Fix. AdminActions. Checking permissions for Actions

AntonV1211 · AntonV1211 · commit ac1c76e725fb · 2026-02-10T16:49:28.000+07:00
diff --git a/inc/cleantalk-admin.php b/inc/cleantalk-admin.php
@@ -1551,6 +1551,10 @@ function apbct_action_adjust_change()
 {
     AJAXService::checkAdminNonce();
 
+    if(!current_user_can('activate_plugins')) {
+        wp_send_json_error('Permission denied');
+    }
+
     if (in_array(Post::get('adjust'), array_keys(AdjustToEnvironmentHandler::SET_OF_ADJUST))) {
         try {
             $adjust = Post::getString('adjust');
@@ -1570,6 +1574,10 @@ function apbct_action_adjust_reverse()
 {
     AJAXService::checkAdminNonce();
 
+    if (!current_user_can('activate_plugins')) {
+        wp_send_json_error('Permission denied');
+    }
+
     if (in_array(Post::getString('adjust'), array_keys(AdjustToEnvironmentHandler::SET_OF_ADJUST))) {
         $adjust = Post::getString('adjust');
         try {
@@ -1586,6 +1594,10 @@ function apbct_action_adjust_reverse()
 
 function apbct_action__create_support_user()
 {
+    if (!current_user_can('activate_plugins')) {
+        wp_send_json_error('Permission denied');
+    }
+
     $support_user = new SupportUser();
     $result = $support_user->ajaxProcess();
     wp_send_json($result);
diff --git a/inc/cleantalk-settings.php b/inc/cleantalk-settings.php
@@ -2592,6 +2592,15 @@ function apbct_settings__sync($direct_call = false)
 
     global $apbct;
 
+    if (!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'reload'  => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+        );
+        die(json_encode($out));
+    }
+
     //Clearing all errors
     $apbct->errorDeleteAll(true);
 
@@ -2720,6 +2729,15 @@ function apbct_settings__get_key_auto($direct_call = false)
 
     global $apbct;
 
+    if(!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+
+        );
+        die(json_encode($out));
+    }
+
     $website        = parse_url(get_option('home'), PHP_URL_HOST) . parse_url(get_option('home'), PHP_URL_PATH);
     $platform       = 'wordpress';
     $user_ip        = Helper::ipGet('real', false);
@@ -2983,6 +3001,14 @@ function apbct_settings__get__long_description()
     global $apbct;
     AJAXService::checkAdminNonce();
 
+    if(!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+        );
+        die(json_encode($out));
+    }
+
     $setting_id = TT::toString(Post::get('setting_id', null, 'word'));
 
     $link_exclusion_by_form_signs = LinkConstructor::buildCleanTalkLink(
@@ -3150,6 +3176,15 @@ function apbct_settings__check_renew_banner()
 
     AJAXService::checkAdminNonce();
 
+    if(!current_user_can('activate_plugins')) {
+        $out = array(
+            'success' => false,
+            'close_renew_banner' => false,
+            'message' => __('You do not have sufficient permissions to access this page.', 'cleantalk-spam-protect'),
+        );
+        die(json_encode($out));
+    }
+
     die(
         json_encode(
             array('close_renew_banner' => ($apbct->data['notice_trial'] == 0 && $apbct->data['notice_renew'] == 0) ? true : false)
diff --git a/js/src/cleantalk-admin-settings-page.js b/js/src/cleantalk-admin-settings-page.js
@@ -724,13 +724,15 @@ function apbctSettingsShowDescription(label, settingId) {
         {
             spinner: obj.children('img'),
             callback: function(result, data, params, obj) {
-                obj.empty()
-                    .append('<div class=\'apbct_long_desc__angle\'></div>')
-                    .append('<i class=\'apbct_long_desc__cancel apbct-icon-cancel\'></i>')
-                    .append('<h3 class=\'apbct_long_desc__title\'>'+result.title+'</h3>')
-                    .append('<p>'+result.desc+'</p>');
-
-                jQuery(document).on('click', removeDescFunc);
+                if (result && result.title && result.desc) {
+                    obj.empty()
+                        .append('<div class=\'apbct_long_desc__angle\'></div>')
+                        .append('<i class=\'apbct_long_desc__cancel apbct-icon-cancel\'></i>')
+                        .append('<h3 class=\'apbct_long_desc__title\'>'+result.title+'</h3>')
+                        .append('<p>'+result.desc+'</p>');
+
+                    jQuery(document).on('click', removeDescFunc);
+                }
             },
         },
         obj,
