diff --git a/assets/js/network-activate.js b/assets/js/network-activate.js
index 433f7f7b..264314ce 100644
--- a/assets/js/network-activate.js
+++ b/assets/js/network-activate.js
@@ -17,7 +17,7 @@ jQuery(function($) {
 var $btn = $(this);
 var $wrapper = $btn.closest('div');
- var nonce = $btn.data('nonce');
+ var nonce = $btn.data('ajax-nonce');
 var $spinner = $wrapper.find('.wu-network-activate-spinner');
 var $message = $wrapper.find('.wu-network-activate-message');
 var $fallback = $wrapper.find('.wu-network-activate-fallback');
@@ -30,7 +30,7 @@ jQuery(function($) {
 ajaxurl,
 {
 action: 'wu_setup_network_activate',
- nonce: nonce,
+ _ajax_nonce: nonce,
 },
 function(response) {
diff --git a/inc/admin-pages/class-setup-wizard-admin-page.php b/inc/admin-pages/class-setup-wizard-admin-page.php
index 6fa53152..269a1880 100644
--- a/inc/admin-pages/class-setup-wizard-admin-page.php
+++ b/inc/admin-pages/class-setup-wizard-admin-page.php
@@ -164,14 +164,18 @@ public function __construct() {
 */
 public function ajax_network_activate(): void {
- check_ajax_referer('wu_setup_network_activate', 'nonce');
-
 if ( ! current_user_can('manage_network')) {
 wp_send_json_error(new \WP_Error('not-allowed', __('Permission denied.', 'ultimate-multisite')));
 exit;
 }
+ if ( ! check_ajax_referer('wu_setup_network_activate', false, false)) {
+ wp_send_json_error(new \WP_Error('bad-nonce', __('Security check failed. Please reload the page and try again.', 'ultimate-multisite')));
+
+ exit;
+ }
+
 try {
 Multisite_Network_Installer::get_instance()->_install_network_activate();
 } catch (\Throwable $e) {
diff --git a/tests/WP_Ultimo/Admin_Pages/Setup_Wizard_Admin_Page_Test.php b/tests/WP_Ultimo/Admin_Pages/Setup_Wizard_Admin_Page_Test.php
index dc41732c..095468c7 100644
--- a/tests/WP_Ultimo/Admin_Pages/Setup_Wizard_Admin_Page_Test.php
+++ b/tests/WP_Ultimo/Admin_Pages/Setup_Wizard_Admin_Page_Test.php
@@ -453,12 +453,12 @@ public function test_constructor_registers_network_activate_ajax_action(): void
 }
 // -------------------------------------------------------------------------
- // ajax_network_activate() — permission guard
+ // ajax_network_activate() — permission guard (checked before nonce)
 // -------------------------------------------------------------------------
 public function test_ajax_network_activate_sends_json_error_without_permission(): void {
- // Provide a valid nonce so the nonce check passes, isolating the permission check.
- $_REQUEST['nonce'] = wp_create_nonce('wu_setup_network_activate');
+ // Capability check fires before nonce check, so no nonce needed to
+ // isolate this path — an unauthenticated user is rejected immediately.
 wp_set_current_user(0);
 $this->expectException(\WPAjaxDieStopException::class);
 $this->page->ajax_network_activate();
diff --git a/views/wizards/setup/requirements_table.php b/views/wizards/setup/requirements_table.php
index 8faf2eeb..6d98defe 100644
--- a/views/wizards/setup/requirements_table.php
+++ b/views/wizards/setup/requirements_table.php
@@ -77,7 +77,7 @@
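Review bot: The value read on the added `var nonce = $btn.data('ajax-nonce');` line is `undefined` whenever the button markup does not carry a `data-ajax-nonce` attribute, and jQuery then serializes it as an empty `_ajax_nonce=` in the POST, so the server replies with the generic "Security check failed. Please reload" message and the real cause — a template still emitting the old `data-nonce` — is invisible to the user and hard to debug. The hunk that should rename the attribute in `views/wizards/setup/requirements_table.php` is cut off at the end of this diff, so I cannot confirm the two names stay in sync. A cheap guard before the request makes the mismatch explicit: `if (!nonce) { $message.text('Missing security token; reload the page.'); return; }` (adjust to however `$message` is revealed further down in the handler). The click handler this belongs to starts before the hunk and ends after it.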
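Review bot: The new `check_ajax_referer('wu_setup_network_activate', false, false)` line changes which request key carries the token — with no query argument WordPress reads `_ajax_nonce` (falling back to `_wpnonce`) instead of the old `nonce` — so any client still posting `nonce=`, notably a browser holding a cached copy of the pre-change `network-activate.js`, lands in the `bad-nonce` branch and is told to reload, which only helps if the script is enqueued with a bumped version string; the enqueue call is not in this diff, so that is worth confirming. If a one-release grace period is wanted, accept both keys explicitly, `$nonce = $_REQUEST['_ajax_nonce'] ?? $_REQUEST['nonce'] ?? '';` and `if ( ! wp_verify_nonce($nonce, 'wu_setup_network_activate')) {`, rather than relying on the implicit fallback order. The `exit;` after `wp_send_json_error()` in the new branch mirrors the branch above and is unreachable in practice because `wp_send_json_error()` terminates the request itself; harmless, but the blank line inserted before it is absent in the sibling branch. The method continues past the end of the hunk.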
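Review bot: Once the nonce is dropped from `$_REQUEST`, `test_ajax_network_activate_sends_json_error_without_permission` can no longer tell which guard fired: an anonymous user with no nonce is rejected by the capability check, but would be rejected by the nonce check just the same, so expecting `WPAjaxDieStopException` alone does not prove the "checked before nonce" ordering the new section heading advertises. If this class extends `WP_Ajax_UnitTestCase` (it already relies on `WPAjaxDieStopException`, which that base throws from `wp_die()`), the JSON body is captured in `$this->_last_response`, so replacing the `expectException` line with `try { $this->page->ajax_network_activate(); } catch (\WPAjaxDieStopException $e) {}` followed by `$this->assertStringContainsString('not-allowed', $this->_last_response);` pins the order. A companion case — a `manage_network` user with no nonce expecting `bad-nonce` — is not in this hunk and is what would actually exercise the new branch. The test method's closing brace lies outside the hunk.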