[wp-hackers] Nonce happy?

Jaime Martínez info at jaimemartinez.nl
Mon Aug 12 21:23:41 UTC 2013


I know writing it yourself is fun, still, if you are looking for a generic way of creating back-end forms, maybe you could check scb-framework and the scbForm part.
https://github.com/scribu/wp-scb-framework
http://scribu.net/wordpress/scb-framework/

Good luck and have fun

Jaime


On 12 aug. 2013, at 20:50, Thomas Belknap <dragonfly at dragonflyeye.net> wrote:

> Thank you all for your helpful and thoughtful responses. Kenneth, what you
> say makes a lot of sense. I'm trying to create a more or less generic form
> field generator for use across other plugins that I use all the time, just
> because I'm so spoiled on the way CakePHP creates forms, and the nonce
> thing was an open question.
> 
> You've all given me a lot to think about. Thank you.
> 
> 
> On Mon, Aug 12, 2013 at 1:47 PM, Kenneth Newman <ken.adcstudio at gmail.com>wrote:
> 
>> 
>> On Aug 12, 2013, at 11:01 AM, Thomas Belknap <dragonfly at dragonflyeye.net>
>> wrote:
>> 
>>> Reading over a lot of documentation and example code concerning the
>>> addition of custom fields to the Write Post screen, almost every single
>>> one
>>> includes the requirement to include a nonce field with your data. An
>>> abundance of caution isn't necessarily a bad thing, but does this not
>>> strike anyone as a little too much caution?
>> Nah, it turns out that using a wpnonce to identify your fields is easier
>> than the alternatives, so for me, it's less about caution and more about
>> pragmatism.
>> 
>>> 
>>> In terms of what WordPress is using nonces for, the only goal is to make
>>> sure the data is coming from the correct origin: your website and your
>>> admin form. Once this task is out of the way, the rest of the POST data
>>> should be trusted. Yet the convention, at least in terms of example code,
>>> seems to be to include a nonce for every single custom field.
>> wpnonces are (supposed) to be tied to a unique action string-key. Every
>> action deserves its own wpnonce.
>> If a user uses the bulk edit feature on the post list screen, then for
>> each post edited, the wpnonce for bulkedit will pass, and yet your fields
>> aren't present and your handle shouldn't run.
>> Further, there's no guarantee that 'save_posts' (which is where your
>> action is hooked) was even triggered by an edit form submission (upgrades
>> and uninstalls update posts sometimes) and there's no guarantee that a
>> related nonce check was performed at all (unless you do it yourself).
>> 
>>> 
>>> If WP is making its own checks on the "Write Post" screen data, don't
>>> the
>>> additional nonces seem superfluous, or am I missing something?
>> This wpnonce is tied to an action that does not necessarily cover your
>> fields' purpose.
>> Your nonce is supposed to indicate an action such as
>> 'user_wants_to_update_my_metafields_for_book_cpts' (overlong because it's
>> contrived).
>> It's a way of assuring you are only taking action when the user intends
>> for that action to occur.
>> 
>>> 
>>> I perfectly understand their value in the context of a custom plugin
>>> configuration page. But when extending the Write Post screen to
>>> incorporate
>>> all the additional data a custom post type might require, this additional
>>> nonce data seems like a bit of a headache with very little value.
>> I find that using a unique nonce actually has quite a bit of utility, and
>> it's only two lines of code: a line printing the nonce with your fields,
>> and a line checking its value.
>> 
>> The most evident utility is that if my unique nonce is valid, my fields
>> should at least be present. User actions involving the posting form on the
>> dashboard, the bulk edit form, pressthis, among others, won't contain my
>> fields, since I add them via metabox calls typically. Checking the nonce
>> saves me the hassle of detecting the screen type and inspecting the $_POST
>> object and detecting my fields.
>> 
>> You should always use a unique string that describes the custom action you
>> are handling, and specify a unique field name for the nonce (otherwise
>> someone's _wpnonce is going to get trampled).
>> 
>> I think of this system as effectively having multiple forms that are
>> transmitted via the same html form. If I use my own unique nonces, I don't
>> have to worry about what any other actions are doing.
>> 
>>> 
>>> --
>>> Tom Belknap
>>> Owner/Editor, DragonFlyEye.Net
>>> Join me:
>>> 
>>> - *Inbox:* http://dragonflyeye.net/subscribe
>>> - *Web*: http://dragonflyeye.net/
>>> - *Facebook*: https://www.facebook.com/DragonFlyEye.Net
>>> - *Twitter*: https://twitter.com/dragonflyeye
>>> - *Google*: https://plus.google.com/u/1/103251482414903117843/posts
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> 
> 
> 
> 
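A concrete form of the two lines Kenneth describes (print the nonce with the fields, verify it on save), as an added example that is not code from this thread; the 'book' post type, the '_book_isbn' meta key and the action and field names are assumptions:

```php
<?php
// Added example, not code from the thread. Assumes a hypothetical 'book'
// post type, a meta key '_book_isbn', and the action/field names below.
// The unique action string and unique field name identify *this* handler's
// form; a generic _wpnonce would only say "some post form was submitted".
define( 'BOOK_META_NONCE_ACTION', 'book_meta_update_isbn' );
define( 'BOOK_META_NONCE_FIELD', 'book_meta_nonce' );

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'book_meta', 'Book details', 'book_meta_box_html', 'book', 'normal', 'default' );
} );

// Line one: print the nonce together with the fields it covers.
function book_meta_box_html( $post ) {
    wp_nonce_field( BOOK_META_NONCE_ACTION, BOOK_META_NONCE_FIELD );
    $isbn = get_post_meta( $post->ID, '_book_isbn', true );
    echo '<label for="book_isbn">ISBN</label> ';
    echo '<input type="text" id="book_isbn" name="book_isbn" value="' . esc_attr( $isbn ) . '" />';
}

// Line two: verify it before touching anything. save_post also fires for
// bulk edit, Press This, autosaves and non-form updates; in all of those the
// nonce field is absent or wrong, so the handler simply returns.
function book_meta_save( $post_id ) {
    if ( ! isset( $_POST[ BOOK_META_NONCE_FIELD ] )
        || ! wp_verify_nonce( $_POST[ BOOK_META_NONCE_FIELD ], BOOK_META_NONCE_ACTION ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // The nonce shows intent, not authorization: still check the capability.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['book_isbn'] ) ) {
        update_post_meta( $post_id, '_book_isbn', sanitize_text_field( wp_unslash( $_POST['book_isbn'] ) ) );
    }
}
add_action( 'save_post', 'book_meta_save' );
```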