Opened 7 years ago

Closed 6 years ago

#7283 closed enhancement (fixed)

Generic POST handler

Reported by: ryan
Owned by:
Milestone: 2.6
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

Provide admin-post.php as a handler for POST requests made by plugins. admin-post.php handles setup and auth. Plugins pass an "action" argument via POST or GET and admin-post.php issues an "admin_post_$action" action. Functions registered by the plugin for that action will be kicked off. This will obviate the need for plugins to provide their own file for POST handling that has to search for the location of wp-config.php/wp-load.php.

Attachments (4)

admin-post.php (394 bytes) - added by ryan 7 years ago.
admin_post_action.diff (318 bytes) - added by ryan 7 years ago.
Alternative that issues action from admin.php
admin_post_action.2.diff (1.1 KB) - added by ryan 7 years ago.
Both
admin_post_action.3.diff (1.1 KB) - added by ryan 7 years ago.
No need to die '0'


Change History (15)

@ryan 7 years ago

comment:1 @ryan 7 years ago

  • Milestone changed from 2.7 to 2.6

comment:2 @ryan 7 years ago

  • Summary changed from admin-post.php POST handler to Generic POST handler

comment:3 @ryan 7 years ago

Alternative is to just issue the action from admin.php. There's stuff in admin.php we don't really need in a pure POST handler, but we don't necessarily need to provide a pure POST handler. Using admin.php provides some menu, CSS, and JS setup needed if a plugin wants to display a form or other UI in their handler.

comment:4 @technosailor 7 years ago

+1.

Not to mention a huge boon for security as we can now handle *all* POST data and sanitize as appropriate before it hits the *silly plugin author's* function that doesn't pay attention. :)

comment:5 @technosailor 7 years ago

Of course, the file would have to be filled out more with means to do so. Right now, you're just adding the hooks and that wouldn't be enough, imho.

@ryan 7 years ago

Alternative that issues action from admin.php

@ryan 7 years ago

Both

comment:6 @ryan 7 years ago

Why pick one when you can do both? admin-post.php for pure POST handling. admin_action_$action in admin.php in case your hook needs some of the setup done there.

@ryan 7 years ago

No need to die '0'

comment:7 @ryan 7 years ago

(In [8315]) Generic POST handler. see #7283

comment:8 @ryan 7 years ago

There's a start. We can consider other checks to put in. Maybe something to make sure there's a nonce being passed. That will likely need to wait for 2.7 though. Right now we just need something to help plugin authors deal with WP_CONTENT_DIR relocating the plugins dir.

comment:9 @DD32 7 years ago

> Maybe something to make sure there's a nonce being passed.

Well... if you want a nonce on it, better get it in for 2.6 before plugin authors change over to using it, IMO.

A simple nonce based on "admin_post_$action" would be enough, I'd have thought.

That way, in the instructions on how to mention it, it can simply be mentioned that something like this needs to be included:

<input type="hidden" name="action" value="plugin-action" />
<?php wp_nonce_field('admin_post_plugin-action') ?>

It'll mean that any plugin authors not already using nonces will get a bump in that direction, and the rest who do use them will be all right.
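
The pattern discussed in this ticket, as an added example that is not part of the ticket or of WordPress core: a plugin posts a form to admin-post.php and, because the ticket was closed without a built-in nonce check, the handler verifies the nonce proposed in comment:9 itself. It assumes a current WordPress install; the action name myplugin_save, the myplugin_label option and the myplugin page slug are hypothetical.

```php
<?php
/**
 * Plugin Name: Example admin-post handler (hypothetical, added example)
 */

// Hypothetical action name; admin-post.php turns it into "admin_post_myplugin_save".
const MYPLUGIN_ACTION = 'myplugin_save';

// Call this from the plugin's settings page to render the form.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( MYPLUGIN_ACTION ); ?>" />
        <?php wp_nonce_field( 'admin_post_' . MYPLUGIN_ACTION ); ?>
        <input type="text" name="label" />
        <input type="submit" value="Save" />
    </form>
    <?php
}

// admin-post.php issues "admin_post_$action"; register the handler for it.
add_action( 'admin_post_' . MYPLUGIN_ACTION, 'myplugin_handle_post' );

function myplugin_handle_post() {
    // The hook firing only means the request reached admin-post.php.
    // Nonce verification is the handler's job: check_admin_referer()
    // stops the request if _wpnonce is missing or does not match.
    check_admin_referer( 'admin_post_' . MYPLUGIN_ACTION );

    // A valid nonce does not imply permission; check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
    }

    // Sanitize input here; admin-post.php passes the request data through untouched.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'myplugin_label', $label ); // hypothetical option name

    // Redirect back to the (hypothetical) settings page so a reload does not re-submit.
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
```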

comment:10 @DD32 6 years ago

Should this have been marked fixed in 2.6?

comment:11 @DD32 6 years ago

  • Milestone changed from 2.9 to 2.6
  • Resolution set to fixed
  • Status changed from new to closed
  • Type changed from defect to enhancement

Resolving as fixed in 2.6. If a nonce check is wanted, I guess a new ticket should be made.