Add nonce to update WC database URL

This verifies that the user intends to perform a WC database update before the process starts.
Rodrigo Primo 2018-06-07 09:05:46 -03:00
parent 860e3e6d93
commit a200686005
2 changed files with 9 additions and 2 deletions


@ -9,13 +9,19 @@ if ( ! defined( 'ABSPATH' ) ) {
exit;
}
$update_url = wp_nonce_url(
add_query_arg( 'do_update_woocommerce', 'true', admin_url( 'admin.php?page=wc-settings' ) ),
'wc_db_update',
'wc_db_update_nonce'
);
?>
<div id="message" class="updated woocommerce-message wc-connect">
<p>
<strong><?php esc_html_e( 'WooCommerce data update', 'woocommerce' ); ?></strong> &#8211; <?php esc_html_e( 'We need to update your store database to the latest version.', 'woocommerce' ); ?>
</p>
<p class="submit">
<a href="<?php echo esc_url( add_query_arg( 'do_update_woocommerce', 'true', admin_url( 'admin.php?page=wc-settings' ) ) ); ?>" class="wc-update-now button-primary">
<a href="<?php echo esc_url( $update_url ); ?>" class="wc-update-now button-primary">
<?php esc_html_e( 'Run the updater', 'woocommerce' ); ?>
</a>
</p>
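Review bot: The nonce action `'wc_db_update'` and query argument `'wc_db_update_nonce'` passed to wp_nonce_url() here are bare string literals that must stay identical to the ones passed to check_admin_referer() in WC_Install::install_actions(), and nothing in the view says so. If the two drift apart the "Run the updater" link fails closed, which is safe but confusing to debug. A comment above the `$update_url` assignment would document the coupling, for example `// Nonce action and name must match check_admin_referer() in WC_Install::install_actions().`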


@ -155,7 +155,8 @@ class WC_Install {
* This function is hooked into admin_init to affect admin only.
*/
public static function install_actions() {
if ( ! empty( $_GET['do_update_woocommerce'] ) ) { // WPCS: input var ok, CSRF ok.
if ( ! empty( $_GET['do_update_woocommerce'] ) ) { // WPCS: input var ok.
check_admin_referer( 'wc_db_update', 'wc_db_update_nonce' );
self::update();
WC_Admin_Notices::add_notice( 'update' );
}
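Review bot: The new check_admin_referer() call in install_actions() confirms that the request was intentional, but not that the requester is permitted to run a database update; no capability check is visible in this hunk. The docblock says the function is hooked into admin_init, so the branch is reachable on any admin request carrying the query argument and a valid nonce. Unless authorization is enforced elsewhere, consider gating the branch as well, e.g. `if ( ! empty( $_GET['do_update_woocommerce'] ) && current_user_can( 'manage_woocommerce' ) ) {`. The function body continues outside the hunk, so such a check may already exist further down.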