WordPress-C/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2025-02-17 20:15:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refresh nonces in the customizer. props koopersmith. see #20876.

Browse Source 
git-svn-id: http://core.svn.wordpress.org/trunk@21135 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
nacin 2012-06-26 18:48:18 +00:00
parent 066794f548
commit 69112517ed
5 changed files with 60 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
wp-admin/customize.php
View File

@ -7,6 +7,8 @@
* @since 3.4.0 * @since 3.4.0
*/ */
define( 'IFRAME_REQUEST', true );
require_once( './admin.php' ); require_once( './admin.php' );
if ( ! current_user_can( 'edit_theme_options' ) ) if ( ! current_user_can( 'edit_theme_options' ) )
wp_die( __( 'Cheatin’ uh?' ) ); wp_die( __( 'Cheatin’ uh?' ) );
@ -65,7 +67,6 @@ do_action( 'customize_controls_print_scripts' );
<body class="<?php echo esc_attr( $body_class ); ?>"> <body class="<?php echo esc_attr( $body_class ); ?>">
<div class="wp-full-overlay expanded"> <div class="wp-full-overlay expanded">
<form id="customize-controls" class="wrap wp-full-overlay-sidebar"> <form id="customize-controls" class="wrap wp-full-overlay-sidebar">
<?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
<div id="customize-header-actions" class="wp-full-overlay-header"> <div id="customize-header-actions" class="wp-full-overlay-header">
<?php <?php
$save_text = $wp_customize->is_theme_active() ? __( 'Save &amp; Publish' ) : __( 'Save &amp; Activate' ); $save_text = $wp_customize->is_theme_active() ? __( 'Save &amp; Publish' ) : __( 'Save &amp; Activate' );
@ -175,6 +176,10 @@ do_action( 'customize_controls_print_scripts' );
), ),
'settings' => array(), 'settings' => array(),
'controls' => array(), 'controls' => array(),
'nonce' => array(
'save' => wp_create_nonce( 'save-customize_' . $wp_customize->get_stylesheet() ),
'preview' => wp_create_nonce( 'preview-customize_' . $wp_customize->get_stylesheet() )
),
); );
foreach ( $wp_customize->settings() as $id => $setting ) { foreach ( $wp_customize->settings() as $id => $setting ) {

33
wp-admin/js/customize-controls.dev.js
View File

@ -294,7 +294,8 @@
// This is the promise object. // This is the promise object.
deferred.promise( this ); deferred.promise( this );
this.previewer = params.previewer; this.container = params.container;
this.signature = params.signature;
$.extend( params, { channel: api.PreviewFrame.uuid() }); $.extend( params, { channel: api.PreviewFrame.uuid() });
@ -338,7 +339,7 @@
this.request.done( function( response ) { this.request.done( function( response ) {
var location = self.request.getResponseHeader('Location'), var location = self.request.getResponseHeader('Location'),
signature = 'WP_CUSTOMIZER_SIGNATURE', signature = self.signature,
index; index;
// Check if the location response header differs from the current URL. // Check if the location response header differs from the current URL.
@ -371,7 +372,7 @@
response = response.slice( 0, index ) + response.slice( index + signature.length ); response = response.slice( 0, index ) + response.slice( index + signature.length );
// Create the iframe and inject the html content. // Create the iframe and inject the html content.
self.iframe = $('<iframe />').appendTo( self.previewer.container ); self.iframe = $('<iframe />').appendTo( self.container );
// Bind load event after the iframe has been added to the page; // Bind load event after the iframe has been added to the page;
// otherwise it will fire when injected into the DOM. // otherwise it will fire when injected into the DOM.
@ -416,7 +417,7 @@
reject(); reject();
iframe = $('<iframe src="' + self.previewUrl() + '" />').hide(); iframe = $('<iframe src="' + self.previewUrl() + '" />').hide();
iframe.appendTo( self.previewer.container ); iframe.appendTo( self.container );
iframe.load( function() { iframe.load( function() {
self.triedLogin = true; self.triedLogin = true;
@ -497,6 +498,7 @@
this.container = api.ensure( params.container ); this.container = api.ensure( params.container );
this.allowedUrls = params.allowedUrls; this.allowedUrls = params.allowedUrls;
this.signature = params.signature;
params.url = window.location.href; params.url = window.location.href;
@ -570,7 +572,8 @@
url: this.url(), url: this.url(),
previewUrl: this.previewUrl(), previewUrl: this.previewUrl(),
query: this.query() || {}, query: this.query() || {},
previewer: this container: this.container,
signature: this.signature
}); });
this.loading.done( function() { this.loading.done( function() {
@ -583,6 +586,8 @@
self.targetWindow( this.targetWindow() ); self.targetWindow( this.targetWindow() );
self.channel( this.channel() ); self.channel( this.channel() );
self.send( 'active' );
}); });
this.send( 'sync', { this.send( 'sync', {
@ -683,23 +688,26 @@
container: '#customize-preview', container: '#customize-preview',
form: '#customize-controls', form: '#customize-controls',
previewUrl: api.settings.url.preview, previewUrl: api.settings.url.preview,
allowedUrls: api.settings.url.allowed allowedUrls: api.settings.url.allowed,
signature: 'WP_CUSTOMIZER_SIGNATURE'
}, { }, {
nonce: api.settings.nonce,
query: function() { query: function() {
return { return {
wp_customize: 'on', wp_customize: 'on',
theme: api.settings.theme.stylesheet, theme: api.settings.theme.stylesheet,
customized: JSON.stringify( api.get() ) customized: JSON.stringify( api.get() ),
nonce: this.nonce.preview
}; };
}, },
nonce: $('#_wpnonce').val(),
save: function() { save: function() {
var self = this, var self = this,
query = $.extend( this.query(), { query = $.extend( this.query(), {
action: 'customize_save', action: 'customize_save',
nonce: this.nonce nonce: this.nonce.save
}), }),
request = $.post( api.settings.url.ajax, query ); request = $.post( api.settings.url.ajax, query );
@ -733,6 +741,11 @@
} }
}); });
// Refresh the nonces if the preview sends updated nonces over.
previewer.bind( 'nonce', function( nonce ) {
$.extend( this.nonce, nonce );
});
$.each( api.settings.settings, function( id, data ) { $.each( api.settings.settings, function( id, data ) {
api.create( id, id, data.value, { api.create( id, id, data.value, {
transport: data.transport, transport: data.transport,

13
wp-includes/class-wp-customize-manager.php
View File

@ -17,6 +17,8 @@ final class WP_Customize_Manager {
protected $sections = array(); protected $sections = array();
protected $controls = array(); protected $controls = array();
protected $nonce_tick;
protected $customized; protected $customized;
private $_post_values; private $_post_values;
@ -308,6 +310,8 @@ final class WP_Customize_Manager {
* @since 3.4.0 * @since 3.4.0
*/ */
public function customize_preview_init() { public function customize_preview_init() {
$this->nonce_tick = check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce' );
$this->prepare_controls(); $this->prepare_controls();
wp_enqueue_script( 'customize-preview' ); wp_enqueue_script( 'customize-preview' );
@ -362,6 +366,13 @@ final class WP_Customize_Manager {
'channel' => esc_js( $_POST['customize_messenger_channel'] ), 'channel' => esc_js( $_POST['customize_messenger_channel'] ),
); );
if ( 2 == $this->nonce_tick ) {
$settings['nonce'] = array(
'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() )
);
}
foreach ( $this->settings as $id => $setting ) { foreach ( $this->settings as $id => $setting ) {
$settings['values'][ $id ] = $setting->js_value(); $settings['values'][ $id ] = $setting->js_value();
} }
@ -468,7 +479,7 @@ final class WP_Customize_Manager {
if ( ! $this->is_preview() ) if ( ! $this->is_preview() )
die; die;
check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' ); check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce' );
// Do we have to switch themes? // Do we have to switch themes?
if ( ! $this->is_theme_active() ) { if ( ! $this->is_theme_active() ) {

7
wp-includes/js/customize-preview.dev.js
View File

@ -88,7 +88,12 @@
preview.trigger( event, args ); preview.trigger( event, args );
}); });
preview.send( 'synced' ); preview.send( 'synced' );
}) });
preview.bind( 'active', function() {
if ( api.settings.nonce )
preview.send( 'nonce', api.settings.nonce );
});
preview.send( 'ready' ); preview.send( 'ready' );

30
wp-login.php
View File

@ -39,7 +39,7 @@ if ( force_ssl_admin() && !is_ssl() ) {
* @param WP_Error $wp_error Optional. WordPress Error Object * @param WP_Error $wp_error Optional. WordPress Error Object
*/ */
function login_header($title = 'Log In', $message = '', $wp_error = '') { function login_header($title = 'Log In', $message = '', $wp_error = '') {
global $error, $interim_login, $current_site, $customize_login; global $error, $interim_login, $current_site;
// Don't index any of these forms // Don't index any of these forms
add_action( 'login_head', 'wp_no_robots' ); add_action( 'login_head', 'wp_no_robots' );
@ -68,9 +68,6 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
<meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /><?php <meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /><?php
} }
if ( $customize_login )
wp_enqueue_script( 'customize-base' );
do_action( 'login_enqueue_scripts' ); do_action( 'login_enqueue_scripts' );
do_action( 'login_head' ); do_action( 'login_head' );
@ -568,6 +565,8 @@ default:
$secure_cookie = ''; $secure_cookie = '';
$interim_login = isset($_REQUEST['interim-login']); $interim_login = isset($_REQUEST['interim-login']);
$customize_login = isset( $_REQUEST['customize-login'] ); $customize_login = isset( $_REQUEST['customize-login'] );
if ( $customize_login )
wp_enqueue_script( 'customize-base' );
// If the user wants ssl but the session is not ssl, force a secure cookie. // If the user wants ssl but the session is not ssl, force a secure cookie.
if ( !empty($_POST['log']) && !force_ssl_admin() ) { if ( !empty($_POST['log']) && !force_ssl_admin() ) {
@ -604,21 +603,18 @@ default:
if ( !is_wp_error($user) && !$reauth ) { if ( !is_wp_error($user) && !$reauth ) {
if ( $interim_login ) { if ( $interim_login ) {
$message = '<p class="message">' . __('You have logged in successfully.') . '</p>'; $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
login_header( '', $message ); login_header( '', $message ); ?>
if ( ! $customize_login ) : ?> <?php if ( ! $customize_login ) : ?>
<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script> <script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
<p class="alignright"> <p class="alignright">
<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p> <input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
<?php endif; <?php endif; ?>
</div>
?></div><?php <?php do_action( 'login_footer' ); ?>
<?php if ( $customize_login ) : ?>
do_action('login_footer');
if ( $customize_login ) : ?>
<script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
<?php endif; ?> <?php endif; ?>
</body></html> </body></html>
<?php exit; <?php exit;
} }