adds nonce and role verification to entry exports.

Author: avonville

includes/admin/class-admin.php

@@ -170,9 +170,19 @@ public function export_forms() {
      * @return void
      */
     public function export_form_entries() {
+        if ( ! current_user_can( 'administrator' ) ) {
+            $error = new WP_Error( 'rest_weforms_invalid_permission', __( 'You do not have permission to export entries', 'weforms' ), [ 'status' => 404 ] );
+            wp_die( esc_html__( $error->get_error_message(), 'weforms' ) );
+        }
+
+        if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'weforms-export-entries' ) ) {
+            $error = new WP_Error( 'rest_weforms_invalid_nonce', __( 'Invalid nonce', 'weforms' ), [ 'status' => 404 ] );
+            wp_die( esc_html__( $error->get_error_message(), 'weforms' ) );
+        }
+
         $form_id = isset( $_REQUEST['selected_forms'] ) ? absint( $_REQUEST['selected_forms'] ) : 0;
 
-        if ( !$form_id ) {
+        if ( ! $form_id ) {
             return;
         }