From f3e8f746b87dce86734b4b48610c729b7874157d Mon Sep 17 00:00:00 2001
From: Anthony Seure
Date: Wed, 3 Jan 2024 15:01:10 +0100
Subject: [PATCH] Prevent usage of `cloudflare_proxy` action on /admin-ajax endpoint for non-Administrator users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**🔖 Summary**

The implementation of this plugin is hidden behind a [`is_admin()` WordPress function](https://developer.wordpress.org/reference/functions/is_admin/). However, as stated in the documentation:

> Does not check if the user is an administrator; use current_user_can()
> for checking roles and capabilities.

This commit is about ensuring that the `cloudflare_proxy` action on the /admin-ajax endpoint is correctly limited to Administrator users only before making any call via the Proxy to Cloudflare.

**✅ Testing plan**

Update the mocked tests which were rightfully failing due to non-Administrator calls.
---
 src/Integration/IntegrationAPIInterface.php | 5 +++++
 src/Test/WordPress/HooksTest.php | 1 +
 src/Test/WordPress/ProxyTest.php | 2 ++
 src/WordPress/Proxy.php | 4 ++++
 src/WordPress/WordPressAPI.php | 8 ++++++++
 src/WordPress/WordPressWrapper.php | 5 +++++
 6 files changed, 25 insertions(+)

diff --git a/src/Integration/IntegrationAPIInterface.php b/src/Integration/IntegrationAPIInterface.php
index 517cbb18..e111cdc8 100644
--- a/src/Integration/IntegrationAPIInterface.php
+++ b/src/Integration/IntegrationAPIInterface.php
@@ -53,4 +53,9 @@ public function getDomainList($userId = null);
 * @return mixed
 */
 public function getUserId();
+
+ /**
+ * @return boolean
+ */
+ public function isCurrentUserAdministrator();
 }
diff --git a/src/Test/WordPress/HooksTest.php b/src/Test/WordPress/HooksTest.php
index 34a8791a..fe3d5a44 100644
--- a/src/Test/WordPress/HooksTest.php
+++ b/src/Test/WordPress/HooksTest.php
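Review bot: The new `isCurrentUserAdministrator()` contract added to the interface is documented only as `@return boolean`, which leaves any implementer free to repeat the `is_admin()` mistake the commit description calls out. The docblock should state what the method must establish, e.g. `Whether the user behind the current request holds administrator privileges, determined by a real capability check (not is_admin()); this is the authorization gate for the cloudflare_proxy admin-ajax action.`, and `@return bool` is the conventional short type name. Any other implementation of this interface is outside the diff and now has to provide the method as well.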
@@ -76,6 +76,7 @@ public function testPluginActionLinksGetAdminUrl()
 public function testInitProxyCallsProxyRun()
 {
+ $this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
 $this->mockProxy->expects($this->once())->method('run');
 $this->hooks->initProxy();
 }
diff --git a/src/Test/WordPress/ProxyTest.php b/src/Test/WordPress/ProxyTest.php
index ae7113d9..6298a7de 100644
--- a/src/Test/WordPress/ProxyTest.php
+++ b/src/Test/WordPress/ProxyTest.php
@@ -55,6 +55,7 @@ public function testRunHandlesGet()
 $_SERVER['REQUEST_METHOD'] = 'GET';
 $_GET['proxyURL'] = 'proxyUrl';
 $_GET['proxyURLType'] = 'proxyUrlType';
+ $this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
 $this->mockRequestRouter->expects($this->once())->method('route');
 $mockWPDie = $this->getFunctionMock('CF\WordPress', 'wp_die');
 $this->mockProxy->run();
@@ -72,6 +73,7 @@ public function testRunHandlesPost()
 $mockFileGetContents->expects($this->any())->willReturn($jsonBody);
 $mockWPVerifyNonce = $this->getFunctionMock('CF\WordPress', 'wp_verify_nonce');
 $mockWPVerifyNonce->expects($this->once())->willReturn(true);
+ $this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
 $this->mockRequestRouter->expects($this->once())->method('route');
 $mockWPDie = $this->getFunctionMock('CF\WordPress', 'wp_die');
 $this->mockProxy->run();
diff --git a/src/WordPress/Proxy.php b/src/WordPress/Proxy.php
index 908501d3..50ba48bd 100644
--- a/src/WordPress/Proxy.php
+++ b/src/WordPress/Proxy.php
@@ -53,6 +53,10 @@ public function setRequestRouter(RequestRouter $requestRouter)
 public function run()
 {
+ if (!$this->wordpressAPI->isCurrentUserAdministrator()) {
+ return;
+ }
+
 header('Content-Type: application/json');
 $request = $this->createRequest();
diff --git a/src/WordPress/WordPressAPI.php b/src/WordPress/WordPressAPI.php
index 07fb922d..390e792c 100644
--- a/src/WordPress/WordPressAPI.php
+++ b/src/WordPress/WordPressAPI.php
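Review bot: Both updated ProxyTest cases only pin the permitted path by stubbing `isCurrentUserAdministrator` to `true`; nothing asserts that a non-administrator call never reaches `route()`, which is the behaviour this commit exists to add, so a regression that drops the guard would still pass the suite. A negative test with the stub returning `false` and `$this->mockRequestRouter->expects($this->never())->method('route')` closes that gap; the `setUp()` that builds `$this->mockWordPressAPI` and `$this->mockProxy` is outside the hunk, so the sketch below assumes the same fixtures. Separately, the GET case sets `$_GET` parameters without the `wp_verify_nonce` mock the POST case needs, which suggests GET requests are not nonce-checked; if that reading is right, the capability check alone does not stop a logged-in administrator from being CSRF'd into issuing a proxied GET, and that deserves its own follow-up.
```php
public function testRunDoesNotRouteForNonAdministrator()
{
    $this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(false);
    $this->mockRequestRouter->expects($this->never())->method('route');
    $this->mockProxy->run();
}
```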
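Review bot: The guard added at the top of `run()` rejects non-administrators with a bare `return`, so the request receives no explicit denial: no status code, no JSON body, and not even the `Content-Type` header, since `header()` is only called after the check. What the client actually gets then depends on what admin-ajax does once the action handler returns, which is outside this diff, and an access log will show the refused call as indistinguishable from a successful one. Replacing `return;` with `wp_send_json_error(null, 403);` makes the denial unambiguous to callers and to monitoring, and since the tests already mock `wp_die` in the `CF\WordPress` namespace, the exiting helper can be mocked the same way. The remainder of `run()` continues past the end of the hunk.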
@@ -155,4 +155,12 @@ public function checkIfValidCloudflareSubdomain($response, $domainName)
 return false;
 }
+
+ /**
+ * @return boolean
+ */
+ public function isCurrentUserAdministrator()
+ {
+ return $this->wordPressWrapper->currentUserCan('administrator');
+ }
 }
diff --git a/src/WordPress/WordPressWrapper.php b/src/WordPress/WordPressWrapper.php
index 72048898..fef8c574 100644
--- a/src/WordPress/WordPressWrapper.php
+++ b/src/WordPress/WordPressWrapper.php
@@ -35,4 +35,9 @@ public function getSiteURL()
 return strtolower($site_url);
 }
+
+ public function currentUserCan($capabilities)
+ {
+ return current_user_can($capabilities);
+ }
 }
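Review bot: `isCurrentUserAdministrator()` passes the role name `administrator` to `current_user_can()`, and the WordPress reference for that function discourages checking role names in place of capabilities because the result is not guaranteed to be reliable: roles can be renamed or removed by other plugins, and a custom role granted every administrative capability would still be refused here. Gating on the capability that actually protects plugin settings, `return $this->wordPressWrapper->currentUserCan('manage_options');`, is the documented pattern; if the intent really is the Administrator role and nothing else, say so in the docblock so the choice reads as deliberate. The docblock should also use `@return bool` and state that this is the authorization check for the `cloudflare_proxy` admin-ajax action, so nobody swaps it back to `is_admin()`.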
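Review bot: `currentUserCan($capabilities)` has no docblock, and the plural parameter name suggests it accepts several capabilities, whereas `current_user_can()` takes one capability string plus optional extra arguments that this wrapper does not forward. A docblock such as `@param string $capability A single capability (or role name) handed to current_user_can(); extra meta-capability arguments are not forwarded` with `@return bool` documents the contract, and renaming the parameter to `$capability` is a purely internal change. Dropping the extra arguments is fine for the single call site in this diff but is worth stating so the next caller is not surprised.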