From 4547cfa60662a29288e45d498e2aee2609d877aa Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Mon, 29 Jun 2026 10:25:54 +0530
Subject: [PATCH] fix: prevent unauthorized access to private charts
---
classes/Visualizer/Module/Frontend.php | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/classes/Visualizer/Module/Frontend.php b/classes/Visualizer/Module/Frontend.php
index 2a7e60045..1d3bbabd6 100644
--- a/classes/Visualizer/Module/Frontend.php
+++ b/classes/Visualizer/Module/Frontend.php
@@ -153,14 +153,25 @@ public function endpoint_register() {
 ),
 ),
 'permission_callback' => function ( WP_REST_Request $request ) {
- $chart_id = filter_var( sanitize_text_field( $request->get_param( 'chart' ), FILTER_VALIDATE_INT ) );
- if ( ! empty( $chart_id ) && in_array( $request->get_param( 'type' ), array( 'save', 'cancel' ), true ) ) {
- // let save and cancel go without any check as past version of pro
- // did not send the X-WP-Nonce
- // we can change this at a later date.
- return true;
+ $chart_id = absint( $request->get_param( 'chart' ) );
+ if ( ! $chart_id ) {
+ return false;
 }
- return ! empty( $chart_id ) && apply_filters( 'visualizer_pro_show_chart', true, $chart_id );
+
+ $chart = get_post( $chart_id );
+ if ( ! $chart || Visualizer_Plugin::CPT_VISUALIZER !== $chart->post_type ) {
+ return false;
+ }
+
+ if ( in_array( $request->get_param( 'type' ), array( 'save', 'cancel' ), true ) ) {
+ return current_user_can( 'edit_post', $chart_id );
+ }
+
+ if ( 'publish' !== $chart->post_status ) {
+ return current_user_can( 'edit_post', $chart_id );
+ }
+
+ return apply_filters( 'visualizer_pro_show_chart', true, $chart_id );
 },
 'callback' => array( $this, 'perform_action' ),
 )
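Review bot: The `'publish' !== $chart->post_status` branch gates viewing on `current_user_can( 'edit_post', $chart_id )`, but the capability WordPress resolves for viewing a restricted post is `read_post`, which map_meta_cap turns into `read_private_posts` for private status and into the edit capabilities for drafts; with `edit_post` a user who may read a private chart but not edit it is denied. Consider `return current_user_can( 'read_post', $chart_id );` on that branch and keep `edit_post` only for the save/cancel branch, where a write is intended — assuming the chart post type uses the default capability mapping, which this hunk does not show. The removed comment recorded that save/cancel were left unchecked because older pro versions did not send X-WP-Nonce; cookie-authenticated REST requests without a valid nonce resolve to no user, so those clients will now fail this callback, which deserves a one-line comment such as `// save/cancel require an authenticated user who can edit the chart; clients must send X-WP-Nonce.` The enclosing endpoint_register() starts outside the hunk.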