check_ajax_referer example



    /**
     * Handles Ajax request for adding custom background context to an attachment.
     *
     * Triggers when the user adds a new background image from the
     * Media Manager.
     *
     * @since 4.1.0
     */
    public function ajax_background_add() {
        check_ajax_referer( 'background-add', 'nonce' );

        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_send_json_error();
        }

        $attachment_id = absint( $_POST['attachment_id'] );
        if ( $attachment_id < 1 ) {
            wp_send_json_error();
        }

        update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_stylesheet() );

        
//
// GET-based Ajax handlers.
//

/**
 * Handles fetching a list table via AJAX.
 *
 * @since 3.1.0
 */
function wp_ajax_fetch_list() {
    $list_class = $_GET['list_args']['class'];
    check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' );

    $wp_list_table = _get_list_table( $list_class, array( 'screen' => $_GET['list_args']['screen']['id'] ) );
    if ( ! $wp_list_table ) {
        wp_die( 0 );
    }

    if ( ! $wp_list_table->ajax_user_can() ) {
        wp_die( -1 );
    }

    $wp_list_table->ajax_response();

    
/**
 * Adds the Customizer menus nonce to the array of nonces handed to the client.
 *
 * The token is minted with wp_create_nonce() under the action name 'customize-menus';
 * ajax_load_available_items() verifies a nonce for that same action via
 * check_ajax_referer( 'customize-menus', 'customize-menus-nonce' ), so the two must stay in sync.
 * NOTE(review): presumably registered as a filter callback (e.g. on customize_refresh_nonces) — confirm.
 *
 * @param string[] $nonces Array of nonces, keyed by action name.
 * @return string[] The same array with the 'customize-menus' entry set.
 */
public function filter_nonces( $nonces ) {
    // Mint the token first, then store it under the action name the Ajax handler checks.
    $menus_nonce = wp_create_nonce( 'customize-menus' );

    $nonces['customize-menus'] = $menus_nonce;

    return $nonces;
}

    /**
     * Ajax handler for loading available menu items.
     *
     * @since 4.3.0
     */
    public function ajax_load_available_items() {
        check_ajax_referer( 'customize-menus', 'customize-menus-nonce' );

        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_die( -1 );
        }

        $all_items  = array();
        $item_types = array();
        if ( isset( $_POST['item_types'] ) && is_array( $_POST['item_types'] ) ) {
            $item_types = wp_unslash( $_POST['item_types'] );
        } elseif ( isset( $_POST['type'] ) && isset( $_POST['object'] ) ) { // Back compat.             $item_types[] = array(
                
return $attachment_id;
    }

    /**
     * Gets attachment uploaded by Media Manager, crops it, then saves it as a
     * new object. Returns JSON-encoded object details.
     *
     * @since 3.9.0
     */
    public function ajax_header_crop() {
        check_ajax_referer( 'image_editor-' . $_POST['id'], 'nonce' );

        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_send_json_error();
        }

        if ( ! current_theme_supports( 'custom-header', 'uploads' ) ) {
            wp_send_json_error();
        }

        $crop_details = $_POST['cropDetails'];

        

    public function wp_ajax_update_widget() {

        if ( ! is_user_logged_in() ) {
            wp_die( 0 );
        }

        check_ajax_referer( 'update-widget', 'nonce' );

        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_die( -1 );
        }

        if ( empty( $_POST['widget-id'] ) ) {
            wp_send_json_error( 'missing_widget-id' );
        }

        /** This action is documented in wp-admin/includes/ajax-actions.php */
        do_action( 'load-widgets.php' ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
        if ( isset( $this->_changeset_uuid ) && false !== $this->_changeset_uuid && ! wp_is_uuid( $this->_changeset_uuid ) ) {
            $this->wp_die( -1, __( 'Invalid changeset UUID' ) );
        }

        /*
         * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
         * application will inject the customize_preview_nonce query parameter into all Ajax requests.
         * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
         * a user when a valid nonce isn't present.
         */
        $has_post_data_nonce = (
            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
            ||
            check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
            ||
            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
        );
        if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
            unset( $_POST['customized'] );
            unset( $_REQUEST['customized'] );
        }

        /*
         * If unauthenticated then require a valid changeset UUID to load the preview.
         * In this way, the UUID serves as a secret key. If the messenger channel is present,
         * then send unauthenticated code to prompt re-auth.
         */
$file      = validate_file_to_edit( $file$plugin_files );
$real_file = WP_PLUGIN_DIR . '/' . $file;

// Handle fallback editing of file when JavaScript is not available. $edit_error     = null;
$posted_content = null;

if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
    $r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
    if ( is_wp_error( $r ) ) {
        $edit_error = $r;
        if ( check_ajax_referer( 'edit-plugin_' . $file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
            $posted_content = wp_unslash( $_POST['newcontent'] );
        }
    } else {
        wp_redirect(
            add_query_arg(
                array(
                    'a'      => 1, // This means "success" for some reason.                     'plugin' => $plugin,
                    'file'   => $file,
                ),
                admin_url( 'plugin-editor.php' )
            )
validate_file_to_edit( $file$allowed_files );

// Handle fallback editing of file when JavaScript is not available. $edit_error     = null;
$posted_content = null;

if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
    $r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
    if ( is_wp_error( $r ) ) {
        $edit_error = $r;
        if ( check_ajax_referer( 'edit-theme_' . $stylesheet . '_' . $relative_file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
            $posted_content = wp_unslash( $_POST['newcontent'] );
        }
    } else {
        wp_redirect(
            add_query_arg(
                array(
                    'a'     => 1, // This means "success" for some reason.                     'theme' => $stylesheet,
                    'file'  => $relative_file,
                ),
                admin_url( 'theme-editor.php' )
            )


        /** See filter documentation in init_hooks(). */
        $akismet_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) );
        $comment['akismet_comment_nonce'] = 'inactive';
        if ( $akismet_nonce_option == 'true' || $akismet_nonce_option == '' ) {
            $comment['akismet_comment_nonce'] = 'failed';
            if ( isset( $_POST['akismet_comment_nonce'] ) && wp_verify_nonce( $_POST['akismet_comment_nonce'], 'akismet_comment_nonce_' . $comment['comment_post_ID'] ) )
                $comment['akismet_comment_nonce'] = 'passed';

            // comment reply in wp-admin             if ( isset( $_POST['_ajax_nonce-replyto-comment'] ) && check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ) )
                $comment['akismet_comment_nonce'] = 'passed';

        }

        if ( self::is_test_mode() )
            $comment['is_test'] = 'true';

        foreach( $_POST as $key => $value ) {
            if ( is_string( $value ) )
                $comment["POST_{$key}"] = $value;
        }

        