Live Theme Preview

Browse any installed theme without activating it or touching settings.json. Works entirely via a signed token in the URL.


How it works

  1. Admin clicks "Live Preview" in the theme manager.
  2. admin/theme-preview.php (GET ?theme=themename):
     - Verifies that the requested theme exists.
     - Derives an HMAC secret from the bcrypt hash of the stored admin password.
     - Builds a signed token: base64url(themeName + "|" + Unix timestamp + "|" + HMAC-SHA256).
     - Redirects to the site root with ?_tp=TOKEN.
  3. loadSettings() in functions.php (called from index.php): if ?_tp is present and $_SESSION['admin'] === true, the token is decoded and verified (HMAC check plus 2-hour TTL). If it is valid, active_theme is overridden for this request only; settings.json is never modified.
  4. index.php rewrites every internal href in JS to append ?_tp=TOKEN, and a MutationObserver does the same for links added to the DOM later.
  5. Closing the preview tab ends the preview. Nothing is stored server-side, so there is nothing to clean up; the token itself stays valid until its TTL expires.
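The token round trip described in steps 2 and 3, written out as an added example (this is not the project's own code). Assumptions: the helper names tp_secret(), tp_make_token() and tp_verify_token() are invented here; the HMAC is computed over themeName|timestamp; the HMAC key is derived from the bcrypt hash with HKDF under a fixed label (the page only says "derived from the bcrypt hash"); the installed-theme list and the bcrypt hash at the bottom are constructed for the demo. The verifier also rejects timestamps from the future and compares the MAC in constant time, both checks a practitioner would want even though the page does not mention them.

```php
<?php
// Added example: stateless theme-preview token, signed and verified.
// Helper names and the HKDF derivation are assumptions, not the project's code.
declare(strict_types=1);

const TP_TTL = 7200; // 2-hour TTL, as in the feature description

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s): string|false
{
    $pad = strlen($s) % 4;
    if ($pad !== 0) {
        $s .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($s, '-_', '+/'), true); // strict: reject junk
}

// Derive a dedicated HMAC key from the stored bcrypt hash. Because the hash
// changes whenever the admin password changes, every outstanding preview token
// is invalidated at that moment. The HKDF label keeps this key distinct from
// anything else that might be derived from the same hash (assumed design).
function tp_secret(string $bcryptHash): string
{
    return hash_hkdf('sha256', $bcryptHash, 32, 'theme-preview-token');
}

// Step 2: build base64url(theme|ts|hmac). Theme is run through basename()
// and may not contain the '|' separator, so the token cannot be mis-parsed.
function tp_make_token(string $theme, string $bcryptHash, ?int $now = null): string
{
    $theme = basename($theme);
    if ($theme === '' || str_contains($theme, '|')) {
        throw new InvalidArgumentException('invalid theme name');
    }
    $ts  = (string) ($now ?? time());
    $mac = hash_hmac('sha256', $theme . '|' . $ts, tp_secret($bcryptHash));
    return b64url_encode($theme . '|' . $ts . '|' . $mac);
}

// Step 3: returns the theme name to activate for this request, or null.
// Every failure path returns null so the caller simply keeps the saved theme.
function tp_verify_token(string $token, string $bcryptHash, bool $isAdmin,
                         array $installedThemes, ?int $now = null): ?string
{
    if (!$isAdmin) {
        return null; // only honoured inside an admin session
    }
    $raw = b64url_decode($token);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return null;
    }
    [$theme, $ts, $mac] = $parts;
    if ($theme === '' || $theme !== basename($theme) || !ctype_digit($ts)) {
        return null;
    }
    $expected = hash_hmac('sha256', $theme . '|' . $ts, tp_secret($bcryptHash));
    if (!hash_equals($expected, $mac)) {
        return null; // constant-time comparison of the MAC
    }
    $age = ($now ?? time()) - (int) $ts;
    if ($age < 0 || $age > TP_TTL) {
        return null; // reject both expired and future-dated tokens
    }
    if (!in_array($theme, $installedThemes, true)) {
        return null; // the theme must still exist
    }
    return $theme;
}

// Demo with a constructed bcrypt hash (not a real credential) and a fixed clock.
$storedHash = password_hash('example-admin-password', PASSWORD_BCRYPT);
$installed  = ['default', 'dark'];
$t0         = 1_700_000_000;
$token      = tp_make_token('dark', $storedHash, $t0);

var_dump(tp_verify_token($token, $storedHash, true,  $installed, $t0 + 60));          // valid, within TTL
var_dump(tp_verify_token($token, $storedHash, false, $installed, $t0 + 60));          // same token, no admin session
var_dump(tp_verify_token($token, $storedHash, true,  $installed, $t0 + TP_TTL + 1));  // expired
var_dump(tp_verify_token($token, $storedHash, true,  ['default'], $t0 + 60));         // theme no longer installed
var_dump(tp_verify_token(substr($token, 0, -2) . 'AA', $storedHash, true, $installed, $t0 + 60)); // tampered
```

The first call is the only one that returns a theme name; the remaining four exercise one rejection path each. Note that the theme name is validated again on the way in, not just at generation: the signature already binds it, but re-applying basename() makes the validator safe even if a token generator elsewhere were less careful.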

Security

  • HMAC-SHA256 signed token with a 2-hour TTL. The token is stateless: it stays valid until it expires, and all tokens are invalidated when the admin password changes, because the HMAC secret is derived from its bcrypt hash.
  • Only honoured when $_SESSION['admin'] === true, so a leaked preview URL is useless to anyone without an admin session.
  • basename() applied to the theme name (path traversal prevention).

Files involved

File                                   Role
admin/theme-preview.php                Token generator + redirector
functions.php (loadSettings())         Token validator + theme override
index.php                              Preview banner + JS link rewriting
admin/templates/theme-manager.php      "Live Preview" button + openThemePreview() JS