fix: applying nonce right
MaferMazu committed Feb 2, 2024
1 parent 379aa87 commit ae1bd3c
Showing 4 changed files with 45 additions and 17 deletions.
31 changes: 24 additions & 7 deletions admin/class-openedx-commerce-admin.php
Expand Up @@ -232,7 +232,12 @@ public function add_openedx_course_product_type( $type_options ) {
* @return void
*/
public function save_openedx_option( $post_id ) {
$openedx_course = isset( $_POST['is_openedx_course'] ) ? 'yes' : 'no'; // phpcs:ignore WordPress.Security.NonceVerification.Missing
if ( ! isset( $_POST['openedx_commerce_custom_product_nonce'] ) ||
! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_custom_product_nonce'] ) ), 'openedx_commerce_custom_product_nonce' )
) {
return;
}
$openedx_course = isset( $_POST['is_openedx_course'] ) ? 'yes' : 'no';
update_post_meta( $post_id, 'is_openedx_course', $openedx_course );
}

Expand All @@ -245,11 +250,11 @@ public function add_custom_product_fields() {

global $post;

$nonce = wp_create_nonce( 'openedx_commerce_admin' );
$nonce = wp_create_nonce( 'openedx_commerce_custom_product_nonce' );

echo '<div class="custom_options_group">';

echo '<input type="hidden" name="openedx_commerce_admin" value="<?php echo esc_attr($nonce); ?>">';
echo '<input type="hidden" name="openedx_commerce_custom_product_nonce" value="' . esc_attr( $nonce ) . '">';

woocommerce_wp_text_input(
array(
Expand Down Expand Up @@ -308,6 +313,7 @@ public function add_admin_order_item_values( $product, $item, $item_id = null )

// Check if the product has a non-empty "_course_id" metadata.
$course_id = '';
$nonce = wp_create_nonce( 'openedx_commerce_order_item_nonce' );

if ( $product ) {
$course_id = get_post_meta( $product->get_id(), '_course_id', true );
Expand All @@ -321,7 +327,7 @@ public function add_admin_order_item_values( $product, $item, $item_id = null )
$order_url = esc_url( admin_url( 'post.php?post=' . intval( $input_value ) . '&action=edit' ) );

$html_output = '<td>';
$html_output .= '<input type="hidden" name="openedx_commerce_admin" value="<?php echo esc_attr($nonce); ?>">';
$html_output .= '<input type="hidden" name="openedx_commerce_order_item_nonce" value="' . esc_attr( $nonce ) . '">';
$html_output .= '<input style="height:30px;" type="text" name="openedx_order_id_input' . esc_attr( $item_id ) . '" value="' . esc_attr( $input_value ) . '" pattern="\d*" />';
$html_output .= '<a href="' . $order_url . '" class="button" style="margin-left: 5px; vertical-align: bottom;' . ( $input_value ? '' : 'pointer-events: none; opacity: 0.6;' ) . '">View Request</a>';
$html_output .= '</td>';
Expand Down Expand Up @@ -370,8 +376,14 @@ public function save_order_meta_data( $order_id ) {

$items = wc_get_order( $order_id )->get_items();

if ( ! isset( $_POST['openedx_commerce_order_item_nonce'] ) ||
! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_order_item_nonce'] ) ), 'openedx_commerce_order_item_nonce' )
) {
return;
}

foreach ( $items as $item_id => $item ) {
if ( wp_verify_nonce( isset( $_POST[ 'openedx_order_id_input' . $item_id ] ), 'openedx_commerce_admin' ) ) {
if ( isset( $_POST[ 'openedx_order_id_input' . $item_id ] ) ) {
$input_value = sanitize_text_field( wp_unslash( $_POST[ 'openedx_order_id_input' . $item_id ] ) );
update_post_meta( $order_id, 'enrollment_id' . $item_id, $input_value );
}
Expand All @@ -386,8 +398,13 @@ public function save_order_meta_data( $order_id ) {
* @since 1.1.1
*/
public function save_custom_product_fields( $post_id ) {
$course_id = isset( $_POST['_course_id'] ) ? wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_course_id'] ) ), 'openedx_commerce_admin' ) : '';
$mode = isset( $_POST['_mode'] ) ? wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_mode'] ) ), 'openedx_commerce_admin' ) : '';
if ( ! isset( $_POST['openedx_commerce_custom_product_nonce'] ) ||
! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_custom_product_nonce'] ) ), 'openedx_commerce_custom_product_nonce' )
) {
return;
}
$course_id = isset( $_POST['_course_id'] ) ? sanitize_text_field( wp_unslash( $_POST['_course_id'] ) ) : '';
$mode = isset( $_POST['_mode'] ) ? sanitize_text_field( wp_unslash( $_POST['_mode'] ) ) : '';

update_post_meta( $post_id, '_course_id', $course_id );
update_post_meta( $post_id, '_mode', $mode );
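Review bot: In save_order_meta_data the new nonce guard is placed below `$items = wc_get_order( $order_id )->get_items();`, so the order is loaded (and a fatal error is raised if wc_get_order() returns false) before an unverified request is rejected; move the five-line guard above that statement so the early return happens first. The same consideration applies to the guards added in save_openedx_option and save_custom_product_fields: a nonce only shows the request originated from a form this site rendered for the current user, it does not establish that the user may edit the post, so unless the calling hook already enforces it, pair each guard with a capability check such as `if ( ! current_user_can( 'edit_post', $post_id ) ) { return; }`. In add_admin_order_item_values the hidden `openedx_commerce_order_item_nonce` input is emitted on every call, which appears to be once per line item, so a multi-item order submits several inputs with the same name; the values are identical and only the last is read, which is harmless but worth a one-line comment. save_order_meta_data continues past the hunk.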
3 changes: 1 addition & 2 deletions admin/views/class-openedx-commerce-enrollment-info-form.php
Expand Up @@ -93,15 +93,14 @@ public function render_enrollment_info_form( $post ) {
$openedx_new_enrollment = true;
}

$nonce = wp_create_nonce( 'openedx_commerce_enrollment_form' );
wp_nonce_field( 'openedx_commerce_enrollment_form', 'openedx_commerce_enrollment_form_nonce' );

?>
<div id="namediv" class="postbox">

<fieldset>
<h2 class="">Open edX enrollment request</h2>
<input type="hidden" name="openedx_new_enrollment" value="<?php echo wp_kses( $openedx_new_enrollment, array( 'true', 'false' ) ); ?>">
<input type="hidden" name="openedx_commerce_enrollment_form" value="<?php echo esc_attr( $nonce ); ?>">
<table class="form-table">
<tbody>
<tr>
12 changes: 9 additions & 3 deletions admin/views/class-openedx-commerce-settings.php
Expand Up @@ -149,7 +149,13 @@ public function openedx_settings_init() {
'sanitize_text_field'
);

if ( wp_verify_nonce( isset( $_POST['generate_new_token'] ), 'openedx_commerce_new_token' ) ) {
if ( ! isset( $_POST['openedx_commerce_new_token_nonce'] ) ||
! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_new_token_nonce'] ) ), 'openedx_commerce_token' )
) {
return;
}

if ( isset( $_POST['generate_new_token'] ) ) {
$this->set_new_token();
}

Expand Down Expand Up @@ -188,7 +194,6 @@ public function set_new_token() {
$exp_date->add( new DateInterval( 'PT' . $exp_time . 'S' ) );
update_option( 'openedx-token-expiration-overlap', $exp_date );

$nonce = wp_create_nonce( 'openedx_commerce_new_token' );
update_option( 'openedx-jwt-token', $response_data['access_token'] );

set_transient( 'openedx_success_message', 'Token generated', 10 );
Expand Down Expand Up @@ -285,10 +290,11 @@ public function openedx_jwt_token_callback() {
$masked_value = '';
}

wp_nonce_field( 'openedx_commerce_token', 'openedx_commerce_new_token_nonce' );

?>

<div class="openedx-jwt-token-wrapper">
<input type="hidden" name="openedx_commerce_new_token" value="<?php echo esc_attr( $nonce ); ?>">

<input class="setting_input" class="openedx-jwt-token-input" type="text" name="openedx-jwt-token" id="openedx-jwt-token"
value="<?php echo esc_attr( $value ); ?>" hidden/>
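Review bot: The nonce guard added to openedx_settings_init returns from the whole function whenever `openedx_commerce_new_token_nonce` is absent from `$_POST`, which is the case on every ordinary GET load of the settings page, so any registration calls that follow it in the function (the body continues past the hunk) would be skipped and those fields would never be registered or rendered. Scope the check to the action it protects instead of returning early: `if ( isset( $_POST['generate_new_token'], $_POST['openedx_commerce_new_token_nonce'] ) && wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_new_token_nonce'] ) ), 'openedx_commerce_token' ) ) { $this->set_new_token(); }`. Because set_new_token() performs a credential exchange and writes the `openedx-jwt-token` option, also gate it on `current_user_can( 'manage_options' )` unless the surrounding hook already restricts who reaches this code. openedx_settings_init begins and ends outside the hunk.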
16 changes: 11 additions & 5 deletions includes/model/class-openedx-commerce-enrollment.php
Expand Up @@ -231,32 +231,38 @@ public function save_action( $post_id, $post ) {
$enrollment_arr = array();
$enrollment_action = '';

if ( ! isset( $_POST['openedx_commerce_enrollment_form_nonce'] ) ||
! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_enrollment_form_nonce'] ) ), 'openedx_commerce_enrollment_form' )
) {
return;
}

if ( isset( $_POST['openedx_enrollment_course_id'] ) ) {
$enrollment_arr['openedx_enrollment_course_id'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_course_id'] ) ), 'openedx_commerce_enrollment_form' );
$enrollment_arr['openedx_enrollment_course_id'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_course_id'] ) );
} else {
$enrollment_arr['openedx_enrollment_course_id'] = sanitize_text_field( wp_unslash( '' ) );
}

if ( isset( $_POST['openedx_enrollment_email'] ) ) {
$enrollment_arr['openedx_enrollment_email'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_email'] ) ), 'openedx_commerce_enrollment_form' );
$enrollment_arr['openedx_enrollment_email'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_email'] ) );
} else {
$enrollment_arr['openedx_enrollment_email'] = sanitize_text_field( wp_unslash( '' ) );
}

if ( isset( $_POST['openedx_enrollment_mode'] ) ) {
$enrollment_arr['openedx_enrollment_mode'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_mode'] ) ), 'openedx_commerce_enrollment_form' );
$enrollment_arr['openedx_enrollment_mode'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_mode'] ) );
} else {
$enrollment_arr['openedx_enrollment_mode'] = sanitize_text_field( wp_unslash( '' ) );
}

if ( isset( $_POST['openedx_enrollment_request_type'] ) ) {
$enrollment_arr['openedx_enrollment_request_type'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_request_type'] ) ), 'openedx_commerce_enrollment_form' );
$enrollment_arr['openedx_enrollment_request_type'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_request_type'] ) );
} else {
$enrollment_arr['openedx_enrollment_request_type'] = sanitize_text_field( wp_unslash( '' ) );
}

if ( isset( $_POST['openedx_enrollment_order_id'] ) ) {
$enrollment_arr['openedx_enrollment_order_id'] = wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_order_id'] ) ), 'openedx_commerce_enrollment_form' );
$enrollment_arr['openedx_enrollment_order_id'] = sanitize_text_field( wp_unslash( $_POST['openedx_enrollment_order_id'] ) );
} else {
$enrollment_arr['openedx_enrollment_order_id'] = sanitize_text_field( wp_unslash( '' ) );
}
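Review bot: The email value on the new side is passed through sanitize_text_field(), which strips tags and surrounding whitespace but accepts any non-address string; WordPress provides `sanitize_email()` for this field, so `$enrollment_arr['openedx_enrollment_email'] = sanitize_email( wp_unslash( $_POST['openedx_enrollment_email'] ) );` would reduce a malformed address to an empty string at the boundary instead of storing it. As in the admin class, the nonce guard added at the top of save_action protects against cross-site request forgery only; if the save_post caller does not already check the capability, pair it with `if ( ! current_user_can( 'edit_post', $post_id ) ) { return; }`. save_action continues past the hunk.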
