CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
check_ajax_referer example
/** * Handles Ajax request for adding custom background context to an attachment. * * Triggers when the user adds a new background image from the * Media Manager. * * @since 4.1.0 */
public function ajax_background_add() {
check_ajax_referer( 'background-add', 'nonce' );
if ( ! current_user_can( 'edit_theme_options' ) ) {
wp_send_json_error();
}
$attachment_id = absint( $_POST['attachment_id'] );
if ( $attachment_id < 1 ) {
wp_send_json_error();
}
update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_stylesheet() );
//
// GET-based Ajax handlers.
//
/** * Handles fetching a list table via AJAX. * * @since 3.1.0 */
function wp_ajax_fetch_list() {
$list_class = $_GET['list_args']['class'];
check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' );
$wp_list_table = _get_list_table( $list_class, array( 'screen' => $_GET['list_args']['screen']['id'] ) );
if ( ! $wp_list_table ) {
wp_die( 0 );
}
if ( ! $wp_list_table->ajax_user_can() ) {
wp_die( -1 );
}
$wp_list_table->ajax_response();
/** * Handles fetching a list table via AJAX. * * @since 3.1.0 */
function wp_ajax_fetch_list() {
$list_class = $_GET['list_args']['class'];
check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' );
$wp_list_table = _get_list_table( $list_class, array( 'screen' => $_GET['list_args']['screen']['id'] ) );
if ( ! $wp_list_table ) {
wp_die( 0 );
}
if ( ! $wp_list_table->ajax_user_can() ) {
wp_die( -1 );
}
$wp_list_table->ajax_response();
public function filter_nonces( $nonces ) {
$nonces['customize-menus'] = wp_create_nonce( 'customize-menus' );
return $nonces;
}
/** * Ajax handler for loading available menu items. * * @since 4.3.0 */
public function ajax_load_available_items() {
check_ajax_referer( 'customize-menus', 'customize-menus-nonce' );
if ( ! current_user_can( 'edit_theme_options' ) ) {
wp_die( -1 );
}
$all_items = array();
$item_types = array();
if ( isset( $_POST['item_types'] ) && is_array( $_POST['item_types'] ) ) {
$item_types = wp_unslash( $_POST['item_types'] );
} elseif ( isset( $_POST['type'] ) && isset( $_POST['object'] ) ) { // Back compat. $item_types[] = array(
$nonces['customize-menus'] = wp_create_nonce( 'customize-menus' );
return $nonces;
}
/** * Ajax handler for loading available menu items. * * @since 4.3.0 */
public function ajax_load_available_items() {
check_ajax_referer( 'customize-menus', 'customize-menus-nonce' );
if ( ! current_user_can( 'edit_theme_options' ) ) {
wp_die( -1 );
}
$all_items = array();
$item_types = array();
if ( isset( $_POST['item_types'] ) && is_array( $_POST['item_types'] ) ) {
$item_types = wp_unslash( $_POST['item_types'] );
} elseif ( isset( $_POST['type'] ) && isset( $_POST['object'] ) ) { // Back compat. $item_types[] = array(
return $attachment_id;
}
/** * Gets attachment uploaded by Media Manager, crops it, then saves it as a * new object. Returns JSON-encoded object details. * * @since 3.9.0 */
public function ajax_header_crop() {
check_ajax_referer( 'image_editor-' . $_POST['id'], 'nonce' );
if ( ! current_user_can( 'edit_theme_options' ) ) {
wp_send_json_error();
}
if ( ! current_theme_supports( 'custom-header', 'uploads' ) ) {
wp_send_json_error();
}
$crop_details = $_POST['cropDetails'];
}
/** * Gets attachment uploaded by Media Manager, crops it, then saves it as a * new object. Returns JSON-encoded object details. * * @since 3.9.0 */
public function ajax_header_crop() {
check_ajax_referer( 'image_editor-' . $_POST['id'], 'nonce' );
if ( ! current_user_can( 'edit_theme_options' ) ) {
wp_send_json_error();
}
if ( ! current_theme_supports( 'custom-header', 'uploads' ) ) {
wp_send_json_error();
}
$crop_details = $_POST['cropDetails'];
public function wp_ajax_update_widget() {
if ( ! is_user_logged_in() ) {
wp_die( 0 );
}
check_ajax_referer( 'update-widget', 'nonce' );
if ( ! current_user_can( 'edit_theme_options' ) ) {
wp_die( -1 );
}
if ( empty( $_POST['widget-id'] ) ) {
wp_send_json_error( 'missing_widget-id' );
}
/** This action is documented in wp-admin/includes/ajax-actions.php */
do_action( 'load-widgets.php' ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
if ( isset( $this->_changeset_uuid ) && false !== $this->_changeset_uuid && ! wp_is_uuid( $this->_changeset_uuid ) ) {
$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
}
/* * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer * application will inject the customize_preview_nonce query parameter into all Ajax requests. * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out * a user when a valid nonce isn't present. */
$has_post_data_nonce = (
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
