From fe695ef3b8e38b076c3887b2551f657cbfa2d3ac Mon Sep 17 00:00:00 2001
From: Sabbir Ahmed
Date: Thu, 13 Dec 2018 02:03:50 +0600
Subject: [PATCH] fix: promo notice nonce checking and permission checking
---
 includes/admin/class-admin.php | 5 +++--
 includes/admin/class-ajax.php | 13 +++++++++++--
 lib/promotions.php | 11 ++++++++++-
 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/includes/admin/class-admin.php b/includes/admin/class-admin.php
index 7f97357333..8419fee1d5 100755
--- a/includes/admin/class-admin.php
+++ b/includes/admin/class-admin.php
@@ -64,8 +64,9 @@ public function promotional_offer() {
 jQuery('body').on('click', '#dokan-christmas-notice .notice-dismiss', function(e) {
 e.preventDefault();
- wp.ajax.post('dokan-dismiss-christmas-offer-notice', {
- dokan_christmas_dismissed: true
+ wp.ajax.post( 'dokan-dismiss-christmas-offer-notice', {
+ dokan_christmas_dismissed: true,
+ nonce: dokan.nonce
 });
 });
diff --git a/includes/admin/class-ajax.php b/includes/admin/class-ajax.php
index 923676e166..ed829e8d5d 100644
--- a/includes/admin/class-ajax.php
+++ b/includes/admin/class-ajax.php
@@ -15,7 +15,6 @@ class Dokan_Admin_Ajax {
 function __construct() {
 add_action( 'wp_ajax_dokan_withdraw_form_action', array( $this, 'handle_withdraw_action' ) );
 add_action( 'wp_ajax_dokan-dismiss-christmas-offer-notice', array( $this, 'dismiss_christmas_offer' ) );
- // add_action( 'wp_ajax_dokan-dismiss-promotional-offer-notice', array( $this, 'dismiss_promotional_offer' ) );
 }
 /**
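Review bot: The request now sends `nonce: dokan.nonce`, but nothing in this hunk shows where the `dokan` object is localized on the admin screen that renders this notice; if the script defining it is not enqueued there, the new server-side check in class-ajax.php will reject every dismissal with 'Invalid nonce'. Worth confirming that the localized value is created with `wp_create_nonce( 'dokan_admin' )`, since that is the action the handler verifies against. The same point applies to the `nonce: dokan.nonce` added to the ajax data in lib/promotions.php. The enclosing promotional_offer() method starts and ends outside the hunk.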
@@ -117,10 +116,20 @@ function handle_withdraw_action() {
 * @return void
 */
 public function dismiss_christmas_offer() {
+ if ( ! current_user_can( 'manage_options' ) ) {
+ wp_send_json_error( __( 'You have no permission to do that', 'dokan' ) );
+ }
+
+ if ( ! wp_verify_nonce( $_POST['nonce'], 'dokan_admin' ) ) {
+ wp_send_json_error( __( 'Invalid nonce', 'dokan' ) );
+ }
+
+ error_log( print_r( $_POST, true ) );
+
 if ( ! empty( $_POST['dokan_christmas_dismissed'] ) ) {
 $offer_key = 'dokan_christmas_notice';
 update_option( $offer_key, 'hide' );
 }
 }
-}
\ No newline at end of file
+}
diff --git a/lib/promotions.php b/lib/promotions.php
index c75cd6aaaf..799fb4fc4c 100644
--- a/lib/promotions.php
+++ b/lib/promotions.php
@@ -159,7 +159,8 @@ public function show_promotions() {
 data: {
 dokan_upgrade_promotion_dismissed: true,
 key: key,
- promo_key: promo_key
+ promo_key: promo_key,
+ nonce: dokan.nonce
 },
 complete: function( resp ) {
 self.closest('.dokan-upgrade-promotional-notice').fadeOut(200);
@@ -179,6 +180,14 @@ public function show_promotions() {
 * @return void
 */
 public function dismiss_upgrade_promo() {
+ if ( ! current_user_can( 'manage_options' ) ) {
+ wp_send_json_error( __( 'You have no permission to do that', 'dokan-lite' ) );
+ }
+
+ if ( ! wp_verify_nonce( $_POST['nonce'], 'dokan_admin' ) ) {
+ wp_send_json_error( __( 'Invalid nonce', 'dokan-lite' ) );
+ }
+
 if ( isset( $_POST['dokan_upgrade_promotion_dismissed'] ) && $_POST['dokan_upgrade_promotion_dismissed'] ) {
 $promo_option_key = $_POST['promo_key'];
 $promo_last_display_time = $_POST['promo_key'] . '_displayed_time';
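Review bot: `error_log( print_r( $_POST, true ) );` in dismiss_christmas_offer() is leftover debugging that writes the whole request body, nonce included, to the PHP error log on every dismissal; drop that line before merging. The nonce check also reads `$_POST['nonce']` without an `isset()` guard, so a request lacking the field raises an undefined-index notice before `wp_verify_nonce()` returns false; `check_ajax_referer( 'dokan_admin', 'nonce' )` does the existence check and verification in one call, and the same applies to the dismiss_upgrade_promo() hunk in lib/promotions.php. Verifying the nonce before the capability check is the usual order, so a forged request is rejected before any user lookup, though both branches end in wp_send_json_error() here. The text domain is 'dokan' in this file but 'dokan-lite' for the identical strings in lib/promotions.php, so one of the two will not pick up translations.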
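Review bot: After the new checks pass, `$_POST['promo_key']` is still used raw as `$promo_option_key` and as the base for `$promo_last_display_time`; the admin-only gate narrows who can reach this code, but the value should still go through `sanitize_key()` (or be matched against the known set of promo keys) before it is used to build option names. The nonce lookup reads `$_POST['nonce']` without `isset()`, the same issue raised on the dismiss_christmas_offer() hunk. The function body continues past the end of the hunk, so I cannot see whether the key is validated further down.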