
Opened 2 years ago

Closed 2 years ago

#2999 closed regression (invalid)

Regression - bug from ticket 2864 has recurred in 2.5.10

Reported by: kona
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Cc:

Description

I reported a bug with user autocompletion in 2.5.8:
https://bbpress.org/forums/topic/ajax-validation-issue-for-user-auto-complete/#post-166543

A ticket was opened for it here, and marked as fixed:
https://bbpress.trac.wordpress.org/ticket/2864

However, I'm seeing the same problem again now in 2.5.10, with the same workaround (disabling the nonce verification). This is running on WordPress 4.6.1 Multisite, bbPress 2.5.10.

For reference, here are the details from the previous bug report:

Context:
On the “Edit Topic” screen, there’s an “Author Information” box including an ID field. When you begin to type text into this box, the admin-ajax action “bbp_suggest_user” should auto-suggest potentially matching users.

Issue:
The user autosuggest is not returning any users, just “-1”. Having dug into the code, the step that’s failing is wp_verify_nonce() in check_ajax_referer(), which is invoked on line 745 of bbPress file includes/admin/admin.php. The nonce is making it into wp_verify_nonce, but is not matching any expected/acceptable value – so wp_verify_nonce falls out the bottom with a failure.

If I remove the check_ajax_referer step, the Edit Topic user auto-suggestion works perfectly, so it’s definitely the nonce validation step that’s the problem.
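The failure path described above (admin-ajax handler, check_ajax_referer calling wp_verify_nonce, "-1" on mismatch) is the standard WordPress nonce flow. The following is an added example, not bbPress code and not the reporter's: a minimal admin-ajax endpoint that creates a nonce and verifies it the way check_ajax_referer() expects, so the two halves that must agree (the action string used at creation and at verification, and the request field carrying the nonce) are visible side by side. All `example_` names, the script file name and the capability checked are hypothetical choices for this snippet; the WordPress functions themselves are real.

```php
<?php
/**
 * Added example (hypothetical plugin code, not bbPress's own):
 * a logged-in-only admin-ajax endpoint protected by a nonce.
 */

// 1. Hand the nonce to the admin script.
//    The action string passed to wp_create_nonce() must be identical to
//    the one the handler verifies against, and the nonce is bound to the
//    logged-in user and session that will later send the request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-suggest-user',
        plugins_url( 'suggest-user.js', __FILE__ ), // hypothetical script file
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-suggest-user', 'exampleSuggest', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        // Same action string as in the handler below.
        'nonce'   => wp_create_nonce( 'example_suggest_user_nonce' ),
    ) );
} );

// 2. AJAX handler, registered for logged-in users only (wp_ajax_*, not
//    wp_ajax_nopriv_*), matching how an "Edit Topic" screen is used.
add_action( 'wp_ajax_example_suggest_user', function () {
    // check_ajax_referer() reads the nonce from $_REQUEST['_ajax_nonce']
    // (falling back to '_wpnonce') and passes it to wp_verify_nonce()
    // together with the action string. With $die = false it returns
    // false on failure instead of printing "-1" and exiting, so the
    // failure can be reported in a structured response while debugging.
    $valid = check_ajax_referer( 'example_suggest_user_nonce', '_ajax_nonce', false );
    if ( false === $valid ) {
        wp_send_json_error( array( 'reason' => 'nonce_invalid' ), 403 );
    }

    // The nonce proves the request came from a page we rendered for this
    // user; it does not prove the user may perform the action, so a
    // capability check is still needed.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'reason' => 'forbidden' ), 403 );
    }

    // Prefix search on the typed text, limited to a handful of columns
    // and results, returning only the fields the UI needs.
    $term  = sanitize_text_field( wp_unslash( $_REQUEST['q'] ?? '' ) );
    $users = get_users( array(
        'search'         => '*' . $term . '*',
        'search_columns' => array( 'user_login', 'user_nicename', 'display_name' ),
        'number'         => 10,
        'fields'         => array( 'ID', 'user_login' ),
    ) );
    wp_send_json_success( $users );
} );
```

The client script (not shown) posts `action=example_suggest_user`, `q=<typed text>` and `_ajax_nonce=<exampleSuggest.nonce>` to `exampleSuggest.ajaxUrl`. wp_verify_nonce() returns 1 or 2 for a nonce created within the current or previous tick and false otherwise; because the nonce also incorporates the user ID and session token, a nonce created under a different action string, for a different user, or before a re-login will fail verification even though it "makes it into" the function, which is the symptom the report describes. Removing the check_ajax_referer() call makes the handler accept any request from a logged-in browser regardless of which page issued it, so when this check is bypassed as a workaround the capability check becomes the only remaining gate on the endpoint.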

Change History (1)

#1 @thebrandonallen
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Resolving #2864 as fixed was probably a little misleading. This was never fixed on the 2.5 branch. Barring any security releases, there will likely be no more 2.5.x releases, so removing or commenting out the check_ajax_referer( 'bbp_suggest_user_nonce' ); line should be safe until bbPress 2.6 is released.
