Generic POST handler

[ryan]

Provide admin-post.php as a handler for POST requests made by plugins. admin-post.php handles setup and auth. Plugins pass an "action" argument via POST or GET and admin-post.php issues an "admin_post_$action" action. Functions registered by the plugin for that action will be kicked off. This will obviate the need for plugins to provide their own file for POST handling that has to search for the location of wp-config.php/wp-load.php.

[ryan]

Alternative is to just issue the action from admin.php. There's stuff in admin.php we don't really need in a pure POST handler, but we don't necessarily need to provide a pure POST handler. Using admin.php provides some menu, CSS, and JS setup needed if a plugin wants to display a form or other UI in their handler.

[technosailor]

+1.

Not to mention a huge boon for security as we can now handle *all* POST data and sanitize as appropriate before it hits to the *silly plugin authors* function that doesn't pay attention. :)

[technosailor]

Of course, the file would have to be filled out more with means to do so. Right now, you're just adding the hooks and that wouldn't be enough, imho.

[ryan]

Alternative that Issues action from admin.php

[ryan]

Both

[ryan]

Why pick one when you can do both. admin-post.php for pure POST handling. admin_action_$action in admin.php in case your hook needs some of the setup done there.

[ryan]

No need to die '0'

[ryan]

(In [8315]) Generic POST handler. see #7283

[ryan]

There's a start. We can consider other checks to put in. Maybe something to make sure there's a nonce being passed. That will likely need to wait for 2.7 though. Right now we just need something to help plugin authors deal with WP_CONTENT_DIR relocating the plugins dir.

[DD32]

Maybe something to make sure there's a nonce being passed.

Well.. If you want a nonce on it, Better get it in for 2.6 before plugin authors change over to using it IMO.

A simple nonce based on "admin_post_$action" would be enough i'd have thought.

That way In the instructions on how to mention it, It can simply be mentioned that something like this neeeds to be included:

<input type="hidden" name="action" value="plugin-action" />
<?php wp_nonce_field('admin_post_plugin-action') ?>

It'll mean that any plugin authors not allready using nonces will get a bump in that direction & the rest who do use them will be allright.

[DD32]

Should this have been marked fixed in 2.6?

[DD32]

Resolving as fixed in 2.6, If a nonce check is wanted, I guess a new ticket should be made.