Add capability checks to ajax requests

Closes #15
Mike Jolley 2015-05-29 14:55:26 +01:00
parent 1505424469
commit 2febc8f20a
2 changed files with 130 additions and 3 deletions


@ -172,7 +172,7 @@ class WC_Admin {
$wc_pages[] = 'dashboard_page_wc-translators';
// Check to make sure we're on a WooCommerce admin page
if ( isset( $current_screen->id ) && apply_filters( 'woocommerce_display_admin_footer_text', in_array( $current_screen->id, $wc_pages ) ) ) {
if ( isset( $current_screen->id ) && current_user_can( 'manage_woocommerce' ) && apply_filters( 'woocommerce_display_admin_footer_text', in_array( $current_screen->id, $wc_pages ) ) ) {
// Change the footer text
if ( ! get_option( 'woocommerce_admin_footer_text_rated' ) ) {
$footer_text = sprintf( __( 'If you like <strong>WooCommerce</strong> please leave us a %s&#9733;&#9733;&#9733;&#9733;&#9733;%s rating. A huge thank you from WooThemes in advance!', 'woocommerce' ), '<a href="https://wordpress.org/support/view/plugin-reviews/woocommerce?filter=5#postform" target="_blank" class="wc-rating-link" data-rated="' . __( 'Thanks :)', 'woocommerce' ) . '">', '</a>' );
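Review bot: Placing `current_user_can( 'manage_woocommerce' )` ahead of `apply_filters( 'woocommerce_display_admin_footer_text', ... )` in the rewritten condition means the filter is no longer invoked at all for users without that capability, which is a behaviour change for anything hooked to it rather than only an extra guard. If that is intended, a one-line comment above the condition would make it explicit: `// Only users who can manage WooCommerce see the rating prompt; the display filter is skipped for everyone else.` The capability matches the `manage_woocommerce` guard added to the `rated()` Ajax handler further down the page, so the prompt and the action it triggers are now gated consistently. The enclosing method starts and ends outside the hunk.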


@ -480,6 +480,10 @@ class WC_AJAX {
check_ajax_referer( 'add-attribute', 'security' );
if ( ! current_user_can( 'edit_products' ) ) {
die(-1);
}
global $wc_product_attributes;
$thepostid = 0;
@ -516,6 +520,10 @@ class WC_AJAX {
check_ajax_referer( 'add-attribute', 'security' );
if ( ! current_user_can( 'manage_product_terms' ) ) {
die(-1);
}
$taxonomy = esc_attr( $_POST['taxonomy'] );
$term = wc_clean( $_POST['term'] );
@ -546,6 +554,10 @@ class WC_AJAX {
public static function remove_variations() {
check_ajax_referer( 'delete-variations', 'security' );
if ( ! current_user_can( 'edit_products' ) ) {
die(-1);
}
$variation_ids = (array) $_POST['variation_ids'];
foreach ( $variation_ids as $variation_id ) {
@ -566,6 +578,10 @@ class WC_AJAX {
check_ajax_referer( 'save-attributes', 'security' );
if ( ! current_user_can( 'edit_products' ) ) {
die(-1);
}
// Get post data
parse_str( $_POST['data'], $data );
$post_id = absint( $_POST['post_id'] );
@ -692,6 +708,10 @@ class WC_AJAX {
check_ajax_referer( 'add-variation', 'security' );
if ( ! current_user_can( 'edit_products' ) ) {
die(-1);
}
$post_id = intval( $_POST['post_id'] );
$loop = intval( $_POST['loop'] );
@ -795,6 +815,10 @@ class WC_AJAX {
check_ajax_referer( 'link-variations', 'security' );
if ( ! current_user_can( 'edit_products' ) ) {
die(-1);
}
@set_time_limit(0);
$post_id = intval( $_POST['post_id'] );
@ -956,6 +980,10 @@ class WC_AJAX {
check_ajax_referer( 'revoke-access', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
global $wpdb;
$download_id = $_POST['download_id'];
@ -976,6 +1004,10 @@ class WC_AJAX {
check_ajax_referer( 'grant-access', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
global $wpdb;
$wpdb->hide_errors();
@ -1030,6 +1062,10 @@ class WC_AJAX {
check_ajax_referer( 'get-customer-details', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$user_id = (int) trim(stripslashes($_POST['user_id']));
$type_to_load = esc_attr(trim(stripslashes($_POST['type_to_load'])));
@ -1050,7 +1086,6 @@ class WC_AJAX {
$customer_data = apply_filters( 'woocommerce_found_customer_details', $customer_data, $user_id, $type_to_load );
wp_send_json( $customer_data );
}
/**
@ -1059,6 +1094,10 @@ class WC_AJAX {
public static function add_order_item() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$item_to_add = sanitize_text_field( $_POST['item_to_add'] );
$order_id = absint( $_POST['order_id'] );
@ -1137,6 +1176,10 @@ class WC_AJAX {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_id = absint( $_POST['order_id'] );
$order = wc_get_order( $order_id );
$order_taxes = $order->get_taxes();
@ -1165,6 +1208,10 @@ class WC_AJAX {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_id = absint( $_POST['order_id'] );
$order = wc_get_order( $order_id );
$order_taxes = $order->get_taxes();
@ -1193,6 +1240,10 @@ class WC_AJAX {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_id = absint( $_POST['order_id'] );
$rate_id = absint( $_POST['rate_id'] );
$order = wc_get_order( $order_id );
@ -1213,6 +1264,10 @@ class WC_AJAX {
public static function remove_order_item() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_item_ids = $_POST['order_item_ids'];
if ( ! is_array( $order_item_ids ) && is_numeric( $order_item_ids ) ) {
@ -1235,6 +1290,10 @@ class WC_AJAX {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_id = absint( $_POST['order_id'] );
$rate_id = absint( $_POST['rate_id'] );
@ -1254,6 +1313,10 @@ class WC_AJAX {
public static function reduce_order_item_stock() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_id = absint( $_POST['order_id'] );
$order_item_ids = isset( $_POST['order_item_ids'] ) ? $_POST['order_item_ids'] : array();
$order_item_qty = isset( $_POST['order_item_qty'] ) ? $_POST['order_item_qty'] : array();
@ -1300,6 +1363,10 @@ class WC_AJAX {
public static function increase_order_item_stock() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_id = absint( $_POST['order_id'] );
$order_item_ids = isset( $_POST['order_item_ids'] ) ? $_POST['order_item_ids'] : array();
$order_item_qty = isset( $_POST['order_item_qty'] ) ? $_POST['order_item_qty'] : array();
@ -1347,6 +1414,10 @@ class WC_AJAX {
public static function add_order_item_meta() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$meta_id = wc_add_order_item_meta( absint( $_POST['order_item_id'] ), __( 'Name', 'woocommerce' ), __( 'Value', 'woocommerce' ) );
if ( $meta_id ) {
@ -1364,6 +1435,10 @@ class WC_AJAX {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$meta_id = absint( $_POST['meta_id'] );
$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}woocommerce_order_itemmeta WHERE meta_id = %d", $meta_id ) );
@ -1379,6 +1454,10 @@ class WC_AJAX {
check_ajax_referer( 'calc-totals', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$tax = new WC_Tax();
$order_id = absint( $_POST['order_id'] );
$items = array();
@ -1520,6 +1599,10 @@ class WC_AJAX {
public static function save_order_items() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
if ( isset( $_POST['order_id'] ) && isset( $_POST['items'] ) ) {
$order_id = absint( $_POST['order_id'] );
@ -1545,6 +1628,10 @@ class WC_AJAX {
public static function load_order_items() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
// Return HTML items
$order_id = absint( $_POST['order_id'] );
$order = wc_get_order( $order_id );
@ -1561,6 +1648,10 @@ class WC_AJAX {
check_ajax_referer( 'add-order-note', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$post_id = absint( $_POST['post_id'] );
$note = wp_kses_post( trim( stripslashes( $_POST['note'] ) ) );
$note_type = $_POST['note_type'];
@ -1592,6 +1683,10 @@ class WC_AJAX {
check_ajax_referer( 'delete-order-note', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$note_id = (int) $_POST['note_id'];
if ( $note_id > 0 ) {
@ -1613,6 +1708,10 @@ class WC_AJAX {
check_ajax_referer( 'search-products', 'security' );
if ( ! current_user_can( 'edit_products' ) ) {
die(-1);
}
$term = (string) wc_clean( stripslashes( $_GET['term'] ) );
if ( empty( $term ) ) {
@ -1716,6 +1815,10 @@ class WC_AJAX {
check_ajax_referer( 'search-customers', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$term = wc_clean( stripslashes( $_GET['term'] ) );
if ( empty( $term ) ) {
@ -1757,6 +1860,12 @@ class WC_AJAX {
public static function json_search_downloadable_products_and_variations() {
ob_start();
check_ajax_referer( 'search-products', 'security' );
if ( ! current_user_can( 'edit_products' ) ) {
die(-1);
}
$term = (string) wc_clean( stripslashes( $_GET['term'] ) );
$args = array(
@ -1811,10 +1920,16 @@ class WC_AJAX {
* Ajax request handling for categories ordering
*/
public static function term_ordering() {
// check permissions again and make sure we have what we need
if ( ! current_user_can( 'edit_products' ) || empty( $_POST['id'] ) ) {
die(-1);
}
$id = (int) $_POST['id'];
$next_id = isset( $_POST['nextid'] ) && (int) $_POST['nextid'] ? (int) $_POST['nextid'] : null;
$taxonomy = isset( $_POST['thetaxonomy'] ) ? esc_attr( $_POST['thetaxonomy'] ) : null;
$term = get_term_by('id', $id, $taxonomy);
$term = get_term_by( 'id', $id, $taxonomy );
if ( ! $id || ! $term || ! $taxonomy ) {
die(0);
@ -1928,6 +2043,10 @@ class WC_AJAX {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$order_id = absint( $_POST['order_id'] );
$refund_amount = wc_format_decimal( sanitize_text_field( $_POST['refund_amount'] ) );
$refund_reason = sanitize_text_field( $_POST['refund_reason'] );
@ -2040,6 +2159,10 @@ class WC_AJAX {
public static function delete_refund() {
check_ajax_referer( 'order-item', 'security' );
if ( ! current_user_can( 'edit_shop_orders' ) ) {
die(-1);
}
$refund_id = absint( $_POST['refund_id'] );
if ( $refund_id && 'shop_order_refund' === get_post_type( $refund_id ) ) {
@ -2056,6 +2179,10 @@ class WC_AJAX {
* Triggered when clicking the rating footer.
*/
public static function rated() {
if ( ! current_user_can( 'manage_woocommerce' ) ) {
die(-1);
}
update_option( 'woocommerce_admin_footer_text_rated', 1 );
die();
}
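Review bot: The new `edit_products` guard in term_ordering (hunk @ -1811) is the only added check in this file that is not preceded by a nonce check in the visible lines; if the handler has no `check_ajax_referer()` elsewhere in its body, the capability test alone does not stop a forged cross-site request from a logged-in user who holds the capability, so adding `check_ajax_referer( 'term-ordering', 'security' );` (with the matching nonce emitted client-side) would bring it in line with the other handlers. The capability chosen is also inconsistent with the `manage_product_terms` guard used for the term-creating handler at @ -516; reordering taxonomy terms is the same kind of action, so `if ( ! current_user_can( 'manage_product_terms' ) || empty( $_POST['id'] ) ) {` would keep the two aligned. More generally, every `edit_shop_orders` check added here is role-wide rather than per object — it does not confirm the user may edit the specific `$order_id` read from `$_POST` a few lines later — and a meta-capability check such as `if ( ! current_user_can( 'edit_post', $order_id ) ) { die(-1); }` once `$order_id` is known would close that gap for the order handlers. term_ordering's body and the other handlers continue outside their hunks.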