RequestRouter: Scope maybe_redirect to the DataView's own admin page#45
Closed
titus-toia wants to merge 1 commit into
Conversation
maybe_redirect() is hooked on the global admin_init (#35), so it runs on every admin request. For a singular DataView it called handle_settings_submit() on ANY admin POST without checking the request targeted its own page — so Gutenberg meta-box saves (post.php?meta-box-loader=1) were routed into the settings handler, failed the DataView nonce check, and wp_die('Security check failed.'), breaking every meta-box save on the site. Bail unless $_GET['page'] matches the DataView's menu page before doing any capability check or submit handling.
Contributor

Sorry, already fixed by #43
Problem

`RequestRouter::maybe_redirect()` is hooked on the global `admin_init` (#35), so it runs on every admin request. For a singular DataView it calls `handle_settings_submit()` on any admin POST with no check that the request actually targets its own page. As a result, Gutenberg meta-box saves (`post.php?meta-box-loader=1`) get routed into the DataView's settings handler, fail its nonce check, and `wp_die( 'Security check failed.' )` — breaking every meta-box save on the site (HTTP 500) for any install that registers a singular DataView. Same hazard applies to plural DataViews if a stray POST carries a `create`/`edit`/`delete` action.

Fix

Bail out of `maybe_redirect()` unless `$_GET['page']` matches the DataView's own `menu_page`, before any capability check or submit handling. Real settings/create/edit submits post to `?page=<menu_page>&…`, so they still pass; unrelated admin POSTs (meta-box saves, other plugins' forms) are now ignored.

Testing

Reproduced on a course edit screen (block editor): meta-box save returned 500 `Security check failed`, traced to `maybe_redirect()` → `handle_settings_submit()` → nonce fail. With this guard, the meta-box save completes and the DataView settings form still saves normally.
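The guard described above, shown as an added illustration rather than the project's own code: a minimal `RequestRouter` reconstructed from the PR description, with the pre-fix handler beside the scoped one. The `$menu_page` property, the `manage_options` capability, the nonce action name and the `handle_settings_submit()` body are assumptions.

```php
<?php
// Added example, not the plugin's code. Reconstructed from the PR text;
// property names, capability and nonce action are assumed.
class RequestRouter {
    private string $menu_page;

    public function __construct( string $menu_page ) {
        $this->menu_page = $menu_page;
        // admin_init fires on every wp-admin request, including the
        // block editor's post.php?meta-box-loader=1 saves.
        add_action( 'admin_init', [ $this, 'maybe_redirect' ] );
    }

    // Before the fix: every admin POST reached the submit handler and its
    // nonce check, so unrelated saves died with "Security check failed."
    public function maybe_redirect_before_fix(): void {
        if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
            $this->handle_settings_submit();
        }
    }

    // After the fix: bail unless the request targets this DataView's own
    // page, before any capability or nonce check can run.
    public function maybe_redirect(): void {
        $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
        if ( $page !== $this->menu_page ) {
            return; // meta-box saves and other plugins' forms are ignored
        }
        if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
            return;
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        $this->handle_settings_submit();
    }

    private function handle_settings_submit(): void {
        // Only forms posted to ?page=<menu_page> carry this DataView's nonce.
        $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'dataview_settings_' . $this->menu_page ) ) {
            wp_die( 'Security check failed.' );
        }
        // ... persist the submitted settings ...
    }
}
```

The page check is deliberately the first statement so that a request for a different screen never reaches the nonce or capability logic that produced the 500.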