From e6c445e1d4bb872a508018301b4b34b59787e663 Mon Sep 17 00:00:00 2001
From: Jeff Stieler
Date: Mon, 1 Jul 2019 12:06:25 -0600
Subject: [PATCH] Verify that user can view reports before allowing export download.
---
 .../includes/export/class-wc-admin-report-exporter.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/woocommerce-admin/includes/export/class-wc-admin-report-exporter.php b/plugins/woocommerce-admin/includes/export/class-wc-admin-report-exporter.php
index 2b4a99a273d..cf592b29332 100644
--- a/plugins/woocommerce-admin/includes/export/class-wc-admin-report-exporter.php
+++ b/plugins/woocommerce-admin/includes/export/class-wc-admin-report-exporter.php
@@ -172,7 +172,8 @@ class WC_Admin_Report_Exporter {
 if (
 isset( $_GET['action'] ) &&
 ! empty( $_GET['filename'] ) &&
- self::DOWNLOAD_EXPORT_ACTION === wp_unslash( $_GET['action'] ) // WPCS: input var ok, sanitization ok.
+ self::DOWNLOAD_EXPORT_ACTION === wp_unslash( $_GET['action'] ) && // WPCS: input var ok, sanitization ok.
+ current_user_can( 'view_woocommerce_reports' )
 ) {
 $exporter = new WC_Admin_Report_CSV_Exporter();
 $exporter->set_filename( wp_unslash( $_GET['filename'] ) ); // WPCS: input var ok, sanitization ok.
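Review bot: The added `current_user_can( 'view_woocommerce_reports' )` check gates the download on a capability only, while the file to serve is still chosen by the request: `$_GET['filename']` reaches `set_filename()` unslashed but otherwise unvalidated, and the coding-standard warning is silenced by the trailing `sanitization ok` comment. Unless `set_filename()` normalizes the name itself (not visible in this hunk), the call site should do it, e.g. `$exporter->set_filename( sanitize_file_name( wp_unslash( $_GET['filename'] ) ) );`, and the suppression comment should go. If exports are meant to be private to the user who generated them, the capability check alone does not enforce that, so either tie the file to the requester or add a comment above the `if` stating that any user with this capability may fetch any export by name. The enclosing method starts and ends outside the hunk, so whether a nonce is verified or a failed check is reported to the caller cannot be told from here.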