Timestamp:
11/25/17 09:24:59 (3 weeks ago)
Author:
dd32
Message:

Trac: Require a nonce when subscribing/unsubscribing to a ticket.

File:
1 edited

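--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/trac-notifications/trac-notifications.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/trac-notifications/trac-notifications.php
@@ -124,4 +124,8 @@
         }
 
+        if ( empty( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], "manage_ticket_notifications" ) ) {
+            wp_send_json_error();
+        }
+
         $username = wp_get_current_user()->user_login;
 
@@ -180,5 +184,8 @@
         $tickets = array_intersect( $queried_tickets, $subscribed_tickets );
         $tickets = array_map( 'intval', array_values( $tickets ) );
-        wp_send_json_success( array( 'tickets' => $tickets ) );
+        wp_send_json_success( array(
+            'tickets' => $tickets,
+            'nonce' => wp_create_nonce( 'manage_ticket_notifications' )
+        ) );
     }
 
@@ -311,5 +318,8 @@
     <?php
         $this->ticket_notes( $ticket, $username, $meta );
-        $send = array( 'notifications-box' => ob_get_clean() );
+        $send = array(
+            'notifications-box' => ob_get_clean(),
+            'nonce' => wp_create_nonce( 'manage_ticket_notifications' )
+        );
         if ( isset( $this->components ) ) {
             $send['maintainers'] = $this->components->get_component_maintainers( $ticket['component'] );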
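Review bot: The nonce guard added at the top of the first hunk establishes only that the request came from a page this site served, not that a user is logged in — wp_verify_nonce() also validates a nonce minted for user ID 0, and the very next line reads `wp_get_current_user()->user_login`, which is an empty string for an anonymous visitor. The enclosing function starts above the hunk, so if it does not already bail on a logged-out user, add `if ( ! is_user_logged_in() ) { wp_send_json_error(); }` ahead of the nonce check so the CSRF token is never treated as an authentication or capability check. The action string is also spelled out three times (once double-quoted, twice single-quoted); a single `const NONCE_ACTION = 'manage_ticket_notifications';` used by both wp_create_nonce() and wp_verify_nonce() would keep the minting and verifying sides from drifting apart.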