权限没有,则隐藏 function forum_list_access_filter($forumlist, $gid, $allow = 'allowread') { global $grouplist; if (empty($forumlist)) return array(); if (1 == $gid) return $forumlist; $forumlist_filter = $forumlist; $group = $grouplist[$gid]; foreach ($forumlist_filter as $fid => $forum) { if (empty($forum['accesson']) && empty($group[$allow]) || !empty($forum['accesson']) && empty($forum['accesslist'][$gid][$allow])) { unset($forumlist_filter[$fid]); } unset($forumlist_filter[$fid]['accesslist']); } return $forumlist_filter; } function forum_filter_moduid($moduids) { $moduids = trim($moduids); if (empty($moduids)) return ''; $arr = explode(',', $moduids); $r = array(); foreach ($arr as $_uid) { $_uid = intval($_uid); $_user = user_read($_uid); if (empty($_user)) continue; if ($_user['gid'] > 4) continue; $r[] = $_uid; } return implode(',', $r); } function forum_safe_info($forum) { //unset($forum['moduids']); return $forum; } function forum_filter($forumlist) { foreach ($forumlist as &$val) { unset($val['brief'], $val['announcement'], $val['seo_title'], $val['seo_keywords'], $val['create_date_fmt'], $val['icon_url'], $val['modlist']); } return $forumlist; } function forum_format_url($forum) { global $conf; if (0 == $forum['category']) { // 列表URL $url = url('list-' . $forum['fid'], '', FALSE); } elseif (1 == $forum['category']) { // 频道 $url = url('category-' . $forum['fid'], '', FALSE); } elseif (2 == $forum['category']) { // 单页 $url = url('read-' . trim($forum['brief']), '', FALSE); } if ($conf['url_rewrite_on'] > 1 && $forum['well_alias']) { if (0 == $forum['category'] || 1 == $forum['category']) { $url = url($forum['well_alias'], '', FALSE); } elseif (2 == $forum['category']) { // 单页 $url = ($forum['threads'] && $forum['brief']) ? url($forum['well_alias'] . '-' . trim($forum['brief']), '', FALSE) : url($forum['well_alias'], '', FALSE); } } return $url; } function well_forum_alias() { $forumlist = forum_list_cache(); if (empty($forumlist)) return ''; $key = 'forum-alias'; static $cache = array(); if (isset($cache[$key])) return $cache[$key]; $cache[$key] = array(); foreach ($forumlist as $val) { if ($val['well_alias']) $cache[$key][$val['fid']] = $val['well_alias']; } return array_flip($cache[$key]); } function well_forum_alias_cache() { global $conf; $key = 'forum-alias-cache'; static $cache = array(); // 用静态变量只能在当前 request 生命周期缓存,跨进程需要再加一层缓存:redis/memcached/xcache/apc if (isset($cache[$key])) return $cache[$key]; if ('mysql' == $conf['cache']['type']) { $arr = well_forum_alias(); } else { $arr = cache_get($key); if (NULL === $arr) { $arr = well_forum_alias(); !empty($arr) AND cache_set($key, $arr); } } $cache[$key] = empty($arr) ? '' : $arr; return $cache[$key]; } ?>ajax - WordPress is creating nonce as a logged in user but verifying it incorrectly
最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客

ajax - WordPress is creating nonce as a logged in user but verifying it incorrectly

programmeradmin8浏览0评论

I'm having trouble validating a nonce created with wp_create_nonce() inside a hidden input with the name nonce in an html form:

<input type="hidden" name="nonce" value="<?php echo wp_create_nonce('action_name'); ?>" />

The form submission is done via ajax and validated with check_ajax_referer('action_name','nonce'). This always returns -1. All REST endpoints have been tested without nonces and work 100% fine.

The issue seems to stem from wp's user identifcation.

My debugging so far

Nonce creation
Within wp-includes/pluggable.php wp_create_nonce('action_name') creates a nonce hashing various variables including the user id and the action.

