fix: correct nonce action for Classic Editor post saves#873

Merged
GaryJones merged 1 commit into develop from fix/classic-editor-nonce-check on Jan 7, 2026
Conversation

@GaryJones
Contributor

Summary

  • Fixes nonce verification in save_post_subscriptions() that was using the wrong action string
  • Classic Editor uses update-post_{$post_id} as the nonce action, not editpost
  • Adds integration tests to verify Classic Editor nonce handling

Problem

After upgrading to 0.10.0, users with Editor role were getting "Cheatin' uh?" errors when saving posts in Classic Editor. This was caused by the PHPCS fixes in PR #866 which added a nonce check using an incorrect action string.

Solution

Changed the nonce verification from:

wp_verify_nonce( $_POST['_wpnonce'], 'editpost' )

To:

wp_verify_nonce( $_POST['_wpnonce'], 'update-post_' . $post->ID )

Test plan

  • Integration tests added (NotificationsClassicEditorTest.php)
  • Manual testing with Classic Editor - saving posts works
  • All existing integration tests pass

Fixes: https://wordpress.org/support/topic/upgrading-to-0-10-0-breaks-funtionality-for-editor-role/

🤖 Generated with Claude Code
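As an added example (not the plugin's code from this PR), here is a save_post handler that verifies the per-post Classic Editor nonce action described above and skips save paths that never carry the edit-form nonce; the function names and meta key are hypothetical.

```php
<?php
// Added example, not the plugin's own handler. Names prefixed "example_" are hypothetical.

add_action( 'save_post', 'example_save_subscription_meta', 10, 2 );

function example_save_subscription_meta( $post_id, $post ) {
    // Autosaves and revisions never carry the edit-form nonce; skip them.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }

    // Block-editor saves arrive through the REST API, which has already
    // checked its own X-WP-Nonce header; $_POST['_wpnonce'] is absent here.
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return;
    }

    // Programmatic saves (wp_update_post() from code) carry no form nonce.
    // There is no form data to read, so return quietly instead of dying.
    if ( ! isset( $_POST['_wpnonce'] ) ) {
        return;
    }

    // The Classic Editor edit form signs its nonce with 'update-post_{ID}',
    // so the action must embed the post ID; a fixed string such as
    // 'editpost' never matches and rejects every legitimate save.
    $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );
    if ( ! example_verify_classic_editor_nonce( $post_id, $nonce ) ) {
        return;
    }

    // A valid nonce proves the request came from the edit form (CSRF
    // protection); it does not prove permission, so still check capability.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    $enabled = isset( $_POST['example_notify_subscribers'] ) ? '1' : '0';
    update_post_meta( $post_id, '_example_notify_subscribers', $enabled );
}

// Returns true only when $nonce was created for this exact post's edit form.
function example_verify_classic_editor_nonce( $post_id, $nonce ) {
    return (bool) wp_verify_nonce( $nonce, 'update-post_' . (int) $post_id );
}
```

Because the action string is per post, an integration test can create a nonce with wp_create_nonce( 'update-post_' . $post_id ) to confirm acceptance and one with 'editpost' to confirm rejection.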

@GaryJones GaryJones requested a review from a team as a code owner January 7, 2026 12:33
@GaryJones GaryJones self-assigned this Jan 7, 2026
@GaryJones GaryJones added this to the Next milestone Jan 7, 2026
The nonce verification in save_post_subscriptions() was using the wrong
action string ('editpost'), which caused WordPress to reject legitimate
save requests from users with Editor role when using Classic Editor.
Classic Editor's edit form nonces use 'update-post_{$post_id}' as the
action, so the verification must match this to prevent "Cheatin' uh?"
errors on post save.

This regression was introduced in the PHPCS fixes (PR #866) and broke
existing functionality for Editor role users, as reported on the
WordPress.org support forums.

The fix ensures compatibility with Classic Editor whilst maintaining
the security benefits of nonce verification. Integration tests verify
the nonce check now correctly accepts Classic Editor nonces and rejects
those created with the wrong action.

Fixes: https://wordpress.org/support/topic/upgrading-to-0-10-0-breaks-funtionality-for-editor-role/

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@GaryJones GaryJones force-pushed the fix/classic-editor-nonce-check branch from 2e18199 to 7ee2706 Compare January 7, 2026 12:39
@GaryJones GaryJones merged commit f4fad90 into develop Jan 7, 2026
14 checks passed
@GaryJones GaryJones deleted the fix/classic-editor-nonce-check branch January 7, 2026 12:44