WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refresh nonces in the customizer. props koopersmith. see #20876. 

git-svn-id: http://core.svn.wordpress.org/trunk@21135 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
nacin 2012-06-26 18:48:18 +00:00
parent 066794f548
commit 69112517ed
5 changed files with 60 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
wp-admin/customize.php
View File

@ -7,6 +7,8 @@
* @since 3.4.0
*/
define( 'IFRAME_REQUEST', true );
require_once( './admin.php' );
if ( ! current_user_can( 'edit_theme_options' ) )
wp_die( __( 'Cheatin’ uh?' ) );
@ -65,7 +67,6 @@ do_action( 'customize_controls_print_scripts' );
<body class="<?php echo esc_attr( $body_class ); ?>">
<div class="wp-full-overlay expanded">
<form id="customize-controls" class="wrap wp-full-overlay-sidebar">
<?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
<div id="customize-header-actions" class="wp-full-overlay-header">
<?php
$save_text = $wp_customize->is_theme_active() ? __( 'Save &amp; Publish' ) : __( 'Save &amp; Activate' );
@ -175,6 +176,10 @@ do_action( 'customize_controls_print_scripts' );
),
'settings' => array(),
'controls' => array(),
'nonce' => array(
'save' => wp_create_nonce( 'save-customize_' . $wp_customize->get_stylesheet() ),
'preview' => wp_create_nonce( 'preview-customize_' . $wp_customize->get_stylesheet() )
),
);
foreach ( $wp_customize->settings() as $id => $setting ) {

33
wp-admin/js/customize-controls.dev.js
View File

@ -294,7 +294,8 @@
// This is the promise object.
deferred.promise( this );
this.previewer = params.previewer;
this.container = params.container;
this.signature = params.signature;
$.extend( params, { channel: api.PreviewFrame.uuid() });
@ -338,7 +339,7 @@
this.request.done( function( response ) {
var location = self.request.getResponseHeader('Location'),
signature = 'WP_CUSTOMIZER_SIGNATURE',
signature = self.signature,
index;
// Check if the location response header differs from the current URL.
@ -371,7 +372,7 @@
response = response.slice( 0, index ) + response.slice( index + signature.length );
// Create the iframe and inject the html content.
self.iframe = $('<iframe />').appendTo( self.previewer.container );
self.iframe = $('<iframe />').appendTo( self.container );
// Bind load event after the iframe has been added to the page;
// otherwise it will fire when injected into the DOM.
@ -416,7 +417,7 @@
reject();
iframe = $('<iframe src="' + self.previewUrl() + '" />').hide();
iframe.appendTo( self.previewer.container );
iframe.appendTo( self.container );
iframe.load( function() {
self.triedLogin = true;
@ -497,6 +498,7 @@
this.container = api.ensure( params.container );
this.allowedUrls = params.allowedUrls;
this.signature = params.signature;
params.url = window.location.href;
@ -570,7 +572,8 @@
url: this.url(),
previewUrl: this.previewUrl(),
query: this.query() || {},
previewer: this
container: this.container,
signature: this.signature
});
this.loading.done( function() {
@ -583,6 +586,8 @@
self.targetWindow( this.targetWindow() );
self.channel( this.channel() );
self.send( 'active' );
});
this.send( 'sync', {
@ -683,23 +688,26 @@
container: '#customize-preview',
form: '#customize-controls',
previewUrl: api.settings.url.preview,
allowedUrls: api.settings.url.allowed
allowedUrls: api.settings.url.allowed,
signature: 'WP_CUSTOMIZER_SIGNATURE'
}, {
nonce: api.settings.nonce,
query: function() {
return {
wp_customize: 'on',
theme: api.settings.theme.stylesheet,
customized: JSON.stringify( api.get() )
customized: JSON.stringify( api.get() ),
nonce: this.nonce.preview
};
},
nonce: $('#_wpnonce').val(),
save: function() {
var self = this,
query = $.extend( this.query(), {
action: 'customize_save',
nonce: this.nonce
nonce: this.nonce.save
}),
request = $.post( api.settings.url.ajax, query );
@ -733,6 +741,11 @@
}
});
// Refresh the nonces if the preview sends updated nonces over.
previewer.bind( 'nonce', function( nonce ) {
$.extend( this.nonce, nonce );
});
$.each( api.settings.settings, function( id, data ) {
api.create( id, id, data.value, {
transport: data.transport,

13
wp-includes/class-wp-customize-manager.php
View File

@ -17,6 +17,8 @@ final class WP_Customize_Manager {
protected $sections = array();
protected $controls = array();
protected $nonce_tick;
protected $customized;
private $_post_values;
@ -308,6 +310,8 @@ final class WP_Customize_Manager {
* @since 3.4.0
*/
public function customize_preview_init() {
$this->nonce_tick = check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce' );
$this->prepare_controls();
wp_enqueue_script( 'customize-preview' );
@ -362,6 +366,13 @@ final class WP_Customize_Manager {
'channel' => esc_js( $_POST['customize_messenger_channel'] ),
);
if ( 2 == $this->nonce_tick ) {
$settings['nonce'] = array(
'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() )
);
}
foreach ( $this->settings as $id => $setting ) {
$settings['values'][ $id ] = $setting->js_value();
}
@ -468,7 +479,7 @@ final class WP_Customize_Manager {
if ( ! $this->is_preview() )
die;
check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce' );
// Do we have to switch themes?
if ( ! $this->is_theme_active() ) {

7
wp-includes/js/customize-preview.dev.js
View File

@ -88,7 +88,12 @@
preview.trigger( event, args );
});
preview.send( 'synced' );
})
});
preview.bind( 'active', function() {
if ( api.settings.nonce )
preview.send( 'nonce', api.settings.nonce );
});
preview.send( 'ready' );

30
wp-login.php
View File

@ -39,7 +39,7 @@ if ( force_ssl_admin() && !is_ssl() ) {
* @param WP_Error $wp_error Optional. WordPress Error Object
*/
function login_header($title = 'Log In', $message = '', $wp_error = '') {
global $error, $interim_login, $current_site, $customize_login;
global $error, $interim_login, $current_site;
// Don't index any of these forms
add_action( 'login_head', 'wp_no_robots' );
@ -68,9 +68,6 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
<meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /><?php
}
if ( $customize_login )
wp_enqueue_script( 'customize-base' );
do_action( 'login_enqueue_scripts' );
do_action( 'login_head' );
@ -568,6 +565,8 @@ default:
$secure_cookie = '';
$interim_login = isset($_REQUEST['interim-login']);
$customize_login = isset( $_REQUEST['customize-login'] );
if ( $customize_login )
wp_enqueue_script( 'customize-base' );
// If the user wants ssl but the session is not ssl, force a secure cookie.
if ( !empty($_POST['log']) && !force_ssl_admin() ) {
@ -604,21 +603,18 @@ default:
if ( !is_wp_error($user) && !$reauth ) {
if ( $interim_login ) {
$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
login_header( '', $message );
login_header( '', $message ); ?>
if ( ! $customize_login ) : ?>
<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
<p class="alignright">
<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
<?php endif;
?></div><?php
do_action('login_footer');
if ( $customize_login ) : ?>
<?php if ( ! $customize_login ) : ?>
<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
<p class="alignright">
<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
<?php endif; ?>
</div>
<?php do_action( 'login_footer' ); ?>
<?php if ( $customize_login ) : ?>
<script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
<?php endif; ?>
<?php endif; ?>
</body></html>
<?php exit;
}