Merge pull request #285 from rtCamp/fix/GH-179

GH-179 : Implement nonce verification for Ajax calls
rtCamp · Feb 26, 2024 · 064fd5a · 064fd5a
2 parents 0065784 + 6bfb1cc
commit 064fd5a
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 38 deletions.
diff --git a/admin/js/rt-transcoder-admin.js b/admin/js/rt-transcoder-admin.js
@@ -45,7 +45,8 @@
 					if ( confirm( rt_transcoder_script.disable_encoding ) ) {
 
 						var data = {
-							action: 'rt_disable_transcoding'
+							action: 'rt_disable_transcoding',
+							rt_transcoder_nonce: rt_transcoder_script.security_nonce_for_disabling_encoding
 						};
 
 						if ( $( this ).next( 'img' ).length === 0 ) {
@@ -84,7 +85,8 @@
 					if ( confirm( rt_transcoder_script.enable_encoding ) ) {
 
 						var data = {
-							action: 'rt_enable_transcoding'
+							action: 'rt_enable_transcoding',
+							rt_transcoder_nonce: rt_transcoder_script.security_nonce_for_enabling_encoding
 						};
 
 						if ( $( this ).next( 'img' ).length === 0 ) {

diff --git a/admin/js/rt-transcoder-admin.min.js b/admin/js/rt-transcoder-admin.min.js
diff --git a/admin/rt-transcoder-admin.php b/admin/rt-transcoder-admin.php
@@ -196,12 +196,14 @@ public function enqueue_scripts_styles() {
 		wp_register_script( 'rt-transcoder-main', RT_TRANSCODER_URL . 'admin/js/rt-transcoder-admin' . $suffix . '.js', array( 'jquery' ), RT_TRANSCODER_VERSION, true );
 
 		$localize_script_data = array(
-			'admin_url'            => esc_url( admin_url() ),
-			'loader_image'         => esc_url( admin_url( 'images/loading.gif' ) ),
-			'disable_encoding'     => esc_html__( 'Are you sure you want to disable the transcoding service?', 'transcoder' ),
-			'enable_encoding'      => esc_html__( 'Are you sure you want to enable the transcoding service?', 'transcoder' ),
-			'something_went_wrong' => esc_html__( 'Something went wrong. Please ', 'transcoder' ) . '<a href onclick="location.reload();">' . esc_html__( 'refresh', 'transcoder' ) . '</a>' . esc_html__( ' page.', 'transcoder' ),
-			'error_empty_key'      => esc_html__( 'Please enter the license key.', 'transcoder' ),
+			'admin_url'                             => esc_url( admin_url() ),
+			'loader_image'                          => esc_url( admin_url( 'images/loading.gif' ) ),
+			'disable_encoding'                      => esc_html__( 'Are you sure you want to disable the transcoding service?', 'transcoder' ),
+			'enable_encoding'                       => esc_html__( 'Are you sure you want to enable the transcoding service?', 'transcoder' ),
+			'something_went_wrong'                  => esc_html__( 'Something went wrong. Please ', 'transcoder' ) . '<a href onclick="location.reload();">' . esc_html__( 'refresh', 'transcoder' ) . '</a>' . esc_html__( ' page.', 'transcoder' ),
+			'error_empty_key'                       => esc_html__( 'Please enter the license key.', 'transcoder' ),
+			'security_nonce_for_enabling_encoding'  => wp_create_nonce( 'rt_enable_transcoding' ),
+			'security_nonce_for_disabling_encoding' => wp_create_nonce( 'rt_disable_transcoding' ),
 		);
 
 		wp_localize_script( 'rt-transcoder-main', 'rt_transcoder_script', $localize_script_data );

diff --git a/admin/rt-transcoder-handler.php b/admin/rt-transcoder-handler.php
@@ -180,8 +180,6 @@ public function __construct( $no_init = false ) {
 		}
 
 		add_action( 'init', array( $this, 'handle_callback' ), 20 );
-		add_action( 'wp_ajax_rt_hide_transcoding_notice', array( $this, 'hide_transcoding_notice' ), 1 );
-		add_action( 'wp_ajax_rt_enter_api_key', array( $this, 'enter_api_key' ), 1 );
 		add_action( 'wp_ajax_rt_disable_transcoding', array( $this, 'disable_transcoding' ), 1 );
 		add_action( 'wp_ajax_rt_enable_transcoding', array( $this, 'enable_transcoding' ), 1 );
 		add_action( 'add_attachment', array( $this, 'after_upload_pdf' ) );
@@ -1263,39 +1261,13 @@ public function handle_callback() {
 		do_action( 'rtt_handle_callback_finished', $attachment_id, $job_id );
 	}
 
-	/**
-	 * Hide notices.
-	 *
-	 * @since 1.0.0
-	 */
-	public function hide_transcoding_notice() {
-		update_site_option( 'rt-transcoding-service-notice', true );
-		update_site_option( 'rt-transcoding-expansion-notice', true );
-		echo true;
-		die();
-	}
-
-	/**
-	 * Check whether key is entered or not.
-	 *
-	 * @since 1.0
-	 */
-	public function enter_api_key() {
-		$apikey = transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
-		if ( ! empty( $apikey ) ) {
-			echo wp_json_encode( array( 'apikey' => $apikey ) );
-		} else {
-			echo wp_json_encode( array( 'error' => esc_html__( 'Please enter the license key.', 'transcoder' ) ) );
-		}
-		die();
-	}
-
 	/**
 	 * Disable transcoding.
 	 *
 	 * @since 1.0.0
 	 */
 	public function disable_transcoding() {
+		check_ajax_referer( 'rt_disable_transcoding', 'rt_transcoder_nonce', true );
 		update_site_option( 'rt-transcoding-api-key', '' );
 		esc_html_e( 'Transcoding disabled successfully.', 'transcoder' );
 		die();
@@ -1307,6 +1279,7 @@ public function disable_transcoding() {
 	 * @since 1.0.0
 	 */
 	public function enable_transcoding() {
+		check_ajax_referer( 'rt_enable_transcoding', 'rt_transcoder_nonce', true );
 		update_site_option( 'rt-transcoding-api-key', $this->stored_api_key );
 		esc_html_e( 'Transcoding enabled successfully.', 'transcoder' );
 		die();