Merge pull request #529 from aseure/limit-proxy-usage-to-administrator

Prevent usage of `cloudflare_proxy` action on /admin-ajax endpoint for non-Administrator users
cloudflare · Jan 4, 2024 · a84c48b · a84c48b
2 parents 4ad24c8 + f3e8f74
commit a84c48b
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 0 deletions.
diff --git a/src/Integration/IntegrationAPIInterface.php b/src/Integration/IntegrationAPIInterface.php
@@ -53,4 +53,9 @@ public function getDomainList($userId = null);
  * @return mixed
  */
  public function getUserId();
+
+ /**
+ * @return boolean
+ */
+ public function isCurrentUserAdministrator();
 }
diff --git a/src/Test/WordPress/HooksTest.php b/src/Test/WordPress/HooksTest.php
@@ -76,6 +76,7 @@ public function testPluginActionLinksGetAdminUrl()
 
  public function testInitProxyCallsProxyRun()
  {
+ $this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
  $this->mockProxy->expects($this->once())->method('run');
  $this->hooks->initProxy();
  }

diff --git a/src/Test/WordPress/ProxyTest.php b/src/Test/WordPress/ProxyTest.php
@@ -55,6 +55,7 @@ public function testRunHandlesGet()
  $_SERVER['REQUEST_METHOD'] = 'GET';
  $_GET['proxyURL'] = 'proxyUrl';
  $_GET['proxyURLType'] = 'proxyUrlType';
+ $this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
  $this->mockRequestRouter->expects($this->once())->method('route');
  $mockWPDie = $this->getFunctionMock('CF\WordPress', 'wp_die');
  $this->mockProxy->run();
@@ -72,6 +73,7 @@ public function testRunHandlesPost()
  $mockFileGetContents->expects($this->any())->willReturn($jsonBody);
  $mockWPVerifyNonce = $this->getFunctionMock('CF\WordPress', 'wp_verify_nonce');
  $mockWPVerifyNonce->expects($this->once())->willReturn(true);
+ $this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
  $this->mockRequestRouter->expects($this->once())->method('route');
  $mockWPDie = $this->getFunctionMock('CF\WordPress', 'wp_die');
  $this->mockProxy->run();

diff --git a/src/WordPress/Proxy.php b/src/WordPress/Proxy.php
@@ -53,6 +53,10 @@ public function setRequestRouter(RequestRouter $requestRouter)
 
  public function run()
  {
+ if (!$this->wordpressAPI->isCurrentUserAdministrator()) {
+ return;
+ }
+
  header('Content-Type: application/json');
 
  $request = $this->createRequest();

diff --git a/src/WordPress/WordPressAPI.php b/src/WordPress/WordPressAPI.php
@@ -155,4 +155,12 @@ public function checkIfValidCloudflareSubdomain($response, $domainName)
 
  return false;
  }
+
+ /**
+ * @return boolean
+ */
+ public function isCurrentUserAdministrator()
+ {
+ return $this->wordPressWrapper->currentUserCan('administrator');
+ }
 }
diff --git a/src/WordPress/WordPressWrapper.php b/src/WordPress/WordPressWrapper.php
@@ -35,4 +35,9 @@ public function getSiteURL()
 
  return strtolower($site_url);
  }
+
+ public function currentUserCan($capabilities)
+ {
+ return current_user_can($capabilities);
+ }
 }