Merge pull request #738 from CleanTalk/auth_sub_vuln_av

Fix. AdminActions. Checking permissions for Actions

Author: AntonV1211

inc/cleantalk-admin.php

@@ -1551,6 +1551,10 @@ function apbct_action_adjust_change()
 {
     AJAXService::checkAdminNonce();
 
+    if (!current_user_can('activate_plugins')) {
+        wp_send_json_error('Permission denied');
+    }
+
     if (in_array(Post::get('adjust'), array_keys(AdjustToEnvironmentHandler::SET_OF_ADJUST))) {
         try {
             $adjust = Post::getString('adjust');
@@ -1570,6 +1574,10 @@ function apbct_action_adjust_reverse()
 {
     AJAXService::checkAdminNonce();
 
+    if (!current_user_can('activate_plugins')) {
+        wp_send_json_error('Permission denied');
+    }
+
     if (in_array(Post::getString('adjust'), array_keys(AdjustToEnvironmentHandler::SET_OF_ADJUST))) {
         $adjust = Post::getString('adjust');
         try {
@@ -1586,6 +1594,10 @@ function apbct_action_adjust_reverse()
 
 function apbct_action__create_support_user()
 {
+    if (!current_user_can('activate_plugins')) {
+        wp_send_json_error('Permission denied');
+    }
+
     $support_user = new SupportUser();
     $result = $support_user->ajaxProcess();
     wp_send_json($result);

inc/cleantalk-settings.php

@@ -2592,6 +2592,15 @@ function apbct_settings__sync($direct_call = false)
 
     global $apbct;
 
+    if (!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'reload'  => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+        );
+        die(json_encode($out));
+    }
+
     //Clearing all errors
     $apbct->errorDeleteAll(true);
 
@@ -2720,6 +2729,15 @@ function apbct_settings__get_key_auto($direct_call = false)
 
     global $apbct;
 
+    if (!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+
+        );
+        die(json_encode($out));
+    }
+
     $website        = parse_url(get_option('home'), PHP_URL_HOST) . parse_url(get_option('home'), PHP_URL_PATH);
     $platform       = 'wordpress';
     $user_ip        = Helper::ipGet('real', false);
@@ -2983,6 +3001,14 @@ function apbct_settings__get__long_description()
     global $apbct;
     AJAXService::checkAdminNonce();
 
+    if (!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+        );
+        die(json_encode($out));
+    }
+
     $setting_id = TT::toString(Post::get('setting_id', null, 'word'));
 
     $link_exclusion_by_form_signs = LinkConstructor::buildCleanTalkLink(
@@ -3150,6 +3176,15 @@ function apbct_settings__check_renew_banner()
 
     AJAXService::checkAdminNonce();
 
+    if (!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'close_renew_banner' => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+        );
+        die(json_encode($out));
+    }
+
     die(
         json_encode(
             array('close_renew_banner' => ($apbct->data['notice_trial'] == 0 && $apbct->data['notice_renew'] == 0) ? true : false)