check_admin_referer example

/**
 * Saves option for number of rows when listing posts, pages, comments, etc.
 *
 * @since 2.8.0
 */
function set_screen_options() {
    if ( ! isset( $_POST['wp_screen_options'] ) || ! is_array( $_POST['wp_screen_options'] ) ) {
        return;
    }

    check_admin_referer( 'screen-options-nonce', 'screenoptionnonce' );

    $user = wp_get_current_user();

    if ( ! $user ) {
        return;
    }

    $option = $_POST['wp_screen_options']['option'];
    $value  = $_POST['wp_screen_options']['value'];

    if ( sanitize_key( $option ) !== $option ) {
        
'<p>' . __( 'Sorry, you are not allowed to edit comments.' ) . '</p>',
        403
    );
}

$wp_list_table = _get_list_table( 'WP_Comments_List_Table' );
$pagenum       = $wp_list_table->get_pagenum();

$doaction = $wp_list_table->current_action();

if ( $doaction ) {
    check_admin_referer( 'bulk-comments' );

    if ( 'delete_all' === $doaction && ! empty( $_REQUEST['pagegen_timestamp'] ) ) {
        /** * @global wpdb $wpdb WordPress database abstraction object. */
        global $wpdb;

        $comment_status = wp_unslash( $_REQUEST['comment_status'] );
        $delete_time    = wp_unslash( $_REQUEST['pagegen_timestamp'] );
        $comment_ids    = $wpdb->get_col(
            $wpdb->prepare(
                "

            );
            break;
        default:
            add_filter( 'attachment_fields_to_edit', 'media_post_single_attachment_fields_to_edit', 10, 2 );
            echo get_media_item( $id );
            break;
    }
    exit;
}

// CSRF gate for the legacy media form. check_admin_referer() is the core
// nonce check (wp_die on a missing or stale 'media-form' nonce), so nothing
// below runs on a forged cross-site request. A nonce proves intent, not
// permission: the capability to upload at all is presumably enforced earlier
// in this file (not visible here) — confirm before relying on it.
check_admin_referer( 'media-form' );

// Optional parent post for the attachment. Only honoured when it names an
// existing post the current user may edit; otherwise the upload is stored
// unattached (post_id 0) rather than rejected.
$post_id = 0;
if ( isset( $_REQUEST['post_id'] ) ) {
    $post_id = absint( $_REQUEST['post_id'] ); // coerce untrusted input to a non-negative int first
    if ( ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        $post_id = 0;
    }
}

// Hands the 'async-upload' file field to the core upload handler. The result
// is presumably an attachment ID, or a WP_Error (checked right after this run).
$id = media_handle_upload( 'async-upload', $post_id );
if ( is_wp_error( $id ) ) {
    
&& ! empty( $new_admin_details['newemail'] )
    ) {
        update_option( 'admin_email', $new_admin_details['newemail'] );
        delete_option( 'adminhash' );
        delete_option( 'new_admin_email' );
        $redirect = 'options-general.php?updated=true';
    }

    wp_redirect( admin_url( $redirect ) );
    exit;
} elseif ( ! empty( $_GET['dismiss'] ) && 'new_admin_email' === $_GET['dismiss'] ) {
    check_admin_referer( 'dismiss-' . get_current_blog_id() . '-new_admin_email' );
    delete_option( 'adminhash' );
    delete_option( 'new_admin_email' );
    wp_redirect( admin_url( 'options-general.php?updated=true' ) );
    exit;
}

if ( is_multisite() && ! current_user_can( 'manage_network_options' ) && 'update' !== $action ) {
    wp_die(
        '<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
        '<p>' . __( 'Sorry, you are not allowed to delete these items.' ) . '</p>',
        403
    );
'<p>' . __( 'The Privacy screen lets you either build a new privacy-policy page or choose one you already have to show.' ) . '</p>' .
                '<p>' . __( 'This screen includes suggestions to help you write your own privacy policy. However, it is your responsibility to use these resources correctly, to provide the information required by your privacy policy, and to keep this information current and accurate.' ) . '</p>',
    )
);

get_current_screen()->set_help_sidebar(
    '<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
    '<p>' . __( '<a href="https://wordpress.org/documentation/article/settings-privacy-screen/">Documentation on Privacy Settings</a>' ) . '</p>'
);

if ( ! empty( $action ) ) {
    check_admin_referer( $action );

    if ( 'set-privacy-page' === $action ) {
        $privacy_policy_page_id = isset( $_POST['page_for_privacy_policy'] ) ? (int) $_POST['page_for_privacy_policy'] : 0;
        update_option( 'wp_page_for_privacy_policy', $privacy_policy_page_id );

