Ticket #7283 (new defect)

Opened 3 months ago

Last modified 3 months ago

Generic POST handler

Reported by: ryan Assigned to: anonymous
Priority: normal Milestone: 2.9
Component: General Version:
Severity: normal Keywords:
Cc:

Description

Provide admin-post.php as a handler for POST requests made by plugins. admin-post.php handles setup and auth. Plugins pass an "action" argument via POST or GET and admin-post.php issues an "admin_post_$action" action. Functions registered by the plugin for that action will be kicked off. This will obviate the need for plugins to provide their own file for POST handling that has to search for the location of wp-config.php/wp-load.php.

Attachments

admin-post.php (394 bytes) - added by ryan on 07/11/08 18:55:53.
admin_post_action.diff (318 bytes) - added by ryan on 07/11/08 19:08:41.
Alternative that Issues action from admin.php
admin_post_action.2.diff (1.1 kB) - added by ryan on 07/11/08 19:43:55.
Both
admin_post_action.3.diff (1.1 kB) - added by ryan on 07/11/08 19:55:03.
No need to die '0'

Change History

07/11/08 18:55:53 changed by ryan

  • attachment admin-post.php added.

07/11/08 18:58:41 changed by ryan

  • milestone changed from 2.7 to 2.6.

07/11/08 19:01:16 changed by ryan

  • summary changed from admin-post.php POST handler to Generic POST handler.

07/11/08 19:04:35 changed by ryan

Alternative is to just issue the action from admin.php. There's stuff in admin.php we don't really need in a pure POST handler, but we don't necessarily need to provide a pure POST handler. Using admin.php provides some menu, CSS, and JS setup needed if a plugin wants to display a form or other UI in their handler.

07/11/08 19:05:14 changed by technosailor

+1.

Not to mention a huge boon for security as we can now handle *all* POST data and sanitize as appropriate before it hits the *silly plugin author's* function that doesn't pay attention. :)

07/11/08 19:06:49 changed by technosailor

Of course, the file would have to be filled out more with means to do so. Right now, you're just adding the hooks and that wouldn't be enough, imho.

07/11/08 19:08:41 changed by ryan

  • attachment admin_post_action.diff added.

Alternative that Issues action from admin.php

07/11/08 19:43:55 changed by ryan

  • attachment admin_post_action.2.diff added.

Both

07/11/08 19:46:18 changed by ryan

Why pick one when you can do both? admin-post.php for pure POST handling. admin_action_$action in admin.php in case your hook needs some of the setup done there.

07/11/08 19:55:03 changed by ryan

  • attachment admin_post_action.3.diff added.

No need to die '0'

07/11/08 20:24:35 changed by ryan

(In [8315]) Generic POST handler. see #7283

07/11/08 20:26:11 changed by ryan

There's a start. We can consider other checks to put in. Maybe something to make sure there's a nonce being passed. That will likely need to wait for 2.7 though. Right now we just need something to help plugin authors deal with WP_CONTENT_DIR relocating the plugins dir.

07/12/08 01:39:52 changed by DD32

> Maybe something to make sure there's a nonce being passed.

Well, if you want a nonce on it, better get it in for 2.6 before plugin authors change over to using it, IMO.

A simple nonce based on "admin_post_$action" would be enough, I'd have thought.

That way, in the instructions on how to mention it, it can simply be mentioned that something like this needs to be included:

<input type="hidden" name="action" value="plugin-action" />
<?php wp_nonce_field('admin_post_plugin-action') ?>

It'll mean that any plugin authors not already using nonces will get a bump in that direction & the rest who do use them will be all right.
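
The pattern discussed in this ticket, as an added example that is not part of the ticket or of WordPress core: a plugin that posts to admin-post.php and verifies the nonce and the user's capability itself inside its "admin_post_$action" callback. The action name `example_save`, the `example_note` field and option, and the `example` settings-page slug are hypothetical; the functions are current WordPress APIs, some of them newer than this ticket.

```php
<?php
/* Plugin Name: Example admin-post handler (constructed example) */

// Hypothetical action name; admin-post.php turns it into "admin_post_example_save".
const EXAMPLE_ACTION = 'example_save';

// Settings page (hypothetical slug "example") whose form posts to admin-post.php.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>" />
        <?php wp_nonce_field( 'admin_post_' . EXAMPLE_ACTION ); ?>
        <input type="text" name="example_note" />
        <input type="submit" value="Save" />
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Example', 'Example', 'manage_options', 'example', 'example_render_form' );
} );

// Callback for the hook fired by admin-post.php. The checks below are the plugin's job.
function example_handle_post() {
    // Dies with an error page unless _wpnonce is valid for this action and this user.
    check_admin_referer( 'admin_post_' . EXAMPLE_ACTION );

    // A valid nonce shows the request was intended, not that the user is privileged.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.' );
    }

    // Accept only the one expected field, sanitized; ignore the rest of $_POST.
    $note = isset( $_POST['example_note'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_note'] ) )
        : '';
    update_option( 'example_note', $note );

    // Redirect back to the settings page so a reload does not resubmit the form.
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_handle_post' );
```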