Fixes published-post autosave-previews in calypso (#6530)

* Fixes published-post autosave-previews in calypso The wpcom endpoint cannot predict whether the user is logged in or not on the remote site. So it cannot pass the appropriate nonce that gets verified in `/wp-includes/revision.php`. This patch detects the frame-nonce parameter for a caypso preview falls back to the existing frame-nonce validation when it exists. * fixes spacing and adds textdomain for translation
Automattic · Feb 28, 2017 · facdba6 · facdba6
1 parent fee5812
commit facdba6
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/class.frame-nonce-preview.php b/class.frame-nonce-preview.php
@@ -25,6 +25,12 @@ function __construct() {
 		if ( isset( $_GET['frame-nonce'] ) && ! is_admin() ) {
 			add_filter( 'pre_get_posts', array( $this, 'maybe_display_post' ) );
 		}
+
+		// autosave previews are validated differently
+		if ( isset( $_GET[ 'frame-nonce' ] ) && isset( $_GET[ 'preview_id' ] ) && isset( $_GET[ 'preview_nonce' ] ) ) {
+			remove_action( 'init', '_show_post_preview' );
+			add_action( 'init', array( $this, 'handle_autosave_nonce_validation' ) );
+		}
 	}
 
 	/**
@@ -95,6 +101,19 @@ public function set_post_to_publish( $posts ) {
 
 		return $posts;
 	}
+
+	/**
+	 * Handle validation for autosave preview request
+	 *
+	 * @since 4.7.0
+	 *
+	 */
+	public function handle_autosave_nonce_validation() {
+		if ( ! $this->is_frame_nonce_valid() ) {
+			wp_die( __( 'Sorry, you are not allowed to preview drafts.', 'jetpack' ) );
+		}
+		add_filter( 'the_preview', '_set_preview' );
+	}
 }
 
 Jetpack_Frame_Nonce_Preview::get_instance();