diff --git a/classes/Visualizer/Module/Frontend.php b/classes/Visualizer/Module/Frontend.php
index 2a7e6004..1d3bbabd 100644
--- a/classes/Visualizer/Module/Frontend.php
+++ b/classes/Visualizer/Module/Frontend.php
@@ -153,14 +153,25 @@ public function endpoint_register() {
 ),
 ),
 'permission_callback' => function ( WP_REST_Request $request ) {
- $chart_id = filter_var( sanitize_text_field( $request->get_param( 'chart' ), FILTER_VALIDATE_INT ) );
- if ( ! empty( $chart_id ) && in_array( $request->get_param( 'type' ), array( 'save', 'cancel' ), true ) ) {
- // let save and cancel go without any check as past version of pro
- // did not send the X-WP-Nonce
- // we can change this at a later date.
- return true;
+ $chart_id = absint( $request->get_param( 'chart' ) );
+ if ( ! $chart_id ) {
+ return false;
 }
- return ! empty( $chart_id ) && apply_filters( 'visualizer_pro_show_chart', true, $chart_id );
+
+ $chart = get_post( $chart_id );
+ if ( ! $chart || Visualizer_Plugin::CPT_VISUALIZER !== $chart->post_type ) {
+ return false;
 }
+
+ if ( in_array( $request->get_param( 'type' ), array( 'save', 'cancel' ), true ) ) {
+ return current_user_can( 'edit_post', $chart_id );
+ }
+
+ if ( 'publish' !== $chart->post_status ) {
+ return current_user_can( 'edit_post', $chart_id );
+ }
+
+ return apply_filters( 'visualizer_pro_show_chart', true, $chart_id );
 },
 'callback' => array( $this, 'perform_action' ),
 )
diff --git a/composer.lock b/composer.lock
index 90b51c8c..5dc651a0 100644
--- a/composer.lock
+++ b/composer.lock
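Review bot: On a published chart, every `type` value other than `save`/`cancel` is authorised only by `apply_filters( 'visualizer_pro_show_chart', true, $chart_id )`, whose default is `true`, so any action `perform_action` accepts beyond those two — or one added later — is reachable without authentication; `perform_action` and the rest of `endpoint_register` are outside the hunk, so I cannot confirm which types exist. The safer shape is to make the capability check the default and name the read-only types explicitly, returning `false` for an unrecognised `type`. The two identical `current_user_can( 'edit_post', $chart_id )` branches can also be merged: `$type = $request->get_param( 'type' );` / `if ( in_array( $type, array( 'save', 'cancel' ), true ) || 'publish' !== $chart->post_status ) {` / `return current_user_can( 'edit_post', $chart_id );`. Since the removed comment explained why `save`/`cancel` were unchecked, add a replacement such as `// save/cancel mutate the chart: require edit_post (cookie auth needs a valid X-WP-Nonce, which older Pro builds reportedly did not send).` so the deliberate compatibility cut stays documented.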
@@ -8,16 +8,16 @@
 "packages": [
 {
 "name": "codeinwp/themeisle-sdk",
- "version": "3.3.52",
+ "version": "3.3.54",
 "source": {
 "type": "git",
 "url": "https://github.com/Codeinwp/themeisle-sdk.git",
- "reference": "d1ae68cbd4f84934b4d982e9eeff317b9f4c814a"
+ "reference": "095c2d0f1388af0b0196c492a7f79e2fd092dab1"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/Codeinwp/themeisle-sdk/zipball/d1ae68cbd4f84934b4d982e9eeff317b9f4c814a",
- "reference": "d1ae68cbd4f84934b4d982e9eeff317b9f4c814a",
+ "url": "https://api.github.com/repos/Codeinwp/themeisle-sdk/zipball/095c2d0f1388af0b0196c492a7f79e2fd092dab1",
+ "reference": "095c2d0f1388af0b0196c492a7f79e2fd092dab1",
 "shasum": ""
 },
 "require-dev": {
@@ -43,9 +43,9 @@
 ],
 "support": {
 "issues": "https://github.com/Codeinwp/themeisle-sdk/issues",
- "source": "https://github.com/Codeinwp/themeisle-sdk/tree/v3.3.52"
+ "source": "https://github.com/Codeinwp/themeisle-sdk/tree/v3.3.54"
 },
- "time": "2026-05-14T19:43:56+00:00"
+ "time": "2026-06-23T13:43:47+00:00"
 },
 {
 "name": "neitanod/forceutf8",