
Commit f45f8c0

Merge pull request #1326 from Codeinwp/bugfix/pro/589
Prevent unauthorized access to private charts
2 parents 9e2eb51 + 4547cfa commit f45f8c0

1 file changed

Lines changed: 18 additions & 7 deletions


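--- a/classes/Visualizer/Module/Frontend.php
+++ b/classes/Visualizer/Module/Frontend.php
@@ -153,14 +153,25 @@ public function endpoint_register() {
 ),
 ),
 'permission_callback' => function ( WP_REST_Request $request ) {
-$chart_id = filter_var( sanitize_text_field( $request->get_param( 'chart' ), FILTER_VALIDATE_INT ) );
-if ( ! empty( $chart_id ) && in_array( $request->get_param( 'type' ), array( 'save', 'cancel' ), true ) ) {
-// let save and cancel go without any check as past version of pro
-// did not send the X-WP-Nonce
-// we can change this at a later date.
-return true;
+$chart_id = absint( $request->get_param( 'chart' ) );
+if ( ! $chart_id ) {
+return false;
 }
-return ! empty( $chart_id ) && apply_filters( 'visualizer_pro_show_chart', true, $chart_id );
+
+$chart = get_post( $chart_id );
+if ( ! $chart || Visualizer_Plugin::CPT_VISUALIZER !== $chart->post_type ) {
+return false;
+}
+
+if ( in_array( $request->get_param( 'type' ), array( 'save', 'cancel' ), true ) ) {
+return current_user_can( 'edit_post', $chart_id );
+}
+
+if ( 'publish' !== $chart->post_status ) {
+return current_user_can( 'edit_post', $chart_id );
+}
+
+return apply_filters( 'visualizer_pro_show_chart', true, $chart_id );
 },
 'callback' => array( $this, 'perform_action' ),
 )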
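Review bot: The unpublished-chart branch at new lines 170-172 gates a read on `edit_post`, which is stricter than WordPress's own `read_post` meta capability, so a user who may read private posts but not edit them is denied; if that is the intent, say so in a comment, otherwise `return current_user_can( 'read_post', $chart_id );` mirrors core visibility rules while still rejecting anonymous requests. The save/cancel branch just above it correctly keeps `edit_post`, since those types mutate the chart. The published path still ends in `apply_filters( 'visualizer_pro_show_chart', true, $chart_id )`, so whatever a filter returns is handed straight to the REST layer; `return (bool) apply_filters( 'visualizer_pro_show_chart', true, $chart_id );` would make the boolean contract explicit. A one-line comment above the branches, such as `// Validate id and post type first, require edit rights for mutations or unpublished charts, then let the pro filter decide for published charts.`, would record the decision order for the next maintainer. The enclosing `endpoint_register()` method starts and ends outside the hunk.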
