/*
 * Reject a malformed changeset UUID up front. A UUID that is unset or strictly
 * false passes through untouched; any other value must satisfy wp_is_uuid(),
 * otherwise the manager's own wp_die() is invoked with code -1.
 */
if ( isset( $this->_changeset_uuid ) && false !== $this->_changeset_uuid ) {
	if ( ! wp_is_uuid( $this->_changeset_uuid ) ) {
		$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
	}
}

/*
 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
 * application will inject the customize_preview_nonce query parameter into all Ajax requests.
 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
 * a user when a valid nonce isn't present.
 *
 * Three action/parameter pairs are accepted, tried in this order, and the first
 * match wins; later checks are not evaluated once one succeeds:
 *   1. 'preview-customize_{stylesheet}' in the 'nonce' parameter
 *   2. 'save-customize_{stylesheet}'    in the 'nonce' parameter
 *   3. 'preview-customize_{stylesheet}' in the 'customize_preview_nonce' parameter
 *
 * The third argument to check_ajax_referer() is false so that a failed check
 * returns a falsy value instead of terminating the request; the consequence of
 * failure is handled below by discarding the submitted values.
 */
$has_post_data_nonce = false;
if ( check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false ) ) {
	$has_post_data_nonce = true;
} elseif ( check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false ) ) {
	$has_post_data_nonce = true;
} elseif ( check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false ) ) {
	$has_post_data_nonce = true;
}

/*
 * Both conditions are required to keep the submitted 'customized' values: the
 * 'customize' capability AND a valid nonce. Failing either one drops the data
 * rather than aborting the request. $_REQUEST is a separate array from $_POST,
 * so the key is removed from each.
 */
if ( ! ( current_user_can( 'customize' ) && $has_post_data_nonce ) ) {
	unset( $_POST['customized'], $_REQUEST['customized'] );
}

/*
 * If unauthenticated then require a valid changeset UUID to load the preview.
 * In this way, the UUID serves as a secret key. If the messenger channel is present,
 * then send unauthenticated code to prompt re-auth.
 */