Merge pull request #14506 from woocommerce/fix/14496

Prevent nonce check outside admin when calculating for reports
2017-04-19 15:05:31 +01:00 · 2017-04-19 15:05:31 +01:00 · be96e8c8a1
parent 84c9ce9ceb 2da71bd7fb
commit be96e8c8a1
9 changed files with 26 additions and 8 deletions
--- a/includes/admin/reports/class-wc-admin-report.php
+++ b/includes/admin/reports/class-wc-admin-report.php
@ -514,11 +514,6 @@ class WC_Admin_Report {

 			case 'custom' :

-				if ( ! isset( $_GET['wc_reports_nonce'] ) || ! wp_verify_nonce( $_GET['wc_reports_nonce'], 'custom_range' ) ) {
-					wp_safe_redirect( remove_query_arg( array( 'start_date', 'end_date', 'range', 'wc_reports_nonce' ) ) );
-					exit;
-				}
-
 				$this->start_date = max( strtotime( '-20 years' ), strtotime( sanitize_text_field( $_GET['start_date'] ) ) );

 				if ( empty( $_GET['end_date'] ) ) {
@ -650,4 +645,21 @@ class WC_Admin_Report {
 	 * Output the report.
 	 */
 	public function output_report() {}
+
+	/**
+	 * Check nonce for current range.
+	 *
+	 * @since  3.0.4
+	 * @param  string $current_range Current range.
+	 */
+	public function check_current_range_nonce( $current_range ) {
+		if ( 'custom' !== $current_range ) {
+			return;
+		}
+
+		if ( ! isset( $_GET['wc_reports_nonce'] ) || ! wp_verify_nonce( $_GET['wc_reports_nonce'], 'custom_range' ) ) {
+			wp_safe_redirect( remove_query_arg( array( 'start_date', 'end_date', 'range', 'wc_reports_nonce' ) ) );
+			exit;
+		}
+	}
 }
--- a/includes/admin/reports/class-wc-report-coupon-usage.php
+++ b/includes/admin/reports/class-wc-report-coupon-usage.php
@ -144,6 +144,7 @@ class WC_Report_Coupon_Usage extends WC_Admin_Report {
 			$current_range = '7day';
 		}

+		$this->check_current_range_nonce( $current_range );
 		$this->calculate_current_range( $current_range );

 		include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' );
--- a/includes/admin/reports/class-wc-report-customers.php
+++ b/includes/admin/reports/class-wc-report-customers.php
@ -178,6 +178,7 @@ class WC_Report_Customers extends WC_Admin_Report {
 			$current_range = '7day';
 		}

+		$this->check_current_range_nonce( $current_range );
 		$this->calculate_current_range( $current_range );

 		$admin_users = new WP_User_Query(
--- a/includes/admin/reports/class-wc-report-sales-by-category.php
+++ b/includes/admin/reports/class-wc-report-sales-by-category.php
@ -125,6 +125,7 @@ class WC_Report_Sales_By_Category extends WC_Admin_Report {
 			$current_range = '7day';
 		}

+		$this->check_current_range_nonce( $current_range );
 		$this->calculate_current_range( $current_range );

 		// Get item sales data
--- a/includes/admin/reports/class-wc-report-sales-by-date.php
+++ b/includes/admin/reports/class-wc-report-sales-by-date.php
@ -562,6 +562,7 @@ class WC_Report_Sales_By_Date extends WC_Admin_Report {
 			$current_range = '7day';
 		}

+		$this->check_current_range_nonce( $current_range );
 		$this->calculate_current_range( $current_range );

 		include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' );
--- a/includes/admin/reports/class-wc-report-sales-by-product.php
+++ b/includes/admin/reports/class-wc-report-sales-by-product.php
@ -138,9 +138,11 @@ class WC_Report_Sales_By_Product extends WC_Admin_Report {

 		$current_range = ! empty( $_GET['range'] ) ? sanitize_text_field( $_GET['range'] ) : '7day';

-		if ( ! in_array( $current_range, array( 'custom', 'year', 'last_month', 'month', '7day' ) ) )
+		if ( ! in_array( $current_range, array( 'custom', 'year', 'last_month', 'month', '7day' ) ) ) {
 			$current_range = '7day';
+		}

+		$this->check_current_range_nonce( $current_range );
 		$this->calculate_current_range( $current_range );

 		include( WC()->plugin_path() . '/includes/admin/views/html-report-by-date.php' );
--- a/includes/admin/reports/class-wc-report-taxes-by-code.php
+++ b/includes/admin/reports/class-wc-report-taxes-by-code.php
@ -57,6 +57,7 @@ class WC_Report_Taxes_By_Code extends WC_Admin_Report {
 			$current_range = 'last_month';
 		}

+		$this->check_current_range_nonce( $current_range );
 		$this->calculate_current_range( $current_range );

 		$hide_sidebar = true;
--- a/includes/admin/reports/class-wc-report-taxes-by-date.php
+++ b/includes/admin/reports/class-wc-report-taxes-by-date.php
@ -57,6 +57,7 @@ class WC_Report_Taxes_By_Date extends WC_Admin_Report {
 			$current_range = 'last_month';
 		}

+		$this->check_current_range_nonce( $current_range );
 		$this->calculate_current_range( $current_range );

 		$hide_sidebar = true;
--- a/includes/api/v1/class-wc-rest-report-sales-controller.php
+++ b/includes/api/v1/class-wc-rest-report-sales-controller.php
@ -249,7 +249,6 @@ class WC_REST_Report_Sales_V1_Controller extends WC_REST_Controller {
 		$this->report = new WC_Report_Sales_By_Date();

 		if ( empty( $filter['period'] ) ) {
-
 			// Custom date range.
 			$filter['period'] = 'custom';

@ -265,7 +264,6 @@ class WC_REST_Report_Sales_V1_Controller extends WC_REST_Controller {
 				$_GET['start_date'] = $_GET['end_date'] = date( 'Y-m-d', current_time( 'timestamp' ) );
 			}
 		} else {
-
 			$filter['period'] = empty( $filter['period'] ) ? 'week' : $filter['period'];

 			// Change "week" period to "7day".