bp_verify_nonce_request( string $action = '', string $query_arg = '_wpnonce' )
Makes sure the user requested an action from another page on this site.
Description
Used to avoid security exploits within the theme. Besides validating the nonce with wp_verify_nonce(), the function rebuilds the requested URL (scheme, host, optional port and request URI) and requires it to begin with the site's home_url(); the requested URL can be adjusted through the 'bp_verify_nonce_request_url' filter for setups such as reverse proxies. Because the host and URI are taken from the incoming request ($_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']), that URL comparison is a sanity check that the request targets this site, not a substitute for the nonce itself. A valid nonce proves the user intended the action; it does not grant authorization, so pair it with a capability check such as current_user_can().
Parameters
- $action (string) (Optional) Action nonce. Although optional, an empty action always fails verification (see the source below). Default value: ''
- $query_arg (string) (Optional) Key in $_REQUEST where the nonce is read. Default value: '_wpnonce'
Return
(bool) True if the nonce is verified and the requested URL is on this site, otherwise false. On success the value actually returned is the non-false result of wp_verify_nonce() (the integer 1 or 2), so treat the result as boolean rather than comparing it strictly against true.
Source
File: bp-core/bp-core-functions.php

```php
function bp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {

	/* Home URL **************************************************************/

	// Parse home_url() into pieces to remove query-strings, strange characters,
	// and other funny things that plugins might do to it.
	$parsed_home = parse_url( home_url( '/', ( is_ssl() ? 'https' : 'http' ) ) );

	// Maybe include the port, if it's included in home_url().
	if ( isset( $parsed_home['port'] ) ) {
		$parsed_host = $parsed_home['host'] . ':' . $parsed_home['port'];
	} else {
		$parsed_host = $parsed_home['host'];
	}

	// Set the home URL for use in comparisons.
	$home_url = trim( strtolower( $parsed_home['scheme'] . '://' . $parsed_host . $parsed_home['path'] ), '/' );

	/* Requested URL *********************************************************/

	// Maybe include the port, if it's included in home_url().
	if ( isset( $parsed_home['port'] ) && false === strpos( $_SERVER['HTTP_HOST'], ':' ) ) {
		$request_host = $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'];
	} else {
		$request_host = $_SERVER['HTTP_HOST'];
	}

	// Build the currently requested URL.
	$scheme        = is_ssl() ? 'https://' : 'http://';
	$requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );

	/* Look for match ********************************************************/

	/**
	 * Filters the requested URL being nonce-verified.
	 *
	 * Useful for configurations like reverse proxying.
	 *
	 * @since BuddyPress 1.9.0
	 *
	 * @param string $requested_url The requested URL.
	 */
	$matched_url = apply_filters( 'bp_verify_nonce_request_url', $requested_url );

	// Check the nonce.
	$result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;

	// Nonce check failed.
	if ( empty( $result ) || empty( $action ) || ( strpos( $matched_url, $home_url ) !== 0 ) ) {
		$result = false;
	}

	/**
	 * Fires at the end of the nonce verification check.
	 *
	 * @since BuddyPress 1.6.0
	 *
	 * @param string $action Action nonce.
	 * @param bool   $result Boolean result of nonce verification.
	 */
	do_action( 'bp_verify_nonce_request', $action, $result );

	return $result;
}
```
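The following is an added usage example, not code from BuddyPress or this page. It shows the two halves a practitioner needs around bp_verify_nonce_request(): a form that emits the nonce with wp_nonce_field() under a matching action string, and a handler that checks capability first and then the nonce, plus a 'bp_verify_nonce_request_url' filter for a TLS-terminating reverse proxy (the situation the filter's own docblock mentions). The plugin prefix "myplugin", the action string "myplugin_save_settings" and the option name are hypothetical; every WordPress function used (wp_nonce_field, admin_url, current_user_can, wp_die, sanitize_text_field, wp_unslash, update_option, wp_safe_redirect, wp_get_referer, add_query_arg, add_action, add_filter) is core WordPress API.

```php
<?php
/**
 * Added usage example for bp_verify_nonce_request() (not BuddyPress code).
 * "myplugin", "myplugin_save_settings" and "myplugin_greeting" are made up.
 */

// 1. Render the form. wp_nonce_field() emits a hidden "_wpnonce" input bound to
//    the action string (and, inside WordPress, to the current user and session).
//    $query_arg defaults to '_wpnonce', so no custom field name is needed. The
//    third argument suppresses the referer field, which this check does not use.
function myplugin_render_settings_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save_settings" />
		<?php wp_nonce_field( 'myplugin_save_settings', '_wpnonce', false ); ?>
		<label>Greeting <input type="text" name="greeting" /></label>
		<button type="submit">Save</button>
	</form>
	<?php
}

// 2. Handle the POST. admin_post_{action} fires only for logged-in users.
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save' );
function myplugin_handle_save() {
	// Authorization first: a valid nonce proves intent, not permission.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}

	// The action string must match the one passed to wp_nonce_field() exactly;
	// an empty action always fails. Verification also fails when the requested
	// URL (scheme://host[:port]/uri) does not start with home_url(), so a
	// request that reached PHP under an unexpected host or scheme is rejected.
	if ( ! bp_verify_nonce_request( 'myplugin_save_settings' ) ) {
		wp_die( 'Nonce check failed.', '', array( 'response' => 403 ) );
	}

	$greeting = isset( $_POST['greeting'] )
		? sanitize_text_field( wp_unslash( $_POST['greeting'] ) )
		: '';
	update_option( 'myplugin_greeting', $greeting );

	$back = wp_get_referer() ? wp_get_referer() : admin_url();
	wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
	exit;
}

// 3. Behind a proxy that terminates TLS, is_ssl() may see plain http while
//    home_url() is https, so the prefix comparison fails for every request.
//    Correct the scheme through the filter instead of removing the URL check.
//    Only do this when the proxy is known to overwrite X-Forwarded-Proto on
//    every request; otherwise a client could supply the header itself.
add_filter( 'bp_verify_nonce_request_url', 'myplugin_fix_proxied_scheme' );
function myplugin_fix_proxied_scheme( $requested_url ) {
	if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
		&& 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
		$requested_url = preg_replace( '#^http://#', 'https://', $requested_url );
	}
	return $requested_url;
}
```

The order in the handler matters: the capability check runs before the nonce check so that a forged request from a low-privilege account is refused regardless of whether it carries a nonce, and the nonce check runs before any state change so that a cross-site request from a logged-in administrator cannot reach update_option().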
Changelog
| Version | Description |
|---|---|
| BuddyPress 1.6.0 | Introduced. |