Better nonceing on the story-getting portion

INN · Jun 23, 2016 · 3fd7429 · 3fd7429
1 parent d5c5d67
commit 3fd7429
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/get_stories.php b/get_stories.php
@@ -79,10 +79,26 @@ function load_page_hook() {
             if ( isset($_POST['createDaft'] ) ){
             	$publish = false;
             }
+			if ( ! check_admin_referer('nprstory_nonce_story_id', 'nprstory_nonce_story_id_field') ) {
+				wp_die(
+					__('Nonce did not verify in DS_NPR_API::load_page_hook. Are you sure you should be doing this?'),
+					__('NPR Story API Error'),
+					403
+				);
+			}
         } else if ( isset( $_GET['story_id']) && isset( $_GET['create_draft'] ) ) {
             $story_id = $_GET['story_id'];
         }
 
+		// if the current user shouldn't be doing this, fail
+		if ( ! current_user_can('edit_posts') ) {
+			wp_die(
+				__('You do not have permission to edit posts, and therefore you do not have permission to pull posts from the NPR API'),
+				__('NPR Story API Error'),
+				403
+			);
+		}
+
 		// try to get the ID of the story from the URL
         if ( isset( $story_id ) ) {
             //check to see if we got an ID or a URL

diff --git a/get_stories_ui.php b/get_stories_ui.php
@@ -122,6 +122,7 @@ function nprstory_get_stories() {
             <div style="float: left;">
                 <form action="" method="POST">
                     Enter an NPR Story ID or URL: <input type="text" name="story_id" value="<?php echo esc_attr($story_id)?>" />
+					<?php wp_nonce_field('nprstory_nonce_story_id', 'nprstory_nonce_story_id_field'); ?>
                     <input type="submit" name='createDaft' value="Create Draft" />
                     <input type="submit" name='publishNow' value="Publish Now" />
                 </form>