Prevent unauthorized users from updating chart data #1249
girishpanchal30 wants to merge 2 commits into development from
Pull request overview
This pull request enhances security for the Visualizer plugin's chart data upload functionality by implementing proper nonce verification and user permission checks. The changes prevent unauthorized users from uploading or modifying chart data by verifying that users have the required permissions (edit_posts and edit_post for specific charts) and by using a specific nonce action ('visualizer-upload-data') instead of a generic nonce.
Changes:
- Added 'visualizer-upload-data' action parameter to nonce creation in three files for consistent verification
- Added current_user_can('edit_posts') check before nonce verification in uploadData()
- Added current_user_can('edit_post', $chart_id) check to verify user can edit the specific chart
- Removed nullable type hint from _getChartArray() method parameter
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| classes/Visualizer/Render/Page/Types.php | Added 'visualizer-upload-data' action to nonce creation, but this introduces a bug as _handleTypesPage verifies without action parameter |
| classes/Visualizer/Render/Layout.php | Added 'visualizer-upload-data' action to nonce creation in two locations (correctly matches uploadData verification) |
| classes/Visualizer/Module/Chart.php | Enhanced uploadData() security with nonce action verification and dual capability checks; removed type hint from _getChartArray() |
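As an added illustration, not code from this PR or from the Visualizer plugin, the following handler has the shape the overview above describes: a coarse `edit_posts` gate, then an action-bound nonce check, then a per-chart `edit_post` check. The `viz_example_*` function names, the `nonce` and `chart` request fields, and the form markup are assumptions made for the example; the action string `'visualizer-upload-data'` is the one this PR introduces.

```php
<?php
// Added example, not Visualizer's own code: an upload handler in the shape the
// review overview describes. The viz_example_* names and the 'nonce' / 'chart'
// POST fields are assumptions for illustration; 'visualizer-upload-data' is the
// action string this PR introduces.

// Form side: mint a nonce bound to a specific action, under the same field
// name the handler reads. Equivalent to wp_create_nonce( 'visualizer-upload-data' ).
function viz_example_render_upload_form( $chart_id ) {
    echo '<form method="post" enctype="multipart/form-data">';
    wp_nonce_field( 'visualizer-upload-data', 'nonce' );
    echo '<input type="hidden" name="chart" value="', absint( $chart_id ), '">';
    echo '<input type="file" name="data"><button type="submit">Upload</button>';
    echo '</form>';
}

// Handler side: three checks, in order, each stopping the request on failure.
// Returns the chart ID that passed all checks so the caller can process the file.
function viz_example_upload_data() {
    // 1. Coarse capability gate: anonymous users and roles that cannot edit
    //    posts at all are rejected before any nonce work is done.
    if ( ! current_user_can( 'edit_posts' ) ) {
        viz_example_deny( 'You are not allowed to upload chart data.' );
    }

    // 2. CSRF protection: the token must have been minted for *this* action.
    //    wp_verify_nonce() returns false on failure (1 or 2 on success), so a
    //    nonce created without an action, or for another action, is rejected.
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( false === wp_verify_nonce( $nonce, 'visualizer-upload-data' ) ) {
        viz_example_deny( 'Security check failed.' );
    }

    // 3. Per-object authorization: a valid nonce proves intent, not permission.
    //    The user must be allowed to edit the specific chart post being changed;
    //    an ID of 0 is rejected explicitly rather than left to the capability map.
    $chart_id = isset( $_POST['chart'] ) ? absint( $_POST['chart'] ) : 0;
    if ( 0 === $chart_id || ! current_user_can( 'edit_post', $chart_id ) ) {
        viz_example_deny( 'You are not allowed to edit this chart.' );
    }

    // All three checks passed; the caller may now parse $_FILES['data'].
    return $chart_id;
}

// Stop the request with a 403 and an escaped message; wp_die() never returns.
function viz_example_deny( $message ) {
    wp_die( esc_html( $message ), '', array( 'response' => 403 ) );
}
```

The order mirrors the PR: the cheap capability check runs first so unauthenticated requests never reach nonce validation, and the per-post check runs last because it needs the chart ID that the request supplies. Whatever action string the form uses, the handler must pass exactly the same string to `wp_verify_nonce()`, which is the mismatch the inline comment on Types.php points out.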
| protected function _toHTML() { | ||
| echo '<form method="post" id="viz-types-form">'; | ||
| echo '<input type="hidden" name="nonce" value="', wp_create_nonce(), '">'; | ||
| echo '<input type="hidden" name="nonce" value="', wp_create_nonce( 'visualizer-upload-data' ), '">'; |
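Review bot: the action string added on the last line of this hunk must be mirrored in the verifier that consumes this form; per the inline comment, _handleTypesPage still calls wp_verify_nonce() with no action, so the token minted here will fail that check. Prefer updating the verifier to wp_verify_nonce( $nonce, 'visualizer-upload-data' ) over dropping the action from the form, since the field name 'nonce' is unchanged and only the handler side needs to move.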
There was a problem hiding this comment.
The nonce is created with the action 'visualizer-upload-data', but the corresponding verification in _handleTypesPage (classes/Visualizer/Module/Chart.php:956) calls wp_verify_nonce without providing an action parameter. This mismatch will cause nonce verification to fail. Either use a different action that matches what _handleTypesPage expects (no action), or update _handleTypesPage to verify with the same action parameter.
| echo '<input type="hidden" name="nonce" value="', wp_create_nonce( 'visualizer-upload-data' ), '">'; | |
| echo '<input type="hidden" name="nonce" value="', wp_create_nonce(), '">'; |
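Review bot: this suggestion reverts the form to an action-less nonce, which makes the Types page verify again but drops the action binding this PR is introducing. The other option named in the comment above is the safer resolution: keep wp_create_nonce( 'visualizer-upload-data' ) here and pass the same action to wp_verify_nonce() in _handleTypesPage, so the token is accepted only by the handler it was minted for.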
Summary
Verified the nonce with the proper action and checked that the current user has permission to edit the post.
Check before Pull Request is ready:
Closes https://github.com/Codeinwp/visualizer-pro/issues/516