Commit 6674c34f authored by Eric Windham's avatar Eric Windham

updated form templates to check for admin rights and security nonce

parent ab9cca9c
......@@ -10,10 +10,14 @@ define( ['models/formTemplateModel'], function( TemplateModel ) {
model: TemplateModel,
tmpNum: 1,
url: function() {
return ajaxurl + "?action=nf_new_form_templates";
return ajaxurl + "?action=nf_new_form_templates&security="+ nfAdmin.ajaxNonce;
},
parse: function( response, options ){
if(response.data.hasOwnProperty('error')) {
alert(response.data.error);
return null;
}
return response.data;
},
......
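Review bot: `parse` dereferences `response.data` unconditionally on the `if(response.data.hasOwnProperty('error'))` line, so a response with no `data` member — which admin-ajax.php typically returns as a bare `0`/`-1` body for an unrecognised action — throws a TypeError inside the fetch callback instead of surfacing an error; add `if (!response || !response.data) { return null; }` ahead of it. Returning `null` from `parse` relies on `Backbone.Collection.set` tolerating a null argument, which holds for recent Backbone releases but deserves a one-line comment such as `// null tells Collection.set to add nothing`. On the `url` line, `encodeURIComponent(nfAdmin.ajaxNonce)` would keep the query string well-formed whatever shape the nonce takes. The enclosing `define(...)` module wrapper opens and closes outside the hunk.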
......@@ -10,6 +10,19 @@ class NF_AJAX_REST_NewFormTemplates extends NF_AJAX_REST_Controller
*/
public function get()
{
// Does the current user have admin privileges
if (!current_user_can('manage_options')) {
return ['error' => __('Access denied. You must have admin privileges to view this data.', 'ninja-forms')];
}
// If we don't have a nonce...
// OR if the nonce is invalid...
if (!isset($_REQUEST['security']) || !wp_verify_nonce($_REQUEST['security'], 'ninja_forms_dashboard_nonce')) {
// Kick the request out now.
$data['error'] = __('Request forbidden.', 'ninja-forms');
return $data;
}
$templates = Ninja_Forms()->config( 'NewFormTemplates' );
usort( $templates, array( $this, 'cmp' ) );
array_unshift( $templates, array(
......
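Review bot: The two rejection branches shape the same failure response differently — `return ['error' => …]` for the capability check versus `$data['error'] = …; return $data;` for the nonce check, where `$data` is never initialised before the element assignment — so the nonce branch should simply `return ['error' => __('Request forbidden.', 'ninja-forms')];`. The nonce is read from `$_REQUEST['security']` although the client sends it as a query-string parameter; reading `$_GET['security']` through `sanitize_text_field( wp_unslash( … ) )` narrows the accepted channel and satisfies WordPress coding standards. The ordering is sound but its intent is worth recording, e.g. `// Capability first: a valid nonce alone must never grant access.` above the `current_user_can` check. The `'ninja_forms_dashboard_nonce'` action must match the action used to mint `nfAdmin.ajaxNonce`, which is not visible in this commit. The body of `get()` continues past the end of the hunk.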