From e7c8872049e6f92cf9864909347b4e30daf6b228 Mon Sep 17 00:00:00 2001
From: vnmedeiros
Date: Mon, 26 Feb 2024 11:46:29 -0300
Subject: [PATCH] fix: add nonce on request protect files

---
 ...class-tainacan-rest-background-processes-controller.php | 5 ++++-
 src/classes/exporter/class-tainacan-exporter.php | 7 +++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php b/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php
index 45d6425d6..8ee93813c 100644
--- a/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php
+++ b/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php
@@ -244,6 +244,8 @@ class REST_Background_Processes_Controller extends REST_Controller {
 public function prepare_item_for_response($item, $request) {
 $item->log = $this->get_log_url($item->ID, $item->action);
 $item->error_log = $this->get_log_url($item->ID, $item->action, 'error');
+ $nonce = wp_create_nonce( 'wp_rest' );
+ $item->output = str_replace("&_wpnonce=[nonce]", "&_wpnonce=$nonce", $item->output);
 return $item;
 }
@@ -351,7 +353,8 @@ class REST_Background_Processes_Controller extends REST_Controller {
 if (!file_exists( $upload_url['basedir'] . '/tainacan/' . $filename )) {
 return null;
 }
- $logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename";
+ $nonce = wp_create_nonce( 'wp_rest' );
+ $logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename&_wpnonce=$nonce";
 return $logs_url;
 }
diff --git a/src/classes/exporter/class-tainacan-exporter.php b/src/classes/exporter/class-tainacan-exporter.php
index 531f8d12d..523a378e9 100644
--- a/src/classes/exporter/class-tainacan-exporter.php
+++ b/src/classes/exporter/class-tainacan-exporter.php
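Review bot: The `str_replace` on the `$item->output` line assigns its result unconditionally, so a null `output` comes back as an empty string (a null subject is coerced to "" for the string parameter, with a deprecation notice on PHP 8.1+); guarding it keeps the field's shape: `if ( is_string( $item->output ) ) { $item->output = str_replace( '&_wpnonce=[nonce]', "&_wpnonce=$nonce", $item->output ); }`. Whether `output` can actually be null at this point is not visible in the hunk, so confirm against the model before adding the guard. The `$nonce` line would also benefit from a comment stating what the token is for, e.g. `// wp_rest nonce: lets the viewing user's cookie session authenticate to the file endpoint; it is not an authorization grant, the endpoint's permission callback remains the control`, since readers may otherwise take the nonce itself as what protects the files.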
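Review bot: The query string on the `$logs_url` line is assembled by string interpolation, so `$filename` goes into the URL unencoded while `_wpnonce` is appended by hand; `add_query_arg` handles encoding and the separator for both: `$logs_url = add_query_arg( [ 'guid' => $filename, '_wpnonce' => $nonce ], rest_url( 'tainacan/v2/bg-processes/file' ) );`. A `wp_rest` nonce is minted for the requesting user's session and expires, so a log link that is stored, emailed or shared will stop validating; a comment on the `$nonce` line such as `// session-bound, expiring wp_rest nonce: generate at response time, never persist` would record that constraint for the next maintainer. The enclosing get_log_url() starts outside the hunk.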
@@ -700,7 +700,7 @@ abstract class Exporter {
 }
 $file_name = "{$upload_dir}{$file_suffix}";
 $guid = "exporter/{$prefix}_{$key}";
- $file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid";
+ $file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid&_wpnonce=[nonce]";
 $this->output_files[$key] = [
 'filename' => $file_name,
 'url' => $file_url
@@ -776,7 +776,10 @@ abstract class Exporter {
 $user = get_userdata( (int) $author );
 if ($user instanceof \WP_User) {
 $msg = $this->get_output();
- $this->add_log('Sending email to ' . $user->user_email);
+ $email_parts = explode('@', $user->user_email);
+ $first_letter = substr($email_parts[0], 0, 1);
+ $anonymized_email = $first_letter . '*****@' . $email_parts[1];
+ $this->add_log('Sending email to ' . $anonymized_email);
 wp_mail($user->user_email, __('Finished export.', 'tainacan'), $msg);
 }
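Review bot: The literal `[nonce]` written into `$file_url` is a placeholder that nothing in this file resolves; it is only swapped for a live `wp_rest` nonce when REST_Background_Processes_Controller::prepare_item_for_response() runs `str_replace` on `output`, so any other consumer of these URLs would ship the placeholder verbatim — the finished-export email at @@ -776 builds its body from `get_output()`, and if that includes these links they arrive broken. That cross-file contract deserves a comment on the `$file_url` line, e.g. `// '[nonce]' is substituted with a per-session wp_rest nonce by the bg-processes REST controller; a real nonce must not be persisted here because it is user- and time-bound`. If the email does carry these URLs, inserting a nonce there would not be the fix either, since the recipient's browser session is not the one a nonce would be minted for; such links need a destination that authenticates normally. The enclosing method starts and ends outside the hunk.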
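Review bot: `$email_parts[1]` on the `$anonymized_email` line is read without checking that `explode` found an `@`, so an empty or malformed `user_email` raises an undefined-array-key warning instead of logging a masked address, and `substr` takes the first byte rather than the first character of a non-ASCII local part. Padding the split and using the multibyte function covers both: `$email_parts = array_pad( explode( '@', $user->user_email, 2 ), 2, '' );` and `$first_letter = mb_substr( $email_parts[0], 0, 1 );`. Masking the address in the log while `wp_mail` still receives the full one is the right split; the enclosing method starts and ends outside the hunk.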