Merge pull request #28500 from woocommerce/fix/issue-27424

Defer nonce creation until displayed by WC Admin closes #27424

includes/admin/class-wc-admin-notices.php

@@ -64,6 +64,51 @@ class WC_Admin_Notices {
 		}
 	}
 
+	/**
+	 * Parses query to create nonces when available.
+	 *
+	 * @param object $response The WP_REST_Response we're working with.
+	 * @return object $response The prepared WP_REST_Response object.
+	 */
+	public static function prepare_note_with_nonce( $response ) {
+		if ( 'wc-update-db-reminder' !== $response->data['name'] || ! isset( $response->data['actions'] ) ) {
+			return $response;
+		}
+
+		foreach ( $response->data['actions'] as $action_key => $action ) {
+			$url_parts = ! empty( $action->query ) ? wp_parse_url( $action->query ) : '';
+
+			if ( ! isset( $url_parts['query'] ) ) {
+				continue;
+			}
+
+			wp_parse_str( $url_parts['query'], $params );
+
+			if ( array_key_exists( '_nonce_action', $params ) && array_key_exists( '_nonce_name', $params ) ) {
+				$org_params = $params;
+
+				// Check to make sure we're acting on the whitelisted nonce actions.
+				if ( 'wc_db_update' !== $params['_nonce_action'] && 'woocommerce_hide_notices_nonce' !== $params['_nonce_action'] ) {
+					continue;
+				}
+
+				unset( $org_params['_nonce_action'] );
+				unset( $org_params['_nonce_name'] );
+
+				$url = $url_parts['scheme'] . '://' . $url_parts['host'] . $url_parts['path'];
+
+				$nonce         = array( $params['_nonce_name'] => wp_create_nonce( $params['_nonce_action'] ) );
+				$merged_params = array_merge( $nonce, $org_params );
+				$parsed_query  = add_query_arg( $merged_params, $url );
+
+				$response->data['actions'][ $action_key ]->query = $parsed_query;
+				$response->data['actions'][ $action_key ]->url   = $parsed_query;
+			}
+		}
+
+		return $response;
+	}
+
 	/**
 	 * Store notices to DB
 	 */

includes/admin/notes/class-wc-notes-run-db-update.php

@@ -110,10 +110,13 @@ class WC_Notes_Run_Db_Update {
 	 */
 	private static function update_needed_notice( $note_id = null ) {
 		$update_url = html_entity_decode(
-			wp_nonce_url(
-				add_query_arg( 'do_update_woocommerce', 'true', wc_get_current_admin_url() ? wc_get_current_admin_url() : admin_url( 'admin.php?page=wc-settings' ) ),
-				'wc_db_update',
-				'wc_db_update_nonce'
+			add_query_arg(
+				array(
+					'do_update_woocommerce' => 'true',
+					'_nonce_action'         => 'wc_db_update',
+					'_nonce_name'           => 'wc_db_update_nonce',
+				),
+				wc_get_current_admin_url() ? wc_get_current_admin_url() : admin_url( 'admin.php?page=wc-settings' )
 			)
 		);
 
@@ -206,14 +209,13 @@ class WC_Notes_Run_Db_Update {
 	 */
 	private static function update_done_notice( $note_id ) {
 		$hide_notices_url = html_entity_decode( // to convert &s to normal &, otherwise produces invalid link.
-			wp_nonce_url(
-				add_query_arg(
-					'wc-hide-notice',
-					'update',
-					wc_get_current_admin_url() ? wc_get_current_admin_url() : admin_url( 'admin.php?page=wc-settings' )
+			add_query_arg(
+				array(
+					'wc-hide-notice' => 'update',
+					'_nonce_action'  => 'woocommerce_hide_notices_nonce',
+					'_nonce_name'    => '_wc_notice_nonce',
 				),
-				'woocommerce_hide_notices_nonce',
-				'_wc_notice_nonce'
+				wc_get_current_admin_url() ? remove_query_arg( 'do_update_woocommerce', wc_get_current_admin_url() ) : admin_url( 'admin.php?page=wc-settings' )
 			)
 		);
 

includes/class-woocommerce.php

@@ -203,6 +203,7 @@ final class WooCommerce {
 		add_action( 'switch_blog', array( $this, 'wpdb_table_fix' ), 0 );
 		add_action( 'activated_plugin', array( $this, 'activated_plugin' ) );
 		add_action( 'deactivated_plugin', array( $this, 'deactivated_plugin' ) );
+		add_filter( 'woocommerce_rest_prepare_note', array( 'WC_Admin_Notices', 'prepare_note_with_nonce' ) );
 
 		// These classes set up hooks on instantiation.
 		wc_get_container()->get( DownloadPermissionsAdjuster::class );