Add a nonce to duplicate and edit actions (#215)

* Add a nonce to duplicate and edit actions

* Add a nonce for the preview URL

* Test that there's a preview link

wp-modules/app/app.php

@@ -27,6 +27,7 @@ function get_app_state() {
 		'patterns'                 => \PatternManager\PatternDataHandlers\get_theme_patterns_with_editor_links(),
 		'patternCategories'        => \WP_Block_Pattern_Categories_Registry::get_instance()->get_all_registered(),
 		'apiNonce'                 => wp_create_nonce( 'wp_rest' ),
+		'previewNonce'             => wp_create_nonce( 'pm_action_pattern_preview' ),
 		'apiEndpoints'             => array(
 			'deletePatternEndpoint'         => get_rest_url( false, 'pattern-manager/v1/delete-pattern/' ),
 			'updateDismissedSitesEndpoint'  => get_rest_url( false, 'pattern-manager/v1/update-dismissed-sites/' ),

wp-modules/app/js/src/components/Patterns/PatternGrid.tsx

@@ -59,11 +59,7 @@ export default function PatternGrid( {
 									<div className="item-pattern-preview">
 										<PatternPreview
 											key={ patternName }
-											url={
-												siteUrl +
-												'?pm_pattern_preview=' +
-												patternData.name
-											}
+											url={ `${ siteUrl }?pm_pattern_preview=${ patternData.name }&_wpnonce=${ patternManager.previewNonce }` }
 											viewportWidth={
 												patternData.viewportWidth ||
 												1280

wp-modules/app/js/src/components/Patterns/PatternGridActions.tsx

@@ -46,7 +46,7 @@ export default function PatternGridActions( { patternData }: Props ) {
 						__( 'Duplicate %1$s', 'pattern-manager' ),
 						patternData.title
 					) }
-					href={ `${ patternManager.siteUrl }/wp-admin/admin.php?post_type=pm_pattern&action=duplicate&name=${ patternData.name }` }
+					href={ patternData.duplicateLink }
 				>
 					<Icon
 						className="item-action-icon"

wp-modules/app/js/src/types.ts

@@ -15,6 +15,7 @@ export type InitialPatternManager = {
 		updateDismissedThemesEndpoint: string;
 	};
 	apiNonce: string;
+	previewNonce: string;
 	patternCategories: QueriedCategories;
 	patterns: Patterns;
 	siteUrl: string;
@@ -24,6 +25,7 @@ export type InitialPatternManager = {
 
 export type Pattern = {
 	content: string;
+	duplicateLink: string;
 	editorLink: string;
 	name: string;
 	slug: string;

wp-modules/app/tests/AppTest.php

@@ -25,6 +25,7 @@ public function test_get_app_state() {
 				'patterns',
 				'patternCategories',
 				'apiNonce',
+				'previewNonce',
 				'apiEndpoints',
 				'siteUrl',
 				'adminUrl',

wp-modules/editor/editor.php

@@ -239,6 +239,7 @@ function enqueue_meta_fields_in_editor() {
 				'getPatternNamesEndpoint' => get_rest_url( false, 'pattern-manager/v1/get-pattern-names/' ),
 			),
 			'apiNonce'          => wp_create_nonce( 'wp_rest' ),
+			'previewNonce'      => wp_create_nonce( 'pm_action_pattern_preview' ),
 			'patternCategories' => \WP_Block_Pattern_Categories_Registry::get_instance()->get_all_registered(),
 			'patternNames'      => get_pattern_names(),
 			'patterns'          => \PatternManager\PatternDataHandlers\get_theme_patterns_with_editor_links(),

wp-modules/editor/js/src/components/SidebarPanels/ViewportWidthPanel.tsx

@@ -51,11 +51,7 @@ export default function ViewportWidthPanel( {
 					/>
 				) : (
 					<PatternPreview
-						url={
-							patternManager.siteUrl +
-							'?pm_pattern_preview=' +
-							currentName
-						}
+						url={ `${ patternManager.siteUrl }?pm_pattern_preview=${ currentName }&_wpnonce=${ patternManager.previewNonce }` }
 						viewportWidth={ currentWidth }
 					/>
 				) ) }

