diff --git a/.github/code-review/require-person/cynhu92/PR-44 b/.github/code-review/require-person/cynhu92/PR-44
new file mode 100644
index 00000000..e69de29b
diff --git a/public/includes/custom_fields.php b/public/includes/custom_fields.php
index 3b2d81e7..8a95a95d 100644
--- a/public/includes/custom_fields.php
+++ b/public/includes/custom_fields.php
@@ -302,6 +302,12 @@ function hotspot_area_override_title_and_content( $value, $object_id, $args, $fi
 function update_hotspot_area_details() {
 if ( !isset( $_POST['_pid'] ) ) return;
 check_ajax_referer( 'update-hotspot_'.$_POST['_pid'], 'ajaxnonce' );
+
+ if( ! current_user_can( 'delete_others_posts' ) ){
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
+ }
 if ( isset( $_POST['_title'] ) ) {
 $_POST['_title'] = wp_filter_nohtml_kses( $_POST['_title'] ); // also expects & returns slashes
diff --git a/public/includes/import-export.php b/public/includes/import-export.php
index 1b8bbd25..ac6c4c68 100644
--- a/public/includes/import-export.php
+++ b/public/includes/import-export.php
@@ -28,6 +28,14 @@ public function process_import() {
 if ( empty( $_POST['import_code'] ) ) {
 return;
 }
+
+ // verify nonce
+ if ( !wp_verify_nonce( $_POST['_wpnonce'], 'da_import_nonce' ) || ! current_user_can( 'delete_others_posts' ) ) {
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
+ }
+
 $import_code = stripslashes($_POST['import_code']);
 $import_array = json_decode( $import_code, true );
 if ( empty( $import_array['0']['post']['ID'] ) ) {
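Review bot: The `status_header(403)` in the new capability guard of `update_hotspot_area_details` is very likely discarded: the function uses `check_ajax_referer`, so it presumably runs as an admin-ajax handler, and WordPress's Ajax `wp_die` handler sends its own status (200 by default) unless a response code is passed in. Pass it explicitly — `wp_die( 'Bad Request: You do not have permission to access this page', '', array( 'response' => 403 ) );` — or use `wp_send_json_error( 'You do not have permission to access this page', 403 );` so the JavaScript caller receives a machine-readable failure; the "Bad Request" wording also does not match a 403. The guard checks a site-wide capability rather than the object being edited; if `_pid` is a post ID, `current_user_can( 'edit_post', (int) $_POST['_pid'] )` would tie authorization to that specific post. `update_hotspot_area_details` continues past the end of the hunk.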
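Review bot: `$_POST['_wpnonce']` is read on the new nonce line in `process_import` without an `isset()` guard, so a request that omits the field raises an undefined-index notice before `wp_verify_nonce` rejects it; use `isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : ''` (or `$_POST['_wpnonce'] ?? ''` if the plugin requires PHP 7+). The preceding `status_header(403)` is also likely overwritten: `wp_die()`'s default handler sets its own status (500 unless `response` is supplied) when headers have not yet been sent, so pass `array( 'response' => 403 )` as the third argument. The action string `da_import_nonce` has to match the `wp_nonce_field()` in the import form, which is not in this diff, so that pairing is unconfirmed here. `process_import` starts before and continues after this hunk.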
@@ -81,6 +89,13 @@ public function get_export_array( $ids=array() ) {
 }
 public function get_export_json( $ids=array() ) {
+ // verify nonce
+ if ( !wp_verify_nonce( $_POST['_wpnonce'], 'da_export_nonce' ) || ! current_user_can( 'delete_others_posts' ) ) {
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
+ }
+
 $export_array = $this->get_export_array( $ids );
 return json_encode( $export_array );
 }
@@ -92,15 +107,17 @@ public function admin_menu() {
 }
 public function output_import_export_page() {
- // only allow users with capability: "delete_others_posts"
- if ( ! current_user_can( 'delete_others_posts' ) ) {
- return;
+ if( ! current_user_can( 'delete_others_posts' ) ){
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
 }
 ?>
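Review bot: Placing the `$_POST['_wpnonce']` check inside `get_export_json()` couples a data-access method to one request shape: every caller, including any internal use such as pre-filling the export textarea or a GET-driven download, now reads `$_POST` directly (undefined-index notice when the field is absent) and terminates the whole request via `wp_die()` on failure. The nonce and capability verification belong in the request handler that invokes this method, leaving `get_export_json( $ids )` as the plain `get_export_array` to `json_encode` wrapper it was. If the check must stay here, at least read the nonce defensively, `isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : ''`, and pass `array( 'response' => 403 )` to `wp_die()`, since its default handler otherwise replaces the 403 set by `status_header()` with its own 500. The form or link that supplies `da_export_nonce` is not in this diff, so whether the export is actually a POST is unconfirmed.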
If you've already exported from another site, paste the export code below: