diff --git a/.github/code-review/require-person/cynhu92/PR-44 b/.github/code-review/require-person/cynhu92/PR-44
new file mode 100644
index 00000000..e69de29b
diff --git a/public/includes/custom_fields.php b/public/includes/custom_fields.php
index 3b2d81e7..8a95a95d 100644
--- a/public/includes/custom_fields.php
+++ b/public/includes/custom_fields.php
@@ -302,6 +302,12 @@ function hotspot_area_override_title_and_content( $value, $object_id, $args, $fi
 function update_hotspot_area_details() {
 if ( !isset( $_POST['_pid'] ) ) return;
 check_ajax_referer( 'update-hotspot_'.$_POST['_pid'], 'ajaxnonce' );
+
+ if( ! current_user_can( 'delete_others_posts' ) ){
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
+ }
 
 if ( isset( $_POST['_title'] ) ) {
 $_POST['_title'] = wp_filter_nohtml_kses( $_POST['_title'] ); // also expects & returns slashes
diff --git a/public/includes/import-export.php b/public/includes/import-export.php
index 1b8bbd25..ac6c4c68 100644
--- a/public/includes/import-export.php
+++ b/public/includes/import-export.php
@@ -28,6 +28,14 @@ public function process_import() {
 if ( empty( $_POST['import_code'] ) ) {
 return;
 }
+
+ // verify nonce
+ if ( !wp_verify_nonce( $_POST['_wpnonce'], 'da_import_nonce' ) || ! current_user_can( 'delete_others_posts' ) ) {
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
+ }
+
 $import_code = stripslashes($_POST['import_code']);
 $import_array = json_decode( $import_code, true );
 if ( empty( $import_array['0']['post']['ID'] ) ) {
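Review bot: The capability check added to update_hotspot_area_details is role-level only: `delete_others_posts` is tested with no reference to the object named by `_pid`, so any user holding that capability can update any hotspot, whether or not they may edit that particular post. If `_pid` is the post ID, as the nonce action `'update-hotspot_'.$_POST['_pid']` suggests, an object-aware check such as `if ( ! current_user_can( 'edit_post', (int) $_POST['_pid'] ) ) {` would tie the authorization to the record being changed, and keeping the existing role check beside it is harmless. The text `Bad Request: ...` is sent with `status_header(403)`, which is Forbidden rather than 400; the same message is reused in both import-export.php hunks, so a wording like `'Forbidden: You do not have permission to access this page'` would fit all of them. The body of update_hotspot_area_details continues past the end of the hunk.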
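Review bot: `$_POST['_wpnonce']` is read without an existence check in the new guard in process_import, so a request that omits the field raises an undefined-index warning before `wp_verify_nonce()` gets to return false; `if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'da_import_nonce' ) || ! current_user_can( 'delete_others_posts' ) ) {` closes that gap without changing the outcome for valid requests. The same unguarded access appears in the get_export_json hunk of this file. The guard is correctly placed before any use of `import_code`; the decoding and what is done with `$import_array` afterwards lie outside the hunk.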
@@ -81,6 +89,13 @@ public function get_export_array( $ids=array() ) {
 }
 
 public function get_export_json( $ids=array() ) {
+ // verify nonce
+ if ( !wp_verify_nonce( $_POST['_wpnonce'], 'da_export_nonce' ) || ! current_user_can( 'delete_others_posts' ) ) {
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
+ }
+
 $export_array = $this->get_export_array( $ids );
 return json_encode( $export_array );
 }
@@ -92,15 +107,17 @@ public function admin_menu() {
 }
 
 public function output_import_export_page() {
- // only allow users with capability: "delete_others_posts"
- if ( ! current_user_can( 'delete_others_posts' ) ) {
- return;
+ if( ! current_user_can( 'delete_others_posts' ) ){
+ status_header(403);
+ nocache_headers();
+ wp_die('Bad Request: You do not have permission to access this page');
 }
 ?>
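Review bot: The nonce and capability gate added to get_export_json reads `$_POST` and calls `wp_die()` inside a method whose signature (`$ids` in, JSON string out) reads as a reusable helper, so any caller that reaches it outside a form submission — a preview on the export page, a CLI or cron path — would now terminate the request with a 403. Moving the guard into the hook callback that handles the export request, and leaving get_export_json a plain transformation of `$ids`, keeps the check at the request boundary where `$_POST` belongs. If this method is only ever reached from that handler, a comment making the coupling explicit, e.g. `// Request-bound: expects the da_export_nonce form submission; not for internal calls.`, is the minimum.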

Import

If you've already exported from another site, paste the export code below:

+
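Review bot: `status_header(403)` and `nocache_headers()` in output_import_export_page run too late to take effect if this is the page callback registered in admin_menu: WordPress emits the admin header before invoking a menu page's callback, so the response status is already committed and these two calls can only produce "headers already sent" warnings. The `wp_die()` still stops the page body from rendering, which is the part that matters, so dropping the two header calls and keeping `wp_die('Bad Request: You do not have permission to access this page');` behaves the same without the warnings. The effective access gate for a menu page is the capability passed when it is registered; admin_menu is outside the hunk, so whether it already uses `delete_others_posts` cannot be confirmed from here.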
@@ -124,6 +141,7 @@ public function output_import_export_page() {

Choose images to export

+ 'da_image',
diff --git a/public/includes/lib/CMB2/includes/CMB2_Hookup.php b/public/includes/lib/CMB2/includes/CMB2_Hookup.php
index a8c4d35b..e1b74c3d 100755
--- a/public/includes/lib/CMB2/includes/CMB2_Hookup.php
+++ b/public/includes/lib/CMB2/includes/CMB2_Hookup.php
@@ -910,6 +910,8 @@ public function can_save( $type = '' ) {
 // check nonce.
 && isset( $_POST[ $this->cmb->nonce() ] )
 && wp_verify_nonce( $_POST[ $this->cmb->nonce() ], $this->cmb->nonce() )
+ // check permissions.
+ && current_user_can( 'delete_others_posts' )
 // check if autosave.
 && ! ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE )
 // get the metabox types & compare it to this type.