        $privacy_page_updated_message = __( 'Privacy Policy page updated successfully.' );

        if ( $privacy_policy_page_id ) {
            /* * Don't always link to the menu customizer: * * - Unpublished pages can't be selected by default. * - `WP_Customize_Nav_Menus::__construct()` checks the user's capabilities. * - Themes might not "officially" support menus. */
// Don't restore if revisions are disabled and this is not an autosave.         if ( ! wp_revisions_enabled( $post ) && ! wp_is_post_autosave( $revision ) ) {
            $redirect = 'edit.php?post_type=' . $post->post_type;
            break;
        }

        // Don't restore if the post is locked.         if ( wp_check_post_lock( $post->ID ) ) {
            break;
        }

        check_admin_referer( "restore-post_{$revision->ID});

        /* * Ensure the global $post remains the same after revision is restored. * Because wp_insert_post() and wp_transition_post_status() are called * during the process, plugins can unexpectedly modify $post. */
        $backup_global_post = clone $post;

        wp_restore_post_revision( $revision->ID );

        // Restore the global $post as it was before.
if ( isset( $_GET['action'] ) ) {
    $plugin = isset( $_REQUEST['plugin'] ) ? trim( $_REQUEST['plugin'] ) : '';
    $theme  = isset( $_REQUEST['theme'] ) ? urldecode( $_REQUEST['theme'] ) : '';
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';

    if ( 'update-selected' === $action ) {
        if ( ! current_user_can( 'update_plugins' ) ) {
            wp_die( __( 'Sorry, you are not allowed to update plugins for this site.' ) );
        }

        check_admin_referer( 'bulk-update-plugins' );

        if ( isset( $_GET['plugins'] ) ) {
            $plugins = explode( ',', stripslashes( $_GET['plugins'] ) );
        } elseif ( isset( $_POST['checked'] ) ) {
            $plugins = (array) $_POST['checked'];
        } else {
            $plugins = array();
        }

        $plugins = array_map( 'urldecode', $plugins );

        

        $dashboard_widgets = apply_filters( 'wp_dashboard_widgets', array() );
    }

    foreach ( $dashboard_widgets as $widget_id ) {
        $name = empty( $wp_registered_widgets[ $widget_id ]['all_link'] ) ? $wp_registered_widgets[ $widget_id ]['name'] : $wp_registered_widgets[ $widget_id ]['name'] . " <a href='{$wp_registered_widgets[$widget_id]['all_link']}' class='edit-box open-box'>" . __( 'View all' ) . '</a>';
        wp_add_dashboard_widget( $widget_id$name$wp_registered_widgets[ $widget_id ]['callback']$wp_registered_widget_controls[ $widget_id ]['callback'] );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['widget_id'] ) ) {
        check_admin_referer( 'edit-dashboard-widget_' . $_POST['widget_id'], 'dashboard-widget-nonce' );
        ob_start(); // Hack - but the same hack wp-admin/widgets.php uses.         wp_dashboard_trigger_widget_control( $_POST['widget_id'] );
        ob_end_clean();
        wp_redirect( remove_query_arg( 'edit' ) );
        exit;
    }

    /** This action is documented in wp-admin/includes/meta-boxes.php */
    do_action( 'do_meta_boxes', $screen->id, 'normal', '' );

    /** This action is documented in wp-admin/includes/meta-boxes.php */
    

            else {
                ++$result_counts['error'];
            }
        }

        return $result_counts;
    }

    // Adds an 'x' link next to author URLs, clicking will remove the author URL and show an undo link     public static function remove_comment_author_url() {
        if ( !empty( $_POST['id'] ) && check_admin_referer( 'comment_author_url_nonce' ) ) {
            $comment_id = intval( $_POST['id'] );
            $comment = get_comment( $comment_id, ARRAY_A );
            if ( $comment && current_user_can( 'edit_comment', $comment['comment_ID'] ) ) {
                $comment['comment_author_url'] = '';
                do_action( 'comment_remove_author_url' );
                print( wp_update_comment( $comment ) );
                die();
            }
        }
    }

    
'<p>' . __( 'If the admin email for the new site does not exist in the database, a new user will also be created.' ) . '</p>',
    )
);

get_current_screen()->set_help_sidebar(
    '<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
    '<p>' . __( '<a href="https://wordpress.org/documentation/article/network-admin-sites-screen/">Documentation on Site Management</a>' ) . '</p>' .
    '<p>' . __( '<a href="https://wordpress.org/support/forum/multisite/">Support forums</a>' ) . '</p>'
);

if ( isset( $_REQUEST['action'] ) && 'add-site' === $_REQUEST['action'] ) {
    check_admin_referer( 'add-blog', '_wpnonce_add-blog' );

    if ( ! is_array( $_POST['blog'] ) ) {
        wp_die( __( 'Cannot create an empty site.' ) );
    }

    $blog   = $_POST['blog'];
    $domain = '';

    $blog['domain'] = trim( $blog['domain'] );
    if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) ) {
        $domain = strtolower( $blog['domain'] );
    }

function use_block_editor_for_post( $post ) {
    $post = get_post( $post );

    if ( ! $post ) {
        return false;
    }

    // We're in the meta box loader, so don't use the block editor.     if ( is_admin() && isset( $_GET['meta-box-loader'] ) ) {
        check_admin_referer( 'meta-box-loader', 'meta-box-loader-nonce' );
        return false;
    }

    $use_block_editor = use_block_editor_for_post_type( $post->post_type );

    /** * Filters whether a post is able to be edited in the block editor. * * @since 5.0.0 * * @param bool $use_block_editor Whether the post can be edited or not. * @param WP_Post $post The post being checked. */
// The bulk "Move" button overrides whatever $action was resolved earlier in
// the file (not visible here).
if ( ! empty( $_POST['move'] ) ) {
    $action = 'move';
}
// IDs of the links ticked in the bulk form, consumed by the bulk branches of
// the switch below (each is cast with (int) before use).
// NOTE(review): $linkcheck stays undefined when the field is absent or empty,
// yet the 'deletebookmarks' branch below calls count( $linkcheck ) — on PHP 8
// that is a TypeError unless the variable is initialised earlier; confirm.
if ( ! empty( $_POST['linkcheck'] ) ) {
    $linkcheck = $_POST['linkcheck'];
}

// Base URL the bulk branches redirect back to.
$this_file = admin_url( 'link-manager.php' );

switch ( $action ) {
    case 'deletebookmarks':
        check_admin_referer( 'bulk-bookmarks' );

        // For each link id (in $linkcheck[]) change category to selected value.         if ( count( $linkcheck ) === 0 ) {
            wp_redirect( $this_file );
            exit;
        }

        $deleted = 0;
        foreach ( $linkcheck as $link_id ) {
            $link_id = (int) $link_id;

            
'<p>' . __( '<a href="https://wordpress.org/support/forums/">Support forums</a>' ) . '</p>'
);

require_once ABSPATH . 'wp-admin/admin-header.php';
?> <div class="wrap"> <h1><?php echo esc_html( $title ); ?></h1> <?php if ( $_POST ) {

    check_admin_referer( 'install-network-1' );

    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    // Create network tables.     install_network();
    $base              = parse_url( trailingslashit( get_option( 'home' ) ), PHP_URL_PATH );
    $subdomain_install = allow_subdomain_install() ? ! empty( $_POST['subdomain_install'] ) : false;
    if ( ! network_domain_check() ) {
        $result = populate_network( 1, get_clean_basedomain()sanitize_email( $_POST['email'] )wp_unslash( $_POST['sitename'] )$base$subdomain_install );
        if ( is_wp_error( $result ) ) {
            if ( 1 === count( $result->get_error_codes() ) && 'no_wildcard_dns' === $result->get_error_code() ) {
                network_step2( $result );
            }
return add_query_arg( 'TB_iframe', true, $upload_iframe_src );
}

/**
 * Handles form submissions for the legacy media uploader.
 *
 * @since 2.5.0
 *
 * @return null|array|void Array of error messages keyed by attachment ID, null or void on success.
 */
function media_upload_form_handler() {
    check_admin_referer( 'media-form' );

    $errors = null;

    if ( isset( $_POST['send'] ) ) {
        $keys    = array_keys( $_POST['send'] );
        $send_id = (int) reset( $keys );
    }

    if ( ! empty( $_POST['attachments'] ) ) {
        foreach ( $_POST['attachments'] as $attachment_id => $attachment ) {
            $post  = get_post( $attachment_id, ARRAY_A );
            
// Used in the HTML title tag.
$title       = __( 'Delete Site' );
$parent_file = 'tools.php';

require_once ABSPATH . 'wp-admin/admin-header.php';

// Page heading; the translated title is escaped for the HTML context before output.
printf( '<div class="wrap"><h1>%s</h1>', esc_html( $title ) );

if ( isset( $_POST['action'] ) && 'deleteblog' === $_POST['action'] && isset( $_POST['confirmdelete'] ) && '1' === $_POST['confirmdelete'] ) {
    check_admin_referer( 'delete-blog' );

    $hash = wp_generate_password( 20, false );
    update_option( 'delete_blog_hash', $hash );

    $url_delete = esc_url( admin_url( 'ms-delete-site.php?h=' . $hash ) );

    $switched_locale = switch_to_locale( get_locale() );

    /* translators: Do not translate USERNAME, URL_DELETE, SITENAME, SITEURL: those are placeholders. */
    $content = __(
        "Howdy ###USERNAME###, You recently clicked the 'Delete Site' link on your site and filled in a form on that page. If you really want to delete your site, click the link below. You will not be asked to confirm again so only click this link if you are absolutely certain: ###URL_DELETE### If you delete your site, please consider opening a new site here some time in the future! (But remember that your current site and username are gone forever.) Thank you for using the site, All at ###SITENAME### ###SITEURL###"