add nonce in all wp ajax calls

magic-fields-team · Aug 3, 2016 · b8788a1 · b8788a1
1 parent 381326c
commit b8788a1
Show file tree

Hide file tree

Showing 8 changed files with 253 additions and 126 deletions.
diff --git a/admin/mf_ajax_call.php b/admin/mf_ajax_call.php
@@ -10,6 +10,14 @@ public function __construct(){
   }
 
   public function resolve($data){
+
+    if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) {
+      mf_ajax_call::remove_upload_file();
+      $resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) );
+      echo json_encode($resp);
+      die;
+    }
+
     $type = $data['type'];
     if(method_exists($this, $type)){
       $this->$type($data);
@@ -24,10 +32,14 @@ public function mf_sort_field($data){
       array_walk( $order, create_function( '&$v,$k', '$v =  str_replace("order_","",$v);' ));
 
       if( $thing =  mf_custom_fields::save_order_field( $data['group_id'], $order ) ) {
-        print "1";
+        $resp = array('success' => true);
+        echo json_encode($resp);
         die;
       }
-      print "0"; //error!
+
+      $resp = array('success' => false, 'msg' => __('Ups, something went wrong',$mf_domain) );
+      echo json_encode($resp);
+      die;
     }
   }
 
@@ -39,9 +51,9 @@ public function check_name_post_type($data){
     $check = mf_posttype::check_post_type($type,$id);
     if($check){
       // exist type(name) in the system
-      $resp = array('success' => 0, 'msg' => __('The Type(name) of Post type exist,Please choose a different type(name).',$mf_domain) );
+      $resp = array('success' => false, 'msg' => __('The Type(name) of Post type exist,Please choose a different type(name).',$mf_domain) );
     }else{
-      $resp = array('success' => 1);
+      $resp = array('success' => true);
     }
     echo json_encode($resp);
   }
@@ -52,11 +64,11 @@ public function check_name_custom_group($data){
     $name = $data['group_name'];
     $post_type = $data['post_type'];
     $id = $data['group_id'];
-    $resp = array('success' => 1);
+    $resp = array('success' => true);
 
     $check = mf_custom_group::check_group($name,$post_type,$id);
     if($check){
-      $resp = array('success' => 0, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) );
+      $resp = array('success' => false, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) );
     }
 
     echo json_encode($resp);
@@ -68,11 +80,11 @@ public function check_name_custom_field($data){
     $name = $data['field_name'];
     $post_type = $data['post_type'];
     $id = $data['field_id'];
-    $resp = array('success' => 1);
+    $resp = array('success' => true);
 
     $check = mf_custom_fields::check_group($name,$post_type,$id);
     if($check){
-      $resp = array('success' => 0, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) );
+      $resp = array('success' => false, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) );
     }
     echo json_encode($resp);
   }
@@ -151,10 +163,8 @@ public function set_default_categories($data){
       );
 		}
 		$wpdb->query($sql);
-		$resp = array('success' => 1);
-
+		$resp = array('success' => true);
 		//update_post_meta(-2, $post_type, $cats);
-
 		echo json_encode($resp);
 	}
 
@@ -172,13 +182,6 @@ public static function remove_upload_file() {
   public function upload_ajax($data){
     global $mf_domain;
 
-    if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) {
-      mf_ajax_call::remove_upload_file();
-      $resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) );
-      echo json_encode($resp);
-      die;
-    }
-
     if ( !current_user_can('upload_files') ){
       mf_ajax_call::remove_upload_file();
       $resp = array('success' => false, 'msg' => __('You do not have sufficient permissions to upload images.',$mf_domain) );

diff --git a/admin/mf_post.php b/admin/mf_post.php
@@ -403,13 +403,22 @@ function mf_get_post_values( $post_id ) {
 
   /* enqueue css and js base for post area*/
   public function load_js_css_base(){
-    global $mf_domain;
-
+
     wp_enqueue_style( 'mf_field_base', MF_BASENAME.'css/mf_field_base.css' );
     wp_enqueue_script( 'tmpl', MF_BASENAME.'js/third_party/jquery.tmpl.js');
     wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js');
     wp_enqueue_script( 'mf_sortable_groups', MF_BASENAME.'js/mf_sortable_groups.js', array( 'jquery-ui-sortable' ) );
 
+    mf_post::load_js_localize();
+
+  }
+
+  public static function load_js_localize() {
+
+    global $mf_domain;
+
+    wp_enqueue_script( 'mf_clean', MF_BASENAME.'js/mf_clean.js');
+
     $mceAddString = "mceAddControl";
     $mceRemoveString = "mceRemoveControl";
     if(is_wp39()){
@@ -427,8 +436,7 @@ public function load_js_css_base(){
       'mf_mceRemoveString' => $mceRemoveString,
       'mf_nonce_ajax' => wp_create_nonce( "mf_nonce_ajax" )
     );
-    wp_localize_script( 'mf_field_base', 'mf_js', $js_vars );
-
+    wp_localize_script( 'mf_clean', 'mf_js', $js_vars );
   }
 
   /* enqueue css and js of fields */