From f5790e2a589db6e626992000ad0691e50b482102 Mon Sep 17 00:00:00 2001
From: Brad Taylor
Date: Tue, 7 Jul 2015 09:48:53 -0400
Subject: [PATCH] patched security issue and look for same referer for AJAX calls when editing posts

---
 edit.js | 3 ++-
 edit.php | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/edit.js b/edit.js
index 3fcdea5..c38478e 100644
--- a/edit.js
+++ b/edit.js
@@ -6,7 +6,7 @@ var optly = new OptimizelyAPI( $( '#optimizely_token' ).val() );
 if ( !! $( '#optimizely_experiment_id' ).val() ) {
- optly.get( 'experiments/' + $( '#optimizely_experiment_id' ).val(), function( response ) {
+ optly.get(f 'experiments/' + $( '#optimizely_experiment_id' ).val(), function( response ) {
 optly.experiment = response;
 showExperiment( optly.experiment );
 });
@@ -56,6 +56,7 @@ var data = {
 action: 'update_experiment_meta',
 post_id: $( '#post_ID' ).val(),
+ optimizely_experiment_nonce: $( '#optimizely_experiment_nonce' ).val(),
 optimizely_experiment_id: experiment.id,
 optimizely_experiment_status: experiment.status
 };
diff --git a/edit.php b/edit.php
index 3b147af..0b87999 100644
--- a/edit.php
+++ b/edit.php
@@ -72,6 +72,7 @@ function optimizely_title_variations_render( $post ) {
+
@@ -128,6 +129,14 @@ function optimizely_title_variations_save( $post_id ) {
 * @param int $post_id
 */
 function optimizely_update_experiment_meta() {
+ // Make sure this is a valid request.
+ check_ajax_referer( OPTIMIZELY_NONCE, 'optimizely_experiment_nonce' );
+
+ // See if the current user has permissions to edit posts.
+ if ( ! current_user_can( 'edit_post', absint( $_POST['post_id'] ) ) ) {
+ die( 'You do not have permission to edit posts.' );
+ }
+
 if ( isset( $_POST['post_id'] ) ) {
 optimizely_title_variations_save( absint( $_POST['post_id'] ) );
 }
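Review bot: The new line in the first edit.js hunk reads `optly.get(f 'experiments/' + ...` — the stray `f` after the opening parenthesis is a JavaScript syntax error, so the whole file fails to parse and the nonce field added to `data` in the second hunk is never sent either. The line should stay as the removed one was: `optly.get( 'experiments/' + $( '#optimizely_experiment_id' ).val(), function( response ) {`. Whatever encloses this `if` block starts before the hunk and is not visible here.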
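Review bot: In the last edit.php hunk, the capability check reads `$_POST['post_id']` before the `isset( $_POST['post_id'] )` test that follows it, so a request without a post id produces an undefined-index notice first; the request is still refused, since an invalid post id makes `current_user_can( 'edit_post', 0 )` false in WordPress (inferred from core's meta-cap mapping, not from the hunk), but the order is backwards. A bare `die()` also answers the AJAX caller with a 200 status and a plain string, so the JavaScript cannot distinguish a denial from success; folding the guard into one condition and replying with a 403 fixes both: `if ( ! isset( $_POST['post_id'] ) || ! current_user_can( 'edit_post', absint( $_POST['post_id'] ) ) ) {` / `wp_die( 'You do not have permission to edit posts.', '', array( 'response' => 403 ) );` / `}`. The content of the added line in the `-72,6 +72,7` hunk is not recoverable from this patch; the JavaScript reads `#optimizely_experiment_nonce`, so that hunk presumably emits the nonce field, which should be confirmed against the file.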