wp-modules/editor/js/src/types.ts

@@ -58,6 +58,7 @@ export type Patterns = {
 export type InitialPatternManager = {
 	activeTheme: string;
 	apiNonce: string;
+	previewNonce: string;
 	apiEndpoints: {
 		getPatternNamesEndpoint: string;
 	};

wp-modules/editor/model.php

@@ -188,10 +188,12 @@ function redirect_pattern_actions() {
 	}
 
 	if ( 'duplicate' === filter_input( INPUT_GET, 'action' ) ) {
+		check_admin_referer( 'pm-pattern-duplicate' );
 		duplicate_pattern( filter_input( INPUT_GET, 'name' ) );
 	}
 
 	if ( 'edit-pattern' === filter_input( INPUT_GET, 'action' ) ) {
+		check_admin_referer( 'pm-pattern-edit' );
 		edit_pattern( filter_input( INPUT_GET, 'name' ) );
 	}
 }

wp-modules/pattern-data-handlers/pattern-data-handlers.php

@@ -166,18 +166,37 @@ function get_theme_patterns_with_editor_links() {
 			);
 			$post  = empty( $query->posts[0] ) ? false : $query->posts[0];
 
-			$pattern['editorLink'] = $post && $post->name === $pattern['name']
-				? get_edit_post_link( $post, 'localized_data' )
-				: add_query_arg(
-					[
-						'post_type' => get_pattern_post_type(),
-						'action'    => 'edit-pattern',
-						'name'      => $pattern['name'],
-					],
-					admin_url()
-				);
-
-			$all_patterns[ $pattern_name ] = $pattern;
+			$duplicate_nonce_action = 'pm-pattern-duplicate';
+			$edit_nonce_action      = 'pm-pattern-edit';
+			$new_pattern            = array_merge(
+				$pattern,
+				[
+					'editorLink'    => $post && $post->name === $pattern['name']
+						? add_query_arg(
+							[ '_wpnonce' => wp_create_nonce( $edit_nonce_action ) ],
+							get_edit_post_link( $post, 'localized_data' ),
+						)
+						: add_query_arg(
+							[
+								'post_type' => get_pattern_post_type(),
+								'action'    => 'edit-pattern',
+								'name'      => $pattern['name'],
+								'_wpnonce'  => wp_create_nonce( $edit_nonce_action ),
+							]
+						),
+					'duplicateLink' => add_query_arg(
+						[
+							'post_type' => get_pattern_post_type(),
+							'action'    => 'duplicate',
+							'name'      => $pattern['name'],
+							'_wpnonce'  => wp_create_nonce( $duplicate_nonce_action ),
+						],
+						admin_url()
+					),
+				]
+			);
+
+			$all_patterns[ $pattern_name ] = $new_pattern;
 		}
 	}
 

wp-modules/pattern-data-handlers/tests/PatternDataHandlersTest.php

@@ -250,6 +250,12 @@ public function test_get_theme_patterns_with_editor_links() {
 		$patterns = get_theme_patterns_with_editor_links();
 
 		$this->assertCount( 2, array_values( $patterns ) );
+		$this->assertTrue(
+			array_key_exists(
+				'duplicateLink',
+				$patterns['my-new-pattern']
+			)
+		);
 		$this->assertTrue(
 			array_key_exists(
 				'editorLink',

wp-modules/pattern-preview-renderer/pattern-preview-renderer.php

@@ -20,15 +20,14 @@
  * Receive pattern id in the URL and display its content. Useful for pattern previews and thumbnails.
  */
 function display_block_pattern_preview() {
-
-	// Nonce not required as the user is not taking any action here.
-	if ( ! isset( $_GET['pm_pattern_preview'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+	if ( ! isset( $_GET['pm_pattern_preview'] ) ) {
 		return;
 	}
 
-	$pattern_name = sanitize_text_field( wp_unslash( $_GET['pm_pattern_preview'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+	check_admin_referer( 'pm_action_pattern_preview' );
 
-	$pattern = \PatternManager\PatternDataHandlers\get_pattern_by_name( $pattern_name );
+	$pattern_name = sanitize_text_field( wp_unslash( $_GET['pm_pattern_preview'] ) );
+	$pattern      = \PatternManager\PatternDataHandlers\get_pattern_by_name( $pattern_name );
 
 	if ( ! isset( $pattern['content'] ) ) {
 		$pattern['content'] = '';