Commit 7174c05a authored by Eric Windham's avatar Eric Windham

add nonce and auth check to maybe delete field function

parent 18229dea
Pipeline #3625 passed with stages
in 1 minute and 7 seconds
......@@ -92,6 +92,23 @@ define( [], function() {
jQuery.post(ajaxurl, data)
.done(function (response) {
var res = JSON.parse(response);
if (res.data.hasOwnProperty('errors')) {
var errors = res.data.errors;
var errorMsg = '';
if (Array.isArray(errors)) {
errors.forEach(function(error) {
errors += error + "\n";
})
} else {
errors = errors;
}
console.log('Maybe Delete Field Errors: ', errors);
alert(errors);
return null;
}
if (res.data.field_has_data) {
// if it does, show warning modal
that.doDeleteFieldModal(e, dataModel);
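Review bot: The loop on the `errors.forEach` line appends to `errors` — the array it is iterating — instead of to the `errorMsg` string declared just above it, so `errors` is coerced to a string on the first iteration and `errorMsg` is never used; the `else` branch `errors = errors;` is likewise a no-op. The body should accumulate into the string: `errorMsg += error + "\n";` in the loop and `errorMsg = errors;` in the `else`, with the `console.log` and `alert` then taking `errorMsg`. Because array-to-string coercion yields a comma-joined list before the `\n` is appended, the alert still shows something readable, which is probably why this went unnoticed. The `JSON.parse` on the context line above has no try/catch, so a non-JSON body (a PHP notice, or the HTML `wp_die` page the new server-side guards may produce) would throw before these checks run; a guard there is worth adding since this handler is now the path that surfaces the forbidden/denied errors. The enclosing `.done` callback continues past the hunk.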
......
......@@ -15,6 +15,14 @@ class NF_AJAX_Controllers_DeleteAllData extends NF_Abstracts_Controller
$this->_respond();
}
// If we don't have a nonce...
// OR if the nonce is invalid...
if (!isset($_REQUEST['security']) || !wp_verify_nonce($_REQUEST['security'], 'ninja_forms_dashboard_nonce')) {
// Kick the request out now.
$this->_data['errors'] = __('Request forbidden.', 'ninja-forms');
$this->_respond();
}
check_ajax_referer( 'ninja_forms_settings_nonce', 'security' );
global $wpdb;
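Review bot: The new `wp_verify_nonce` check validates `$_REQUEST['security']` against the `ninja_forms_dashboard_nonce` action, while the `check_ajax_referer( 'ninja_forms_settings_nonce', 'security' )` call directly below it validates the same parameter against a different action; a WordPress nonce is bound to a single action, so one value cannot satisfy both and one of the two checks will always reject the request (the new guard via `_respond()`, `check_ajax_referer` via `wp_die`). Unless the settings-nonce line is removed elsewhere, the two must agree on one action — either change the new check to `'ninja_forms_settings_nonce'`, or drop the `check_ajax_referer` line once the dashboard JS sends the dashboard nonce. The new guard also assumes `$this->_respond()` ends execution; if it only emits output, an explicit `return;` after it is what keeps the deletion below from running on a bad nonce. The method body begins before this hunk, so I cannot see whether a capability check precedes these lines as it does in the Fields controller in this same commit.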
......
......@@ -16,6 +16,21 @@ class NF_AJAX_Controllers_Fields extends NF_Abstracts_Controller
* delete field modal
*/
public function maybe_delete_field() {
// Does the current user have admin privileges
if (!current_user_can('manage_options')) {
$this->_data['errors'] = __('Access denied. You must have admin privileges to view this data.', 'ninja-forms');
$this->_respond();
}
// If we don't have a nonce...
// OR if the nonce is invalid...
if (!isset($_REQUEST['security']) || !wp_verify_nonce($_REQUEST['security'], 'ninja_forms_builder_nonce')) {
// Kick the request out now.
$this->_data['errors'] = __('Request forbidden.', 'ninja-forms');
$this->_respond();
}
$field_id = $_REQUEST[ 'fieldID' ];
// $field_key = $_REQUEST[ 'fieldKey' ];
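Review bot: Both new guards rely on `$this->_respond()` terminating the request; that method is not visible here, and if it merely echoes the response the `manage_options` and nonce failures would fall through to the `$_REQUEST['fieldID']` handling below. A defensive `return;` after each `_respond()` — or, if termination is guaranteed, a comment such as `// _respond() ends the request; nothing below runs on failure.` — makes the fail-closed behaviour explicit to the next reader. The denial message says "to view this data" although this endpoint decides whether a field may be deleted; `__('Access denied. You must have admin privileges to delete fields.', 'ninja-forms')` would be accurate. The `fieldID` on the context line is still read raw from `$_REQUEST`; `absint( $_REQUEST['fieldID'] )` would pin the type before it reaches any lookup. The method continues past the hunk.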
......