You are not inserting the nonce field in your form, so your script won't receive the nonce field and this code:
if ( !isset($_POST['nonce_name']))
will be true because $_POST['nonce_name']
is not set, so the function returns before processing anything.
In your code, remove this line:
<input type="hidden" value="".wp_nonce_field("nonce_action','nonce_name')."'/>
And, where it said //TODO: set nonce
, you need to include:
$out .= wp_nonce_field( plugin_basename( __FILE__ ), 'nonce_name',true,false);
Note: set wp_nonce_field()
‘echo’ parameter to false to retrieve the nonce input field instead of printing it.
And then verify by:
if (!isset( $_POST['nonce_name'] ) || ! wp_verify_nonce( $_POST['nonce_name'], plugin_basename( __FILE__ ) ) )
return;
So, your function get_form()
should be:
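function get_form( $post_id=null, $tax='category' ) {
    // Builds the crowd-categories form for one post and RETURNS it as an HTML string
    // (nothing is echoed). Returns false when $post_id is missing, $tax is not a
    // registered taxonomy, or the taxonomy has no terms (or get_terms() errors).
    if ( is_null( $post_id ) || ! taxonomy_exists( $tax ) ) {
        return false;
    }
    // The id is interpolated into HTML below and handed to WP lookups; force it to an int.
    $post_id = absint( $post_id );

    $args      = array( 'hide_empty' => false );
    $args      = apply_filters( 'mcc_get_terms_args', $args, $post_id, $tax );
    $all_terms = get_terms( $tax, $args );
    // A WP_Error object is truthy, so `! $all_terms` alone would not catch it.
    if ( ! $all_terms || is_wp_error( $all_terms ) ) {
        return false;
    }

    // Terms already attached to the post, normalised to ints so the strict in_array()
    // below behaves the same whether WP returns ints or numeric strings.
    $post_terms = wp_get_object_terms( $post_id, $tax, array( 'fields' => 'ids' ) );
    $post_terms = is_wp_error( $post_terms ) ? array() : array_map( 'intval', (array) $post_terms );

    // Each dynamic value is escaped for the context it lands in: esc_url() for the
    // action attribute, esc_attr() for attribute values, esc_html() for label text.
    $out = "<form id='crowd-cats' action='" . esc_url( get_permalink( $post_id ) ) . "' method='POST' >\n<ul >";
    foreach ( $all_terms as $t ) {
        $term_id = (int) $t->term_id;
        $checked = in_array( $term_id, $post_terms, true ) ? 'checked' : '';
        $out .= "<li>\n"
            . "<input type='checkbox' id='crowd-cat-{$term_id}' name='crowd-cat-radio[]' value='{$term_id}' {$checked} />\n"
            . "<label for='crowd-cat-{$term_id}' >" . esc_html( $t->name ) . "</label>\n"
            . "</li>";
    }
    $out .= "</ul>\n"
        . "<input type='submit' value='Submit' name='crowd-cats-submit'/>\n"
        . "<input type='hidden' value='" . esc_attr( $tax ) . "' name='crowd-cats-tax'/>\n"
        . "<input type='hidden' value='{$post_id}' name='crowd-cats-pid'/>";
    // echo=false: the nonce input is returned and appended to $out instead of being printed.
    $out .= wp_nonce_field( plugin_basename( __FILE__ ), 'nonce_name', true, false );
    $out .= "</form>";

    return $out;
}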
And your function process_request()
should be:
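function process_request(){
    // Handles a submission of the form built by get_form(): checks the nonce, sanitises the
    // posted values, keeps only term ids that exist in the taxonomy and REPLACES the post's
    // terms with them. Returns the wp_set_object_terms() result (array of term taxonomy ids,
    // or a WP_Error), or null when there is nothing to process.
    //
    // NOTE(review): the nonce only shows the request came from a form this plugin rendered;
    // it is not an authorisation check, and any visitor (logged in or not) can obtain one.
    // If only some users should be able to change $post_id's terms, add a
    // current_user_can( 'edit_post', $post_id ) check after $post_id is validated.

    // check submission
    if ( ! isset( $_POST['crowd-cat-radio'] ) || ! is_array( $_POST['crowd-cat-radio'] ) ) {
        return;
    }
    if ( ! isset( $_POST['nonce_name'] ) || ! wp_verify_nonce( $_POST['nonce_name'], plugin_basename( __FILE__ ) ) ) {
        wp_die( 'Sorry, your nonce did not verify.' );
    }

    // sanitize and check the input: everything here comes from $_POST and is untrusted.
    $suggested_terms = array_map( 'absint', $_POST['crowd-cat-radio'] );
    $post_id         = isset( $_POST['crowd-cats-pid'] ) ? absint( $_POST['crowd-cats-pid'] ) : 0;
    // Taxonomy keys are lowercase [a-z0-9_-], which is exactly what sanitize_key() allows.
    $tax             = isset( $_POST['crowd-cats-tax'] ) ? sanitize_key( $_POST['crowd-cats-tax'] ) : '';
    if ( ! $post_id || ! get_post( $post_id ) || ! taxonomy_exists( $tax ) ) {
        return;
    }

    // Allow only term ids that exist in this taxonomy. Both sides are ints and the
    // comparison is strict, so a string/int mismatch can neither let an unknown id
    // through nor drop a valid one.
    $args           = array( 'hide_empty' => false );
    $args           = apply_filters( 'mcc_allowed_terms_args', $args, $post_id, $tax );
    $args['fields'] = 'ids';
    $allowed_terms  = get_terms( $tax, $args );
    if ( ! $allowed_terms || is_wp_error( $allowed_terms ) ) {
        return;
    }
    $allowed_terms = array_map( 'intval', $allowed_terms );
    foreach ( $suggested_terms as $key => $term_id ) {
        if ( ! in_array( $term_id, $allowed_terms, true ) ) {
            unset( $suggested_terms[ $key ] );
        }
    }
    $suggested_terms = array_values( $suggested_terms );
    // Nothing valid was submitted: bail rather than wipe the post's terms, since
    // wp_set_object_terms() with an empty list and append=false removes all of them.
    if ( empty( $suggested_terms ) ) {
        return;
    }

    // append=false: the validated list replaces the post's current terms.
    $affected_terms = wp_set_object_terms( $post_id, $suggested_terms, $tax, false );
    if ( is_wp_error( $affected_terms ) ) {
        return $affected_terms;
    }
    // wp_set_object_terms() returns term taxonomy ids, not the term objects that
    // update_term_cache() expects; invalidating this object's term cache is the
    // matching operation.
    clean_object_term_cache( $post_id, get_post_type( $post_id ) );

    return $affected_terms;
}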