[wp-hackers] Inconsistent actions, duplicated code, complicated plugins

Robert Deaton false.hopes at gmail.com
Thu Jun 22 04:32:59 GMT 2006


While writing my latest plugin, I realized the difficulty and growing
complexity of the admin panel and some of the inconsistencies that
make for a hassle of plugin coding. Particularly, actions for catching
a post before it's deleted, or trying to catch the contents of a post
before it's modified. Here's an example, after much digging, of the
logic needed to try and catch a post before it is deleted.

	$id = 0;
	$ajax = 0;
	$post_action = isset($_POST['action']) ? $_POST['action'] : '';
	$get_action = isset($_GET['action']) ? $_GET['action'] : '';
	if($post_action == 'delete-post' && !empty($_POST['id'])) {
		// AJAX delete from the post list; nonce is checked below
		$id = (int) $_POST['id'];
		$ajax = 1;
	} else if($get_action == 'delete' && !empty($_GET['post'])) {
		// "Delete" link on the manage posts page, protected by an admin nonce
		$id = (int) $_GET['post'];
		check_admin_referer('delete-post_' . $id);
	} else if(isset($_POST['deletepost']) && !empty($_POST['post_ID'])) {
		// "Delete" button on the post edit form
		$id = (int) $_POST['post_ID'];
		$post = get_post($id);
		/* Do not check on pages, as there is a missing nonce field here.
		Reported as http://trac.wordpress.org/ticket/2847 */
		if($post->post_status != 'static')
			check_admin_referer('delete-post_' . $id);
	} else if($post_action == 'delete-page' && !empty($_POST['id'])) {
		// AJAX delete from the page list; nonce is checked below
		$id = (int) $_POST['id'];
		$ajax = 1;
	}
	// AJAX requests carry their own nonce; refuse the request if it fails
	if($ajax)
		if ( !check_ajax_referer() )
			die('-1');

All this just to properly get the ID of the posts and know that we can
trust the value (nonces, ajax checks, etc). Manual nonce checking has
to be done, workaround for ajax and non-ajax, different pages and
entry points for deletion.

Would it not make sense for us to make these actions, and all other
similar inconsistencies and duplications, in some way standardized so
that we're not doing so many things and searching through so many
pieces of code? Even if we have to do two checks, one on $_POST for
ajax and one on $_GET for everything else, at least having common
names that are somewhat documentable would be nice. Thoughts?
Comments?

-- 
--Robert Deaton
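The consolidation the message asks for can be approximated today inside a plugin, as an added example (not code from the original message or from WordPress): one helper gathers the deletion entry points listed above and hands back a post ID only after the matching nonce check has passed, so the rest of the plugin has a single place where "this ID can be trusted" is decided. The WordPress calls used (check_admin_referer, check_ajax_referer, get_post, update_option, is_admin, add_action) are real; the function names prefixed "ex_", the option name, the hook choice of 'init', and the boolean use of check_ajax_referer() mirroring the snippet above are assumptions.

```php
<?php
/*
 * Added example, not part of the original message. Names prefixed "ex_"
 * and the 'ex_last_deleted_post' option are hypothetical.
 */

// Returns the ID of the post about to be deleted, or 0 when this request is
// not a deletion. check_admin_referer() dies on a failed nonce and the AJAX
// branch dies as well, so a non-zero return always means the nonce verified.
function ex_get_trusted_delete_id() {
	$post_action = isset($_POST['action']) ? $_POST['action'] : '';
	$get_action  = isset($_GET['action'])  ? $_GET['action']  : '';

	// AJAX deletion of a post or page: both entry points use $_POST['id'].
	if (($post_action === 'delete-post' || $post_action === 'delete-page')
			&& !empty($_POST['id'])) {
		$id = (int) $_POST['id'];
		if (!check_ajax_referer()) {   // assumed boolean return, as in the snippet above
			die('-1');
		}
		return $id;
	}

	// "Delete" link on the manage posts page: $_GET['post'] plus an admin nonce.
	if ($get_action === 'delete' && !empty($_GET['post'])) {
		$id = (int) $_GET['post'];
		check_admin_referer('delete-post_' . $id);
		return $id;
	}

	// "Delete" button on the edit form: $_POST['post_ID'].
	if (isset($_POST['deletepost']) && !empty($_POST['post_ID'])) {
		$id   = (int) $_POST['post_ID'];
		$post = get_post($id);
		// Pages lack the nonce field (ticket 2847 above); skip the check only
		// for them, matching the original logic. Unknown IDs are still checked.
		if (!$post || $post->post_status !== 'static') {
			check_admin_referer('delete-post_' . $id);
		}
		return $id;
	}

	return 0;
}

// Runs before the admin screen performs the deletion and keeps a copy of the
// post so other plugin code can still see what was removed.
function ex_capture_post_before_delete() {
	if (!is_admin()) {
		return;
	}
	$id = ex_get_trusted_delete_id();
	if ($id <= 0) {
		return;
	}
	$post = get_post($id);
	if (!$post) {
		return;
	}
	update_option('ex_last_deleted_post', array(
		'ID'      => $post->ID,
		'title'   => $post->post_title,
		'content' => $post->post_content,
	));
}
add_action('init', 'ex_capture_post_before_delete');
```

The point of the single helper is that every caller gets the same trust boundary: an ID reaches plugin code only after the (int) cast and the nonce check appropriate to that entry point, and an entry point that is added or renamed in core has exactly one place that needs updating.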

