From bc77df078da835b722ae7bcd2477bf6aad6f350c Mon Sep 17 00:00:00 2001
From: Marcus Quinn
Date: Sun, 16 Mar 2025 04:11:59 +0000
Subject: [PATCH] Fix AJAX nonce issues for plugins and theme loading
---
 admin/js/wp-allstars-admin.js | 60 ++++++++++++++---------------------
 admin/settings.php | 24 ++++++++++++--
 2 files changed, 45 insertions(+), 39 deletions(-)
diff --git a/admin/js/wp-allstars-admin.js b/admin/js/wp-allstars-admin.js
index def69a8..7ca3167 100644
--- a/admin/js/wp-allstars-admin.js
+++ b/admin/js/wp-allstars-admin.js
@@ -165,7 +165,7 @@ jQuery(document).ready(function($) {
 data: {
 action: 'wp_allstars_get_plugins',
 category: category || 'minimal',
- _ajax_nonce: wpAllstars.nonce
+ _wpnonce: wpAllstars.nonce
 },
 success: function(response) {
 if (response.success) {
@@ -199,7 +199,7 @@ jQuery(document).ready(function($) {
 type: 'GET',
 data: {
 action: 'wp_allstars_get_theme',
- _ajax_nonce: wpAllstars.nonce
+ _wpnonce: wpAllstars.nonce
 },
 success: function(response) {
 if (response.success) {
@@ -222,41 +222,31 @@ jQuery(document).ready(function($) {
 // Initialize theme handlers
 function initThemeHandlers() {
 // Handle theme installation
- $('.install-theme').on('click', function(e) {
- e.preventDefault();
+ $('.install-theme').on('click', function() {
+ var slug = $(this).data('slug');
 var $button = $(this);
- var slug = $button.data('slug');
- $button.addClass('updating-message').text('Installing...');
+ $button.text('Installing...').prop('disabled', true);
 wp.updates.installTheme({
 slug: slug,
 success: function(response) {
- $button
- .removeClass('updating-message install-theme')
- .addClass('button-primary activate-theme')
- .text('Activate');
-
- // Refresh the theme display
- loadTheme();
+ $button.text('Activate').removeClass('install-theme').addClass('activate-theme');
+ $button.prop('disabled', false);
 },
- error: function(error) {
- $button.removeClass('updating-message');
- console.error('Theme installation failed:', error);
- if (error.errorMessage) {
- alert(error.errorMessage);
- }
+ error: function(response) {
+ $button.text('Error').prop('disabled', false);
+ console.error('Theme installation error:', response);
 }
 });
 });
 // Handle theme activation
- $('.activate-theme').on('click', function(e) {
- e.preventDefault();
+ $('.activate-theme').on('click', function() {
+ var slug = $(this).data('slug');
 var $button = $(this);
- var slug = $button.data('slug');
- $button.addClass('updating-message').text('Activating...');
+ $button.text('Activating...').prop('disabled', true);
 $.ajax({
 url: ajaxurl,
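Review bot: The `.install-theme` success callback swaps the button's class to `activate-theme`, but the activation handler below is bound with `$('.activate-theme').on('click', …)` to the elements that carry that class when `initThemeHandlers()` runs, so the converted button keeps only its install handler and a second click re-runs `wp.updates.installTheme`; the `loadTheme()` call that used to rebuild the markup after install is removed in this hunk, so nothing re-binds it either. Delegating both handlers makes the class swap effective: `$(document).on('click', '.install-theme', function() {` and `$(document).on('click', '.activate-theme', function() {`. Dropping `e.preventDefault()` and relying on `.prop('disabled', true)` is only safe if these controls are `<button>` elements rather than links, which the hunk does not show. `wp.updates` also needs WordPress's `updates` script, and the enqueue in settings.php (@@-1035) declares only `jquery` as a dependency, unless it is loaded elsewhere. `initThemeHandlers()` ends outside the hunk.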
@@ -264,27 +254,25 @@ jQuery(document).ready(function($) {
 data: {
 action: 'wp_allstars_activate_theme',
 theme: slug,
- _ajax_nonce: wpAllstars.nonce
+ _wpnonce: wpAllstars.nonce
 },
 success: function(response) {
 if (response.success) {
- $button.removeClass('updating-message').text('Activated');
- setTimeout(function() {
- if (response.data && response.data.customize_url) {
+ $button.text('Activated').prop('disabled', true);
+ // Optionally redirect to customizer
+ if (response.data && response.data.customize_url) {
+ setTimeout(function() {
 window.location.href = response.data.customize_url;
- } else {
- window.location.reload();
- }
- }, 1000);
+ }, 1000);
+ }
 } else {
- $button.removeClass('updating-message').text('Activate');
- alert(response.data || 'Theme activation failed. Please try again.');
+ $button.text('Error').prop('disabled', false);
+ console.error('Theme activation error:', response);
 }
 },
 error: function(xhr, status, error) {
- $button.removeClass('updating-message').text('Activate');
- console.error('Theme activation failed:', error);
- alert('Theme activation failed: ' + error);
+ $button.text('Error').prop('disabled', false);
+ console.error('Theme activation AJAX error:', error);
 }
 });
 });
diff --git a/admin/settings.php b/admin/settings.php
index 9f614ad..5043db2 100644
--- a/admin/settings.php
+++ b/admin/settings.php
@@ -189,7 +189,11 @@ function wp_allstars_set_cached_plugins($category, $data) {
 // Add AJAX endpoint for plugin list
 function wp_allstars_ajax_get_plugins() {
- check_ajax_referer('updates');
+ // Check nonce with the correct action name
+ if (!check_ajax_referer('wp-allstars-nonce', '_wpnonce', false)) {
+ wp_send_json_error('Invalid security token sent.');
+ return;
+ }
 if (!current_user_can('install_plugins')) {
 wp_die(-1);
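Review bot: In the `else` and `error` branches the button is set to 'Error' and the server's reason is only written to `console.error`, so the message the endpoint returns via `wp_send_json_error` ('Permission denied' and 'Invalid security token sent.' in settings.php) never reaches the admin, and the label does not return to 'Activate' for a retry. Restore the label and surface the reason where the hunk removed the `alert`, e.g. `$button.text('Activate').prop('disabled', false);` followed by an admin notice carrying `response.data || 'Theme activation failed. Please try again.'`. The success path no longer reloads when `customize_url` is absent, so other theme buttons on the page keep their pre-activation state; this may be intentional but deserves a comment on the `// Optionally redirect to customizer` line. The click handler this hunk belongs to starts in the previous hunk.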
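Review bot: The nonce check added to `wp_allstars_ajax_get_plugins()` is repeated verbatim in `wp_allstars_ajax_get_theme()` (@@-395) and `wp_allstars_activate_theme()` (@@-566), and in each copy the `return;` is unreachable because `wp_send_json_error()` ends the request with `wp_die()`. A small helper keeps the three endpoints in step if the action name or the message ever changes. `wp_send_json_error()` also answers a failed nonce with HTTP 200, so if the rejection should be distinguishable in server logs, pass a status code (`wp_send_json_error('Invalid security token sent.', 403)`), bearing in mind that jQuery then routes it to the `error` callback instead of `success`. The enclosing function continues past the hunk.
```php
/**
 * Verify the plugin's AJAX nonce; on failure ends the request with a JSON error.
 */
function wp_allstars_verify_ajax_nonce() {
    if (!check_ajax_referer('wp-allstars-nonce', '_wpnonce', false)) {
        wp_send_json_error('Invalid security token sent.');
    }
}

// Add AJAX endpoint for plugin list
function wp_allstars_ajax_get_plugins() {
    wp_allstars_verify_ajax_nonce();
    // … unchanged: capability check and plugin list handling …
```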
@@ -395,7 +399,11 @@ function wp_allstars_set_cached_theme($data) {
 // Add AJAX endpoint for theme
 function wp_allstars_ajax_get_theme() {
- check_ajax_referer('updates');
+ // Check nonce with the correct action name
+ if (!check_ajax_referer('wp-allstars-nonce', '_wpnonce', false)) {
+ wp_send_json_error('Invalid security token sent.');
+ return;
+ }
 if (!current_user_can('install_themes')) {
 error_log('WP ALLSTARS: User does not have permission to install themes');
@@ -566,7 +574,11 @@ add_action('switch_theme', 'wp_allstars_clear_theme_cache');
 // Add AJAX handler for theme activation
 function wp_allstars_activate_theme() {
- check_ajax_referer('updates');
+ // Check nonce with the correct action name
+ if (!check_ajax_referer('wp-allstars-nonce', '_wpnonce', false)) {
+ wp_send_json_error('Invalid security token sent.');
+ return;
+ }
 if (!current_user_can('switch_themes')) {
 wp_send_json_error('Permission denied');
@@ -1035,5 +1047,11 @@ function wp_allstars_admin_enqueue_scripts($hook) {
 wp_enqueue_style('wp-allstars-admin', plugins_url('css/wp-allstars-admin.css', __FILE__));
 wp_enqueue_script('wp-allstars-admin', plugins_url('js/wp-allstars-admin.js', __FILE__), array('jquery'), WP_ALLSTARS_VERSION, true);
+
+ // Localize the script with new data
+ wp_localize_script('wp-allstars-admin', 'wpAllstars', array(
+ 'nonce' => wp_create_nonce('wp-allstars-nonce'),
+ 'ajaxurl' => admin_url('admin-ajax.php')
+ ));
 }
 add_action('admin_enqueue_scripts', 'wp_allstars_admin_enqueue_scripts');
\ No newline at end of file
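Review bot: One nonce action, 'wp-allstars-nonce', now covers all three endpoints, so the token issued for the read-only plugin and theme listings also satisfies `wp_allstars_activate_theme()`; the `current_user_can('switch_themes')` check in that handler keeps this safe, but a per-endpoint action, e.g. `'activate_nonce' => wp_create_nonce('wp_allstars_activate_theme')` verified under the same name, binds each token to a single intent. The localized `ajaxurl` key is not used by the visible JS, which still reads the global `ajaxurl` (@@-222), so either drop it or switch the script to `wpAllstars.ajaxurl`. Whether this localization only runs on the plugin's own screens depends on how `$hook` is handled earlier in `wp_allstars_admin_enqueue_scripts()`, which lies outside the hunk.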