PLUGINS-6828

Ecwid · Nov 25, 2023 · 1a4b206 · 1a4b206
1 parent 38db780
commit 1a4b206
Show file tree

Hide file tree

Showing 5 changed files with 192 additions and 133 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,13 @@
 .DS_Store
 .idea
 .vscode
-/WordPress
+/WordPress
+.phpcs.xml.dist
+.phpunit.result.cache
+.travis.yml
+bin/
+composer.json
+composer.lock
+phpunit.xml.dist
+tests/
+vendor/
diff --git a/includes/class-ecwid-admin-storefront-page.php b/includes/class-ecwid-admin-storefront-page.php
@@ -2,6 +2,8 @@
 class Ecwid_Admin_Storefront_Page {
 
 	const ADMIN_SLUG = 'ec-storefront-settings';
+	const NONCE_SLUG = 'ecwid-admin-storefront';
+
 	public static $templates_dir;
 
 	public function __construct() {
@@ -94,6 +96,14 @@ public static function do_page() {
 
 		wp_enqueue_script( 'ecwid-admin-storefront-js', ECWID_PLUGIN_URL . 'js/admin-storefront.js', array(), get_option( 'ecwid_plugin_version' ) );
 
+        wp_localize_script(
+            'ecwid-admin-storefront-js',
+            'EcwidAdminStorefront', 
+            array(
+                '_ajax_nonce' => wp_create_nonce( self::NONCE_SLUG )
+            )
+        );
+
 		Ecwid_Admin_UI_Framework::print_fix_js();
 		require_once self::$templates_dir . 'main.php';
 	}
@@ -120,6 +130,10 @@ public static function get_page_data( $page_id ) {
 	}
 
 	public function ajax_set_status() {
+        if ( ! check_ajax_referer( self::NONCE_SLUG ) ) {
+            die();
+        }
+
 		if ( ! current_user_can( Ecwid_Admin::get_capability() ) ) {
 			die();
 		}
@@ -158,6 +172,10 @@ public function ajax_set_status() {
 	}
 
 	public function ajax_set_store_on_front() {
+        if ( ! check_ajax_referer( self::NONCE_SLUG ) ) {
+            die();
+        }
+
 		if ( ! current_user_can( Ecwid_Admin::get_capability() ) ) {
 			die();
 		}
@@ -189,6 +207,10 @@ public function ajax_set_store_on_front() {
 	}
 
 	public function ajax_set_mainpage() {
+        if ( ! check_ajax_referer( self::NONCE_SLUG ) ) {
+            die();
+        }
+
 		if ( ! current_user_can( Ecwid_Admin::get_capability() ) ) {
 			die();
 		}
@@ -222,6 +244,10 @@ public function ajax_set_mainpage() {
 	}
 
 	public function ajax_set_display_cart_icon() {
+        if ( ! check_ajax_referer( self::NONCE_SLUG ) ) {
+            die();
+        }
+
 		if ( ! current_user_can( Ecwid_Admin::get_capability() ) ) {
 			die();
 		}
@@ -239,6 +265,10 @@ public function ajax_set_display_cart_icon() {
 	}
 
 	public function ajax_set_page_slug() {
+        if ( ! check_ajax_referer( self::NONCE_SLUG ) ) {
+            die();
+        }
+
 		if ( ! current_user_can( Ecwid_Admin::get_capability() ) ) {
 			die();
 		}
@@ -285,6 +315,10 @@ public function ajax_set_page_slug() {
 	}
 
 	public function ajax_create_page() {
+        if ( ! check_ajax_referer( self::NONCE_SLUG ) ) {
+            die();
+        }
+
 		if ( ! current_user_can( Ecwid_Admin::get_capability() ) ) {
 			die();
 		}

diff --git a/includes/class-ecwid-product-popup.php b/includes/class-ecwid-product-popup.php
@@ -51,6 +51,10 @@ public function init_current_screen() {
 	}
 
 	public function save_display_params() {
+        if ( ! check_ajax_referer( 'ecwid-product-popup' ) ) {
+            die();
+        }
+
 		if ( ! is_admin() || ! current_user_can( Ecwid_Admin::get_capability() ) ) {
 			return;
 		}
@@ -123,6 +127,14 @@ public function add_scripts() {
 		wp_enqueue_style( 'ecwid-product-popup', ECWID_PLUGIN_URL . 'css/product-popup.css', array(), get_option( 'ecwid_plugin_version' ) );
 		wp_enqueue_script( 'ecwid-product-popup', ECWID_PLUGIN_URL . 'js/product-popup.js', array(), get_option( 'ecwid_plugin_version' ), false );
 
+        wp_localize_script(
+            'ecwid-product-popup',
+            'EcwidProductPopup', 
+            array(
+                '_ajax_nonce' => wp_create_nonce( 'ecwid-product-popup' )
+            )
+        );
+
 		$data = array();
 		if ( ! Ecwid_Api_V3::get_token() ) {
 			$data = array( 'no_token' => 1 );

diff --git a/js/admin-storefront.js b/js/admin-storefront.js
@@ -8,7 +8,8 @@ jQuery(document).ready(function () {
 
         var data = {
             action: 'ecwid_storefront_set_status',
-            status: new_status
+            status: new_status,
+            _ajax_nonce: EcwidAdminStorefront._ajax_nonce
         };
 
         jQuery.getJSON(
@@ -29,7 +30,8 @@ jQuery(document).ready(function () {
 
         var data = {
             action: 'ecwid_storefront_set_mainpage',
-            page: page
+            page: page,
+            _ajax_nonce: EcwidAdminStorefront._ajax_nonce
         };
 
         jQuery.getJSON(
@@ -49,7 +51,8 @@ jQuery(document).ready(function () {
 
         var data = {
             action: 'ecwid_storefront_set_' + setting,
-            status: status
+            status: status,
+            _ajax_nonce: EcwidAdminStorefront._ajax_nonce
         };
 
         jQuery.getJSON(
@@ -77,7 +80,8 @@ jQuery(document).ready(function () {
 
         var data = {
             action: 'ecwid_storefront_set_page_slug',
-            slug: slug
+            slug: slug,
+            _ajax_nonce: EcwidAdminStorefront._ajax_nonce
         };
 
         jQuery.getJSON(
@@ -118,7 +122,8 @@ jQuery(document).ready(function () {
         var data = {
             action: 'ecwid_storefront_create_page',
             type: type,
-            item_id: item_id
+            item_id: item_id,
+            _ajax_nonce: EcwidAdminStorefront._ajax_nonce
         };
 
         jQuery.getJSON(