bugfix(ajax): permission check

436a297d · Grzegorz Rola · cd51ab56 · 436a297d · 436a297d
Commit 436a297d authored 1 year ago by Grzegorz Rola
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+## [3.2.4] - 2024-03-11
+### Fixed
+- permission check on notice dismiss action
+
 ## [3.2.3] - 2023-04-06
 ### Fixed
 - fatal error if get_current_screen function return null
+
 ## [3.2.2] - 2023-03-03
 ### Added
 - security nonce in permanent dismissible notice ajax action

--- a/src/WPDesk/Notice/AjaxHandler.php
+++ b/src/WPDesk/Notice/AjaxHandler.php
@@ -78,17 +78,21 @@ class AjaxHandler implements HookablePluginDependant {
        if ( isset( $_POST[ self::POST_FIELD_NOTICE_NAME ] ) ) {
            $noticeName = sanitize_text_field( $_POST[ self::POST_FIELD_NOTICE_NAME ] );

+            $option_name = PermanentDismissibleNotice::OPTION_NAME_PREFIX . $noticeName;
+            ajax_check_referer( $option_name, self::POST_FIELD_SECURITY );
+
+            if ( ! current_user_can( 'edit_posts' ) ) {
+                wp_send_json_error();
+            }
+
            if ( isset( $_POST[ self::POST_FIELD_SOURCE ] ) ) {
                $source = sanitize_text_field( $_POST[ self::POST_FIELD_SOURCE ] );
            } else {
                $source = null;
            }

-            $security = $_POST[ self::POST_FIELD_SECURITY ] ?? '';
-
            $option_name = PermanentDismissibleNotice::OPTION_NAME_PREFIX . $noticeName;

-            if ( wp_verify_nonce( $security, $option_name ) ) {
            update_option(
                $option_name,
                PermanentDismissibleNotice::OPTION_VALUE_DISMISSED
@@ -98,11 +102,9 @@ class AjaxHandler implements HookablePluginDependant {
                wp_send_json_success();
            }
        }
-        }
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
            wp_send_json_error();
        }
    }

 }
-