From 3baf3d2545ba6ece6b74a64c0def59bd0774cf54 Mon Sep 17 00:00:00 2001
From: Jake Vanderwerf <get@jakevanderwerf.ca>
Date: Wed, 10 Jun 2026 16:34:12 +0000
Subject: [PATCH] =Laid the groundwork for an improved DashboardManager.php setup. Have to put it aside so I can get the dang Northeh done though.

---
 inc/rest/PermissionHandler.php |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/inc/rest/PermissionHandler.php b/inc/rest/PermissionHandler.php
index 8d4b447..eb87fd0 100644
--- a/inc/rest/PermissionHandler.php
+++ b/inc/rest/PermissionHandler.php
@@ -330,6 +330,9 @@
 		}
 
 		if (!wp_verify_nonce($nonce, $action)) {
+			error_log('[PermissionHandler] Validating nonce....');
+			error_log('Nonce: '.print_r($nonce, true));
+			error_log('Action: '.print_r($action, true));
 			return new WP_Error(
 				'invalid_nonce',
 				'Invalid or expired security token',
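Review bot: The three added error_log() calls write the raw nonce value and action name to the server error log on every failed verification, which leaks token material into a log that is often world-readable on shared hosting and is not needed to diagnose the failure; the first message ("Validating nonce....") is also misleading, since it only fires after wp_verify_nonce() has already rejected the token. Log the failure and the action only, and leave the token out: `error_log(sprintf('[PermissionHandler] Nonce verification failed for action "%s"', $action));` — if the value is genuinely needed while debugging, gate it behind `WP_DEBUG` and log a truncated or hashed form rather than the token itself. The enclosing function starts outside the hunk, so I cannot see whether a similar unguarded log exists earlier in it.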
@@ -343,9 +346,13 @@
 	/**
 	 * Verify action-specific nonce (e.g., 'dash-{user_id}')
 	 */
-	public static function verifyActionNonce(WP_REST_Request $request, string $actionPrefix, string $header = 'action_nonce'): bool|WP_Error
+	public static function verifyActionNonce(WP_REST_Request $request, string $actionPrefix, string $header = 'X-Action-Nonce'): bool|WP_Error
 	{
-		$userId = $request->get_param('user') ?: get_current_user_id();
+		$userId = absint($request->get_param('user'));
+		if ($userId === 0) {
+			return false;
+		}
+
 		$action = $actionPrefix . $userId;
 
 		return self::verifyNonce($request, $action, $header);
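Review bot: The new early return hands back a bare `false` when the `user` parameter is missing or not a positive integer, while the nonce-failure path in verifyNonce() (hunk above) returns a WP_Error with a code and message; callers that check `is_wp_error()` only will treat this `false` as an unremarkable result, and the cause is lost. A consistent form would be `return new WP_Error('invalid_user', 'Missing or invalid user id', ['status' => 400]);`, matching the `invalid_nonce` error style already used in this file. The docblock is also stale after this change: it should state that the `user` request parameter is now required and no longer falls back to the current user, and that the nonce is read from the `X-Action-Nonce` header by default. Since `$userId` comes from the request rather than the session, it is worth a line in the docblock saying whether the caller is responsible for checking that the current user may act for that id — I cannot confirm from the hunk whether verifyNonce() does so.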

--
Gitblit v1.10.0