Merge pull request #1249 from Codeinwp/bugfix/pro/516

Prevent unauthorized users from updating chart data

Author: vytisbulkevicius

classes/Visualizer/Module/Chart.php

@@ -379,7 +379,7 @@ public function getCharts() {
 	 *
 	 * @return array The array of chart data.
 	 */
-	private function _getChartArray( ?WP_Post $chart = null ) {
+	private function _getChartArray( $chart = null ) {
 		if ( is_null( $chart ) ) {
 			$chart = $this->_chart;
 		}
@@ -1141,7 +1141,11 @@ public function uploadData() {
 		$can_die    = ! ( defined( 'VISUALIZER_DO_NOT_DIE' ) && VISUALIZER_DO_NOT_DIE );
 
 		// validate nonce
-		if ( ! isset( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'] ) ) {
+		if (
+			! isset( $_GET['nonce'] ) ||
+			! wp_verify_nonce( $_GET['nonce'], 'visualizer-upload-data' ) ||
+			! current_user_can( 'edit_posts' )
+		) {
 			if ( ! $can_die ) {
 				return;
 			}
@@ -1152,7 +1156,12 @@ public function uploadData() {
 		// check chart, if chart exists
 		// do not use filter_input as it does not work for phpunit test cases, use filter_var instead
 		$chart_id = isset( $_GET['chart'] ) ? filter_var( $_GET['chart'], FILTER_VALIDATE_INT ) : '';
-		if ( ! $chart_id || ! ( $chart = get_post( $chart_id ) ) || $chart->post_type !== Visualizer_Plugin::CPT_VISUALIZER ) {
+		if (
+			! $chart_id ||
+			! ( $chart = get_post( $chart_id ) ) ||
+			$chart->post_type !== Visualizer_Plugin::CPT_VISUALIZER ||
+			! current_user_can( 'edit_post', $chart_id )
+		) {
 			if ( ! $can_die ) {
 				return;
 			}

classes/Visualizer/Render/Layout.php

@@ -360,7 +360,7 @@ public static function _renderSimpleEditorScreen( $args ) {
 			add_query_arg(
 				array(
 					'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
-					'nonce'  => wp_create_nonce(),
+					'nonce'  => wp_create_nonce( 'visualizer-upload-data' ),
 					'chart'  => $chart_id,
 				),
 				admin_url( 'admin-ajax.php' )
@@ -726,7 +726,7 @@ public static function _renderTabBasic( $args ) {
 			add_query_arg(
 				array(
 					'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
-					'nonce'  => wp_create_nonce(),
+					'nonce'  => wp_create_nonce( 'visualizer-upload-data' ),
 					'chart'  => $chart_id,
 				),
 				admin_url( 'admin-ajax.php' )

classes/Visualizer/Render/Page/Types.php

@@ -39,7 +39,7 @@ class Visualizer_Render_Page_Types extends Visualizer_Render_Page {
 	 */
 	protected function _toHTML() {
 		echo '<form method="post" id="viz-types-form">';
-			echo '<input type="hidden" name="nonce" value="', wp_create_nonce(), '">';
+			echo '<input type="hidden" name="nonce" value="', wp_create_nonce( 'visualizer-upload-data' ), '">';
 			parent::_toHTML();
 		echo '</form>';
 	}

tests/test-import.php

@@ -89,7 +89,7 @@ public function test_url_import( $url, $content, $series ) {
 			'remote_data' => $url,
 		);
 		$_GET  = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 		);
 		// swallow the output
@@ -163,7 +163,7 @@ public function test_file_import( $file, $content, $series ) {
 			),
 		);
 		$_GET   = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 		);
 		// swallow the output

tests/test-revisions.php

@@ -79,7 +79,7 @@ public function test_chart_edit_cancel( $file_orig, $file_new ) {
 			),
 		);
 		$_GET   = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 			'tab'   => 'type',
 		);
@@ -151,7 +151,7 @@ public function test_chart_edit_again( $file_orig, $file_new ) {
 			),
 		);
 		$_GET   = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 			'tab'   => 'type',
 		);
@@ -218,7 +218,7 @@ public function test_chart_edit_save( $file_orig, $file_new ) {
 			),
 		);
 		$_GET   = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 			'tab'   => 'type',
 		);