
Refreshing meta box nonce after re-authenticating following a wp_auth_check() #670

Merged (1 commit), Jul 30, 2023

Conversation

@hrkhal (Contributor) commented Apr 15, 2019

Fixes #669

Filters wp_refresh_nonces to refresh the coauthors-edit nonce to prevent data loss after re-authenticating an expired session.

@rebeccahum (Contributor) commented

Thanks for the PR -- can we get some steps on how to reproduce the issue?

@hrkhal (Contributor, Author) commented Apr 17, 2019

@rebeccahum To reproduce the issue you'll need an install with custom fields and meta boxes in the post editor and just the co-authors-plus plugin activated. Then:

  1. Open up the post editor, add some content and fill in the custom meta. Save as normal.
  2. Open up wp-admin in a new tab and log out of wp-admin from it.
  3. Return to the post editor tab, wait for the auth check modal, and then re-authenticate by logging in.
  4. Update the content and edit the custom meta.
  5. Now attempt to save the post and you'll hit the Link has expired screen instead of a successful post save.
  6. Follow the please try again link and you'll notice that the post content has likely saved (due to autosave) but all the custom meta changes have been lost.

We get the Link has expired die screen because the check_admin_referer check in co-authors-plus fails due to the expired nonce that wasn't refreshed after re-authenticating. Thus any save_post actions afterwards never fired, and thus the data was lost.

By implementing this PR the main co-authors nonce is refreshed after re-authenticating, which will prevent the data loss described above.

You may also notice that at step 4 you'll be unable to search for new authors to add via the co-authors-plus meta box. This is because the nonce stored in the JS var coAuthorsPlus_ajax_suggest_link is also now invalid because of the re-authentication. Due to the way it's stored, wp_refresh_nonces doesn't fix it. This is a separate issue I'll likely open an issue/PR for.
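The mechanism behind both the PR description and the failure analysis above, as an added example (this is not the PR's own code nor code from the co-authors-plus repository). WordPress nonces are hashed together with the current session token, so when `wp_auth_check()` makes the user log in again the session token changes and every nonce minted under the old session stops verifying. Core already re-issues `_wpnonce` over the Heartbeat API via the `wp_refresh_nonces` filter: its `post.js` treats `$response['wp-refresh-post-nonces']['replace']` as a map of element id to new value and writes each one into the DOM. A plugin can hook the same filter and add its own field. The action string `coauthors-edit` is the one named on this page; the field id `coauthors-nonce`, the `example_` function names and the `_example_field` meta key are assumptions made for this illustration.

```php
<?php
/**
 * Added example, not code from co-authors-plus: a minimal meta box whose nonce
 * is re-issued through the wp_refresh_nonces filter so that a save after
 * re-authentication does not hit the "link has expired" die screen.
 *
 * Assumptions: the field id "coauthors-nonce", the example_* names and the
 * "_example_field" meta key are illustrative only.
 */

const EXAMPLE_NONCE_ACTION = 'coauthors-edit';   // action named on the page
const EXAMPLE_NONCE_FIELD  = 'coauthors-nonce';  // assumed hidden-input id/name

function example_render_meta_box( WP_Post $post ) {
	// wp_nonce_field() emits <input type="hidden" id="coauthors-nonce" name="coauthors-nonce" ...>;
	// the id is what core's post.js uses as the selector when replacing the value.
	wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
	printf(
		'<input type="text" name="example_field" value="%s">',
		esc_attr( get_post_meta( $post->ID, '_example_field', true ) )
	);
}

function example_add_meta_box() {
	add_meta_box( 'example-box', 'Example meta', 'example_render_meta_box', 'post' );
}
add_action( 'add_meta_boxes', 'example_add_meta_box' );

function example_save_post( $post_id ) {
	if ( ! isset( $_POST[ EXAMPLE_NONCE_FIELD ] ) ) {
		return; // Not our form submission (autosave, REST, quick edit).
	}
	// With a stale nonce this calls wp_nonce_ays() and dies, so nothing below runs
	// and no later save_post callback fires: the data loss described above.
	check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}
	$value = sanitize_text_field( wp_unslash( $_POST['example_field'] ?? '' ) );
	update_post_meta( $post_id, '_example_field', $value );
}
add_action( 'save_post', 'example_save_post' );

/**
 * Re-issue the meta box nonce on the same Heartbeat tick core uses for _wpnonce.
 * Core's wp_refresh_post_nonces() runs at priority 10 and fills
 * $response['wp-refresh-post-nonces']['replace']; we append one more entry.
 */
function example_refresh_nonces( $response, $data, $screen_id ) {
	if ( ! isset( $data['wp-refresh-post-nonces']['post_id'] ) ) {
		return $response; // Not a post-editor heartbeat.
	}
	$post_id = absint( $data['wp-refresh-post-nonces']['post_id'] );
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		return $response; // Mirror core: only hand nonces to users who may edit this post.
	}
	$response['wp-refresh-post-nonces']['replace'][ EXAMPLE_NONCE_FIELD ] =
		wp_create_nonce( EXAMPLE_NONCE_ACTION );
	return $response;
}
add_filter( 'wp_refresh_nonces', 'example_refresh_nonces', 20, 3 );
```

The key in `replace` must equal the hidden input's `id`, because the client side does `$('#' + selector).val(value)`. A nonce kept anywhere else, such as a value embedded in a localized JS variable like the `coAuthorsPlus_ajax_suggest_link` mentioned above, is not touched by this mechanism and needs its own refresh path.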

@GaryJones (Contributor) left a comment

✅ Wonderful recreation instructions @hrkhal - much appreciated!

With the Classic Editor plugin active in WP 6.2.2, I was able to recreate this (though after "Please try again" the post meta did seem to be saved); the patch worked to remove the Link has expired die screen.

With the block editor in WP 6.2.2, this doesn't seem to be an issue. With other plugins activated, I got an "Updating failed" while following the procedure, but this persisted with the PR applied as well. On master and with this patch, after logging back in and editing content and post meta, the save worked correctly.

@GaryJones GaryJones merged commit 428a475 into Automattic:master Jul 30, 2023
Linked issue (may be closed by this PR): Refresh meta box nonce after re-authenticating to prevent data loss