wp-plugins/twilio-wp-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix frontend shortcode AJAX nonce validation issues

Browse Source 
- Added verify_ajax_nonce() helper method to check both admin and frontend nonces
- Updated ajax_generate_capability_token() to accept frontend nonce
- Updated ajax_get_phone_numbers() to accept frontend nonce
- Updated ajax_get_waiting_calls() to accept frontend nonce
- Updated ajax_accept_next_queue_call() to accept frontend nonce
- Resolves 403 AJAX errors when using shortcode on frontend

The shortcode creates 'twp_frontend_nonce' while admin uses 'twp_ajax_nonce'
Now both are accepted by the AJAX handlers for proper frontend functionality

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
jknapp
2025-08-13 13:50:56 -07:00
parent 4c353096fe
commit 9bef599406
1 changed files with 37 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
admin/class-twp-admin.php
View File

@@ -15,6 +15,23 @@ class TWP_Admin {
$this->version = $version; $this->version = $version;
} }
/**
* Verify AJAX nonce - checks both admin and frontend nonces
*/
private function verify_ajax_nonce() {
// Try admin nonce first
if (wp_verify_nonce($_POST['nonce'] ?? '', 'twp_ajax_nonce')) {
return true;
}
// Try frontend nonce
if (wp_verify_nonce($_POST['nonce'] ?? '', 'twp_frontend_nonce')) {
return true;
}
return false;
}
/** /**
* Register admin menu * Register admin menu
*/ */
@@ -3088,7 +3105,11 @@ class TWP_Admin {
* AJAX handler for getting phone numbers * AJAX handler for getting phone numbers
*/ */
public function ajax_get_phone_numbers() { public function ajax_get_phone_numbers() {
check_ajax_referer('twp_ajax_nonce', 'nonce'); // Check for either admin or frontend nonce
if (!$this->verify_ajax_nonce()) {
wp_send_json_error('Invalid nonce');
return;
}
if (!current_user_can('manage_options') && !current_user_can('twp_access_phone_numbers')) { if (!current_user_can('manage_options') && !current_user_can('twp_access_phone_numbers')) {
wp_send_json_error('Unauthorized - Phone number access required'); wp_send_json_error('Unauthorized - Phone number access required');
@@ -3873,7 +3894,11 @@ class TWP_Admin {
* AJAX handler for accepting next call from a queue * AJAX handler for accepting next call from a queue
*/ */
public function ajax_accept_next_queue_call() { public function ajax_accept_next_queue_call() {
check_ajax_referer('twp_ajax_nonce', 'nonce'); // Check for either admin or frontend nonce
if (!$this->verify_ajax_nonce()) {
wp_send_json_error('Invalid nonce');
return;
}
$queue_id = intval($_POST['queue_id']); $queue_id = intval($_POST['queue_id']);
$user_id = get_current_user_id(); $user_id = get_current_user_id();
@@ -3922,7 +3947,11 @@ class TWP_Admin {
* AJAX handler for getting waiting calls * AJAX handler for getting waiting calls
*/ */
public function ajax_get_waiting_calls() { public function ajax_get_waiting_calls() {
check_ajax_referer('twp_ajax_nonce', 'nonce'); // Check for either admin or frontend nonce
if (!$this->verify_ajax_nonce()) {
wp_send_json_error('Invalid nonce');
return;
}
global $wpdb; global $wpdb;
$calls_table = $wpdb->prefix . 'twp_queued_calls'; $calls_table = $wpdb->prefix . 'twp_queued_calls';
@@ -4121,7 +4150,11 @@ class TWP_Admin {
* AJAX handler for generating capability tokens for Browser Phone * AJAX handler for generating capability tokens for Browser Phone
*/ */
public function ajax_generate_capability_token() { public function ajax_generate_capability_token() {
check_ajax_referer('twp_ajax_nonce', 'nonce'); // Check for either admin or frontend nonce
if (!$this->verify_ajax_nonce()) {
wp_send_json_error('Invalid nonce');
return;
}
if (!current_user_can('manage_options') && !current_user_can('twp_access_browser_phone')) { if (!current_user_can('manage_options') && !current_user_can('twp_access_browser_phone')) {
wp_send_json_error('Insufficient permissions'); wp_send_json_error('Insufficient permissions');