check_admin_referer() – Ensures intent by verifying that a user was referred from another admin page with the correct security nonce.

You appear to be a bot. Output may be restricted

Description

Ensures intent by verifying that a user was referred from another admin page with the correct security nonce.

This function ensures the user intends to perform a given action, which helps protect against clickjacking style attacks. It verifies intent, not authorisation, therefore it does not verify the user's capabilities. This should be performed with current_user_can() or similar. If the nonce value is invalid, the function will exit with an "Are You Sure?" style message.

Usage

$int|false = check_admin_referer( $action, $query_arg );

Parameters

$action
( int|string ) optional default: -1 – The nonce action.
$query_arg
( string ) optional default: _wpnonce – Optional. Key to check for nonce in `$_REQUEST`. Default '_wpnonce'.

Returns

int|false

  1. if the nonce is valid and generated between 0-12 hours ago,
  2. if the nonce is valid and generated between 12-24 hours ago.
  3. False if the nonce is invalid.

    Source

    File name: wordpress/wp-includes/pluggable.php
    Lines:

    1 to 27 of 27
      function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
        if ( -1 === $action ) {
          _doing_it_wrong( check_admin_referer, __( 'You should specify an action to be verified by using the first parameter.' ), '3.2.0' );
        }
    
        $adminurl = strtolower( admin_url() );
        $referer  = strtolower( wp_get_referer() );
        $result   = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;
    
        
    /**
     * Fires once the admin request has been validated or not.
     *
     * @since 1.5.1
     *
     * @param string    $action The nonce action.
     * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
     *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
     */
        do_action( 'check_admin_referer', $action, $result );
    
        if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
          wp_nonce_ays( $action );
          die();
        }
    
        return $result;
      }
     

     View on GitHub View on Trac