fix: add nonce on request protect files

2024-02-26 11:46:29 -03:00 · 2024-02-26 11:46:29 -03:00 · e7c8872049
parent 65f96ff558
commit e7c8872049
2 changed files with 9 additions and 3 deletions
--- a/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php
+++ b/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php
@ -244,6 +244,8 @@ class REST_Background_Processes_Controller extends REST_Controller {
    public function prepare_item_for_response($item, $request) {
        $item->log = $this->get_log_url($item->ID, $item->action);
        $item->error_log = $this->get_log_url($item->ID, $item->action, 'error');
+        $nonce = wp_create_nonce( 'wp_rest' );
+        $item->output = str_replace("&_wpnonce=[nonce]", "&_wpnonce=$nonce", $item->output);
        return $item;
    }

@ -351,7 +353,8 @@ class REST_Background_Processes_Controller extends REST_Controller {
        if (!file_exists( $upload_url['basedir'] . '/tainacan/' . $filename )) {
            return null;
        }
-        $logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename";
+        $nonce = wp_create_nonce( 'wp_rest' );
+        $logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename&_wpnonce=$nonce";
        return $logs_url;
    }

--- a/src/classes/exporter/class-tainacan-exporter.php
+++ b/src/classes/exporter/class-tainacan-exporter.php
@ -700,7 +700,7 @@ abstract class Exporter {
 		}
 		$file_name = "{$upload_dir}{$file_suffix}";
 		$guid = "exporter/{$prefix}_{$key}";
-		$file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid";
+		$file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid&_wpnonce=[nonce]";
 		$this->output_files[$key] = [
 			'filename' => $file_name,
 			'url' => $file_url
@ -776,7 +776,10 @@ abstract class Exporter {
 			$user = get_userdata( (int) $author );
 			if ($user instanceof \WP_User) {
 				$msg = $this->get_output();
-				$this->add_log('Sending email to ' . $user->user_email);
+				$email_parts = explode('@', $user->user_email);
+				$first_letter = substr($email_parts[0], 0, 1);
+				$anonymized_email = $first_letter . '*****@' . $email_parts[1];
+				$this->add_log('Sending email to ' . $anonymized_email);
 				wp_mail($user->user_email, __('Finished export.', 'tainacan'), $msg);
 			}