Merge branch 'bugfix/permission-check' into 'master'

bugfix(ajax): permission check See merge request !28

Merge branch 'bugfix/permission-check' into 'master'
bugfix(ajax): permission check See merge request !28
d884c9e7 · Grzegorz Rola · cd51ab56 · ee9bf265 · d884c9e7 · d884c9e7
Commit d884c9e7 authored 1 year ago by Grzegorz Rola
--- a/.env.testing
+++ b/.env.testing
@@ -12,7 +12,7 @@ TEST_DB_PASSWORD="mysql"
 TEST_TABLE_PREFIX="wp_"
 TEST_SITE_WP_URL="http://${WOOTESTS_IP}"
 TEST_SITE_WP_DOMAIN="${WOOTESTS_IP}"
-TEST_SITE_ADMIN_EMAIL="grola@seostudio.pl"
+TEST_SITE_ADMIN_EMAIL="grola@octolize.dev"
 TEST_SITE_ADMIN_USERNAME="admin"
 TEST_SITE_ADMIN_PASSWORD="admin"
 SELENIUM_HOST="chrome"

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+## [3.2.4] - 2024-03-11
+### Fixed
+- permission check on notice dismiss action
+
 ## [3.2.3] - 2023-04-06
 ### Fixed
 - fatal error if get_current_screen function return null
+
 ## [3.2.2] - 2023-03-03
 ### Added
 - security nonce in permanent dismissible notice ajax action

--- a/src/WPDesk/Notice/AjaxHandler.php
+++ b/src/WPDesk/Notice/AjaxHandler.php
@@ -78,25 +78,26 @@ class AjaxHandler implements HookablePluginDependant {
        if ( isset( $_POST[ self::POST_FIELD_NOTICE_NAME ] ) ) {
            $noticeName = sanitize_text_field( $_POST[ self::POST_FIELD_NOTICE_NAME ] );

+            $optionName = PermanentDismissibleNotice::OPTION_NAME_PREFIX . $noticeName;
+            check_ajax_referer( $optionName, self::POST_FIELD_SECURITY );
+
+            if ( ! current_user_can( 'edit_posts' ) ) {
+                wp_send_json_error();
+            }
+
            if ( isset( $_POST[ self::POST_FIELD_SOURCE ] ) ) {
                $source = sanitize_text_field( $_POST[ self::POST_FIELD_SOURCE ] );
            } else {
                $source = null;
            }

-            $security = $_POST[ self::POST_FIELD_SECURITY ] ?? '';
-
-            $option_name = PermanentDismissibleNotice::OPTION_NAME_PREFIX . $noticeName;
-
-            if ( wp_verify_nonce( $security, $option_name ) ) {
-                update_option(
-                    $option_name,
-                    PermanentDismissibleNotice::OPTION_VALUE_DISMISSED
-                );
-                do_action( 'wpdesk_notice_dismissed_notice', $noticeName, $source );
-                if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
-                    wp_send_json_success();
-                }
+            update_option(
+                $optionName,
+                PermanentDismissibleNotice::OPTION_VALUE_DISMISSED
+            );
+            do_action( 'wpdesk_notice_dismissed_notice', $noticeName, $source );
+            if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
+                wp_send_json_success();
            }
        }
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
@@ -105,4 +106,3 @@ class AjaxHandler implements HookablePluginDependant {
    }

 }
-
--- a/tests/codeception/tests/integration.suite.yml
+++ b/tests/codeception/tests/integration.suite.yml
@@ -30,7 +30,7 @@ modules:
            dbHost: "%TEST_SITE_DB_HOST%"
            dbUser: "%TEST_SITE_DB_USER%"
            dbPassword: "%TEST_SITE_DB_PASSWORD%"
-            isolatedInstall: false
+            isolatedInstall: true
            loadOnly: false
            tablePrefix: "%TEST_SITE_TABLE_PREFIX%"
            plugins: []

