• I am developing a plugin that only applies itself to the dashboard area of a website, and on top of that, its more “dangerous” functions are wrapped in:

    if(current_user_can('administrator')){
    //Code Here
    }

    Do I still need to nonce-verify whenever interacting with sensitive information, or is the administrator check enough?

    Also, I apologize if this is the wrong area…the area that I wanted to post it in originally was closed to new topics, and I wasn’t sure where else to put it. I placed it here because it applies to both my plugin development and theme development.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    Yes, this location is fine; this forum is for development and coding questions.

    And yes, you must still use a nonce. It prevents CSRF attacks. A nonce ensures a request came from a valid form that was requested by the user. Otherwise, an attacker could trick our administrator user, who is visiting an unknown malicious site, into inadvertently sending a forged request to our WP site, where our user happens to still be logged in.
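    As an added illustration of the two checks working together (this is example code written for this thread, not code from either poster): the capability check answers "is this user allowed to do this?", while the nonce check answers "did this request actually come from our form?". The handler name, option name, nonce action and nonce field name below are assumed placeholders.

```php
<?php
// Added example: a plugin admin form plus its admin-post handler.
// Names such as myplugin_save_settings and myplugin_value are hypothetical.

// Render the form on the plugin's dashboard page.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php
        // Emits a hidden field holding a nonce tied to this action and this user.
        wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' );
        ?>
        <input type="text" name="myplugin_value"
               value="<?php echo esc_attr( get_option( 'myplugin_value', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST submitted by the form above.
function myplugin_handle_save() {
    // 1. Authorization: check a capability rather than a role name.
    //    A forged request from a logged-in admin passes this check too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent: the nonce can only be present if the request was built
    //    from our form. check_admin_referer() dies if it is missing or invalid,
    //    which is what stops a cross-site forged request.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // Both checks passed: now it is safe to act on the input.
    $value = isset( $_POST['myplugin_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_value'] ) )
        : '';
    update_option( 'myplugin_value', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save' );
```

    For AJAX handlers the equivalent nonce check is check_ajax_referer(); the capability check stays the same.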

    Thread Starter Endlyss

    (@akel-res)

    Gotcha!
    Thank you very much for the response, bcworkz, as well as the explanation as to why it’s important.

  • The topic ‘If already checking for administrator perms, is nonce-verifying necessary?’ is closed to new replies.