Refresh Nonce Values After Reauthenticating To Prevent Data Loss #627
Description
Problem
When an authenticated session expires and a user logs in again, the FieldManager nonce fields should refresh as well. The way things work now, when you reauthenticate everything seems fine, so a user may continue adding content. When the post is eventually saved, the user is presented with a wp_die() screen letting them know something is wrong (because behind the scenes the nonce verification failed). All of their previous work is lost after this happens.
This has happened to our editorial team a number of times and it is painful to hear how they lose work whenever it happens.
Suggested Solution
WordPress provides a filter, wp_refresh_nonces, for sending new nonces to the editor after reauthenticating. You can see an example of how this is used in the wp_refresh_post_nonces() function in /wp-admin/includes/misc.php. You provide a key => value pair with the key being the ID attribute of the nonce and the value being the new nonce value. WordPress should handle doing the replacement for you in post.js.
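One way the suggested approach could look, written here as an added example rather than code from Fieldmanager or WordPress core. It piggybacks on the same `wp-refresh-post-nonces` response key that wp_refresh_post_nonces() fills, so post.js performs the replacement. The field names and the `fieldmanager-{name}-nonce` / `fieldmanager-save-{name}` id and action naming are assumptions and should be checked against the plugin's own context classes.

```php
<?php
/**
 * Added example (not Fieldmanager or WordPress code).
 * Assumes each Fieldmanager field renders a hidden input with
 *   id="fieldmanager-{name}-nonce" created for action "fieldmanager-save-{name}".
 * Both are assumptions; verify against the plugin before relying on them.
 */

// Names of the Fieldmanager fields on the edit screen (constructed example values).
function example_fm_refreshable_fields() {
	return array( 'subtitle', 'related_posts' );
}

// Runs on the wp_refresh_nonces filter after core's callback (priority 20 > 10),
// so core's 'check' flag and its own 'replace' entries are already present.
function example_fm_refresh_nonces( $response, $data, $screen_id ) {
	// Only answer when post.js actually asked for post nonces to be refreshed.
	if ( ! isset( $data['wp-refresh-post-nonces'] ) ) {
		return $response;
	}

	$post_id = absint( $data['wp-refresh-post-nonces']['post_id'] ?? 0 );

	// Never mint nonces for a post the current user cannot edit; a nonce is
	// only meaningful as proof that this user intended this action.
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		return $response;
	}

	if ( ! isset( $response['wp-refresh-post-nonces']['replace'] ) ) {
		$response['wp-refresh-post-nonces']['replace'] = array();
	}

	foreach ( example_fm_refreshable_fields() as $name ) {
		// Key: id attribute of the hidden nonce input; value: freshly created nonce.
		$response['wp-refresh-post-nonces']['replace'][ "fieldmanager-{$name}-nonce" ] =
			wp_create_nonce( "fieldmanager-save-{$name}" );
	}

	return $response;
}
add_filter( 'wp_refresh_nonces', 'example_fm_refresh_nonces', 20, 3 );
```

Because post.js iterates the `replace` map and sets `#<key>` to each value, any field whose nonce input id is not listed here keeps its stale nonce and will still fail verification on save.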
Steps to Reproduce
- Create a new post with one or more FieldManager fields
- Save the post as a draft
- Make more content changes
- Delete the domain cookies to force WordPress to reauthenticate via the Heartbeat API
- Reauthenticate
- Save the post; you are presented with an error screen and all your changes are gone