From 396d4b7805493b7b7b4ae50916f59708da2bbe90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20D=C4=9Bdi=C4=8D?=
Date: Mon, 14 Feb 2022 12:43:24 +0100
Subject: [PATCH] Added nonce verification to user connecting

---
 src/src/auth/ConnectAndDisconnectWpAccount.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/src/auth/ConnectAndDisconnectWpAccount.php b/src/src/auth/ConnectAndDisconnectWpAccount.php
index 9e2e17f5..02707069 100644
--- a/src/src/auth/ConnectAndDisconnectWpAccount.php
+++ b/src/src/auth/ConnectAndDisconnectWpAccount.php
@@ -76,8 +76,13 @@ public function connect() {
 }
 
 public function connectWpUserToSkautis() {
- if ( ! $this->skautisLogin->isUserLoggedInSkautis() || ! Helpers::userIsSkautisManager() || empty( $_GET['ReturnUrl'] ) ) {
- return;
+ if ( ! isset( $_GET[SKAUTISINTEGRATION_NAME. '_connect_user_nonce'] ) ||
+ ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET[SKAUTISINTEGRATION_NAME. '_connect_user_nonce'] ) ), SKAUTISINTEGRATION_NAME. '_connect_user' ) ||
+ ! $this->skautisLogin->isUserLoggedInSkautis() ||
+ ! Helpers::userIsSkautisManager() ||
+ empty( $_GET['ReturnUrl'] )
+ ) {
+ wp_die( esc_html__( 'Nemáte oprávnění k propojování uživatelů.', 'skautis-integration' ), esc_html__( 'Neautorizovaný přístup', 'skautis-integration' ) );
 }
 
 if ( ! isset( $_GET['wpUserId'], $_GET['skautisUserId'] ) ) {
@@ -97,7 +102,7 @@ public function getConnectWpUserToSkautisUrl(): string {
 $returnUrl = add_query_arg( SKAUTISINTEGRATION_NAME . '_connectWpAccountWithSkautis', wp_create_nonce( SKAUTISINTEGRATION_NAME . '_connectWpAccountWithSkautis' ), $returnUrl );
 $url = add_query_arg( 'ReturnUrl', urlencode( $returnUrl ), get_home_url( null, 'skautis/auth/' . Actions::CONNECT_WP_USER_TO_SKAUTIS_ACTION ) );
 
- return esc_url( $url );
+ return esc_url( wp_nonce_url( $url, SKAUTISINTEGRATION_NAME. '_connect_user', SKAUTISINTEGRATION_NAME. '_connect_user_nonce' ) );
 }
 
 public function disconnect() {
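Review bot: The new `wp_die()` call in `connectWpUserToSkautis()` passes only a message and a title, so WordPress answers the rejected request with its default 500 status; an authorization failure should carry `array( 'response' => 403 )` as the third argument so logs and monitoring classify it as a denied request rather than a server error. The nonce action `SKAUTISINTEGRATION_NAME . '_connect_user'` is not bound to the `wpUserId`/`skautisUserId` values the function reads a few lines further down, so one valid nonce appears to authorize connecting any user pair for the nonce lifetime — if that is unintended, folding the target id into the action string here and in `getConnectWpUserToSkautisUrl()` would tighten it, though where those ids are added to the URL is not visible in this patch. An empty `ReturnUrl` now also yields the "no permission" message, which misdescribes what is a malformed request. Style: `SKAUTISINTEGRATION_NAME. '_connect_user'` drops the space before `.` that the neighbouring `SKAUTISINTEGRATION_NAME . '_connectWpAccountWithSkautis'` lines use; the same applies to the `wp_nonce_url()` line in the second hunk. The body of `connectWpUserToSkautis()` continues past the end of this hunk.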
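Review bot: `wp_nonce_url()` returns its result through `esc_html()`, so the `&` separating `ReturnUrl` from the new nonce parameter comes back as `&amp;` before `esc_url()` runs on it; that is fine when `getConnectWpUserToSkautisUrl()`'s return value is printed into an HTML attribute, but if any caller hands it to `wp_redirect()` or emits it as a raw link the query string reaches the server entity-encoded and the nonce parameter name is mangled, which would make the check added in the first hunk fail for legitimate requests. If a raw URL is needed, build it with `add_query_arg( SKAUTISINTEGRATION_NAME . '_connect_user_nonce', wp_create_nonce( SKAUTISINTEGRATION_NAME . '_connect_user' ), $url )` and escape at the point of output instead. The callers of this method are not visible in the patch, so this is conditional on how the value is consumed.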