From 0964715bc050d3f98a0d7e88bc6586efc811303f Mon Sep 17 00:00:00 2001
From: Brian Hogg
Date: Mon, 15 Jan 2024 15:22:05 -0500
Subject: [PATCH 1/2] Adding nonce to course clone link

---
 includes/admin/post-types/class.llms.post.tables.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/includes/admin/post-types/class.llms.post.tables.php b/includes/admin/post-types/class.llms.post.tables.php
index 49a0791b16..eace590d08 100644
--- a/includes/admin/post-types/class.llms.post.tables.php
+++ b/includes/admin/post-types/class.llms.post.tables.php
@@ -59,7 +59,7 @@ public function add_links( $actions, $post ) {
 ),
 admin_url( 'edit.php' )
 );
- $actions['llms-clone'] = '' . __( 'Clone', 'lifterlms' ) . '';
+ $actions['llms-clone'] = '' . __( 'Clone', 'lifterlms' ) . '';
 }
 
 if ( current_user_can( 'edit_course', $post->ID ) && post_type_supports( $post->post_type, 'llms-export-post' ) ) {
@@ -84,6 +84,7 @@ public function add_links( $actions, $post ) {
 * @since 3.3.0
 * @since 3.33.1 Use `llms_filter_input` to access `$_GET` and `$_POST` data.
 * @since 3.33.1 Use `edit_course` cap instead of `edit_post` cap.
+ * @since [version] Adding nonce to course clone links
 *
 * @return void
 */
@@ -135,6 +136,9 @@ public function handle_link_actions() {
 break;
 
 case 'llms-clone-post':
+ if ( ! wp_verify_nonce( sanitize_key( $_GET['llms_clone_post_nonce'] ), 'llms_clone_post' ) ) {
+ wp_die( __( 'You are not authorized to perform this action on the current post.', 'lifterlms' ) );
+ }
 $r = $post->clone_post();
 if ( is_wp_error( $r ) ) {
 LLMS_Admin_Notices::flash_notice( $r->get_error_message(), 'error' );

From 00a87a26cbf93f4b0ec9d85ae445dba88b22a3fc Mon Sep 17 00:00:00 2001
From: Brian Hogg
Date: Mon, 15 Jan 2024 15:32:19 -0500
Subject: [PATCH 2/2] Adding changelog

---
 .changelogs/fix_clone-csrf.yml | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelogs/fix_clone-csrf.yml
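Review bot: In the new `case 'llms-clone-post':` branch, `$_GET['llms_clone_post_nonce']` is read with no existence check, so a request that simply omits the parameter raises an undefined-index warning and hands `null` to `sanitize_key()` before `wp_verify_nonce()` gets to reject it. The docblock in the second hunk says this method reaches `$_GET` through `llms_filter_input`, so the check should either use that path or guard explicitly, e.g. `$nonce = isset( $_GET['llms_clone_post_nonce'] ) ? sanitize_key( wp_unslash( $_GET['llms_clone_post_nonce'] ) ) : '';` followed by `if ( ! wp_verify_nonce( $nonce, 'llms_clone_post' ) ) {`. The nonce action `'llms_clone_post'` is not bound to the target post; `$post` is already resolved when this branch runs (it is used on the next line), so binding the action to it on both the generating and verifying side, as WordPress core does for its per-post links, would keep a nonce issued for one course from being accepted for another. The anchor in the first hunk lost its `<a>` markup in rendering, so the pairing of nonce action and `llms_clone_post_nonce` query name with the `wp_nonce_url()` call cannot be confirmed from this page. The enclosing `switch` and `handle_link_actions()` begin and end outside the hunk.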
diff --git a/.changelogs/fix_clone-csrf.yml b/.changelogs/fix_clone-csrf.yml
new file mode 100644
index 0000000000..f0b6bf88a6
--- /dev/null
+++ b/.changelogs/fix_clone-csrf.yml
@@ -0,0 +1,3 @@
+significance: patch
+type: security
+entry: Added nonce for course clone link. (Thanks, Dhabaleshwar Das)