
extra permissions & capabilities check for admin actions

Spreeuw committed Feb 13, 2019
1 parent 684ae3d commit e06042c0a736ad927ef6da00f93600f08da4c7a9
Showing with 29 additions and 3 deletions.
  1. +5 −0 includes/class-wcpdf-admin.php
  2. +19 −3 includes/class-wcpdf-settings-debug.php
  3. +5 −0 includes/class-wcpdf-settings.php
@@ -580,6 +580,11 @@ public function delete_document() {
'message' => 'incomplete request',
) );
}
if ( !current_user_can('manage_woocommerce') ) {
wp_send_json_error( array(
'message' => 'no permissions',
) );
}
$order_id = absint($_POST['order_id']);
$document = sanitize_text_field($_POST['document']);
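Review bot: The new `current_user_can('manage_woocommerce')` guard gates the AJAX delete on capability, but nothing visible in this hunk verifies a nonce for the request; if delete_document() does not call check_ajax_referer() above the "incomplete request" check, a capability check alone still accepts a request that a logged-in manager's browser was induced to send from another site, so a nonce check (with the plugin's action name for this endpoint) should precede it. The two response strings `'incomplete request'` and `'no permissions'` are also untranslated literals, whereas the rest of the plugin wraps user-visible text in the `woocommerce-pdf-invoices-packing-slips` text domain. delete_document() begins before the start of this hunk.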
@@ -37,10 +37,16 @@ public function debug_tools( $tab, $section ) {
}
?>
<form method="post">
<?php wp_nonce_field( 'wpo_wcpdf_debug_tools_action', 'security' ); ?>
<input type="hidden" name="wpo_wcpdf_debug_tools_action" value="install_fonts">
<input type="submit" name="submit" id="submit" class="button" value="<?php _e( 'Reinstall fonts', 'woocommerce-pdf-invoices-packing-slips' ); ?>">
<?php
if (isset($_POST['wpo_wcpdf_debug_tools_action']) && $_POST['wpo_wcpdf_debug_tools_action'] == 'install_fonts') {
if ( !empty($_POST) && isset($_POST['wpo_wcpdf_debug_tools_action']) && $_POST['wpo_wcpdf_debug_tools_action'] == 'install_fonts' ) {
// check permissions
if ( !check_admin_referer( 'wpo_wcpdf_debug_tools_action', 'security' ) ) {
return;
}
$font_path = WPO_WCPDF()->main->get_tmp_path( 'fonts' );
// clear folder first
@@ -59,10 +65,15 @@ public function debug_tools( $tab, $section ) {
?>
</form>
<form method="post">
<?php wp_nonce_field( 'wpo_wcpdf_debug_tools_action', 'security' ); ?>
<input type="hidden" name="wpo_wcpdf_debug_tools_action" value="clear_tmp">
<input type="submit" name="submit" id="submit" class="button" value="<?php _e( 'Remove temporary files', 'woocommerce-pdf-invoices-packing-slips' ); ?>">
<?php
if (isset($_POST['wpo_wcpdf_debug_tools_action']) && $_POST['wpo_wcpdf_debug_tools_action'] == 'clear_tmp') {
if ( !empty($_POST) && isset($_POST['wpo_wcpdf_debug_tools_action']) && $_POST['wpo_wcpdf_debug_tools_action'] == 'clear_tmp' ) {
// check permissions
if ( !check_admin_referer( 'wpo_wcpdf_debug_tools_action', 'security' ) ) {
return;
}
$tmp_path = WPO_WCPDF()->main->get_tmp_path('attachments');
if ( !function_exists("glob") ) {
@@ -98,10 +109,15 @@ public function debug_tools( $tab, $section ) {
?>
</form>
<form method="post">
<?php wp_nonce_field( 'wpo_wcpdf_debug_tools_action', 'security' ); ?>
<input type="hidden" name="wpo_wcpdf_debug_tools_action" value="delete_legacy_settings">
<input type="submit" name="submit" id="submit" class="button" value="<?php _e( 'Delete legacy (1.X) settings', 'woocommerce-pdf-invoices-packing-slips' ); ?>">
<?php
if (isset($_POST['wpo_wcpdf_debug_tools_action']) && $_POST['wpo_wcpdf_debug_tools_action'] == 'delete_legacy_settings') {
if ( !empty($_POST) && isset($_POST['wpo_wcpdf_debug_tools_action']) && $_POST['wpo_wcpdf_debug_tools_action'] == 'delete_legacy_settings' ) {
// check permissions
if ( !check_admin_referer( 'wpo_wcpdf_debug_tools_action', 'security' ) ) {
return;
}
// delete options
delete_option( 'wpo_wcpdf_general_settings' );
delete_option( 'wpo_wcpdf_template_settings' );
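Review bot: check_admin_referer() on the three `wpo_wcpdf_debug_tools_action` branches only verifies the nonce, not a capability, so unlike the other two files in this commit no `current_user_can('manage_woocommerce')` guard protects the font reinstall, temporary-file removal and legacy-settings deletion; if the settings page is reachable under a lower capability, add `if ( ! current_user_can( 'manage_woocommerce' ) ) { return; }` before each nonce check. Two smaller points on the same lines: check_admin_referer() already calls wp_die() when the nonce fails, so the `return;` after it is unreachable and deserves a comment such as `// defensive: check_admin_referer() dies on failure`, and `!empty($_POST) &&` is redundant given the following `isset($_POST['wpo_wcpdf_debug_tools_action'])`. The pattern is identical in all three hunks of this file; debug_tools() starts before the first hunk and continues past the last.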
@@ -227,6 +227,11 @@ public function get_template_path( $document_type = NULL ) {
public function set_number_store() {
check_ajax_referer( "wpo_wcpdf_next_{$_POST['store']}", 'security' );
// check permissions
if ( !current_user_can('manage_woocommerce') ) {
die();
}
$number = isset( $_POST['number'] ) ? (int) $_POST['number'] : 0;
$number_store_method = $this->get_sequential_number_store_method();
$number_store = new Sequential_Number_Store( $_POST['store'], $number_store_method );
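Review bot: `$_POST['store']` is interpolated into the nonce action and then passed straight to `new Sequential_Number_Store(...)` without an `isset()` check or sanitization, so the added capability check still leaves an unvalidated store name flowing into the constructor (and an undefined-index notice when the parameter is absent); read it once as `$store = isset( $_POST['store'] ) ? sanitize_key( $_POST['store'] ) : '';` and use `$store` in both places, ideally rejecting values outside the plugin's known store names if such a list exists. The permission-failure path also answers with a bare `die()`, whereas delete_document() in this same commit replies with `wp_send_json_error( array( 'message' => 'no permissions' ) )`; returning the same JSON error here keeps the AJAX caller's handling consistent. set_number_store() continues past the end of this hunk.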
