Timestamp:
11/25/2017 09:24:59 AM (8 months ago)
Author:
dd32
Message:

Trac: Require a nonce when subscribing/unsubscribing to a ticket.

File:
1 edited

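--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/trac-notifications/trac-notifications.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/trac-notifications/trac-notifications.php
@@ -124,4 +124,8 @@
         }
 
+        if ( empty( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], "manage_ticket_notifications" ) ) {
+            wp_send_json_error();
+        }
+
         $username = wp_get_current_user()->user_login;
 
@@ -180,5 +184,8 @@
         $tickets = array_intersect( $queried_tickets, $subscribed_tickets );
         $tickets = array_map( 'intval', array_values( $tickets ) );
-        wp_send_json_success( array( 'tickets' => $tickets ) );
+        wp_send_json_success( array(
+            'tickets' => $tickets,
+            'nonce' => wp_create_nonce( 'manage_ticket_notifications' )
+        ) );
     }
 
@@ -311,5 +318,8 @@
     <?php
         $this->ticket_notes( $ticket, $username, $meta );
-        $send = array( 'notifications-box' => ob_get_clean() );
+        $send = array(
+            'notifications-box' => ob_get_clean(),
+            'nonce' => wp_create_nonce( 'manage_ticket_notifications' )
+        );
         if ( isset( $this->components ) ) {
             $send['maintainers'] = $this->components->get_component_maintainers( $ticket['component'] );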
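Review bot: The nonce check in the first hunk (new lines 126–128) answers every failure with a bare `wp_send_json_error()`, so the JavaScript caller cannot tell a stale nonce apart from any other error and re-fetch one, even though the other two hunks go to the trouble of returning a fresh nonce in each success payload; I would pass a reason, `wp_send_json_error( 'invalid_nonce' );`. WordPress nonces have a limited lifetime (about a day by default), so a Trac ticket page left open will eventually land in exactly this branch. The action string `manage_ticket_notifications` is now spelled out three times, once in double quotes and twice in single quotes; a class constant such as `const NONCE_ACTION = 'manage_ticket_notifications';` used at all three sites keeps them from drifting. Note also that `wp_verify_nonce()` only establishes that the request came from the current user's own session, not that the user may act on the ticket, so any logged-in or capability check must still happen elsewhere in this handler, whose body starts and ends outside the hunk.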