Making WordPress.org

Changeset 8220


Timestamp:
02/11/2019 03:43:41 PM (6 years ago)
Author:
iandunn
Message:

WordCamp Post Type: Bypass nonce verification when saving programmatically.

Nonce verification was added to the save_post callback for WordCamp/Meetup post types in r8085. That had the side-effect of breaking the process of manually sending Organizer Reminders, because that process saves data to the corresponding WordCamp post. Because the save_post callback is called programmatically in that scenario, there is no nonce to verify, and the `Unable to verify nonce.` error would be triggered.

We previously attempted to fix this in r8133 / r8135, but it turns out that the problem was the missing nonce rather than the post type check.

Location:
sites/trunk/wordcamp.org/public_html/wp-content/plugins
Files:
2 edited

  • sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php

    r8135 r8220  
    403403
    404404    /**
    405      * Save metadata from form
     405     * Save metadata from form.
     406     *
     407     * @param int     $post_id      The ID of the post being saved.
     408     * @param WP_Post $post         The post being saved.
     409     * @param bool    $verify_nonce Whether or not to verify the nonce. Set to false when calling manually, leave
     410     *                              true when calling via `save_post` hook.
    406411     *
    407412     * @hook save_post
    408413     */
    409     public function metabox_save( $post_id, $post ) {
     414    public function metabox_save( $post_id, $post, $verify_nonce = true ) {
    410415        // Don't add/remove meta on revisions and auto-saves.
    411416        if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
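
Review bot: In the new signature `metabox_save( $post_id, $post, $verify_nonce = true )`, the third positional slot is the one the `save_post` action fills with its `$update` boolean when a callback is registered to accept three arguments. The `add_action()` call is not part of this diff, so please confirm it registers the method with two accepted arguments; otherwise `$update` would be read as `$verify_nonce`, and a first-time save (where `$update` is false) would skip the nonce check. A sentence in the docblock stating that the hook must not pass a third argument would keep a later change to the registration from silently disabling verification.
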
     
    418423
    419424        // Make sure the request came from the edit post screen.
    420         if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'update-post_' . $post_id ) ) {
    421             die( 'Unable to verify nonce' );
     425        if ( $verify_nonce ) {
     426            if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'update-post_' . $post_id ) ) {
     427                wp_die( 'Unable to verify nonce.' );
     428            }
    422429        }
    423430
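
Review bot: The guard `if ( $verify_nonce )` is a loose truthiness test, so any falsy third argument (0, an empty string, null) turns verification off, not only an explicit false. Consider skipping the check only when `false === $verify_nonce` so the method fails closed on unexpected values. On the bypass path, nothing visible in this hunk replaces the nonce as proof of intent, so the code after this block runs on the caller's word alone; a short comment naming what callers must have verified before passing false would help.
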
  • sites/trunk/wordcamp.org/public_html/wp-content/plugins/wordcamp-organizer-reminders/wcor-mailer.php

    r8105 r8220  
    163163        // Make sure postmeta is synced with $_POST when this is called in the middle of updating a post
    164164        if ( did_action( 'transition_post_status' ) || did_action( 'save_post' ) ) {
    165             $wordcamp_admin->metabox_save( $wordcamp->ID, $wordcamp );
     165            $wordcamp_admin->metabox_save( $wordcamp->ID, $wordcamp, false );
    166166        }
    167167
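
Review bot: The call `metabox_save( $wordcamp->ID, $wordcamp, false )` sits behind `did_action( 'transition_post_status' ) || did_action( 'save_post' )`, which only says that one of those actions has fired at some point in this request, and per the comment above it the call exists to sync postmeta with $_POST. Request data is therefore written here with the nonce check disabled, so it is worth stating in a comment where the request that triggers the manual send is authenticated (nonce and capability), or verifying that in this function before the call. A bare positional `false` is also hard to read at the call site; an inline comment such as `// Skip nonce verification, called programmatically` would make the intent clear.
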