
Prevent usage of cloudflare_proxy action on /admin-ajax endpoint for non-Administrator users #529

Merged

Conversation

aseure
Copy link
Member

@aseure aseure commented Jan 3, 2024

**🔖 Summary**

The implementation of this plugin is hidden behind an [`is_admin()` WordPress function](https://developer.wordpress.org/reference/functions/is_admin/).
However, as stated in the documentation:

> Does not check if the user is an administrator; use current_user_can()
> for checking roles and capabilities.

This commit is about ensuring that the `cloudflare_proxy` action on the
/admin-ajax endpoint is correctly limited to Administrator users only
before making any call via the Proxy to Cloudflare.

**✅ Testing plan**

Update the mocked tests which were rightfully failing due to non-Administrator
calls.

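The distinction the PR relies on, shown as an added example that is not the plugin's own code: `is_admin()` reports where a request entered WordPress, not what the user is allowed to do, and admin-ajax.php counts as an admin entry point for every logged-in user. The handler names and the `manage_options` capability are assumptions for illustration.

```php
<?php
// Added example, not code from the Cloudflare-WordPress plugin.
// Function names below are hypothetical.

// Before: admin-ajax.php defines WP_ADMIN, so is_admin() returns true for
// any authenticated user who calls it, regardless of role. This gate
// therefore lets a Subscriber reach the proxy call.
function example_cloudflare_proxy_before() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... request would be forwarded to the Cloudflare API here ...
    wp_send_json_success();
}

// After: check a capability, as the WordPress docs direct.
// 'manage_options' is held by Administrators (assumed here as the
// capability the proxy should require). wp_send_json_error() ends the
// request, so nothing below it runs for unauthorized callers.
function example_cloudflare_proxy_after() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... forward to the Cloudflare API ...
    wp_send_json_success();
}

// The wp_ajax_{action} hook fires for every logged-in user, so the
// authorization decision has to live inside the handler itself.
add_action( 'wp_ajax_cloudflare_proxy', 'example_cloudflare_proxy_after' );
```

A quick way to confirm the fix is the one the PR's testing plan describes: call the `cloudflare_proxy` action as a low-privilege logged-in user and expect a 403 rather than a proxied response.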
@aseure aseure force-pushed the limit-proxy-usage-to-administrator branch 2 times, most recently from cbc9aae to 258fe4c Compare January 3, 2024 14:53
@aseure aseure marked this pull request as draft January 3, 2024 17:13
@aseure aseure force-pushed the limit-proxy-usage-to-administrator branch from 258fe4c to ee2b876 Compare January 4, 2024 08:18
@aseure aseure changed the title wip Prevent usage of cloudflare_proxy action on /admin-ajax endpoint for non-Administrator users Jan 4, 2024
@aseure aseure force-pushed the limit-proxy-usage-to-administrator branch from ee2b876 to f3e8f74 Compare January 4, 2024 08:19
@aseure aseure marked this pull request as ready for review January 4, 2024 08:19
@aseure aseure merged commit a84c48b into cloudflare:master Jan 4, 2024
5 checks passed
aseure added a commit to aseure/Cloudflare-WordPress that referenced this pull request Jan 4, 2024
This release deploys the following fix cloudflare#529.
@aseure aseure mentioned this pull request Jan 4, 2024