Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check authorization on 'save_new_alert' AJAX action #1391

Merged
merged 1 commit into from
Jan 9, 2023
Merged

Check authorization on 'save_new_alert' AJAX action #1391

merged 1 commit into from
Jan 9, 2023

Conversation

schlessera
Copy link
Contributor

@schlessera schlessera commented Jan 9, 2023
edited
Loading

The logic in save_new_alert AJAX action does only check for a valid nonce, but not for authorization. This makes it possible to reuse a valid nonce and trigger the save_new_alert with an unauthorized or unauthenticated user.

This PR adds an authorization check to save_new_alert (as well as to get_new_alert_triggers_notifications, which could be used to retrieve a nonce as an authenticated but unauthorized user), and adds corresponding tests to ensure both wanted and unwanted requests behave as expected with regards to alert creation.

Props to @marcS0H for the report.

Checklist

  • Project documentation has been updated to reflect the changes in this pull request, if applicable.
  • I have tested the changes in the local development environment (see contributing.md).
  • I have added phpunit tests.

@schlessera schlessera requested a review from kasparsd January 9, 2023 16:24
schlessera
schlessera commented Jan 9, 2023
View reviewed changes
classes/class-alerts.php
@@ -509,6 +509,7 @@ public function change_menu_link_url() {
* @return void
*/
public function display_notification_box( $post = array() ) {
$alert = null;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was added to avoid PHP notices for the use of a non-initialized variable.

kasparsd
kasparsd approved these changes Jan 9, 2023
View reviewed changes
Copy link
Contributor

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great, thanks!

@kasparsd kasparsd merged commit 9882d22 into develop Jan 9, 2023
@kasparsd kasparsd deleted the fix/save-alert-authorisation branch January 9, 2023 16:31
@schlessera schlessera mentioned this pull request Jan 10, 2023
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kasparsd kasparsd kasparsd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@schlessera @kasparsd