• Resolved verygoodplugins

    (@verygoodplugins)


    Hey guys,

    Really digging the plugin, thanks.

    At the moment Helpful is running check_ajax_referer() in the save_vote() and save_feedback() functions.

    With our current caching setup, this means we need to expire the cache every 24h, so the nonce remains valid for Helpful (otherwise we get 403 errors saving votes or feedback for guests).

    I’d like to request a filter / option to disable nonce verification when leaving feedback. I understand this is slightly less secure, but for us it’s worth it to save having to rebuild the cache every day.

    At the moment we’ve just been patching Helpful\Core\Modules\Frontend with each update but obviously that’s not ideal.

    Thanks!
    Jack

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Pixelbart

    (@pixelbart)

    @verygoodplugins

    Thank you for your feedback!

    You can send me your correction, then I’ll see what I can do.

    It is then easier for me to understand.

    Stay healthy!

    Thread Starter verygoodplugins

    (@verygoodplugins)

    Hey @pixelbart , thanks for the quick reply.

    It may benefit from having an option in the plugin, under Settings >> System >> Miscellaneous, in case other people have the same issue.

    But for us, it would be sufficient to change lines 189 and 229 in class-frontend.php from

    check_ajax_referer( 'helpful_frontend_nonce' );

    to

    if ( apply_filters( 'helpful_verify_nonces', true ) ) {
    	check_ajax_referer( 'helpful_frontend_nonce' );
    }

    In that case we could add a simple

    add_filter( 'helpful_verify_nonces', '__return_false' );

    to our functions.php and we’d be able to preserve the fix between Helpful updates.

    Thanks again
    Jack

    Plugin Author Pixelbart

    (@pixelbart)

    @verygoodplugins

    Thank you! I just implemented the whole thing, including a small option in Helpful’s settings.

    There are two filters in total because two nonces are affected.

    Patch Note: https://github.com/pixelbart/helpful/releases/tag/4.4.19

    You can let me know if it works for you that way. Thank you in any case for the tip!

    Edit: If you want me to link you differently, you can write me that too. I have now used your www.remarpro.com account.

    • This reply was modified 3 years, 10 months ago by Pixelbart.
    Thread Starter verygoodplugins

    (@verygoodplugins)

    Brilliant, thank you so much! That works perfectly.

  • The topic ‘Feature request: Bypass nonce verification’ is closed to new replies.
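
A narrower alternative to switching the check off for everyone, as an added example that is not part of the thread or of Helpful's code: keep nonce verification for logged-in users and, for guests served from cache, replace it with a same-site Origin/Referer check. It assumes the filter name `helpful_verify_nonces` proposed above (the 4.4.19 release notes give the names the plugin actually ships) and that logged-in users are not served cached pages; the function name is hypothetical.

```php
<?php
/**
 * Added example, not Helpful's own code. Assumes the filter name
 * 'helpful_verify_nonces' proposed in this thread; the released plugin
 * may use different names for its two filters.
 */
add_filter( 'helpful_verify_nonces', 'example_helpful_guest_nonce_policy' );

function example_helpful_guest_nonce_policy( $verify ) {
	// Assumption: logged-in users are not served cached pages, so their
	// user-bound nonces are fresh. Keep the normal check for them.
	if ( is_user_logged_in() ) {
		return $verify;
	}

	// Guests: the nonce baked into the cached page may have expired, so
	// skip it, but still require the request to come from this site.
	$source = get_http_origin();
	if ( ! $source ) {
		$source = wp_get_raw_referer();
	}

	$source_host = $source ? wp_parse_url( $source, PHP_URL_HOST ) : null;
	$site_host   = wp_parse_url( home_url(), PHP_URL_HOST );

	// Reject requests with no Origin/Referer or with a foreign host.
	if ( ! $source_host || 0 !== strcasecmp( $source_host, $site_host ) ) {
		wp_send_json_error( 'Invalid request origin.', 403 );
	}

	// Same-site guest request: tell the plugin to skip check_ajax_referer().
	return false;
}
```

Requests from clients that strip both the Origin and Referer headers are rejected by this policy.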