fix: sql for subscriber

added check for pro filter
References: Codeinwp/visualizer-pro#472

Author: preda-bogdan

classes/Visualizer/Module/Chart.php

@@ -1431,6 +1431,10 @@ public function getQueryData() {
 			wp_send_json_error( array( 'msg' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
 		}
 
+		if ( ! Visualizer_Module::is_pro() ) {
+			wp_send_json_error( array( 'msg' => __( 'Feature is not available.', 'visualizer' ) ) );
+		}
+
 		$params     = wp_parse_args( $_POST['params'] );
 		$chart_id   = filter_var( $params['chart_id'], FILTER_VALIDATE_INT );
 		$query      = trim( $params['query'], ';' );
@@ -1452,6 +1456,17 @@ public function getQueryData() {
 	public function saveQuery() {
 		check_ajax_referer( Visualizer_Plugin::ACTION_SAVE_DB_QUERY . Visualizer_Plugin::VERSION, 'security' );
 
+		if ( ! current_user_can( 'administrator' ) ) {
+			wp_send_json_error( array( 'msg' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
+		}
+		if ( ! is_super_admin() ) {
+			wp_send_json_error( array( 'msg' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
+		}
+
+		if ( ! Visualizer_Module::is_pro() ) {
+			wp_send_json_error( array( 'msg' => __( 'Feature is not available.', 'visualizer' ) ) );
+		}
+
 		$chart_id   = filter_input(
 			INPUT_GET,
 			'chart',

tests/test-ajax.php

@@ -66,6 +66,8 @@ public function setUp() {
 	public function test_ajax_response_get_query_data_valid_query() {
 		$this->_setRole( 'administrator' );
 
+		$this->enable_pro();
+
 		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
 
 		global $wpdb;
@@ -93,6 +95,8 @@ public function test_ajax_response_get_query_data_valid_query() {
 	public function test_ajax_response_get_query_data_invalid_query() {
 		$this->_setRole( 'administrator' );
 
+		$this->enable_pro();
+
 		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
 
 		$_POST['params'] = array(
@@ -120,6 +124,8 @@ public function test_ajax_response_get_query_data_invalid_query() {
 	public function test_ajax_response_get_query_data_valid_query_with_filtered_columns() {
 		$this->_setRole( 'administrator' );
 
+		$this->enable_pro();
+
 		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
 
 		$_POST['params'] = array(
@@ -203,6 +209,8 @@ public function test_ajax_response_get_query_data_subcriber_dissallow() {
 	public function test_ajax_response_get_query_data_invalid_query_subquery() {
 		$this->_setRole( 'administrator' );
 
+		$this->enable_pro();
+
 		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
 
 		$_POST['params'] = array(
@@ -230,6 +238,8 @@ public function test_ajax_response_get_query_data_invalid_query_subquery() {
 	public function test_ajax_response_get_query_data_invalid_query_comment() {
 		$this->_setRole( 'administrator' );
 
+		$this->enable_pro();
+
 		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
 
 		$_POST['params'] = array(
@@ -264,4 +274,66 @@ public function test_sql_comment_strip() {
 		$source = new Visualizer_Source_Query( "/* SELECT */ DELETE * FROM test_table /* WHERE post_type = 'post' */");
 		$this->assertEquals( 'DELETE * FROM test_table', $source->get_query() );
 	}
+
+	/**
+	 * Test Save Query not allowed for subscriber.
+	 */
+	public function test_sql_save_chart_subscriber() {
+		$this->_setRole( 'subscriber' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_DB_QUERY . Visualizer_Plugin::VERSION );
+		$_GET['chart']    = '1';
+
+		$_POST['params'] = array(
+			'query' => "SELECT * FROM wp_posts LIMIT 1",
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_SAVE_DB_QUERY );
+		} catch ( WPAjaxDieContinueException $e ) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertEquals( 'Action not allowed for this user.', $response->data->msg );
+		$this->assertFalse( $response->success );
+	}
+
+	/**
+	 * Test Save Query not allowed if not pro.
+	 */
+	public function test_sql_save_chart_admin() {
+		wp_set_current_user( $this->admin_user_id );
+		$this->_setRole( 'administrator' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_DB_QUERY . Visualizer_Plugin::VERSION );
+		$_GET['chart']    = '1';
+
+		$_POST['params'] = array(
+			'query' => "SELECT * FROM wp_posts LIMIT 1",
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_SAVE_DB_QUERY );
+		} catch ( WPAjaxDieContinueException $e ) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertEquals( 'Feature is not available.', $response->data->msg );
+		$this->assertFalse( $response->success );
+	}
+
+	/**
+	 * Utility method to mock pro version.
+	 */
+	private function enable_pro() {
+		add_filter( 'visualizer_is_pro', '__return_true' );
+	}
 }