

Merge pull request #184 from skaut/user-connect-nonce
Added nonce verification to user connecting
marekdedic authored Feb 14, 2022


2 parents 93811ac + 396d4b7 commit 7c67947
Showing 1 changed file with 8 additions and 3 deletions.
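--- a/src/src/auth/ConnectAndDisconnectWpAccount.php
+++ b/src/src/auth/ConnectAndDisconnectWpAccount.php
@@ -76,8 +76,13 @@ public function connect() {
 }
 
 public function connectWpUserToSkautis() {
-if ( ! $this->skautisLogin->isUserLoggedInSkautis() || ! Helpers::userIsSkautisManager() || empty( $_GET['ReturnUrl'] ) ) {
-return;
+if ( ! isset( $_GET[SKAUTISINTEGRATION_NAME. '_connect_user_nonce'] ) ||
+! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET[SKAUTISINTEGRATION_NAME. '_connect_user_nonce'] ) ), SKAUTISINTEGRATION_NAME. '_connect_user' ) ||
+! $this->skautisLogin->isUserLoggedInSkautis() ||
+! Helpers::userIsSkautisManager() ||
+empty( $_GET['ReturnUrl'] )
+) {
+wp_die( esc_html__( 'Nemáte oprávnění k propojování uživatelů.', 'skautis-integration' ), esc_html__( 'Neautorizovaný přístup', 'skautis-integration' ) );
 }
 
 if ( ! isset( $_GET['wpUserId'], $_GET['skautisUserId'] ) ) {
@@ -97,7 +102,7 @@ public function getConnectWpUserToSkautisUrl(): string {
 $returnUrl = add_query_arg( SKAUTISINTEGRATION_NAME . '_connectWpAccountWithSkautis', wp_create_nonce( SKAUTISINTEGRATION_NAME . '_connectWpAccountWithSkautis' ), $returnUrl );
 $url = add_query_arg( 'ReturnUrl', urlencode( $returnUrl ), get_home_url( null, 'skautis/auth/' . Actions::CONNECT_WP_USER_TO_SKAUTIS_ACTION ) );
 
-return esc_url( $url );
+return esc_url( wp_nonce_url( $url, SKAUTISINTEGRATION_NAME. '_connect_user', SKAUTISINTEGRATION_NAME. '_connect_user_nonce' ) );
 }
 
 public function disconnect() {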
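Review bot: The nonce action `'_connect_user'` and query key `'_connect_user_nonce'` are spelled out as string literals on both sides of the handshake — in the wp_verify_nonce() check in connectWpUserToSkautis and in the wp_nonce_url() call in getConnectWpUserToSkautisUrl — so a typo in either one silently breaks verification and every legitimate request dies with the permission-denied message; hoisting them into class constants, e.g. `private const CONNECT_USER_NONCE_ACTION = SKAUTISINTEGRATION_NAME . '_connect_user';` and `private const CONNECT_USER_NONCE_NAME = SKAUTISINTEGRATION_NAME . '_connect_user_nonce';`, keeps the producer and the verifier in lock-step. The concatenation spacing `SKAUTISINTEGRATION_NAME. '_connect_user'` also differs from the `SKAUTISINTEGRATION_NAME . '_connectWpAccountWithSkautis'` form used two lines above it in the same method. Note that the new condition additionally turns the `empty( $_GET['ReturnUrl'] )` case from a silent `return;` into wp_die() with an "unauthorized" message, which is presumably intended but conflates a malformed request with a failed nonce or manager check; if that distinction matters for support or logging, a separate branch for the nonce failure would make it visible. connectWpUserToSkautis continues past the first hunk and getConnectWpUserToSkautisUrl begins before the second.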

