PHP: 403 error when deleting a comment with my WordPress plugin

7fhtutme, posted 2023-02-28 in PHP
Follow (0) | Answers (1) | Views (187)

I recently created a plugin for WordPress that lets you delete comments on posts from the front end. It has an undo-delete function, and none of it requires reloading the page (AJAX). However, when I click the Delete button nothing happens, and in the Google Chrome console I get a "POST /wp-admin/admin-ajax.php 403" error.
Here is the plugin's PHP code:

<?php
/*
Plugin Name: Comment Deleter
Plugin URI: https://example.com/
Description: A plugin for deleting comments with undo function and using AJAX.
Version: 1.0.0
Author: Alexis Grolot
Author URI: https://example.com/
License: GPL2
*/

// Load the front-end script and hand it the admin-ajax.php URL.
function comment_deleter_enqueue_scripts() {
    wp_enqueue_script( 'comment-deleter', plugin_dir_url( __FILE__ ) . 'comment-deleter.js', array( 'jquery' ), '1.0.0', true );
    wp_localize_script( 'comment-deleter', 'comment_deleter_ajax', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'comment_deleter_enqueue_scripts' );

// AJAX handler: delete the comment whose ID is posted as comment_id.
function comment_deleter_delete_comment() {
    check_ajax_referer( 'comment_deleter_delete_comment' );
    $commentId = isset( $_POST['comment_id'] ) ? intval( $_POST['comment_id'] ) : 0;
    $comment = get_comment( $commentId );
    if ( $comment ) {
        // Second argument true = force delete (bypasses the trash).
        wp_delete_comment( $commentId, true );
        wp_send_json_success();
    } else {
        wp_send_json_error( 'Comment not found' );
    }
}
add_action( 'wp_ajax_comment_deleter_delete_comment', 'comment_deleter_delete_comment' );
add_action( 'wp_ajax_nopriv_comment_deleter_delete_comment', 'comment_deleter_delete_comment' );

// AJAX handler: restore a trashed comment.
function comment_deleter_undo_comment() {
    check_ajax_referer( 'comment_deleter_undo_comment' );
    $commentId = isset( $_POST['comment_id'] ) ? intval( $_POST['comment_id'] ) : 0;
    $comment = get_comment( $commentId );
    if ( $comment ) {
        wp_untrash_comment( $commentId );
        wp_send_json_success();
    } else {
        wp_send_json_error( 'Comment not found' );
    }
}
add_action( 'wp_ajax_comment_deleter_undo_comment', 'comment_deleter_undo_comment' );
add_action( 'wp_ajax_nopriv_comment_deleter_undo_comment', 'comment_deleter_undo_comment' );

Here is the plugin's JavaScript code:

jQuery( document ).ready( function( $ ) {
    // Delete link: post the comment ID and its nonce to admin-ajax.php.
    $( '.comment-delete' ).click( function( e ) {
        e.preventDefault();
        var commentId = $( this ).data( 'comment-id' );
        var nonce = $( this ).data( 'nonce' );
        var data = {
            action: 'comment_deleter_delete_comment',
            comment_id: commentId,
            nonce: nonce
        };
        $.post( comment_deleter_ajax.ajax_url, data, function( response ) {
            if ( response.success ) {
                $( '#comment-' + commentId ).fadeOut();
            }
        } );
    } );
} );

jQuery( document ).ready( function( $ ) {
    // Undo link: ask the server to restore the comment, then show it again.
    $( '.comment-undo' ).click( function( e ) {
        e.preventDefault();
        var commentId = $( this ).data( 'comment-id' );
        var nonce = $( this ).data( 'nonce' );
        var data = {
            action: 'comment_deleter_undo_comment',
            comment_id: commentId,
            nonce: nonce
        };
        $.post( comment_deleter_ajax.ajax_url, data, function( response ) {
            if ( response.success ) {
                $( '#comment-' + commentId ).fadeIn();
                $( '.comment-delete-undo' ).hide();
            }
        } );
    } );
} );

I added this code to my theme's comments.php file:

<?php if ( current_user_can( 'manage_options' ) ) : ?>
    <a href="#" class="comment-delete" data-comment-id="<?php comment_ID(); ?>" data-nonce="<?php echo wp_create_nonce( 'comment_deleter_delete_comment' ); ?>">Delete</a>
<?php endif; ?>
<span class="comment-delete-undo" style="display: none;">
    <a href="#" class="comment-undo" data-comment-id="<?php comment_ID(); ?>" data-nonce="<?php echo wp_create_nonce( 'comment_deleter_undo_comment' ); ?>">Undo</a>
</span>

I suspect this is due to a permissions or security problem, but I'm not sure of the exact source. I have verified that the nonce is valid and that the logged-in user has the appropriate permissions to delete comments. I also tried disabling other plugins to see whether there was any conflict.
Can you help me solve this problem and advise me on what I can do to make my plugin work properly?

5lhxktic (answer 1)

You are sending the nonce, but it isn't being verified correctly. check_ajax_referer() needs more arguments.
The first is your nonce name, comment_deleter_delete_comment; the second is the $_REQUEST key, which in your case is nonce.
The result looks like this: check_ajax_referer('comment_deleter_delete_comment', 'nonce').
If you don't want to add the second argument, you need to rename the key in the JS to one of the defaults (_ajax_nonce or _wpnonce).

var data = {
  action: 'comment_deleter_delete_comment',
  comment_id: commentId,
  _ajax_nonce: nonce
};
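As an added example (not the asker's plugin code and not part of the answer above), here is how the two handlers could look once the request key is passed to check_ajax_referer() as the answer describes. Without that key the function looks for _ajax_nonce or _wpnonce, finds neither, and terminates the request with -1 and HTTP 403, which is exactly the console error in the question. The example keeps the question's action names, nonce actions and the `nonce` POST field, and adds two things a reviewer would ask for: a nonce proves the request came from a page this site rendered, not that the caller may delete comments, so authorization is checked separately with current_user_can('edit_comment', $id) and the wp_ajax_nopriv_* registrations are dropped; and the comment is trashed rather than force-deleted, since wp_delete_comment($id, true) removes the row permanently and wp_untrash_comment() can then no longer restore it. The helper name comment_deleter_get_comment_or_die is an assumption introduced for this example.

```php
<?php
// Added example: hardened AJAX handlers for the Comment Deleter plugin.
// Assumes the same action names, nonce actions and the 'nonce' POST field
// that the question's JavaScript already sends. The helper below is not
// part of the original plugin.

function comment_deleter_get_comment_or_die( $nonce_action ) {
    // The second argument names the request key carrying the nonce. With
    // only the first argument, check_ajax_referer() reads _ajax_nonce or
    // _wpnonce, finds nothing, and answers -1 with HTTP 403.
    check_ajax_referer( $nonce_action, 'nonce' );

    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    $comment    = $comment_id ? get_comment( $comment_id ) : null;
    if ( ! $comment ) {
        wp_send_json_error( 'Comment not found', 404 );
    }

    // A valid nonce is CSRF protection, not authorization: it only shows the
    // request originated from a page this site rendered for this user.
    // Require the capability to edit this specific comment before acting.
    if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    return $comment;
}

function comment_deleter_delete_comment() {
    $comment = comment_deleter_get_comment_or_die( 'comment_deleter_delete_comment' );

    // Move to the trash instead of force-deleting, so that the undo handler
    // can restore it with wp_untrash_comment(). wp_delete_comment( $id, true )
    // removes the row permanently and undo would always fail.
    if ( ! wp_trash_comment( $comment->comment_ID ) ) {
        wp_send_json_error( 'Could not trash comment', 500 );
    }
    wp_send_json_success( array( 'comment_id' => (int) $comment->comment_ID ) );
}

function comment_deleter_undo_comment() {
    $comment = comment_deleter_get_comment_or_die( 'comment_deleter_undo_comment' );

    // Only comments that are actually in the trash can be restored.
    if ( 'trash' !== $comment->comment_approved ) {
        wp_send_json_error( 'Comment is not in the trash', 400 );
    }
    if ( ! wp_untrash_comment( $comment->comment_ID ) ) {
        wp_send_json_error( 'Could not restore comment', 500 );
    }
    wp_send_json_success( array( 'comment_id' => (int) $comment->comment_ID ) );
}

// Register for logged-in users only. There is no wp_ajax_nopriv_* hook here:
// an anonymous visitor has no business reaching a delete/restore endpoint,
// and the theme template in the question prints the undo nonce to everyone.
add_action( 'wp_ajax_comment_deleter_delete_comment', 'comment_deleter_delete_comment' );
add_action( 'wp_ajax_comment_deleter_undo_comment', 'comment_deleter_undo_comment' );
```

With this server side, the JavaScript from the question works unchanged, since it already posts the nonce under the key `nonce`. If trash is disabled on the site (EMPTY_TRASH_DAYS set to 0), wp_trash_comment() falls back to a permanent delete and the undo path will report that the comment is not in the trash, which is the honest answer rather than a silent no-op.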
