From 1ee477dbe47b51d0084602b995d715fa854e88e7 Mon Sep 17 00:00:00 2001
From: isabel_brison <isabel_brison@git.wordpress.org>
Date: Tue, 11 Jul 2023 05:03:23 +0000
Subject: [PATCH] General: add nonce for block theme preview activation.

Adds a nonce so that activation works for block theme previews. Temporary fix until there is a REST API endpoint for activating themes.

Props scruffian, peterwilsoncc, nithins53, nithi22, jomonthomaslobo1, poena, syamraj24, vivekawsm, mrinal013.
Fixes #58712.

Built from https://develop.svn.wordpress.org/trunk@56199


git-svn-id: http://core.svn.wordpress.org/trunk@55711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/admin-filters.php  |  7 -------
 wp-admin/includes/admin.php          |  1 -
 wp-admin/includes/theme-previews.php | 28 ++++++++++++++++++++++++++++
 wp-includes/version.php              |  2 +-
 wp-settings.php                      |  1 +
 5 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/wp-admin/includes/admin-filters.php b/wp-admin/includes/admin-filters.php
index 8f364360fd..33354cb073 100644
--- a/wp-admin/includes/admin-filters.php
+++ b/wp-admin/includes/admin-filters.php
@@ -168,10 +168,3 @@ add_action( 'post_updated', array( 'WP_Privacy_Policy_Content', '_policy_page_up
 
 // Append '(Draft)' to draft page titles in the privacy page dropdown.
 add_filter( 'list_pages', '_wp_privacy_settings_filter_draft_page_titles', 10, 2 );
-
-// Attaches filters to enable theme previews in the Site Editor.
-if ( ! empty( $_GET['wp_theme_preview'] ) ) {
-	add_filter( 'stylesheet', 'wp_get_theme_preview_path' );
-	add_filter( 'template', 'wp_get_theme_preview_path' );
-	add_action( 'init', 'wp_attach_theme_preview_middleware' );
-}
diff --git a/wp-admin/includes/admin.php b/wp-admin/includes/admin.php
index 4930e92b71..ce2ec0c68b 100644
--- a/wp-admin/includes/admin.php
+++ b/wp-admin/includes/admin.php
@@ -71,7 +71,6 @@ require_once ABSPATH . 'wp-admin/includes/list-table.php';
 
 /** WordPress Theme Administration API */
 require_once ABSPATH . 'wp-admin/includes/theme.php';
-require_once ABSPATH . 'wp-admin/includes/theme-previews.php';
 
 /** WordPress Privacy Functions */
 require_once ABSPATH . 'wp-admin/includes/privacy-tools.php';
diff --git a/wp-admin/includes/theme-previews.php b/wp-admin/includes/theme-previews.php
index 55a3679096..d9325ddbf3 100644
--- a/wp-admin/includes/theme-previews.php
+++ b/wp-admin/includes/theme-previews.php
@@ -54,3 +54,31 @@ function wp_attach_theme_preview_middleware() {
 		'after'
 	);
 }
+
+/**
+ * Set a JavaScript constant for theme activation.
+ *
+ * Sets the JavaScript global WP_BLOCK_THEME_ACTIVATE_NONCE containing the nonce
+ * required to activate a theme. For use within the site editor.
+ *
+ * @see https://github.com/WordPress/gutenberg/pull/41836.
+ *
+ * @since 6.3.0
+ * @private
+ */
+function wp_block_theme_activate_nonce() {
+	$nonce_handle = 'switch-theme_' . wp_get_theme_preview_path();
+	?>
+	<script type="text/javascript">
+		window.WP_BLOCK_THEME_ACTIVATE_NONCE = '<?php echo wp_create_nonce( $nonce_handle ); ?>';
+	</script>
+	<?php
+}
+
+// Attaches filters to enable theme previews in the Site Editor.
+if ( ! empty( $_GET['wp_theme_preview'] ) ) {
+	add_filter( 'stylesheet', 'wp_get_theme_preview_path' );
+	add_filter( 'template', 'wp_get_theme_preview_path' );
+	add_action( 'init', 'wp_attach_theme_preview_middleware' );
+	add_action( 'admin_head', 'wp_block_theme_activate_nonce' );
+}
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 1943b71ead..d8963e5cf1 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.3-beta3-56198';
+$wp_version = '6.3-beta3-56199';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-settings.php b/wp-settings.php
index 08651606bc..52e7209f86 100644
--- a/wp-settings.php
+++ b/wp-settings.php
@@ -181,6 +181,7 @@ require ABSPATH . WPINC . '/class-wp-block-template.php';
 require ABSPATH . WPINC . '/block-template-utils.php';
 require ABSPATH . WPINC . '/block-template.php';
 require ABSPATH . WPINC . '/theme-templates.php';
+require ABSPATH . WPINC . '/theme-previews.php';
 require ABSPATH . WPINC . '/template.php';
 require ABSPATH . WPINC . '/https-detection.php';
 require ABSPATH . WPINC . '/https-migration.php';