From 3fd7429d82dde04fd2a5f93b0923d93142f67085 Mon Sep 17 00:00:00 2001
From: Ben Keith
Date: Thu, 23 Jun 2016 13:28:16 -0400
Subject: [PATCH] Better nonceing on the story-getting portion
---
 get_stories.php | 16 ++++++++++++++++
 get_stories_ui.php | 1 +
 2 files changed, 17 insertions(+)
diff --git a/get_stories.php b/get_stories.php
index fbd54de..3c82e38 100644
--- a/get_stories.php
+++ b/get_stories.php
@@ -79,10 +79,26 @@ function load_page_hook() {
 if ( isset($_POST['createDaft'] ) ){
 $publish = false;
 }
+ if ( ! check_admin_referer('nprstory_nonce_story_id', 'nprstory_nonce_story_id_field') ) {
+ wp_die(
+ __('Nonce did not verify in DS_NPR_API::load_page_hook. Are you sure you should be doing this?'),
+ __('NPR Story API Error'),
+ 403
+ );
+ }
 } else if ( isset( $_GET['story_id']) && isset( $_GET['create_draft'] ) ) {
 $story_id = $_GET['story_id'];
 }
+ // if the current user shouldn't be doing this, fail
+ if ( ! current_user_can('edit_posts') ) {
+ wp_die(
+ __('You do not have permission to edit posts, and therefore you do not have permission to pull posts from the NPR API'),
+ __('NPR Story API Error'),
+ 403
+ );
+ } + // try to get the ID of the story from the URL
 if ( isset( $story_id ) ) {
 //check to see if we got an ID or a URL
diff --git a/get_stories_ui.php b/get_stories_ui.php
index e7c51ad..3c2bf3a 100644
--- a/get_stories_ui.php
+++ b/get_stories_ui.php
@@ -122,6 +122,7 @@ function nprstory_get_stories() {
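Review bot: The nonce check is added only inside the `$_POST['story_id']` branch, so the `$_GET['story_id']` / `create_draft` path still has no nonce at all and a logged-in user who follows a crafted link gets a draft created on their behalf; move the `check_admin_referer` block out of the POST branch to just before the new `current_user_can` check so it guards both paths, and build the draft links with `wp_nonce_url()` so they carry that nonce. The `! check_admin_referer(...)` branch is, as far as I recall, unreachable: on failure `check_admin_referer()` calls `wp_nonce_ays()` and dies itself, so the custom message and the 403 status are never shown, and if they matter the test should be `wp_verify_nonce( $_POST['nprstory_nonce_story_id_field'], 'nprstory_nonce_story_id' )` instead. `edit_posts` is also the wrong bar when `$publish` is true, since a Contributor holds it but cannot publish, so if the code below publishes on that flag the check should be `current_user_can( ! empty( $publish ) ? 'publish_posts' : 'edit_posts' )`. load_page_hook() starts and ends outside this hunk.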
Enter an NPR Story ID or URL: +