• I am still relatively new to creating plugins, and I’m trying to create an admin screen with a handy list of troubleshooting plugins I typically install, use, and remove. I have tried creating the link with a nonce, but every time I click the link, I’m told it’s expired.

    function custom_plugin_menu() {
        // Add a submenu page under the "Plugins" menu
        add_plugins_page(
            'Plugin Library', // Page title
            'Plugin Library', // Menu title
            'manage_options', // Capability required to access the page
            'plugin-library', // Menu slug (unique identifier for the page)
            'plugin_library_page' // Callback function to display the page content
        );
    }
    add_action('admin_menu', 'custom_plugin_menu');

    function plugin_library_page() {
        $bare_url = admin_url( 'update.php?action=install-plugin&plugin=which-template-file' ); // The base URL for your action
        $nonce_action = 'plugin_install_nonce'; // A unique string identifying the nonce's purpose

        $nonce_url = wp_nonce_url( $bare_url, $nonce_action );

        // Output HTML content for your custom admin page here
        echo '<div class="wrap">';
        echo '<h1>Library of Commonly Used Temporary Plugins</h1>';
        echo '<a href="'. $nonce_url .'">Which Template</a>';
        echo '</div>';
    }
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator threadi

    (@threadi)

    If I understand correctly, you want to use this link to install the which-template-file plugin. To do this, call up the update.php file from the WordPress Core. There you will find this section that checks the nonce value in this case: https://github.com/WordPress/WordPress/blob/master/wp-admin/update.php#L112

    This means that you have to construct your nonce value differently. Like this:

    $nonce_action = 'install-plugin_which-template-file';

    Then the link will work 🙂

    Why? Because you should generally only set the nonce value that is actually queried, and not just any value. If you want to use WordPress’s own functions, take a look at their source code and see if and which nonce values they use there.

    Thread Starter nitrospectide

    (@nitrospectide)

    First, thank you. That fixed it.

    Second, as mentioned, I am very new at this, and don’t understand why it fixed it. I see the ‘install-plugin_’ prefix listed in line 112, and that it’s being handed as a parameter to check_admin_referer(), but don’t understand what that’s doing. I see it come up elsewhere in that file, and it looks like it’s doing a check to see which action should be performed. It seems that my problem arose from example code that didn’t call this out, and made it seem like this was just a generic identifier string that only needed to be unique (presumably to act as an id somewhere).
    $nonce_action = 'plugin_install_nonce'; // A unique string identifying the nonce's purpose

    How does one look up functions to investigate these things?

    Moderator threadi

    (@threadi)

    Take a look at the manual for nonces: https://developer.wordpress.org/apis/security/nonces/

    Or this article: https://developer.wordpress.org/news/2023/08/understand-and-use-wordpress-nonces-properly/

    check_admin_referer is described here: https://developer.wordpress.org/reference/functions/check_admin_referer/ – the above pages will show you when this function is used.

    Tip: Before you use any system functions such as install, create a page in the backend where you send a link to your own programming. In the simplest case, this can be an admin_action, see: https://developer.wordpress.org/reference/hooks/admin_action_action/

    Example:

    // Define the action URL in any function that renders output in the backend.
    $url = add_query_arg(
        array(
            'action' => 'your_custom_action',
            'nonce'  => wp_create_nonce( 'your-custom-nonce' ),
        ),
        get_admin_url() . 'admin.php'
    );
    ?><a href="<?php echo esc_url( $url ); ?>">click me</a><?php

    // Handle the admin action via its hook.
    add_action( 'admin_action_your_custom_action', function() {
        // Verify the nonce passed in the "nonce" query argument; dies on failure.
        check_admin_referer( 'your-custom-nonce', 'nonce' );
        echo "ok";
        exit;
    });
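
The fix discussed in this thread, generalized to a list of plugins, as an added example that is not code from any of the posts above: each link's nonce action is built as `'install-plugin_'` plus the slug, which is the string `update.php` hands to `check_admin_referer()`. The `mylib_` function names are hypothetical, and the second slug in the list is a constructed placeholder.

```php
<?php
// Added example, not code from the thread. All "mylib_" names are hypothetical.

add_action( 'admin_menu', 'mylib_register_page' );

function mylib_register_page() {
	add_plugins_page(
		'Plugin Library',      // Page title
		'Plugin Library',      // Menu title
		'install_plugins',     // Capability core checks before installing a plugin
		'plugin-library',      // Menu slug
		'mylib_render_page'    // Render callback
	);
}

/**
 * Build the install link for one plugin slug.
 * The nonce action must be exactly what the receiving code verifies:
 * 'install-plugin_' followed by the slug. A nonce created for any other
 * action string fails verification, whatever its age.
 */
function mylib_install_url( $slug ) {
	$slug = sanitize_key( $slug );
	$url  = add_query_arg(
		array( 'action' => 'install-plugin', 'plugin' => $slug ),
		self_admin_url( 'update.php' )
	);
	return wp_nonce_url( $url, 'install-plugin_' . $slug );
}

function mylib_render_page() {
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_die( esc_html__( 'You are not allowed to install plugins.' ) );
	}
	// Slug => link label. The second entry is a constructed placeholder.
	$library = array(
		'which-template-file' => 'Which Template',
		'example-plugin-slug' => 'Example Plugin (placeholder)',
	);
	echo '<div class="wrap"><h1>Library of Commonly Used Temporary Plugins</h1><ul>';
	foreach ( $library as $slug => $label ) {
		printf(
			'<li><a href="%s">%s</a></li>',
			esc_url( mylib_install_url( $slug ) ),
			esc_html( $label )
		);
	}
	echo '</ul></div>';
}
```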