);
if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
unset( $_POST['customized'] );
unset( $_REQUEST['customized'] );
}
/* * If unauthenticated then require a valid changeset UUID to load the preview. * In this way, the UUID serves as a secret key. If the messenger channel is present, * then send unauthenticated code to prompt re-auth. */
$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
}
/* * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer * application will inject the customize_preview_nonce query parameter into all Ajax requests. * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out * a user when a valid nonce isn't present. */
$has_post_data_nonce = (
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
||
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
);
if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
unset( $_POST['customized'] );
unset( $_REQUEST['customized'] );
}
/* * If unauthenticated then require a valid changeset UUID to load the preview. * In this way, the UUID serves as a secret key. If the messenger channel is present, * then send unauthenticated code to prompt re-auth. */
$file = validate_file_to_edit( $file, $plugin_files );
$real_file = WP_PLUGIN_DIR . '/' . $file;
// Handle fallback editing of file when JavaScript is not available. $edit_error = null;
$posted_content = null;
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
$r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
if ( is_wp_error( $r ) ) {
$edit_error = $r;
if ( check_ajax_referer( 'edit-plugin_' . $file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
$posted_content = wp_unslash( $_POST['newcontent'] );
}
} else {
wp_redirect(
add_query_arg(
array(
'a' => 1, // This means "success" for some reason. 'plugin' => $plugin,
'file' => $file,
),
admin_url( 'plugin-editor.php' )
)
$real_file = WP_PLUGIN_DIR . '/' . $file;
// Handle fallback editing of file when JavaScript is not available. $edit_error = null;
$posted_content = null;
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
$r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
if ( is_wp_error( $r ) ) {
$edit_error = $r;
if ( check_ajax_referer( 'edit-plugin_' . $file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
$posted_content = wp_unslash( $_POST['newcontent'] );
}
} else {
wp_redirect(
add_query_arg(
array(
'a' => 1, // This means "success" for some reason. 'plugin' => $plugin,
'file' => $file,
),
admin_url( 'plugin-editor.php' )
)
validate_file_to_edit( $file, $allowed_files );
// Handle fallback editing of file when JavaScript is not available. $edit_error = null;
$posted_content = null;
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
$r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
if ( is_wp_error( $r ) ) {
$edit_error = $r;
if ( check_ajax_referer( 'edit-theme_' . $stylesheet . '_' . $relative_file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
$posted_content = wp_unslash( $_POST['newcontent'] );
}
} else {
wp_redirect(
add_query_arg(
array(
'a' => 1, // This means "success" for some reason. 'theme' => $stylesheet,
'file' => $relative_file,
),
admin_url( 'theme-editor.php' )
)
// Handle fallback editing of file when JavaScript is not available. $edit_error = null;
$posted_content = null;
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
$r = wp_edit_theme_plugin_file( wp_unslash( $_POST ) );
if ( is_wp_error( $r ) ) {
$edit_error = $r;
if ( check_ajax_referer( 'edit-theme_' . $stylesheet . '_' . $relative_file, 'nonce', false ) && isset( $_POST['newcontent'] ) ) {
$posted_content = wp_unslash( $_POST['newcontent'] );
}
} else {
wp_redirect(
add_query_arg(
array(
'a' => 1, // This means "success" for some reason. 'theme' => $stylesheet,
'file' => $relative_file,
),
admin_url( 'theme-editor.php' )
)
/** See filter documentation in init_hooks(). */
$akismet_nonce_option = apply_filters( 'akismet_comment_nonce', get_option( 'akismet_comment_nonce' ) );
$comment['akismet_comment_nonce'] = 'inactive';
if ( $akismet_nonce_option == 'true' || $akismet_nonce_option == '' ) {
$comment['akismet_comment_nonce'] = 'failed';
if ( isset( $_POST['akismet_comment_nonce'] ) && wp_verify_nonce( $_POST['akismet_comment_nonce'], 'akismet_comment_nonce_' . $comment['comment_post_ID'] ) )
$comment['akismet_comment_nonce'] = 'passed';
// comment reply in wp-admin if ( isset( $_POST['_ajax_nonce-replyto-comment'] ) && check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ) )
$comment['akismet_comment_nonce'] = 'passed';
}
if ( self::is_test_mode() )
$comment['is_test'] = 'true';
foreach( $_POST as $key => $value ) {
if ( is_string( $value ) )
$comment["POST_{$key}"] = $value;
}