fix: only allow admin and select

preda-bogdan · preda-bogdan · commit dafb6d927c1c · 2024-04-17T13:40:31.000+03:00
References: Codeinwp/visualizer-pro#433
diff --git a/.gitignore b/.gitignore
@@ -11,4 +11,5 @@ cypress.env.json
 .DS_Store
 /cypress/videos/
 /cypress/screenshots/
-artifacts
+artifacts
+.phpunit.result.cache
diff --git a/classes/Visualizer/Module/Chart.php b/classes/Visualizer/Module/Chart.php
@@ -1421,7 +1421,7 @@ private function _handleDataPage() {
 	public function getQueryData() {
 		check_ajax_referer( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION, 'security' );
 
-		if ( ! current_user_can( 'edit_posts' ) ) {
+		if ( ! current_user_can( 'manage_options' ) ) {
 			wp_send_json_error( array( 'msg' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
 		}
 
diff --git a/classes/Visualizer/Source/Query.php b/classes/Visualizer/Source/Query.php
@@ -80,7 +80,7 @@ public function fetch( $as_html = false, $results_as_numeric_array = false, $raw
 		}
 
 		// only select queries allowed.
-		if ( preg_match( '/\s*(\binsert\b|\bdelete\b|\bupdate\b|\breplace\b|\bcreate\b|\balter\b|\bdrop\b|\btruncate\b)\s/i', $this->_query ) ) {
+		if ( ! preg_match( '/\s*(\bselect\b)\s/i', $this->_query ) ) {
 			$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );
 			return false;
 		}
diff --git a/tests/test-ajax.php b/tests/test-ajax.php
@@ -20,10 +20,17 @@ class Test_Visualizer_Ajax extends WP_Ajax_UnitTestCase {
 	 */
 	private $admin_user_id;
 
+	/**
+	 * Subscriber user ID.
+	 *
+	 * @var int
+	 */
+	private $subscriber_user_id;
+
 	/**
 	 * Set up.
 	 */
-	public function setUp() {
+	public function setUp(): void {
 		parent::setUp();
 		$this->admin_user_id = $this->factory->user->create(
 			array(
@@ -32,6 +39,12 @@ public function setUp() {
 		);
 		wp_set_current_user( $this->admin_user_id );
 
+		$this->subscriber_user_id = $this->factory->user->create(
+			array(
+				'role' => 'subscriber',
+			)
+		);
+
 	}
 
 	/**
@@ -117,6 +130,7 @@ public function test_ajax_response_get_query_data_valid_query_with_filtered_colu
 	 * Test the AJAX response for fetching the database data with user capability.
 	 */
 	public function test_ajax_response_get_query_data_subcriber_dissallow() {
+		wp_set_current_user( $this->subscriber_user_id );
 		$this->_setRole( 'subscriber' );
 
 		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );

Original file line number	Diff line number	Diff line change
`@@ -1421,7 +1421,7 @@ private function _handleDataPage() {`
`1421`	`1421`	`public function getQueryData() {`
`1422`	`1422`	`check_ajax_referer( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION, 'security' );`
`1423`	`1423`
`1424`		`- if ( ! current_user_can( 'edit_posts' ) ) {`
	`1424`	`+ if ( ! current_user_can( 'manage_options' ) ) {`
`1425`	`1425`	`wp_send_json_error( array( 'msg' => __( 'Action not allowed for this user.', 'visualizer' ) ) );`
`1426`	`1426`	`}`
`1427`	`1427`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ public function fetch( $as_html = false, $results_as_numeric_array = false, $raw`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`// only select queries allowed.`
`83`		`- if ( preg_match( '/\s*(\binsert\b\|\bdelete\b\|\bupdate\b\|\breplace\b\|\bcreate\b\|\balter\b\|\bdrop\b\|\btruncate\b)\s/i', $this->_query ) ) {`
	`83`	`+ if ( ! preg_match( '/\s*(\bselect\b)\s/i', $this->_query ) ) {`
`84`	`84`	`$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );`
`85`	`85`	`return false;`
`86`	`86`	`}`