Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Refresh nonces in the customizer. props koopersmith. see #20876 for 3.4.

git-svn-id: http://core.svn.wordpress.org/branches/3.4@21136 1a063a9b-81f0-0310-95a4-ce76da25c4cd
  • Loading branch information...
commit edd1b41c662b7feda772c0c95bcf71b9888a24f4 1 parent 52a69fa
nacin authored
View
7 wp-admin/customize.php
@@ -7,6 +7,8 @@
* @since 3.4.0
*/
+define( 'IFRAME_REQUEST', true );
+
require_once( './admin.php' );
if ( ! current_user_can( 'edit_theme_options' ) )
wp_die( __( 'Cheatin’ uh?' ) );
@@ -65,7 +67,6 @@
<body class="<?php echo esc_attr( $body_class ); ?>">
<div class="wp-full-overlay expanded">
<form id="customize-controls" class="wrap wp-full-overlay-sidebar">
- <?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
<div id="customize-header-actions" class="wp-full-overlay-header">
<?php
$save_text = $wp_customize->is_theme_active() ? __( 'Save &amp; Publish' ) : __( 'Save &amp; Activate' );
@@ -175,6 +176,10 @@
),
'settings' => array(),
'controls' => array(),
+ 'nonce' => array(
+ 'save' => wp_create_nonce( 'save-customize_' . $wp_customize->get_stylesheet() ),
+ 'preview' => wp_create_nonce( 'preview-customize_' . $wp_customize->get_stylesheet() )
+ ),
);
foreach ( $wp_customize->settings() as $id => $setting ) {
View
33 wp-admin/js/customize-controls.dev.js
@@ -294,7 +294,8 @@
// This is the promise object.
deferred.promise( this );
- this.previewer = params.previewer;
+ this.container = params.container;
+ this.signature = params.signature;
$.extend( params, { channel: api.PreviewFrame.uuid() });
@@ -338,7 +339,7 @@
this.request.done( function( response ) {
var location = self.request.getResponseHeader('Location'),
- signature = 'WP_CUSTOMIZER_SIGNATURE',
+ signature = self.signature,
index;
// Check if the location response header differs from the current URL.
@@ -371,7 +372,7 @@
response = response.slice( 0, index ) + response.slice( index + signature.length );
// Create the iframe and inject the html content.
- self.iframe = $('<iframe />').appendTo( self.previewer.container );
+ self.iframe = $('<iframe />').appendTo( self.container );
// Bind load event after the iframe has been added to the page;
// otherwise it will fire when injected into the DOM.
@@ -416,7 +417,7 @@
reject();
iframe = $('<iframe src="' + self.previewUrl() + '" />').hide();
- iframe.appendTo( self.previewer.container );
+ iframe.appendTo( self.container );
iframe.load( function() {
self.triedLogin = true;
@@ -497,6 +498,7 @@
this.container = api.ensure( params.container );
this.allowedUrls = params.allowedUrls;
+ this.signature = params.signature;
params.url = window.location.href;
@@ -570,7 +572,8 @@
url: this.url(),
previewUrl: this.previewUrl(),
query: this.query() || {},
- previewer: this
+ container: this.container,
+ signature: this.signature
});
this.loading.done( function() {
@@ -583,6 +586,8 @@
self.targetWindow( this.targetWindow() );
self.channel( this.channel() );
+
+ self.send( 'active' );
});
this.send( 'sync', {
@@ -683,23 +688,26 @@
container: '#customize-preview',
form: '#customize-controls',
previewUrl: api.settings.url.preview,
- allowedUrls: api.settings.url.allowed
+ allowedUrls: api.settings.url.allowed,
+ signature: 'WP_CUSTOMIZER_SIGNATURE'
}, {
+
+ nonce: api.settings.nonce,
+
query: function() {
return {
wp_customize: 'on',
theme: api.settings.theme.stylesheet,
- customized: JSON.stringify( api.get() )
+ customized: JSON.stringify( api.get() ),
+ nonce: this.nonce.preview
};
},
- nonce: $('#_wpnonce').val(),
-
save: function() {
var self = this,
query = $.extend( this.query(), {
action: 'customize_save',
- nonce: this.nonce
+ nonce: this.nonce.save
}),
request = $.post( api.settings.url.ajax, query );
@@ -733,6 +741,11 @@
}
});
+ // Refresh the nonces if the preview sends updated nonces over.
