
(Hardening) Add a cap check before previewing classification of a post.#1049

Merged
dkotter merged 1 commit into develop from fix/add-cap-check-to-classifation-preview on Feb 10, 2026

Conversation

@peterwilsoncc
Contributor

Description of the Change

This adds a read_post capability check to the Watson NLU classification preview ajax endpoint.

It's a very, very minor hardening issue as users can only access the nonce if they have the manage_options capability required to access the classifai settings page.

It protects against the case in which a developer has used the map_meta_cap filter to modify the permissions of users able to read posts. Without that use case it does nothing.

How to test the Change

  1. Create and publish a post with dummy content
  2. Enable Watson NLU Classification feature
  3. Save the settings
  4. Open your browser tools network tab. Your browser will need to have a feature where you can right click on a request and "copy as curl" (Firefox has this).
  5. In the preview post option search for the post created by title
  6. The preview should show as expected.
  7. Copy the admin-ajax request used for the preview as curl
  8. Run the curl code in your terminal
  9. Ensure the preview data is shown in the terminal
  10. Add this code as an mu-plugin to prevent anyone from reading any posts

```php
<?php
/* Plugin Name: Deny read_post (test helper) */
// Map every read_post meta capability onto do_not_allow so that
// current_user_can( 'read_post', $post_id ) is false for every user.
add_filter( 'map_meta_cap', function( $caps, $cap, $user_id, $args ) {
	if ( 'read_post' === $cap ) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}, 10, 4 );
```

  11. Re-run the curl command
  12. Ensure the response contains the error "You do not have permission to preview this post"
  13. Delete the mu-plugin code added above to avoid confusion later

Changelog Entry

Security - Hardening: add read post check for Watson NLU classification previewer

Credits

Props @peterwilsoncc

Checklist:
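The shape of the hardening the PR describes, as an added example that is not ClassifAI's own code: an admin-ajax handler that verifies the settings-page nonce and then checks `read_post` on the requested post before returning any preview data. The action name, nonce action, request parameter and function names are assumptions; the plugin's real identifiers are not shown on this page. Because `current_user_can()` resolves meta capabilities such as `read_post` through `map_meta_cap`, the `do_not_allow` filter from the test steps makes the check below fail for every user, which is exactly the case the PR is guarding.

```php
<?php
/**
 * Added example (not ClassifAI's code): a classification-preview ajax
 * endpoint gated by a nonce and a read_post capability check.
 * All names below are assumptions made for illustration.
 */

// Hypothetical action name: registers the handler for logged-in users only.
add_action( 'wp_ajax_example_classify_preview', 'example_classify_preview' );

/**
 * Decide whether the current user may preview classification of $post_id.
 * Kept separate so the policy can be unit-tested without HTTP.
 */
function example_can_preview_post( $post_id ) {
	$post_id = absint( $post_id );
	if ( ! $post_id || ! get_post( $post_id ) ) {
		return false;
	}
	// Meta cap: runs through map_meta_cap, so site-level filters apply.
	return current_user_can( 'read_post', $post_id );
}

function example_classify_preview() {
	// 1. Nonce check (hypothetical nonce action 'example_classify_preview').
	//    On failure check_ajax_referer() terminates the request itself.
	//    The nonce is only issued on a page that already requires
	//    manage_options, so the capability check that follows is the
	//    additional, defence-in-depth layer this PR adds.
	check_ajax_referer( 'example_classify_preview', 'nonce' );

	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

	// 2. Capability check before touching any post data.
	if ( ! example_can_preview_post( $post_id ) ) {
		wp_send_json_error(
			array( 'message' => 'You do not have permission to preview this post' ),
			403
		);
	}

	// 3. Only now read the content that would be sent to the classifier.
	//    The real plugin sends this to Watson NLU; here the preview payload
	//    is the text itself, since the classifier call is outside the scope
	//    of the capability check being illustrated.
	$content = get_post_field( 'post_content', $post_id );
	wp_send_json_success(
		array(
			'post_id' => $post_id,
			'preview' => wp_strip_all_tags( $content ),
		)
	);
}
```

Verifying the behaviour matches the test plan: with the `map_meta_cap` mu-plugin active, `example_can_preview_post()` returns `false` for every user and the endpoint answers with HTTP 403 and the permission message; with the mu-plugin removed, a user who can read the post gets the preview payload.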

@github-actions github-actions bot added this to the 3.8.0 milestone Feb 10, 2026
@github-actions

✅ WordPress Plugin Check Report

✅ Status: Passed

📊 Report

All checks passed! No errors or warnings found.


🤖 Generated by WordPress Plugin Check Action • Learn more about Plugin Check

@peterwilsoncc peterwilsoncc changed the title Add a cap check before previewing classification of a post. (Hardening) Add a cap check before previewing classification of a post. Feb 10, 2026
@jeffpaul jeffpaul mentioned this pull request Feb 10, 2026
28 tasks
@peterwilsoncc peterwilsoncc marked this pull request as ready for review February 10, 2026 20:49
@peterwilsoncc peterwilsoncc requested review from a team, dkotter and jeffpaul as code owners February 10, 2026 20:49
@github-actions github-actions bot added the needs:code-review This requires code review. label Feb 10, 2026
@dkotter dkotter merged commit 2cca00f into develop Feb 10, 2026
21 checks passed
@dkotter dkotter deleted the fix/add-cap-check-to-classifation-preview branch February 10, 2026 21:29