Ajax call
I submit an ajax call which calls check_ajax_referer('action_name','nonce'). This in turn calls wp_verify_nonce($nonce,$action) which verifies the nonce by hashing the same variables and comparing the two.

Reverse engineering to locate problem
My problem is that wp_create_nonce('action_name') is being created with the correct user id. However, when I run check_ajax_referer('action_name','nonce') which calls wp_verify_nonce($nonce,$action) which in turn calls wp_get_current_user(); no user is found (user id is 0).

Evidence the problem is to do with user id

If I temporarily edit wp-includes/pluggable.php to force my user id, the nonce validation works fine. It's as if ajax requests to a known and valid endpoint are being treated as if the user is logged out regardless of whether they are or not.

I'm clearly missing something here, but I have no idea what.

If it helps, this is the REST point registration. As mentioned it works fine without the involvement of a nonce.

    register_rest_route(
        'my-namespace', //namespace
        'my-namespace-route-1', //route
        ['methods'=>'POST',
         'callback'=>['Another_Class',//class
             'a_static_function'] //static function
        ] //params
    );

I'm having trouble validating a nonce created with wp_create_nonce() inside a hidden input with the name nonce in an html form:

<input type="hidden" name="nonce" value="<?php echo wp_create_nonce('action_name'); ?>" />

The form submission is done via ajax and validated with check_ajax_referer('action_name','nonce'). This always returns -1. All REST endpoints have been tested without nonces and work 100% fine.

The issue seems to stem from wp's user identifcation.

My debugging so far

Nonce creation
Within wp-includes/pluggable.php wp_create_nonce('action_name') creates a nonce hashing various variables including the user id and the action.

Ajax call
I submit an ajax call which calls check_ajax_referer('action_name','nonce'). This in turn calls wp_verify_nonce($nonce,$action) which verifies the nonce by hashing the same variables and comparing the two.

Reverse engineering to locate problem
My problem is that wp_create_nonce('action_name') is being created with the correct user id. However, when I run check_ajax_referer('action_name','nonce') which calls wp_verify_nonce($nonce,$action) which in turn calls wp_get_current_user(); no user is found (user id is 0).

Evidence the problem is to do with user id

If I temporarily edit wp-includes/pluggable.php to force my user id, the nonce validation works fine. It's as if ajax requests to a known and valid endpoint are being treated as if the user is logged out regardless of whether they are or not.

I'm clearly missing something here, but I have no idea what.

If it helps, this is the REST point registration. As mentioned it works fine without the involvement of a nonce.

    register_rest_route(
        'my-namespace', //namespace
        'my-namespace-route-1', //route
        ['methods'=>'POST',
         'callback'=>['Another_Class',//class
             'a_static_function'] //static function
        ] //params
    );
Share Improve this question edited Sep 19, 2020 at 0:51 dewd asked Sep 18, 2020 at 22:41 dewddewd 17911 bronze badges 2
  • i don't see the code for your AJAX endpooint can you edit your question to include it? Is there a reason you went for the old admin-ajax.php api rather than the a newer REST API endpoint via register_rest_route? – Tom J Nowell Commented Sep 19, 2020 at 0:32
  • I added an example. I think this is the newest API right? – dewd Commented Sep 19, 2020 at 0:52
Add a comment  | 

1 Answer 1

Reset to default 1

This is happening because a separate nonce with the action wp_rest is not being sent by the server to the client and received back from the client in an HTTP request header called X-WP-Nonce with every REST request.

To get this working, you will have to generate a nonce like this:

wp_create_nonce('wp_rest')

...and provide it to the client making the rest call. Once your client has the nonce value, you need to add it to every REST request e.g.:

headers: {
    'X-WP-Nonce': nonce,
}

Creating the nonce on the server and accessing it on the client can be done several ways. Using wp_localize_script() is the most common and probably best practice for WordPress. wp_localize_script() addds a global variable to the client for a script to access. See https://developer.wordpress/reference/functions/wp_localize_script/.

发布评论

评论列表(0)

  1. 暂无评论