+ previewer.bind( 'nonce', function( nonce ) {
+ $.extend( this.nonce, nonce );
+ });
+
$.each( api.settings.settings, function( id, data ) {
api.create( id, id, data.value, {
transport: data.transport,
View
13 wp-includes/class-wp-customize-manager.php
@@ -17,6 +17,8 @@
protected $sections = array();
protected $controls = array();
+ protected $nonce_tick;
+
protected $customized;
private $_post_values;
@@ -308,6 +310,8 @@ public function post_value( $setting ) {
* @since 3.4.0
*/
public function customize_preview_init() {
+ $this->nonce_tick = check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce' );
+
$this->prepare_controls();
wp_enqueue_script( 'customize-preview' );
@@ -362,6 +366,13 @@ public function customize_preview_settings() {
'channel' => esc_js( $_POST['customize_messenger_channel'] ),
);
+ if ( 2 == $this->nonce_tick ) {
+ $settings['nonce'] = array(
+ 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
+ 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() )
+ );
+ }
+
foreach ( $this->settings as $id => $setting ) {
$settings['values'][ $id ] = $setting->js_value();
}
@@ -468,7 +479,7 @@ public function save() {
if ( ! $this->is_preview() )
die;
- check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
+ check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce' );
// Do we have to switch themes?
if ( ! $this->is_theme_active() ) {
View
7 wp-includes/js/customize-preview.dev.js
@@ -88,7 +88,12 @@
preview.trigger( event, args );
});
preview.send( 'synced' );
- })
+ });
+
+ preview.bind( 'active', function() {
+ if ( api.settings.nonce )
+ preview.send( 'nonce', api.settings.nonce );
+ });
preview.send( 'ready' );
View
32 wp-login.php
@@ -39,7 +39,7 @@
* @param WP_Error $wp_error Optional. WordPress Error Object
*/
function login_header($title = 'Log In', $message = '', $wp_error = '') {
- global $error, $interim_login, $current_site, $customize_login;
+ global $error, $interim_login, $current_site;
// Don't index any of these forms
add_action( 'login_head', 'wp_no_robots' );
@@ -68,9 +68,6 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
<meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /><?php
}
- if ( $customize_login )
- wp_enqueue_script( 'customize-base' );
-
do_action( 'login_enqueue_scripts' );
do_action( 'login_head' );
@@ -568,6 +565,8 @@ function register_new_user( $user_login, $user_email ) {
$secure_cookie = '';
$interim_login = isset($_REQUEST['interim-login']);
$customize_login = isset( $_REQUEST['customize-login'] );
+ if ( $customize_login )
+ wp_enqueue_script( 'customize-base' );
// If the user wants ssl but the session is not ssl, force a secure cookie.
if ( !empty($_POST['log']) && !force_ssl_admin() ) {
@@ -604,21 +603,18 @@ function register_new_user( $user_login, $user_email ) {
if ( !is_wp_error($user) && !$reauth ) {
if ( $interim_login ) {
$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
- login_header( '', $message );
-
- if ( ! $customize_login ) : ?>
- <script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
- <p class="alignright">
- <input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
-<?php endif;
-
- ?></div><?php
-
- do_action('login_footer');
-
- if ( $customize_login ) : ?>
+ login_header( '', $message ); ?>
+
+ <?php if ( ! $customize_login ) : ?>
+ <script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
+ <p class="alignright">
+ <input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
+ <?php endif; ?>
+ </div>
+ <?php do_action( 'login_footer' ); ?>
+ <?php if ( $customize_login ) : ?>
<script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
-<?php endif; ?>
+ <?php endif; ?>
</body></html>
<?php exit;
}
Please sign in to comment.
Something went wrong with that request. Please try again.