Skip to content

Commit

Permalink
Prevent usage of cloudflare_proxy action on /admin-ajax endpoint fo…
Browse files Browse the repository at this point in the history
…r non-Administrator users

**🔖 Summary**

The implementation of this plugin is hidden behind a [`is_admin()` WordPress function](https://developer.wordpress.org/reference/functions/is_admin/).
However, as stated in the documentation:

> Does not check if the user is an administrator; use current_user_can()
> for checking roles and capabilities.

This commit is about ensuring that the `cloudflare_proxy` action on the
/admin-ajax endpoint is correctly limited to Administrator users only
before making any call via the Proxy to Cloudflare.

**✅ Testing plan**

Update the mocked tests which were rightfully failing due to non-Administrator
calls.
eployment plan**
  • Loading branch information
aseure committed Jan 4, 2024
1 parent 4ad24c8 commit ee2b876
Show file tree
Hide file tree
Showing 6 changed files with 25 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/Integration/IntegrationAPIInterface.php
Original file line number Diff line number Diff line change
Expand Up @@ -53,4 +53,9 @@ public function getDomainList($userId = null);
* @return mixed
*/
public function getUserId();

/**
* @return boolean
*/
public function isCurrentUserAdministrator();
}
1 change: 1 addition & 0 deletions src/Test/WordPress/HooksTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ public function testPluginActionLinksGetAdminUrl()

public function testInitProxyCallsProxyRun()
{
$this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
$this->mockProxy->expects($this->once())->method('run');
$this->hooks->initProxy();
}
Expand Down
2 changes: 2 additions & 0 deletions src/Test/WordPress/ProxyTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ public function testRunHandlesGet()
$_SERVER['REQUEST_METHOD'] = 'GET';
$_GET['proxyURL'] = 'proxyUrl';
$_GET['proxyURLType'] = 'proxyUrlType';
$this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
$this->mockRequestRouter->expects($this->once())->method('route');
$mockWPDie = $this->getFunctionMock('CF\WordPress', 'wp_die');
$this->mockProxy->run();
Expand All @@ -72,6 +73,7 @@ public function testRunHandlesPost()
$mockFileGetContents->expects($this->any())->willReturn($jsonBody);
$mockWPVerifyNonce = $this->getFunctionMock('CF\WordPress', 'wp_verify_nonce');
$mockWPVerifyNonce->expects($this->once())->willReturn(true);
$this->mockWordPressAPI->method('isCurrentUserAdministrator')->willReturn(true);
$this->mockRequestRouter->expects($this->once())->method('route');
$mockWPDie = $this->getFunctionMock('CF\WordPress', 'wp_die');
$this->mockProxy->run();
Expand Down
4 changes: 4 additions & 0 deletions src/WordPress/Proxy.php
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,10 @@ public function setRequestRouter(RequestRouter $requestRouter)

public function run()
{
if (!$this->wordpressAPI->isCurrentUserAdministrator()) {
return;
}

header('Content-Type: application/json');

$request = $this->createRequest();
Expand Down
8 changes: 8 additions & 0 deletions src/WordPress/WordPressAPI.php
Original file line number Diff line number Diff line change
Expand Up @@ -155,4 +155,12 @@ public function checkIfValidCloudflareSubdomain($response, $domainName)

return false;
}

/**
* @return boolean
*/
public function isCurrentUserAdministrator()
{
return $this->wordPressWrapper->currentUserCan('administrator');
}
}
5 changes: 5 additions & 0 deletions src/WordPress/WordPressWrapper.php
Original file line number Diff line number Diff line change
Expand Up @@ -35,4 +35,9 @@ public function getSiteURL()

return strtolower($site_url);
}

public function currentUserCan($capabilities)
{
return current_user_can($capabilities);
}
}

0 comments on commit ee2b876

Please sign in to comment.