[wp-hackers] Nonce happy?

Thomas Belknap dragonfly at dragonflyeye.net
Mon Aug 12 18:50:28 UTC 2013


Thank you all for your helpful and thoughtful responses. Kenneth, what you
say makes a lot of sense. I'm trying to create a more or less generic form
field generator for use across other plugins that I use all the time, just
because I'm so spoiled on the way CakePHP creates forms, and the nonce
thing was an open question.

You've all given me a lot to think about. Thank you.


On Mon, Aug 12, 2013 at 1:47 PM, Kenneth Newman <ken.adcstudio at gmail.com>wrote:

>
> On Aug 12, 2013, at 11:01 AM, Thomas Belknap <dragonfly at dragonflyeye.net>
> wrote:
>
> > Reading over a lot of documentation and example code concerning the
> > addition of custom fields to the Write Post screen, almost every single
> > one includes the requirement to include a nonce field with your data. An
> > abundance of caution isn't necessarily a bad thing, but does this not
> > strike anyone as a little too much caution?
> Nah, it turns out that using a wpnonce to identify your fields is easier
> than the alternatives, so for me, it's less about caution and more about
> pragmatism.
>
> >
> > In terms of what WordPress is using nonces for, the only goal is to make
> > sure the data is coming from the correct origin: your website and your
> > admin form. Once this task is out of the way, the rest of the POST data
> > should be trusted. Yet the convention, at least in terms of example code,
> > seems to be to include a nonce for every single custom field.
> wpnonces are (supposed) to be tied to a unique action string-key. Every
> action deserves its own wpnonce.
> If a user uses the bulk edit feature on the post list screen, then for
> each post edited, the wpnonce for bulkedit will pass, and yet your fields
> aren't present and your handle shouldn't run.
> Further, there's no guarantee that 'save_posts' (which is where your
> action is hooked) was even triggered by an edit form submission (upgrades
> and uninstalls update posts sometimes) and there's no guarantee that a
> related nonce check was performed at all (unless you do it yourself).
>
> >
> > If WP is making its own checks on the "Write Post" screen data, don't
> > the additional nonces seem superfluous, or am I missing something?
> This wpnonce is tied to an action that does not necessarily cover your
> fields' purpose.
> Your nonce is supposed to indicate an action such as
> 'user_wants_to_update_my_metafields_for_book_cpts' (overlong because it's
> contrived).
> It's a way of assuring you are only taking action when the user intends
> for that action to occur.
>
> >
> > I perfectly understand their value in the context of a custom plugin
> > configuration page. But when extending the Write Post screen to
> > incorporate all the additional data a custom post type might require,
> > this additional nonce data seems like a bit of a headache with very
> > little value.
> I find that using a unique nonce actually has quite a bit of utility, and
> it's only two lines of code: a line printing the nonce with your fields,
> and a line checking its value.
>
> The most evident utility is that if my unique nonce is valid, my fields
> should at least be present. User actions involving the posting form on the
> dashboard, the bulk edit form, pressthis, among others, won't contain my
> fields, since I add them via metabox calls typically. Checking the nonce
> saves me the hassle of detecting the screen type and inspecting the $_POST
> object and detecting my fields.
>
> You should always use a unique string that describes the custom action you
> are handling, and specify a unique field name for the nonce (otherwise
> someone's _wpnonce is going to get trampled).
>
> I think of this system as effectively having multiple forms that are
> transmitted via the same html form. If I use my own unique nonces, I don't
> have to worry about what any other actions are doing.
>
> >
> > --
> > Tom Belknap
> > Owner/Editor, DragonFlyEye.Net
> > Join me:
> >
> >   - *Inbox:* http://dragonflyeye.net/subscribe
> >   - *Web*: http://dragonflyeye.net/
> >   - *Facebook*: https://www.facebook.com/DragonFlyEye.Net
> >   - *Twitter*: https://twitter.com/dragonflyeye
> >   - *Google*: https://plus.google.com/u/1/103251482414903117843/posts
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers



-- 
Tom Belknap
Owner/Editor, DragonFlyEye.Net
Join me:

   - *Inbox:* http://dragonflyeye.net/subscribe
   - *Web*: http://dragonflyeye.net/
   - *Facebook*: https://www.facebook.com/DragonFlyEye.Net
   - *Twitter*: https://twitter.com/dragonflyeye
   - *Google*: https://plus.google.com/u/1/103251482414903117843/posts
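The pattern Kenneth describes above (one nonce per action, a field name unique to your plugin, and a check on that nonce before you look at any of your own POST data) in working form. This is an added example written for this page, not code from the thread, from WordPress core, or from either poster's plugins. It assumes a hypothetical custom post type 'book', a hypothetical meta key '_book_isbn', and the made-up action string and field name shown; only the WordPress functions it calls (add_meta_box, wp_nonce_field, wp_verify_nonce, current_user_can, update_post_meta and friends) are real. It hooks the core 'save_post' action (spelled 'save_posts' in the reply) and filters on post type itself, since that hook fires for every post type and for updates that never came from the edit form.

```php
<?php
/**
 * Added example, not part of the wp-hackers thread: a meta box for a
 * hypothetical 'book' post type whose save handler runs only when its own
 * nonce validates. book_*, '_book_isbn', the action string and the field
 * name are illustrative assumptions, not WordPress or thread code.
 */

// One action string per distinct user action, as the reply recommends.
const BOOK_META_NONCE_ACTION = 'book_meta_save_isbn';
// A field name unique to this plugin, so it does not trample another
// plugin's (or core's) _wpnonce field travelling in the same POST.
const BOOK_META_NONCE_FIELD  = 'book_meta_nonce';

add_action( 'add_meta_boxes', 'book_meta_register_box' );
function book_meta_register_box() {
    add_meta_box( 'book_meta', 'Book details', 'book_meta_render_box', 'book', 'normal', 'default' );
}

// "A line printing the nonce with your fields": the nonce is emitted in the
// same meta box as the inputs it vouches for, so its presence implies theirs.
function book_meta_render_box( WP_Post $post ) {
    wp_nonce_field( BOOK_META_NONCE_ACTION, BOOK_META_NONCE_FIELD );
    $isbn = get_post_meta( $post->ID, '_book_isbn', true );
    printf(
        '<label for="book_isbn">ISBN</label> <input type="text" id="book_isbn" name="book_isbn" value="%s" />',
        esc_attr( $isbn )
    );
}

add_action( 'save_post', 'book_meta_save', 10, 2 );
function book_meta_save( $post_id, WP_Post $post ) {
    // 1. Nonce first. Bulk edit, Quick Edit, Press This, autosaves, XML-RPC and
    //    programmatic wp_update_post() calls (upgrades, uninstalls) all fire
    //    save_post without our field. A missing or stale nonce therefore just
    //    means "this request did not come from our meta box": return quietly.
    $nonce = isset( $_POST[ BOOK_META_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ BOOK_META_NONCE_FIELD ] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, BOOK_META_NONCE_ACTION ) ) {
        return;
    }

    // 2. Only our post type, and skip autosaves/revisions of it.
    if ( 'book' !== $post->post_type ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 3. A nonce proves intent and origin, not authority: the user may hold a
    //    valid nonce yet lack the right to edit this particular post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 4. Now, and only now, trust that our fields are present and inspect them.
    if ( isset( $_POST['book_isbn'] ) ) {
        $isbn = sanitize_text_field( wp_unslash( $_POST['book_isbn'] ) );
        if ( '' === $isbn ) {
            delete_post_meta( $post_id, '_book_isbn' );
        } else {
            update_post_meta( $post_id, '_book_isbn', $isbn );
        }
    }
}
```

Two points worth noting. First, the nonce check is deliberately the first thing the handler does, before the post-type or capability tests, because it is the cheapest way to answer "was my form even submitted?" and every other code path on save_post is a false positive from this handler's point of view. Second, wp_verify_nonce only proves the request originated from a page that rendered this action for this user within the nonce lifetime; it does not replace current_user_can, which is why the capability check stays even though the nonce passed.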

