AJAX nonce verification enabled

2017-12-09 16:05:09 +01:00 · 2017-12-09 16:05:09 +01:00 · f10e9c63e0
commit f10e9c63e0
parent de347e1f81
2 changed files with 8 additions and 5 deletions
--- a/includes/class-wpliveticker2.php
+++ b/includes/class-wpliveticker2.php
@ -248,6 +248,7 @@ class WPLiveticker2 {
 			'ajax_object',
 			array(
 				'ajax_url'      => admin_url( 'admin-ajax.php' ),
 				'nonce'         => wp_create_nonce( 'wplt2_update-ticks' ),
 				'poll_interval' => self::$_options['poll_interval'] * 1000,
 			)
 		);
@ -259,8 +260,8 @@ class WPLiveticker2 {
 	 * @return void
 	 */
 	public static function ajax_update() {
-		// TODO: re-enable security checks.
+		// Verify AJAX nonce.
-		// check_ajax_referer( 'wplt2_update-ticks' );
+		check_ajax_referer( 'wplt2_update-ticks' );
 		// Extract update requests.
 		if ( isset( $_POST['update'] ) && is_array( $_POST['update'] ) ) {
@ -284,7 +285,7 @@ class WPLiveticker2 {
 						),
 						'date_query'     => array(
 							'after' => date( 'c', $last_poll ),
-						)
+						),
 					);
 					$query = new WP_Query( $query_args );
--- a/scripts/wp-liveticker2.js
+++ b/scripts/wp-liveticker2.js
@ -12,6 +12,7 @@ WPLT2.init = function () {
 	});
 	// Extract AJAX settings.
 	WPLT2.ajaxURL = ajax_object.ajax_url;
 	WPLT2.nonce = ajax_object.nonce;
 	WPLT2.pollInterval = ajax_object.poll_interval;
 	// Trigger update, if necessary.
 	if (WPLT2.ticker.length > 0 && WPLT2.pollInterval > 0) {
@ -32,8 +33,9 @@ WPLT2.update = function () {
 	jQuery.post(
 		WPLT2.ajaxURL,
 		{
-			'action': 'wplt2_update-ticks',
+			'action'  : 'wplt2_update-ticks',
-			'update': updateReq
+			'_ajax_nonce': WPLT2.nonce,
 			'update'     : updateReq
 		},
 		function (res) {
 			try {