
pr: [Nightly Fix] - Security - Restrict Preview Access#9

Open
jewel-claw wants to merge 1 commit into master from nightly-fix/preview-capability-guard


@jewel-claw

What

  • require the current user to actually have the Ninja Tables admin capability before rendering table preview endpoints

Why

  • the preview handlers were checking whether ninja_table_admin_role() returned a role string, not whether the current visitor had that capability
  • unauthenticated visitors could load admin preview output by hitting the preview query args directly

Fix

  • resolve the role once per preview handler
  • gate both preview endpoints behind an explicit capability check for the current user

Confidence

  • linted app/Hooks/Handlers/PreviewHandler.php with php -l

@greptile-apps

greptile-apps bot commented Mar 19, 2026

PR author is not in the allowed authors list.

@kilo-code-bot

kilo-code-bot bot commented Mar 19, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

This is a solid security fix that addresses an authorization bypass vulnerability in the preview handlers.

Severity   | Count
CRITICAL   | 0
WARNING    | 0
SUGGESTION | 0

Security Analysis

The original code:

if (ninja_table_admin_role()) {

Only checked if ninja_table_admin_role() returned a truthy value (a role string), but did not verify whether the current user actually had that capability. This allowed unauthenticated visitors to access admin preview endpoints.

The fix properly:

  1. Stores the role in a variable: $role = ninja_table_admin_role();
  2. Checks both conditions: if ($role && current_user_can($role))

This ensures only users who actually possess the Ninja Tables admin capability can access the preview endpoints.

Changes Applied To

Files Reviewed (1 file)
  • app/Hooks/Handlers/PreviewHandler.php - No issues
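
The two guards discussed in this thread, side by side, as an added example that is not code from the pull request or the plugin. The stubs for ninja_table_admin_role() and current_user_can(), the 'manage_options' return value, and the sample visitors are assumptions that follow the PR's description, so the script runs with the PHP CLI outside WordPress:

```php
<?php
// Added illustration: stand-ins replace WordPress and the plugin.

// Constructed stand-in for the current visitor's capabilities (empty = logged out).
$GLOBALS['demo_caps'] = [];

// Stand-in for the plugin helper, behaving as the PR describes: it returns a
// capability name no matter who is asking. 'manage_options' is an assumed value.
function ninja_table_admin_role() {
    return 'manage_options';
}

// Stand-in for WordPress's current_user_can(): true only if the visitor
// actually holds the capability.
function current_user_can($capability) {
    return in_array($capability, $GLOBALS['demo_caps'], true);
}

// Before: a non-empty string is truthy, so the guard passes for every visitor.
function preview_allowed_before() {
    return (bool) ninja_table_admin_role();
}

// After: the condition from the fix. Resolve the role once, then check it
// against the current user.
function preview_allowed_after() {
    $role = ninja_table_admin_role();
    return $role && current_user_can($role);
}

// Constructed sample visitors and the capabilities each one holds.
$visitors = [
    'anonymous'     => [],
    'subscriber'    => ['read'],
    'administrator' => ['read', 'manage_options'],
];

foreach ($visitors as $name => $caps) {
    $GLOBALS['demo_caps'] = $caps;
    printf("%-14s before=%-5s after=%s\n", $name,
        var_export(preview_allowed_before(), true),
        var_export(preview_allowed_after(), true));
}
```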
