Fix updating of nonces on the Edit Post screen after the login expires and the user logs in again.

Props iseulde, azaozz. Fixes #33098.
Built from https://develop.svn.wordpress.org/trunk@33468


git-svn-id: http://core.svn.wordpress.org/trunk@33435 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Andrew Ozz 2015-07-28 22:07:25 +00:00
parent 49ac027038
commit fa25fe82ef
8 changed files with 46 additions and 38 deletions


@ -58,7 +58,7 @@ add_action( 'update_option_page_on_front', 'update_home_siteurl', 10, 2 );
add_filter( 'heartbeat_received', 'wp_check_locked_posts', 10, 3 );
add_filter( 'heartbeat_received', 'wp_refresh_post_lock', 10, 3 );
add_filter( 'heartbeat_received', 'wp_refresh_post_nonces', 10, 3 );
add_filter( 'wp_refresh_nonces', 'wp_refresh_post_nonces', 10, 3 );
add_filter( 'heartbeat_received', 'heartbeat_autosave', 500, 2 );
add_filter( 'heartbeat_settings', 'wp_heartbeat_set_suspension' );


@ -2571,26 +2571,35 @@ function wp_ajax_send_link_to_editor() {
* @since 3.6.0
*/
function wp_ajax_heartbeat() {
if ( empty( $_POST['_nonce'] ) )
if ( empty( $_POST['_nonce'] ) ) {
wp_send_json_error();
$response = array();
if ( false === wp_verify_nonce( $_POST['_nonce'], 'heartbeat-nonce' ) ) {
// User is logged in but nonces have expired.
$response['nonces_expired'] = true;
wp_send_json($response);
}
$response = $data = array();
$nonce_state = wp_verify_nonce( $_POST['_nonce'], 'heartbeat-nonce' );
// screen_id is the same as $current_screen->id and the JS global 'pagenow'.
if ( ! empty($_POST['screen_id']) )
if ( ! empty( $_POST['screen_id'] ) ) {
$screen_id = sanitize_key($_POST['screen_id']);
else
} else {
$screen_id = 'front';
}
if ( ! empty($_POST['data']) ) {
if ( ! empty( $_POST['data'] ) ) {
$data = wp_unslash( (array) $_POST['data'] );
}
if ( 1 !== $nonce_state ) {
$response = apply_filters( 'wp_refresh_nonces', $response, $data, $screen_id );
if ( false === $nonce_state ) {
// User is logged in but nonces have expired.
$response['nonces_expired'] = true;
wp_send_json( $response );
}
}
if ( ! empty( $data ) ) {
/**
* Filter the Heartbeat response received.
*
@ -2628,7 +2637,7 @@ function wp_ajax_heartbeat() {
// Send the current time according to the server
$response['server_time'] = time();
wp_send_json($response);
wp_send_json( $response );
}
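Review bot: The new `apply_filters( 'wp_refresh_nonces', $response, $data, $screen_id )` call is made before `$nonce_state` is acted on, so every callback receives `$data` taken straight from `$_POST['data']` on a request whose heartbeat nonce may have failed verification (`false`), and the hook has no docblock, unlike `heartbeat_received` a few lines below it. The contract that callbacks must be read-only — mint replacement nonces only after their own capability check and never change state — should be written in a `/** Filter ... */` docblock above the call, with `@since 4.3.0`, the three parameters, and an explicit note that the request's nonce has not been verified when the filter fires. Presumably that is why `wp_refresh_post_nonces` now gates on `current_user_can()` alone; if so, saying it here keeps later hooks from copying the pattern without the capability check. The part of `wp_ajax_heartbeat` between the two hunks is not shown.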
/**


@ -771,24 +771,24 @@ function wp_refresh_post_nonces( $response, $data, $screen_id ) {
$received = $data['wp-refresh-post-nonces'];
$response['wp-refresh-post-nonces'] = array( 'check' => 1 );
if ( ! $post_id = absint( $received['post_id'] ) )
if ( ! $post_id = absint( $received['post_id'] ) ) {
return $response;
if ( ! current_user_can( 'edit_post', $post_id ) || empty( $received['post_nonce'] ) )
return $response;
if ( 2 === wp_verify_nonce( $received['post_nonce'], 'update-post_' . $post_id ) ) {
$response['wp-refresh-post-nonces'] = array(
'replace' => array(
'getpermalinknonce' => wp_create_nonce('getpermalink'),
'samplepermalinknonce' => wp_create_nonce('samplepermalink'),
'closedpostboxesnonce' => wp_create_nonce('closedpostboxes'),
'_ajax_linking_nonce' => wp_create_nonce( 'internal-linking' ),
'_wpnonce' => wp_create_nonce( 'update-post_' . $post_id ),
),
'heartbeatNonce' => wp_create_nonce( 'heartbeat-nonce' ),
);
}
if ( ! current_user_can( 'edit_post', $post_id ) ) {
return $response;
}
$response['wp-refresh-post-nonces'] = array(
'replace' => array(
'getpermalinknonce' => wp_create_nonce('getpermalink'),
'samplepermalinknonce' => wp_create_nonce('samplepermalink'),
'closedpostboxesnonce' => wp_create_nonce('closedpostboxes'),
'_ajax_linking_nonce' => wp_create_nonce( 'internal-linking' ),
'_wpnonce' => wp_create_nonce( 'update-post_' . $post_id ),
),
'heartbeatNonce' => wp_create_nonce( 'heartbeat-nonce' ),
);
}
return $response;
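Review bot: `wp_refresh_post_nonces` now issues a complete replacement set of nonces, including a new `heartbeat-nonce`, on the strength of `current_user_can( 'edit_post', $post_id )` alone, the `2 === wp_verify_nonce( $received['post_nonce'], ... )` gate having been removed; since this callback is reached from `wp_ajax_heartbeat` when the heartbeat nonce itself did not verify, that capability check is the only gate and deserves a comment saying so: `// Reached before the heartbeat nonce is verified (it may be stale after a re-login); the capability check is the only gate, so do nothing here beyond minting nonces.` This presumably stays safe against cross-site requests only because a cross-origin caller cannot read the JSON reply, and that assumption should be written down next to the check. Separately, `$received['post_id']` is still read without an `isset()` guard, so a `data['wp-refresh-post-nonces']` entry with no `post_id` raises a notice; `$post_id = absint( isset( $received['post_id'] ) ? $received['post_id'] : 0 );` avoids it. The function's signature and the start of its body are above the hunk.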


@ -170,13 +170,13 @@ $(document).on( 'heartbeat-send.refresh-lock', function( e, data ) {
}
$(document).on( 'heartbeat-send.wp-refresh-nonces', function( e, data ) {
var nonce, post_id;
var post_id,
$authCheck = $('#wp-auth-check-wrap');
if ( check ) {
if ( ( post_id = $('#post_ID').val() ) && ( nonce = $('#_wpnonce').val() ) ) {
if ( check || ( $authCheck.length && ! $authCheck.hasClass( 'hidden' ) ) ) {
if ( ( post_id = $('#post_ID').val() ) && $('#_wpnonce').val() ) {
data['wp-refresh-post-nonces'] = {
post_id: post_id,
post_nonce: nonce
post_id: post_id
};
}
}
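Review bot: The new condition `if ( ( post_id = $('#post_ID').val() ) && $('#_wpnonce').val() )` still reads `#_wpnonce` but only as a presence test now that `post_nonce` is no longer sent, which reads like a leftover; a one-line comment such as `// Only request new nonces when this screen has a post nonce to replace; its value is not sent because it may already be stale.` would make the intent clear. The added `$authCheck` branch sends the refresh request on every heartbeat while the auth-check dialog is visible, which is presumably intended but worth stating in the same comment. `check` and the rest of the handler's surroundings are declared outside the hunk.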



@ -389,7 +389,6 @@
if ( response.nonces_expired ) {
$document.trigger( 'heartbeat-nonces-expired' );
return;
}
// Change the interval from PHP
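Review bot: If, as the 7-to-6 line count of this hunk suggests, the `return;` after `$document.trigger( 'heartbeat-nonces-expired' )` is the removed line, a `nonces_expired` response now falls through into the handling that follows (outside the hunk), so whatever that code dispatches will see responses whose heartbeat nonce failed verification; that is what lets the replacement nonces in `wp-refresh-post-nonces` be applied, but any listener that treats a tick as proof of a verified request is now mistaken. A comment at that spot would make the fall-through deliberate: `// Do not return: the response may carry replacement nonces that the tick handlers must apply.` The rest of the response handler lies outside the hunk.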



@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.3-beta4-33467';
$wp_version = '4.3-beta4-33468';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.