WordPress.org

Make WordPress Core

Opened 10 months ago

Last modified 6 months ago

#41387 new defect (bug)

Avoid 403's from AJAX requests from postbox.js

Reported by: bobbingwide Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch reporter-feedback
Focuses: javascript Cc:

Description

While making some improvements to a plugin's admin pages I changed the HTML in my meta boxes to be more inline with WordPress core. I then noticed that I was getting 403's from the closed-postboxes AJAX request each time I toggled the display of the postbox.

Since I don't have a requirement for the open/closed state of my postboxes to persist I don't need the AJAX requests. Consequently I don't have a #closedpostboxesnonce.

So, to avoid the 403's I changed postbox.js to not perform the AJAX request if the nonce isn't set.

Attachments (1)

41387.patch (819 bytes) - added by bobbingwide 10 months ago.
Don't post the AJAX request if there isn't a nonce

Download all attachments as: .zip

Change History (5)

@bobbingwide
10 months ago

Don't post the AJAX request if there isn't a nonce

#1 @bobbingwide
10 months ago

  • Keywords has-patch added

#2 @ocean90
7 months ago

  • Focuses javascript added
  • Keywords reporter-feedback added
  • Version 4.9 deleted

Why is your admin page enqueuing postbox.js? Just for the opening/closing functionality? If you want to be inline with other core meta boxes I'd expect that the state is saved as well.

#3 @bobbingwide
6 months ago

Yes. I’m using postbox.js to be consistent with core. But as stated, I don’t feel I have a requirement to support saving the state. Therefore there is no need for the extra admin logic and the associated nonce. You can change this to an enhancement if you like.

#4 @adamsilverstein
6 months ago

@bobbingwide Your use case seems out of scope for using the postbox.js script. Eg, it wasn't designed for this. Instead of changing core to fit your use, I'd suggest you overwrite the postbox script functionality after it loads to get it to more closely match what you want it to do.

Since postboxes is exposed as a global, you can overwrite the save functionality. Something like this should work, make sure it runs immediately after postbox.js loads, and ideally prevent interaction with the toggles until your code runs:

postboxes.save_order = function() {};

Can you give that a try and see if it resolves your issue?

Last edited 6 months ago by adamsilverstein (previous) (diff)
Note: See TracTickets for help on using tickets.