--- a/tests/codeception/tests/integration/AjaxHandlerTest.php
+++ b/tests/codeception/tests/integration/AjaxHandlerTest.php
@@ -14,12 +14,22 @@ class AjaxHandlerTest extends WPTestCase {

    public function setUp() {
        parent::setUp();
+        add_filter( 'wp_doing_ajax', '__return_true' );
+        add_filter( 'wp_die_ajax_handler', array( $this, 'getDieHandler' ), 1, 1 );
    }

    public function tearDown() {
        parent::tearDown();
    }

+    public function getDieHandler( $handler ) {
+        return array( $this, 'dieHandler' );
+    }
+
+    public function dieHandler( $message, $title, $args ) {
+        throw new \Exception( $message );
+    }
+
 	public function testHooksWithAssetsURL() {
 		$ajaxHandler = new AjaxHandler( self::ASSETS_URL );
 		$ajaxHandler->hooks();
@@ -77,25 +87,40 @@ class AjaxHandlerTest extends WPTestCase {
 		$ajaxHandler->addScriptToAdminHead();
 	}

-	public function testProcessAjaxNoticeDismiss() {
-		$_POST[ AjaxHandler::POST_FIELD_NOTICE_NAME ] = self::NOTICE_NAME;
-        $_POST[ AjaxHandler::POST_FIELD_SECURITY ] = wp_create_nonce( PermanentDismissibleNotice::OPTION_NAME_PREFIX . sanitize_text_field( self::NOTICE_NAME ) );
+    public function testProcessAjaxNoticeDismiss() {
+        $user_name = 'test_user';
+        $random_password = wp_generate_password( $length = 12, $include_standard_special_chars = false );
+        $user_email = 'test@wpdesk.dev';
+        $user_id = wp_create_user( $user_name, $random_password, $user_email );
+        $user = new \WP_User( $user_id );
+        $user->set_role( 'administrator' );
+        $user->save();
+        wp_set_current_user( $user_id );
+
+        $_POST[ AjaxHandler::POST_FIELD_NOTICE_NAME ] = self::NOTICE_NAME;
+        $_REQUEST[ AjaxHandler::POST_FIELD_SECURITY ] = wp_create_nonce( PermanentDismissibleNotice::OPTION_NAME_PREFIX . sanitize_text_field( self::NOTICE_NAME ) );

        $ajaxHandler = new AjaxHandler( self::ASSETS_URL );
-		$ajaxHandler->processAjaxNoticeDismiss();
+        $ajaxHandler->processAjaxNoticeDismiss();

-		$this->assertEquals(
-			PermanentDismissibleNotice::OPTION_VALUE_DISMISSED,
-			get_option( PermanentDismissibleNotice::OPTION_NAME_PREFIX . self::NOTICE_NAME )
-		);
-	}
+        $this->assertEquals(
+            PermanentDismissibleNotice::OPTION_VALUE_DISMISSED,
+            get_option( PermanentDismissibleNotice::OPTION_NAME_PREFIX . self::NOTICE_NAME, '0' )
+        );
+
+        wp_delete_user( $user_id );
+    }

    public function testShoulfNotProcessAjaxNoticeDismissWhenInvalidNonce() {
        $_POST[ AjaxHandler::POST_FIELD_NOTICE_NAME ] = self::NOTICE_NAME;
-        $_POST[ AjaxHandler::POST_FIELD_SECURITY ] = wp_create_nonce();
+        $_REQUEST[ AjaxHandler::POST_FIELD_SECURITY ] = wp_create_nonce();

        $ajaxHandler = new AjaxHandler( self::ASSETS_URL );
-        $ajaxHandler->processAjaxNoticeDismiss();
+        try {
+            $ajaxHandler->processAjaxNoticeDismiss();
+        } catch ( \Exception $e ) {
+            $this->assertEquals('-1', $e->getMessage());
+        }

        $this->assertNotEquals(
            PermanentDismissibleNotice::OPTION_VALUE_DISMISSED,

--- a/tests/codeception/wpdesk.yml
+++ b/tests/codeception/wpdesk.yml
@@ -3,6 +3,7 @@ plugin-file: none
 plugin-title: none
 plugins:
  repository:
+    - woocommerce
  local:
  activate:
 prepare-database: