesnonce.
So, to avoid the 403's I changed postbox.js to not perform the AJAX request if the nonce isn't set.
Attachments (1)
Change History (5)
#2
@
7 years ago
- Focuses javascript added
- Keywords reporter-feedback added
- Version 4.9 deleted
Why is your admin page enqueuing postbox.js? Just for the opening/closing functionality? If you want to be in line with other core meta boxes I'd expect that the state is saved as well.
#3
@
7 years ago
Yes. I’m using postbox.js to be consistent with core.
But as stated, I don’t feel I have a requirement to support saving the state.
Therefore there is no need for the extra admin logic and the associated nonce.
You can change this to an enhancement if you like.
#4
@
7 years ago
@bobbingwide Your use case seems out of scope for using the postbox.js script. E.g., it wasn't designed for this. Instead of changing core to fit your use, I'd suggest you overwrite the postbox script functionality after it loads to get it to more closely match what you want it to do.
Since postboxes is exposed as a global, you can overwrite the save functionality. Something like this should work; make sure it runs immediately after postbox.js loads, and ideally prevent interaction with the toggles until your code runs:
postboxes.save_order = function() {};
Can you give that a try and see if it resolves your issue?
Don't post the AJAX request if there isn't a nonce
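A plugin-side version of the idea discussed in this ticket, as an added example (not the attached patch and not core code): instead of replacing the save functions outright, it wraps them so a request is sent only when the matching nonce field is on the page. The `save_state` method name and the `meta-box-order-nonce` field id are assumptions about core's postbox.js, and the stub objects in `demo()` are constructed.

```javascript
// Added example: skip postbox.js persistence calls when their nonce field is
// absent. save_order is named in the ticket; save_state and the
// meta-box-order-nonce id are assumptions about core's postbox.js.
const PERSISTENCE_GUARDS = {
  save_state: 'closedpostboxesnonce', // closed-postboxes request
  save_order: 'meta-box-order-nonce', // meta box order request
};

// Wrap each method so it runs only when its nonce field exists and is
// non-empty. Returns the names of the methods wrapped by this call.
function guardPostboxPersistence(postboxes, doc) {
  const wrapped = [];
  for (const [method, nonceId] of Object.entries(PERSISTENCE_GUARDS)) {
    const original = postboxes[method];
    if (typeof original !== 'function' || original.nonceGuarded) continue;
    const guarded = function (...args) {
      const field = doc.getElementById(nonceId);
      if (!field || !field.value) return false; // no nonce: send nothing
      return original.apply(this, args);
    };
    guarded.nonceGuarded = true; // makes a second call a no-op
    postboxes[method] = guarded;
    wrapped.push(method);
  }
  return wrapped;
}

// Constructed stand-ins for window.postboxes and document: a page that
// prints only the meta-box-order nonce field.
function demo() {
  const sent = [];
  const fakePostboxes = {
    save_state(page) { sent.push('closed-postboxes:' + page); return true; },
    save_order(page) { sent.push('meta-box-order:' + page); return true; },
  };
  const fields = { 'meta-box-order-nonce': { value: 'constructed-nonce' } };
  const fakeDoc = { getElementById: (id) => fields[id] || null };
  const wrapped = guardPostboxPersistence(fakePostboxes, fakeDoc);
  const stateResult = fakePostboxes.save_state('my-plugin-page');
  const orderResult = fakePostboxes.save_order('my-plugin-page');
  const rewrapped = guardPostboxPersistence(fakePostboxes, fakeDoc);
  return { wrapped, rewrapped, stateResult, orderResult, sent };
}

// In wp-admin, run this right after postbox.js has loaded.
if (typeof window !== 'undefined' && window.postboxes) {
  guardPostboxPersistence(window.postboxes, document);
}
```

The server-side nonce check is untouched: pages that do print the nonce fields keep saving state as before, and pages that omit them simply stop producing requests that would be rejected.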