One button on admin page works but not two

Question

I am workin on a plugin (for use on my own site). I recently added a button to the admin page that generates some text, and it works fine. This is what I use (pilfered from examples):

if (!current_user_can('manage_options'))  {
  wp_die( __('You do not have sufficient galooph to access this page.')    );
}

if ($_POST['plugin_button'] == 'thing' && check_admin_referer('thing_button_clicked')) {
  plugin_thing_button();
}
echo '<form action="options-general.php?page=plugin-list" method="post">';

wp_nonce_field('thing_button_clicked');
echo '<input type="hidden" value="thing" name="plugin_button" />';
submit_button('Generate new thing');

echo '</form>';

This works fine and calls the function as it should.

Now I want a second button to do something completely unrelated.

Here is what I tried, basically copying from above:

if (!current_user_can('manage_options'))  {
  wp_die( __('You do not have sufficient galooph to access this page.')    );
}

if ($_POST['plugin_button'] == 'thing' && check_admin_referer('thing_button_clicked')) {
  plugin_thing_button();
}
if ($_POST['plugin_button2'] == 'thing2' && check_admin_referer('thing2_button_clicked')) {
  plugin_thing2_button();
}
echo '<form action="options-general.php?page=plugin-list" method="post">';

wp_nonce_field('thing_button_clicked');
echo '<input type="hidden" value="thing" name="plugin_button" />';
submit_button('Generate new thing');

wp_nonce_field('thing2_button_clicked');
echo '<input type="hidden" value="thing2" name="plugin_button2" />';
submit_button('Generate new new thing');

echo '</form>';

The code for 2 buttons returns "The link you followed has expired." for both buttons, i.e. the one that worked alone does not work either now.

Where is my mistake? Thank you in advance!

Answer 1

I think I've solved the problem, there are 2 issues:

1. You have 1 form for both buttons, submitting means submitting the entire form, so both buttons are submitted
2. Your nonce/referrer checks appear to be incomplete

The second item is why you're having issues, although server time issues could also factor in.

If we inspect your nonce and check closer:

...

check_admin_referer('thing_button_clicked')

...

wp_nonce_field('thing_button_clicked');

Notice that they only use the first parameter which is the action. They do not specify the name. This means that when you use wp_nonce_field, it will default too _nonce, resulting in <input type="hidden" name="_nonce"... which is a problem when you have 2 nonces.

So specify the second parameter, or switch to a singular nonce

Answer 2

Thanks to Tom J Nowell, I found the solution. The problem was putting both buttons in the same . This fixed it:

echo '<form action="options-general.php?page=plugin-list" method="post">';
wp_nonce_field('thing_button_clicked');
echo '<input type="hidden" value="thing" name="plugin_button" />';
submit_button('Generate new thing');
echo '</form>';

echo '<form action="options-general.php?page=plugin-list" method="post">';
wp_nonce_field('thing2_button_clicked');
echo '<input type="hidden" value="thing2" name="plugin_button2" />';
submit_button('Generate new new thing');
echo '</form>';

(I hope this is the right way to go about this! And thank you again, Tom!)