General: add nonce for block theme preview activation.

Adds a nonce so that activation works for block theme previews. Temporary fix until there is a REST API endpoint for activating themes.

Props scruffian, peterwilsoncc, nithins53, nithi22, jomonthomaslobo1, poena, syamraj24, vivekawsm, mrinal013.
Fixes #58712.


git-svn-id: https://develop.svn.wordpress.org/trunk@56199 602fd350-edb4-49c9-b593-d223f7449a82

Author: tellthemachines

src/wp-admin/includes/admin-filters.php

@@ -168,10 +168,3 @@
 
 // Append '(Draft)' to draft page titles in the privacy page dropdown.
 add_filter( 'list_pages', '_wp_privacy_settings_filter_draft_page_titles', 10, 2 );
-
-// Attaches filters to enable theme previews in the Site Editor.
-if ( ! empty( $_GET['wp_theme_preview'] ) ) {
-	add_filter( 'stylesheet', 'wp_get_theme_preview_path' );
-	add_filter( 'template', 'wp_get_theme_preview_path' );
-	add_action( 'init', 'wp_attach_theme_preview_middleware' );
-}

src/wp-admin/includes/admin.php

@@ -71,7 +71,6 @@
 
 /** WordPress Theme Administration API */
 require_once ABSPATH . 'wp-admin/includes/theme.php';
-require_once ABSPATH . 'wp-admin/includes/theme-previews.php';
 
 /** WordPress Privacy Functions */
 require_once ABSPATH . 'wp-admin/includes/privacy-tools.php';

src/wp-admin/includes/theme-previews.php

@@ -54,3 +54,31 @@ function wp_attach_theme_preview_middleware() {
 		'after'
 	);
 }
+
+/**
+ * Set a JavaScript constant for theme activation.
+ *
+ * Sets the JavaScript global WP_BLOCK_THEME_ACTIVATE_NONCE containing the nonce
+ * required to activate a theme. For use within the site editor.
+ *
+ * @see https://github.com/WordPress/gutenberg/pull/41836.
+ *
+ * @since 6.3.0
+ * @private
+ */
+function wp_block_theme_activate_nonce() {
+	$nonce_handle = 'switch-theme_' . wp_get_theme_preview_path();
+	?>
+	<script type="text/javascript">
+		window.WP_BLOCK_THEME_ACTIVATE_NONCE = '<?php echo wp_create_nonce( $nonce_handle ); ?>';
+	</script>
+	<?php
+}
+
+// Attaches filters to enable theme previews in the Site Editor.
+if ( ! empty( $_GET['wp_theme_preview'] ) ) {
+	add_filter( 'stylesheet', 'wp_get_theme_preview_path' );
+	add_filter( 'template', 'wp_get_theme_preview_path' );
+	add_action( 'init', 'wp_attach_theme_preview_middleware' );
+	add_action( 'admin_head', 'wp_block_theme_activate_nonce' );
+}

src/wp-settings.php

@@ -181,6 +181,7 @@
 require ABSPATH . WPINC . '/block-template-utils.php';
 require ABSPATH . WPINC . '/block-template.php';
 require ABSPATH . WPINC . '/theme-templates.php';
+require ABSPATH . WPINC . '/theme-previews.php';
 require ABSPATH . WPINC . '/template.php';
 require ABSPATH . WPINC . '/https-detection.php';
 require ABSPATH . WPINC . '/https-migration.php';