feature(ajax): added nonce

src/WPDesk/Notice/AjaxHandler.php

@@ -12,13 +12,13 @@ use WPDesk\PluginBuilder\Plugin\PluginAccess;
  *
  * @package WPDesk\Notice
  */
-class AjaxHandler implements HookablePluginDependant
-{
+class AjaxHandler implements HookablePluginDependant {
 
     use PluginAccess;
 
     const POST_FIELD_NOTICE_NAME = 'notice_name';
     const POST_FIELD_SOURCE = 'source';
+    const POST_FIELD_SECURITY = 'security';
 
     const SCRIPTS_VERSION = '4';
     const SCRIPT_HANDLE = 'wpdesk_notice';
@@ -33,16 +33,14 @@ class AjaxHandler implements HookablePluginDependant
      *
      * @param string|null $assetsURL Assets URL.
      */
-    public function __construct($assetsURL = null)
-    {
+    public function __construct( $assetsURL = null ) {
         $this->assetsURL = $assetsURL;
     }
 
     /**
      * Hooks.
      */
-    public function hooks()
-    {
+    public function hooks() {
         if ( $this->assetsURL ) {
             add_action( 'admin_enqueue_scripts', [ $this, 'enqueueAdminScripts' ] );
         } else {
@@ -54,13 +52,11 @@ class AjaxHandler implements HookablePluginDependant
     /**
      * Enqueue admin scripts.
      */
-    public function enqueueAdminScripts()
-    {
-        $suffix = defined('SCRIPT_DEBUG') && SCRIPT_DEBUG ? '' : '.min';
+    public function enqueueAdminScripts() {
         wp_register_script(
             self::SCRIPT_HANDLE,
-            trailingslashit($this->assetsURL) . 'js/notice' . $suffix . '.js',
-            array( 'jquery' ),
+            trailingslashit( $this->assetsURL ) . 'js/notice.js',
+            [ 'jquery' ],
             self::SCRIPTS_VERSION
         );
         wp_enqueue_script( self::SCRIPT_HANDLE );
@@ -69,8 +65,7 @@ class AjaxHandler implements HookablePluginDependant
     /**
      * Add Java Script to admin header.
      */
-    public function addScriptToAdminHead()
-    {
+    public function addScriptToAdminHead() {
         include __DIR__ . '/views/admin-head-js.php';
     }
 
@@ -79,8 +74,7 @@ class AjaxHandler implements HookablePluginDependant
      *
      * Updates corresponded WordPress option and fires wpdesk_notice_dismissed_notice action with notice name.
      */
-    public function processAjaxNoticeDismiss()
-    {
+    public function processAjaxNoticeDismiss() {
         if ( isset( $_POST[ self::POST_FIELD_NOTICE_NAME ] ) ) {
             $noticeName = sanitize_text_field( $_POST[ self::POST_FIELD_NOTICE_NAME ] );
 
@@ -90,14 +84,23 @@ class AjaxHandler implements HookablePluginDependant
                 $source = null;
             }
 
+            $security = $_POST[ self::POST_FIELD_SECURITY ] ?? '';
+
+            $option_name = PermanentDismissibleNotice::OPTION_NAME_PREFIX . $noticeName;
+
+            if ( wp_verify_nonce( $security, $option_name ) ) {
                 update_option(
-                PermanentDismissibleNotice::OPTION_NAME_PREFIX . $noticeName,
+                    $option_name,
                     PermanentDismissibleNotice::OPTION_VALUE_DISMISSED
                 );
                 do_action( 'wpdesk_notice_dismissed_notice', $noticeName, $source );
+                if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
+                    wp_send_json_success();
+                }
+            }
         }
         if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
-            die();
+            wp_send_json_error();
         }
     }