
Changeset 1820


Timestamp:
08/10/2015 08:16:43 PM (9 years ago)
Author:
iandunn
Message:

WordCamp Payments: Move nonce verification for Mark as Incomplete metabox.

It was introduced in r1816 and placed in save_payment() along with the other nonce checks, but that was incorrect, because the action for this metabox actually occurs in update_request_status().

A side-effect of that mistake was that requests would not be saved if the metabox was not being displayed, because the nonce only exists when the box is displayed. Since the box is only displayed for users with manage_network, the saving process was broken for all normal admins.

File:
1 edited

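--- a/sites/trunk/wordcamp.org/public_html/wp-content/plugins/wordcamp-payments/classes/payment-request.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/plugins/wordcamp-payments/classes/payment-request.php
@@ -637,6 +637,5 @@
     public function update_request_status( $post_data, $post_data_raw ) {
         if ( $this->post_edit_is_actionable( $post_data ) ) {
-
-            if ( isset( $_POST['wcp_mark_incomplete_checkbox'] ) && 'on' == $_POST['wcp_mark_incomplete_checkbox'] && ! empty( $_POST['wcp_mark_incomplete_notes'] ) ) {
+            if ( $this->should_mark_request_incomplete() ) {
                 $post_data['post_status'] = 'incomplete';
                 $this->notify_requester_request_incomplete( $post_data_raw['ID'], $post_data, $post_data_raw );
@@ -655,4 +654,23 @@
 
     /**
+     * Determine if the user wants to mark a payment request as incomplete, and if that is valid
+     *
+     * @return bool
+     */
+    protected function should_mark_request_incomplete() {
+        $mark_incomplete = false;
+
+        if ( isset( $_POST['wcp_mark_incomplete_checkbox'] ) && 'on' == $_POST['wcp_mark_incomplete_checkbox'] && ! empty( $_POST['wcp_mark_incomplete_notes'] ) ) {
+            if ( isset( $_POST['mark_incomplete_nonce'] ) && wp_verify_nonce( $_POST['mark_incomplete_nonce'], 'mark_incomplete' ) ) {
+                if ( current_user_can( 'manage_network' ) ) {
+                    $mark_incomplete = true;
+                }
+            }
+        }
+
+        return $mark_incomplete;
+    }
+
+    /**
      * Notify the payment requester that it has been marked as paid.
      *
@@ -730,5 +748,5 @@
 
         // Verify nonces
-        $nonces = array( 'status_nonce', 'mark_incomplete_nonce', 'general_info_nonce', 'payment_details_nonce', 'vendor_details_nonce' );    // todo add prefix to all of these
+        $nonces = array( 'status_nonce', 'general_info_nonce', 'payment_details_nonce', 'vendor_details_nonce' );    // todo add prefix to all of these
 
         foreach ( $nonces as $nonce ) {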
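Review bot: The new should_mark_request_incomplete() fails closed but silently: when the checkbox and notes are both submitted and either the mark_incomplete_nonce check or the manage_network check fails, the request is still saved with the "incomplete" status and the requester notification quietly dropped, and nothing distinguishes an expired nonce from a forged request. The docblock should say so, e.g. `* A missing or invalid nonce, or a caller without manage_network, is treated as "do not mark" rather than as an error; callers that need to report the failure must check separately.`, or the nonce branch should surface the failure the way the generic nonce loop at the end of the section does for the other nonces. On the first condition, `'on' == $_POST['wcp_mark_incomplete_checkbox']` is a loose comparison on form input; prefer `'on' === $_POST['wcp_mark_incomplete_checkbox']`. The nested ifs could also collapse into a single boolean expression returned directly, which makes the three required conditions easier to audit. update_request_status() in the first hunk continues beyond the hunk.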