fix: added pre-API call permissions check on APIs being called on non-admin accessible screens (#51406)

fix: no permissions api errors
RJ 2024-09-18 14:53:52 +10:00 committed by GitHub
parent 2e3013555e
commit ec29880e3e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 43 additions and 3 deletions


@ -0,0 +1,4 @@
Significance: minor
Type: fix
Added pre-API call permission checks for some API calls that were being called on non-admin accessible screens


@ -10,11 +10,14 @@ import { apiFetch } from '@wordpress/data-controls';
import { NAMESPACE } from '../constants'; import { NAMESPACE } from '../constants';
import { setNotes, setNotesQuery, setError } from './actions'; import { setNotes, setNotesQuery, setError } from './actions';
import { NoteQuery, Note } from './types'; import { NoteQuery, Note } from './types';
import { checkUserCapability } from '../utils';
export function* getNotes( query: NoteQuery = {} ) { export function* getNotes( query: NoteQuery = {} ) {
const url = addQueryArgs( `${ NAMESPACE }/admin/notes`, query ); const url = addQueryArgs( `${ NAMESPACE }/admin/notes`, query );
try { try {
yield checkUserCapability( 'manage_woocommerce' );
const notes: Note[] = yield apiFetch( { const notes: Note[] = yield apiFetch( {
path: url, path: url,
} ); } );
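Review bot: The new `yield checkUserCapability( 'manage_woocommerce' );` sits inside the same `try` as the `apiFetch`, so a user without the capability now throws an `Error` into the existing `catch` instead of receiving a 403 from the endpoint; that `catch` is outside the hunk, and if it hands the error to `setError` (imported above) the store still records a failure for these users, which may not match the "no permissions api errors" intent. Consider placing the check ahead of the `try` so the generic API error path is not taken, or having the `catch` recognise the capability error and return quietly, e.g. `if ( error instanceof Error && error.message.endsWith( 'capability.' ) ) return;` (hedged: the catch body is not visible here). The same placement applies to `getTaskLists` in the tasks resolver and to the three plugin resolvers in this commit. The body of `getNotes` continues outside the hunk.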


@ -31,6 +31,7 @@ import {
TaskListType, TaskListType,
} from './types'; } from './types';
import { Plugin } from '../plugins/types'; import { Plugin } from '../plugins/types';
import { checkUserCapability } from '../utils';
const resolveSelect = const resolveSelect =
controls && controls.resolveSelect ? controls.resolveSelect : select; controls && controls.resolveSelect ? controls.resolveSelect : select;
@ -68,6 +69,8 @@ export function* getEmailPrefill() {
export function* getTaskLists() { export function* getTaskLists() {
const deprecatedTasks = new DeprecatedTasks(); const deprecatedTasks = new DeprecatedTasks();
try { try {
yield checkUserCapability( 'manage_woocommerce' );
const results: TaskListType[] = yield apiFetch( { const results: TaskListType[] = yield apiFetch( {
path: WC_ADMIN_NAMESPACE + '/onboarding/tasks', path: WC_ADMIN_NAMESPACE + '/onboarding/tasks',
method: deprecatedTasks.hasDeprecatedTasks() ? 'POST' : 'GET', method: deprecatedTasks.hasDeprecatedTasks() ? 'POST' : 'GET',


@ -27,6 +27,7 @@ import {
RecommendedTypes, RecommendedTypes,
JetpackConnectionDataResponse, JetpackConnectionDataResponse,
} from './types'; } from './types';
import { checkUserCapability } from '../utils';
// Can be removed in WP 5.9, wp.data is supported in >5.7. // Can be removed in WP 5.9, wp.data is supported in >5.7.
const resolveSelect = const resolveSelect =
@ -61,6 +62,8 @@ type ConnectJetpackResponse = {
export function* getActivePlugins() { export function* getActivePlugins() {
yield setIsRequesting( 'getActivePlugins', true ); yield setIsRequesting( 'getActivePlugins', true );
try { try {
yield checkUserCapability( 'manage_woocommerce' );
const url = WC_ADMIN_NAMESPACE + '/plugins/active'; const url = WC_ADMIN_NAMESPACE + '/plugins/active';
const results: PluginGetResponse = yield apiFetch( { const results: PluginGetResponse = yield apiFetch( {
path: url, path: url,
@ -77,6 +80,8 @@ export function* getInstalledPlugins() {
yield setIsRequesting( 'getInstalledPlugins', true ); yield setIsRequesting( 'getInstalledPlugins', true );
try { try {
yield checkUserCapability( 'manage_woocommerce' );
const url = WC_ADMIN_NAMESPACE + '/plugins/installed'; const url = WC_ADMIN_NAMESPACE + '/plugins/installed';
const results: PluginGetResponse = yield apiFetch( { const results: PluginGetResponse = yield apiFetch( {
path: url, path: url,
@ -111,6 +116,8 @@ export function* getJetpackConnectionData() {
yield setIsRequesting( 'getJetpackConnectionData', true ); yield setIsRequesting( 'getJetpackConnectionData', true );
try { try {
yield checkUserCapability( 'manage_woocommerce' );
const url = JETPACK_NAMESPACE + '/connection/data'; const url = JETPACK_NAMESPACE + '/connection/data';
const results: JetpackConnectionDataResponse = yield apiFetch( { const results: JetpackConnectionDataResponse = yield apiFetch( {
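Review bot: `yield setIsRequesting( 'getActivePlugins', true );` is dispatched before the `try`, and the capability check added just inside it can now throw before any request is made, so the `catch`/`finally` (outside the hunk) must reset the requesting flag on this path or the store stays in a loading state for users lacking `manage_woocommerce`. Moving `yield checkUserCapability( 'manage_woocommerce' );` above the `setIsRequesting( …, true )` line avoids recording an in-flight request that will never be made; otherwise please confirm the existing handler clears it. The same ordering applies to `getInstalledPlugins` and `getJetpackConnectionData` below. All three generator bodies continue outside their hunks.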


@ -2,14 +2,15 @@
* External dependencies * External dependencies
*/ */
import { addQueryArgs } from '@wordpress/url'; import { addQueryArgs } from '@wordpress/url';
import { apiFetch } from '@wordpress/data-controls'; import { apiFetch, select } from '@wordpress/data-controls';
/** /**
* Internal dependencies * Internal dependencies
*/ */
import { BaseQueryParams } from './types/query-params'; import { BaseQueryParams } from './types/query-params';
import { fetchWithHeaders } from './controls'; import { fetchWithHeaders } from './controls';
import { USER_STORE_NAME } from './user';
import { WCUser } from './user/types';
function replacer( _: string, value: unknown ) { function replacer( _: string, value: unknown ) {
if ( value ) { if ( value ) {
if ( Array.isArray( value ) ) { if ( Array.isArray( value ) ) {
@ -100,3 +101,20 @@ export function* request< Query extends BaseQueryParams, DataType >(
return { items: response.data, totalCount }; return { items: response.data, totalCount };
} }
} }
/**
* Utility function to check if the current user has a specific capability.
*
* @param {string} capability - The capability to check (e.g. 'manage_woocommerce').
* @throws {Error} If the user does not have the required capability.
*/
export function* checkUserCapability( capability: string ) {
const currentUser: WCUser< 'capabilities' > = yield select(
USER_STORE_NAME,
'getCurrentUser'
);
if ( ! currentUser.capabilities[ capability ] ) {
throw new Error( `User does not have ${ capability } capability.` );
}
}
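Review bot: `currentUser.capabilities[ capability ]` in `checkUserCapability` dereferences `capabilities` unguarded, so if `getCurrentUser` resolves to a user object without that field (or to `undefined` before the user has loaded) the helper fails with a TypeError rather than the intended `Error`; a guarded access costs nothing: `if ( ! currentUser?.capabilities?.[ capability ] ) {`. The hunk also imports `select` from `@wordpress/data-controls`, which appears to be the deprecated control — the other resolvers in this commit prefer `controls.resolveSelect` and only fall back to it (`controls && controls.resolveSelect ? controls.resolveSelect : select`), so using `controls.resolveSelect` here would match them and avoid a deprecation notice. The docstring should state that this is a client-side convenience to avoid predictable 403 responses and not an authorization boundary, since the REST endpoints' permission callbacks remain the enforcing check, and the `{string}`/`{Error}` JSDoc type tags can be dropped because the TypeScript signature already carries them.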


@ -269,7 +269,8 @@ export const ActivityPanel = ( { isEmbedded, query } ) => {
visible: visible:
( isEmbedded || ! isHomescreen ) && ( isEmbedded || ! isHomescreen ) &&
! isPerformingSetupTask() && ! isPerformingSetupTask() &&
! isProductScreen(), ! isProductScreen() &&
currentUserCan( 'manage_woocommerce' ),
}; };
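Review bot: `currentUserCan( 'manage_woocommerce' )` in the `visible` expression is a UI gate only and deserves a comment saying so, so a later reader does not treat it as the place where access is enforced: `// Hide the panel for users without manage_woocommerce; the REST endpoints' permission callbacks remain the authorization boundary.` `currentUserCan` is imported outside the hunk, and the `ActivityPanel` component body continues on both sides of it.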
const feedback = { const feedback = {


@ -0,0 +1,4 @@
Significance: minor
Type: fix
Added pre-API call permission checks for some API calls that were being called on non-admin accessible screens