Skip to content

Commit ecdad06

Browse files
committed
refactor(admin): drop unused bulk-create nonce field
The form was a structural shell only — its submit is hijacked by the picker JS and dispatched via wp.apiFetch, which carries its own X-WP-Nonce. There's no server-side handler for the POST, so the nonce field was emitted but never verified. Removed and replaced with a comment explaining the auth path.
1 parent 0154e75 commit ecdad06

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

includes/MslsTranslationPickerPage.php

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -446,8 +446,10 @@ private static function render_list_table( int $source, string $post_type, strin
446446
$table = new MslsTranslationPickerTable( $source, $post_type, $search );
447447
$table->prepare_items();
448448

449+
// The form's submit is intercepted client-side and dispatched through
450+
// the REST API (which carries its own X-WP-Nonce), so no server-side
451+
// nonce is required here.
449452
echo '<form method="post" id="msls-tp-form">';
450-
wp_nonce_field( 'msls_tp_bulk', 'msls_tp_nonce' );
451453
$table->display();
452454
echo '</form>';
453455
}

0 commit comments

Comments
 (0)