Function
rest_cookie_check_errors ( $result )
- Parameters
  - $result (WP_Error|mixed) Error from another authentication handler, null if we should handle it, or another value if not. Required: yes
- Return value
  - (WP_Error|mixed|bool) WP_Error if the cookie is invalid, the $result, otherwise true.
- Defined in
  - wp-includes/rest-api.php, line 1036
- Introduced
  - 4.4.0
- Deprecated
  - –
Checks for errors when using cookie-based authentication.
WordPress’ built-in cookie authentication is always active
for logged in users. However, the API has to check nonces
for each request to ensure users are not vulnerable to CSRF.
    function rest_cookie_check_errors( $result ) {
        if ( ! empty( $result ) ) {
            return $result;
        }

        global $wp_rest_auth_cookie;

        /*
         * Is cookie authentication being used? (If we get an auth
         * error, but we're still logged in, another authentication
         * must have been used).
         */
        if ( true !== $wp_rest_auth_cookie && is_user_logged_in() ) {
            return $result;
        }

        // Determine if there is a nonce.
        $nonce = null;

        if ( isset( $_REQUEST['_wpnonce'] ) ) {
            $nonce = $_REQUEST['_wpnonce'];
        } elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
            $nonce = $_SERVER['HTTP_X_WP_NONCE'];
        }

        if ( null === $nonce ) {
            // No nonce at all, so act as if it's an unauthenticated request.
            wp_set_current_user( 0 );
            return true;
        }

        // Check the nonce.
        $result = wp_verify_nonce( $nonce, 'wp_rest' );

        if ( ! $result ) {
            return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) );
        }

        // Send a refreshed nonce in header.
        rest_get_server()->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );

        return true;
    }
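An added example (not WordPress code and not from this page's source): a JavaScript model of the nonce branches above, with a client wrapper that handles each outcome. It assumes cookie authentication is in use; `makeServer`, `makeClient`, user id 7 and the nonce strings are constructed for illustration.

```javascript
// Added example, not WordPress code. makeServer() models the PHP function above
// for the cookie-authenticated case; user id 7 and nonce strings are constructed.
function makeServer(validNonces, cookieUser) {
  return function check(req) {
    // As in the PHP, _wpnonce in the request wins over the X-WP-Nonce header.
    const nonce = req.params._wpnonce ?? req.headers['x-wp-nonce'] ?? null;
    if (nonce === null) {
      // No nonce: the request runs as user 0 even though the cookie was sent.
      return { status: 200, user: 0, headers: {} };
    }
    if (!validNonces.has(nonce)) {
      return { status: 403, code: 'rest_cookie_invalid_nonce', headers: {} };
    }
    const fresh = 'n' + (validNonces.size + 1); // stands in for wp_create_nonce()
    validNonces.add(fresh);
    return { status: 200, user: cookieUser, headers: { 'x-wp-nonce': fresh } };
  };
}

// Client wrapper: sends the current nonce, keeps the one returned in the
// response header, and reports which user the response was produced for.
function makeClient(transport, initialNonce) {
  let nonce = initialNonce;
  return {
    currentNonce: () => nonce,
    send(params = {}) {
      const headers = nonce === null ? {} : { 'x-wp-nonce': nonce };
      const res = transport({ params, headers });
      if (res.status === 403 && res.code === 'rest_cookie_invalid_nonce') {
        return { ok: false, reason: 'invalid-nonce' };
      }
      if (res.headers['x-wp-nonce']) nonce = res.headers['x-wp-nonce'];
      return { ok: true, actingAs: res.user };
    },
  };
}

function demo() {
  const server = makeServer(new Set(['n1']), 7);
  const page = makeClient(server, 'n1');      // nonce issued with the page
  return {
    withNonce: page.send(),
    rotatedTo: page.currentNonce(),
    withoutNonce: makeClient(server, null).send(),     // cookie only, no nonce
    staleNonce: makeClient(server, 'expired').send(),
    queryWinsOverHeader: page.send({ _wpnonce: 'expired' }),
  };
}
console.log(demo());
```

A request without a nonce is not rejected: it succeeds as user 0, so a client that loses its nonce sees public data rather than a 403.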


