fix: promo notice nonce checking and permission checking

getdokan · Dec 12, 2018 · fe695ef · fe695ef
1 parent d67287b
commit fe695ef
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/includes/admin/class-admin.php b/includes/admin/class-admin.php
@@ -64,8 +64,9 @@ public function promotional_offer() {
                 jQuery('body').on('click', '#dokan-christmas-notice .notice-dismiss', function(e) {
                     e.preventDefault();
 
-                    wp.ajax.post('dokan-dismiss-christmas-offer-notice', {
-                        dokan_christmas_dismissed: true
+                    wp.ajax.post( 'dokan-dismiss-christmas-offer-notice', {
+                        dokan_christmas_dismissed: true,
+                        nonce: dokan.nonce
                     });
                 });
             </script>

diff --git a/includes/admin/class-ajax.php b/includes/admin/class-ajax.php
@@ -15,7 +15,6 @@ class Dokan_Admin_Ajax {
 	function __construct() {
         add_action( 'wp_ajax_dokan_withdraw_form_action', array( $this, 'handle_withdraw_action' ) );
         add_action( 'wp_ajax_dokan-dismiss-christmas-offer-notice', array( $this, 'dismiss_christmas_offer' ) );
-        // add_action( 'wp_ajax_dokan-dismiss-promotional-offer-notice', array( $this, 'dismiss_promotional_offer' ) );
 	}
 
 	/**
@@ -117,10 +116,20 @@ function handle_withdraw_action() {
      * @return void
      */
     public function dismiss_christmas_offer() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( __( 'You have no permission to do that', 'dokan' ) );
+        }
+
+        if ( ! wp_verify_nonce( $_POST['nonce'], 'dokan_admin' ) ) {
+            wp_send_json_error( __( 'Invalid nonce', 'dokan' ) );
+        }
+
+        error_log( print_r( $_POST, true ) );
+
         if ( ! empty( $_POST['dokan_christmas_dismissed'] ) ) {
             $offer_key = 'dokan_christmas_notice';
             update_option( $offer_key, 'hide' );
         }
     }
 
-}
+}
diff --git a/lib/promotions.php b/lib/promotions.php
@@ -159,7 +159,8 @@ public function show_promotions() {
                             data: {
                                 dokan_upgrade_promotion_dismissed: true,
                                 key: key,
-                                promo_key: promo_key
+                                promo_key: promo_key,
+                                nonce: dokan.nonce
                             },
                             complete: function( resp ) {
                                 self.closest('.dokan-upgrade-promotional-notice').fadeOut(200);
@@ -179,6 +180,14 @@ public function show_promotions() {
      * @return void
      */
     public function dismiss_upgrade_promo() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( __( 'You have no permission to do that', 'dokan-lite' ) );
+        }
+
+        if ( ! wp_verify_nonce( $_POST['nonce'], 'dokan_admin' ) ) {
+            wp_send_json_error( __( 'Invalid nonce', 'dokan-lite' ) );
+        }
+
         if ( isset( $_POST['dokan_upgrade_promotion_dismissed'] ) && $_POST['dokan_upgrade_promotion_dismissed'] ) {
             $promo_option_key        = $_POST['promo_key'];
             $promo_last_display_time = $_POST['promo_key'] . '_displayed_time';