change(jobs): use nonces

podlove · Feb 21, 2024 · c23da61 · c23da61
1 parent 21fdba8
commit c23da61
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 3 deletions.
diff --git a/includes/scripts_and_styles.php b/includes/scripts_and_styles.php
@@ -113,6 +113,7 @@ function add_type_attribute($tag, $handle, $src)
             [
                 'rest_url' => esc_url_raw(rest_url()),
                 'nonce' => wp_create_nonce('wp_rest'),
+                'nonce_ajax' => wp_create_nonce('podlove_ajax'),
                 'post_id' => get_the_ID(),
             ]
         );

diff --git a/js/src/admin/jobs.js b/js/src/admin/jobs.js
@@ -13,7 +13,8 @@ var PODLOVE = PODLOVE || {};
         $.post(ajaxurl, {
             action: 'podlove-job-create',
             name: name,
-            args: args
+            args: args,
+            nonce: podlove_admin_global.nonce_ajax
         }, 'json').done(function(job) {
             // console.log("create job done", job);
 

diff --git a/js/src/components/JobsDashboard.vue b/js/src/components/JobsDashboard.vue
@@ -96,7 +96,8 @@ export default {
             this.aborting.push(job.id)
             $.getJSON(ajaxurl, {
                 action: 'podlove-job-delete',
-                job_id: job.id
+                job_id: job.id,
+                nonce: podlove_admin_global.nonce_ajax
             })
         },
         isAborting(job) {

diff --git a/lib/ajax/ajax.php b/lib/ajax/ajax.php
@@ -73,6 +73,12 @@ public function episode_next_number()
     public function job_create()
     {
         if (!current_user_can('administrator')) {
+            http_response_code(401);
+            exit;
+        }
+
+        if (!wp_verify_nonce($_REQUEST['nonce'], 'podlove_ajax')) {
+            http_response_code(401);
             exit;
         }
 
@@ -118,8 +124,15 @@ public function job_get()
     public function job_delete()
     {
         if (!current_user_can('administrator')) {
+            http_response_code(401);
             exit;
         }
+
+        if (!wp_verify_nonce($_REQUEST['nonce'], 'podlove_ajax')) {
+            http_response_code(401);
+            exit;
+        }
+
         $job_id = filter_input(INPUT_GET, 'job_id');
         $job = \Podlove\Model\Job::find_by_id($job_id);
 

diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: eteubert
 Donate link: https://opencollective.com/podlove
 Tags: podlove, podcast, publishing, rss, feed, audio, mp3, m4a, player, webplayer, iTunes, radio
 Tested up to: 6.4.3
-Stable tag: 4.0.14
+Stable tag: 4.0.15
 Requires at least: 4.9.6
 Requires PHP: 8.0
 License: MIT
@@ -106,6 +106,10 @@ This product includes GeoLite2 data created by MaxMind, available from http://ww
 
 == Changelog ==
 
+= 4.0.15 =
+
+- security: add nonces to jobs management
+
 = 4.0.14 =
 
 - add: migrate episode license selector user interface