Whenever a post is saved, such as through a contact form submission, `transition_post_status` is fired off, and if that occurs outside of the wp-admin/edit.php screens (OR happens on those screens but.. something or something... Unknown...) then edit-flow will fail a nonce check and kill the request.
```php
if ( ! empty( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'update-post_' . $post->ID ) ) {
	$this->print_ajax_response( 'error', $this->module->messages['nonce-failed'] );
}
```
On WordCamp, this caused speaker contact form submissions to fail to save, because the nonce included was not for edit post, but rather for speaker_submission or somesuch.
This doesn't seem to affect every use case.. oh, because if `_wpnonce` isn't set, this nonce check doesn't even properly run.
Ref: https://wordpress.slack.com/archives/C08M59V3P/p1767945920176379
Earlier issues seem to have been related to, and resolved by, 7ee2706 (Ref: https://wordpress.slack.com/archives/C08M59V3P/p1767902122649419 https://wordpress.slack.com/archives/C08M59V3P/p1767896599567679 )
Suggested solution:
- Don't die like this in this handler; (edit: In any non-ajax handler)
- Include your own nonce.
- If nonce not set, OR nonce verification failed, return.
- Verify this isn't systematic.
`if ( ! empty( $_GET['_wpnonce'] ) && ! wp_verify_nonce` is rarely wanted. `if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce(` is usually what's wanted. Claude should know better.
Referenced code: edit-flow/modules/notifications/notifications.php, lines 603 to 605 in 1d04754
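The suggested solution from the issue, as an added example that is not part of the original issue and not Edit Flow's code: the handler verifies its own nonce, returns when that nonce is missing or invalid, and never ends the request. The `ef_example_*` function names, the nonce field and the nonce action are hypothetical.

```php
<?php
// Added example, not Edit Flow's code. The nonce field and action names
// are hypothetical, chosen so they cannot collide with core's `_wpnonce`.
const EF_EXAMPLE_NONCE_FIELD  = '_ef_example_notify_nonce';
const EF_EXAMPLE_NONCE_ACTION = 'ef-example-save-notifications_';

// Print the plugin's own nonce inside its own meta box.
function ef_example_render_meta_box( WP_Post $post ) {
	wp_nonce_field( EF_EXAMPLE_NONCE_ACTION . $post->ID, EF_EXAMPLE_NONCE_FIELD );
	// ... the plugin's own form fields would be rendered here ...
}
add_action( 'add_meta_boxes', function () {
	add_meta_box( 'ef-example-notify', 'Notifications (example)', 'ef_example_render_meta_box', 'post' );
} );

// Decide whether this request carries this plugin's own, valid form data.
function ef_example_request_is_ours( int $post_id ): bool {
	// Fail closed: a missing nonce is treated the same as a bad one.
	if ( ! isset( $_POST[ EF_EXAMPLE_NONCE_FIELD ] ) ) {
		return false;
	}
	$nonce = sanitize_text_field( wp_unslash( $_POST[ EF_EXAMPLE_NONCE_FIELD ] ) );
	if ( ! wp_verify_nonce( $nonce, EF_EXAMPLE_NONCE_ACTION . $post_id ) ) {
		return false;
	}
	// A nonce proves intent, not permission, so check the capability too.
	return current_user_can( 'edit_post', $post_id );
}

// Runs on every status transition, including saves triggered by other
// plugins' front-end forms, so it must never terminate the request.
function ef_example_on_transition( $new_status, $old_status, $post ) {
	if ( ! ef_example_request_is_ours( (int) $post->ID ) ) {
		return; // Not our form: skip our processing and let the save continue.
	}
	// From here on it is safe to read this plugin's own $_POST fields.
	// ... save notification settings ...
}
add_action( 'transition_post_status', 'ef_example_on_transition', 10, 3 );
```

Because the check no longer reads `_wpnonce`, a nonce issued by another form (such as the speaker submission form mentioned above) simply leaves this handler inactive for that request.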