Check permissions in admin-ajax.php

Author: evgenyvolferts

class.tilda-admin.php

@@ -454,6 +454,10 @@ public static function delete_key( $key_id ) {
 	 * Handle request to wp-ajax.php with action: add_new_key
 	 */
 	public static function ajax_add_new_key() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$request  = Tilda_Admin::options_sanitize( $_POST );
 		$defaults = [
 			'store_html_only'   => true,
@@ -509,6 +513,10 @@ public static function ajax_add_new_key() {
 	 * Delete key and all assigned projects
 	 */
 	public static function ajax_delete_key() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::options_sanitize( $_GET );
 
 		if ( ! isset( $request['id'] ) ) {
@@ -527,6 +535,10 @@ public static function ajax_delete_key() {
 	 * Update minor parameters for dedicated key
 	 */
 	public static function ajax_update_key() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::options_sanitize( $_GET );
 
 		if ( ! isset( $request['id'] ) ) {
@@ -552,6 +564,10 @@ public static function ajax_update_key() {
 	 * Refetch projects and pages from API and save it to the DB
 	 */
 	public static function ajax_refresh_key() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::options_sanitize( $_GET );
 
 		if ( empty( $request['id'] ) ) {
@@ -585,6 +601,10 @@ public static function ajax_refresh_key() {
 	 * Handle request to wp-ajax.php with action: get_projects
 	 */
 	public static function ajax_get_projects() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$projects = Tilda::get_local_projects();
 		if ( empty( $projects ) ) {
 			$projects = [];
@@ -596,6 +616,10 @@ public static function ajax_get_projects() {
 	 * Handle request to wp-ajax.php with action: update_project
 	 */
 	public static function ajax_update_project() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::project_sanitize( $_POST );
 
 		if ( ! isset( $request['id'] ) ) {
@@ -618,13 +642,21 @@ public static function ajax_update_project() {
 	 * Handle request to wp-ajax.php with action: get_keys
 	 */
 	public static function ajax_get_keys() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		wp_send_json( Tilda::get_local_keys(), 200 );
 	}
 
 	/**
 	 * Handle request to wp-ajax.php with action: update_common_settings
 	 */
 	public static function ajax_update_common_settings() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$options = get_option( Tilda_Admin::OPTION_OPTIONS );
 		$request = Tilda_Admin::options_sanitize( $_POST );
 
@@ -1307,6 +1339,10 @@ public static function export_tilda_page( $page_id, $project_id, $post_id ) {
 	 *
 	 */
 	public static function ajax_sync() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		$arResult = [];
 		if ( empty( $_REQUEST['page_id'] ) || empty( $_REQUEST['project_id'] ) || empty( $_REQUEST['post_id'] ) ) {
 			$arResult['error'] = __( 'Bad request line. Missing parameter: projectid', 'tilda' );
@@ -1355,6 +1391,10 @@ public static function ajax_sync() {
 	 *
 	 */
 	public static function ajax_export_file() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		if ( empty( self::$ts_start_plugin ) ) {
 			self::$ts_start_plugin = time();
 		}
@@ -1435,6 +1475,10 @@ public static function ajax_export_file() {
 	}
 
 	public static function ajax_switcher_status() {
+		if ( ! current_user_can( 'level_7' ) ) {
+			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
+		}
+
 		if (
 			empty( $_REQUEST['post_id'] )
 			|| empty( $_REQUEST['tilda_status'] )

readme.txt

@@ -4,7 +4,7 @@ Donate link: https://wordpress.org/plugins/tilda-publishing/
 Tags: blog, bulk, convert, crawl, data, import, importer, migrate, move, posts, publishing, tilda, export
 Requires at least: 3.0.1
 Tested up to: 6.2
-Stable tag: 0.3.20
+Stable tag: 0.3.21
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -62,6 +62,9 @@ A: Please create an issue on the [GitHub page](https://github.com/TildaPublishin
 
 == Changelog ==
 
+= 0.3.21 =
+* Check permissions in admin-ajax.php
+
 = 0.3.20 =
 * Fix changing JS paths
 

tilda-wordpress-plugin.php

@@ -2,11 +2,13 @@
 /*
 Plugin Name: Tilda Publishing
 Description: Tilda позволяет делать яркую подачу материала, качественную верстку и эффектную типографику, близкую к журнальной. Каким бы ни был ваш контент — Tilda знает, как его показать. С чего начать: 1) Нажмите ссылку «Активировать» слева от этого описания; 2) <a href="http://www.tilda.cc/" target="_blank">Зарегистрируйтесь</a>, чтобы получить API-ключ; 3) Перейдите на страницу настройки Tilda Publishing и введите свой API-ключ. Читайте подробную инструкцию по подключению.
-Version: 0.3.20
+Version: 0.3.21
 Author: Tilda Publishing
 License: GPLv2 or later
 Text Domain: api tilda
 
+Update 0.3.21 - check permissions in admin-ajax.php
+
 Update 0.3.20 - fix changing JS paths
 
 Update 0.3.19 - fix saving images locally
@@ -122,7 +124,7 @@
 	exit;
 }
 
-define( 'TILDA_VERSION', '0.3.20' );
+define( 'TILDA_VERSION', '0.3.21' );
 define( 'TILDA_MINIMUM_WP_VERSION', '3.1' );
 define( 'TILDA_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'TILDA_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );