← Back to branch summary

~canonical-sysadmins/wordpress/4.9.1

« back to all changes in this revision

Viewing changes to wp-includes/class-wp-customize-manager.php

  • Committer: Barry Price
  • Date: 2017-05-17 04:15:55 UTC
  • mfrom: (1.1.25 upstream)
  • Revision ID: barry.price@canonical.com-20170517041555-7m1fj11y429dsu9n
Merge WP4.7.5 from upstream

Show diffs side-by-side

added added

removed removed

Lines of Context:
wp-includes/class-wp-customize-manager.php
485
485
                }
486
486
 
487
487
                /*
 
488
                 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
 
489
                 * application will inject the customize_preview_nonce query parameter into all Ajax requests.
 
490
                 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
 
491
                 * a user when a valid nonce isn't present.
 
492
                 */
 
493
                $has_post_data_nonce = (
 
494
                        check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
 
495
                        ||
 
496
                        check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
 
497
                        ||
 
498
                        check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
 
499
                );
 
500
                if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
 
501
                        unset( $_POST['customized'] );
 
502
                        unset( $_REQUEST['customized'] );
 
503
                }
 
504
 
 
505
                /*
488
506
                 * If unauthenticated then require a valid changeset UUID to load the preview.
489
507
                 * In this way, the UUID serves as a secret key. If the messenger channel is present,
490
508
                 * then send unauthenticated code to prompt re-auth.