From e4fcfd8f7bc171d2c727a4e0c6f889a2b45f9e02 Mon Sep 17 00:00:00 2001 From: Ryan Kienstra Date: Tue, 31 Oct 2023 11:40:46 -0600 Subject: [PATCH] Add a nonce to duplicate and edit actions (#215) * Add a nonce to duplicate and edit actions * Add a nonce for the preview URL * Test that there's a preview link --- wp-modules/app/app.php | 1 + .../src/components/Patterns/PatternGrid.tsx | 6 +-- .../Patterns/PatternGridActions.tsx | 2 +- wp-modules/app/js/src/types.ts | 2 + wp-modules/app/tests/AppTest.php | 1 + wp-modules/editor/editor.php | 1 + .../SidebarPanels/ViewportWidthPanel.tsx | 6 +-- wp-modules/editor/js/src/types.ts | 1 + wp-modules/editor/model.php | 2 + .../pattern-data-handlers.php | 43 +++++++++++++------ .../tests/PatternDataHandlersTest.php | 6 +++ .../pattern-preview-renderer.php | 9 ++-- 12 files changed, 52 insertions(+), 28 deletions(-) diff --git a/wp-modules/app/app.php b/wp-modules/app/app.php index 3608ddae8..af52724a9 100644 --- a/wp-modules/app/app.php +++ b/wp-modules/app/app.php @@ -27,6 +27,7 @@ function get_app_state() { 'patterns' => \PatternManager\PatternDataHandlers\get_theme_patterns_with_editor_links(), 'patternCategories' => \WP_Block_Pattern_Categories_Registry::get_instance()->get_all_registered(), 'apiNonce' => wp_create_nonce( 'wp_rest' ), + 'previewNonce' => wp_create_nonce( 'pm_action_pattern_preview' ), 'apiEndpoints' => array( 'deletePatternEndpoint' => get_rest_url( false, 'pattern-manager/v1/delete-pattern/' ), 'updateDismissedSitesEndpoint' => get_rest_url( false, 'pattern-manager/v1/update-dismissed-sites/' ), diff --git a/wp-modules/app/js/src/components/Patterns/PatternGrid.tsx b/wp-modules/app/js/src/components/Patterns/PatternGrid.tsx index 8263ae12b..f2ae527ee 100644 --- a/wp-modules/app/js/src/components/Patterns/PatternGrid.tsx +++ b/wp-modules/app/js/src/components/Patterns/PatternGrid.tsx @@ -59,11 +59,7 @@ export default function PatternGrid( {
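Review bot: The nonce action `'pm_action_pattern_preview'` is a bare string literal here and has to stay byte-identical to the literal passed to `check_admin_referer()` in the preview renderer; a single named constant, e.g. `const PREVIEW_NONCE_ACTION = 'pm_action_pattern_preview';` defined once in the preview-renderer module and referenced from both places, would stop the two from drifting silently. Note also that a WordPress nonce is bound to the current user's session and expires after the nonce lifetime (24 hours by default, in two 12-hour ticks), so preview URLs built from this state will start failing verification in an app tab left open longer than that — presumably the app re-fetches this state on page load, which covers the common case, but that is worth confirming. The enclosing `get_app_state()` array begins before and ends after this hunk.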
get_rest_url( false, 'pattern-manager/v1/get-pattern-names/' ), ), 'apiNonce' => wp_create_nonce( 'wp_rest' ), + 'previewNonce' => wp_create_nonce( 'pm_action_pattern_preview' ), 'patternCategories' => \WP_Block_Pattern_Categories_Registry::get_instance()->get_all_registered(), 'patternNames' => get_pattern_names(), 'patterns' => \PatternManager\PatternDataHandlers\get_theme_patterns_with_editor_links(), diff --git a/wp-modules/editor/js/src/components/SidebarPanels/ViewportWidthPanel.tsx b/wp-modules/editor/js/src/components/SidebarPanels/ViewportWidthPanel.tsx index 46facf832..794aa10ed 100644 --- a/wp-modules/editor/js/src/components/SidebarPanels/ViewportWidthPanel.tsx +++ b/wp-modules/editor/js/src/components/SidebarPanels/ViewportWidthPanel.tsx @@ -51,11 +51,7 @@ export default function ViewportWidthPanel( { /> ) : ( posts[0] ) ? false : $query->posts[0]; - $pattern['editorLink'] = $post && $post->name === $pattern['name'] - ? get_edit_post_link( $post, 'localized_data' ) - : add_query_arg( - [ - 'post_type' => get_pattern_post_type(), - 'action' => 'edit-pattern', - 'name' => $pattern['name'], - ], - admin_url() - ); - - $all_patterns[ $pattern_name ] = $pattern; + $duplicate_nonce_action = 'pm-pattern-duplicate'; + $edit_nonce_action = 'pm-pattern-edit'; + $new_pattern = array_merge( + $pattern, + [ + 'editorLink' => $post && $post->name === $pattern['name'] + ? add_query_arg( + [ '_wpnonce' => wp_create_nonce( $edit_nonce_action ) ], + get_edit_post_link( $post, 'localized_data' ), + ) + : add_query_arg( + [ + 'post_type' => get_pattern_post_type(), + 'action' => 'edit-pattern', + 'name' => $pattern['name'], + '_wpnonce' => wp_create_nonce( $edit_nonce_action ), + ] + ), + 'duplicateLink' => add_query_arg( + [ + 'post_type' => get_pattern_post_type(), + 'action' => 'duplicate', + 'name' => $pattern['name'], + '_wpnonce' => wp_create_nonce( $duplicate_nonce_action ), + ], + admin_url() + ), + ] + ); + + $all_patterns[ $pattern_name ] = $new_pattern; } } 
diff --git a/wp-modules/pattern-data-handlers/tests/PatternDataHandlersTest.php b/wp-modules/pattern-data-handlers/tests/PatternDataHandlersTest.php index 7447c952e..a239be0b8 100644 --- a/wp-modules/pattern-data-handlers/tests/PatternDataHandlersTest.php +++ b/wp-modules/pattern-data-handlers/tests/PatternDataHandlersTest.php @@ -250,6 +250,12 @@ public function test_get_theme_patterns_with_editor_links() { $patterns = get_theme_patterns_with_editor_links(); $this->assertCount( 2, array_values( $patterns ) ); + $this->assertTrue( + array_key_exists( + 'duplicateLink', + $patterns['my-new-pattern'] + ) + ); $this->assertTrue( array_key_exists( 'editorLink', diff --git a/wp-modules/pattern-preview-renderer/pattern-preview-renderer.php b/wp-modules/pattern-preview-renderer/pattern-preview-renderer.php index 0adb4c2be..a980dc23b 100644 --- a/wp-modules/pattern-preview-renderer/pattern-preview-renderer.php +++ b/wp-modules/pattern-preview-renderer/pattern-preview-renderer.php @@ -20,15 +20,14 @@ * Receive pattern id in the URL and display its content. Useful for pattern previews and thumbnails. */ function display_block_pattern_preview() { - - // Nonce not required as the user is not taking any action here. - if ( ! isset( $_GET['pm_pattern_preview'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended + if ( ! isset( $_GET['pm_pattern_preview'] ) ) { return; } - $pattern_name = sanitize_text_field( wp_unslash( $_GET['pm_pattern_preview'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended + check_admin_referer( 'pm_action_pattern_preview' ); - $pattern = \PatternManager\PatternDataHandlers\get_pattern_by_name( $pattern_name ); + $pattern_name = sanitize_text_field( wp_unslash( $_GET['pm_pattern_preview'] ) ); + $pattern = \PatternManager\PatternDataHandlers\get_pattern_by_name( $pattern_name ); if ( ! isset( $pattern['content'] ) ) { $pattern['content'] = '';
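Review bot: The new assertion only checks that the `duplicateLink` key exists, so it would still pass if the `_wpnonce` parameter were dropped from the URL or the link were built against the wrong base — which is exactly what this commit is meant to add. Pin the behaviour with `$this->assertStringContainsString( '_wpnonce=', $patterns['my-new-pattern']['duplicateLink'] );` and a matching check on `editorLink`. A full `wp_verify_nonce()` round-trip is probably not practical here if the test runs without a logged-in user, so the substring check is the minimum that makes the test fail when the nonce goes missing. The test method `test_get_theme_patterns_with_editor_links()` starts before this hunk and continues after it.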
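Review bot: `check_admin_referer( 'pm_action_pattern_preview' )` proves the request was intended by the user who holds the nonce, but it is not an authorization check: nothing in the visible part of `display_block_pattern_preview()` verifies that the current user may view pattern source, so any logged-in user who can reach code that mints this nonce would pass it. Add a capability gate immediately after the referer check, e.g. `if ( ! current_user_can( 'edit_theme_options' ) ) { wp_die( esc_html__( 'Sorry, you are not allowed to preview patterns.' ) ); }`, using whatever capability gates the plugin's admin screens — that capability is not visible in this diff. Also be aware that `check_admin_referer()` terminates with `wp_die()` on a bad or stale nonce, so if this function runs on a front-end hook the failure renders WordPress's HTML error page inside the preview iframe; for a GET preview, `wp_verify_nonce()` followed by a plain `return` may be the friendlier failure mode. The function body continues past the end of the hunk.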