Improve nonce handling and permissions in crop settings API (#2624)

* Conditionally include crop settings nonce

* Improve nonce validation and permission checks in crop settings API

* Sanitize nonce input in crop settings API for improved security

Author: mtashjianjr-godaddy

includes/admin/class-coblocks-crop-settings.php

@@ -86,26 +86,22 @@ public function hide_cropped_from_library( $query ) {
 	 * Retrieve the original image.
 	 */
 	public function get_original_image() {
-		$nonce = filter_input( INPUT_POST, 'nonce' );
-
-		if ( ! $nonce ) {
-
-			wp_send_json_error( 'No nonce value present.' );
-
+		if ( ! wp_verify_nonce( sanitize_text_field( filter_input( INPUT_POST, 'nonce' ) ), 'cropSettingsOriginalImageNonce' ) ) {
+			wp_send_json_error( 'Invalid nonce value.', 403 );
 		}
 
-		if ( ! wp_verify_nonce( htmlspecialchars( $nonce ), 'cropSettingsOriginalImageNonce' ) ) {
-
-			wp_send_json_error( 'Invalid nonce value.' );
-
+		if ( ! current_user_can( 'upload_files' ) ) {
+			wp_send_json_error( 'You do not have permission.', 403 );
 		}
 
 		$id = filter_input( INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT );
 
 		if ( ! $id ) {
-
 			wp_send_json_error( 'Missing id value.' );
+		}
 
+		if ( ! current_user_can( 'edit_post', $id ) ) {
+			wp_send_json_error( 'You do not have permission to edit this attachment.', 403 );
 		}
 
 		$attachment_meta   = wp_get_attachment_metadata( $id );
@@ -127,18 +123,22 @@ public function get_original_image() {
 	 * Cropping.
 	 */
 	public function api_crop() {
-		$nonce = filter_input( INPUT_POST, 'nonce' );
-
-		if ( ! $nonce ) {
-
-			wp_send_json_error( 'No nonce value present.' );
+		if ( ! wp_verify_nonce( sanitize_text_field( filter_input( INPUT_POST, 'nonce' ) ), 'cropSettingsNonce' ) ) {
+			wp_send_json_error( 'Invalid nonce value.', 403 );
+		}
 
+		if ( ! current_user_can( 'upload_files' ) ) {
+			wp_send_json_error( 'You do not have permission.', 403 );
 		}
 
-		if ( ! wp_verify_nonce( htmlspecialchars( $nonce ), 'cropSettingsNonce' ) ) {
+		$id = filter_input( INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT );
 
-			wp_send_json_error( 'Invalid nonce value.' );
+		if ( ! $id ) {
+			wp_send_json_error( 'Missing id value.' );
+		}
 
+		if ( ! current_user_can( 'edit_post', $id ) ) {
+			wp_send_json_error( 'You do not have permission to edit this attachment.', 403 );
 		}
 
 		if (

includes/class-coblocks-block-assets.php

@@ -288,28 +288,28 @@ public function editor_assets() {
 		$form_subject = $form->default_subject();
 		$success_text = $form->default_success_text();
 
-		wp_localize_script(
-			'coblocks-editor',
-			'coblocksBlockData',
-			array(
-				'form'                           => array(
-					'adminEmail'   => $email_to,
-					'emailSubject' => $form_subject,
-					'successText'  => $success_text,
-				),
-				'cropSettingsOriginalImageNonce' => wp_create_nonce( 'cropSettingsOriginalImageNonce' ),
-				'cropSettingsNonce'              => wp_create_nonce( 'cropSettingsNonce' ),
-				'labsSiteDesignNonce'            => wp_create_nonce( 'labsSiteDesignNonce' ),
-				'bundledIconsEnabled'            => $bundled_icons_enabled,
-				'customIcons'                    => $this->get_custom_icons(),
-				'customIconConfigExists'         => file_exists( get_stylesheet_directory() . '/coblocks/icons/config.json' ),
-				'typographyControlsEnabled'      => $typography_controls_enabled,
-				'animationControlsEnabled'       => $animation_controls_enabled,
-				'localeCode'                     => get_locale(),
-				'baseApiNamespace'               => COBLOCKS_API_NAMESPACE,
-			)
+		$localize_data = array(
+			'form'                           => array(
+				'adminEmail'   => $email_to,
+				'emailSubject' => $form_subject,
+				'successText'  => $success_text,
+			),
+			'labsSiteDesignNonce'            => wp_create_nonce( 'labsSiteDesignNonce' ),
+			'bundledIconsEnabled'            => $bundled_icons_enabled,
+			'customIcons'                    => $this->get_custom_icons(),
+			'customIconConfigExists'         => file_exists( get_stylesheet_directory() . '/coblocks/icons/config.json' ),
+			'typographyControlsEnabled'      => $typography_controls_enabled,
+			'animationControlsEnabled'       => $animation_controls_enabled,
+			'localeCode'                     => get_locale(),
+			'baseApiNamespace'               => COBLOCKS_API_NAMESPACE,
 		);
 
+		if ( current_user_can( 'upload_files' ) ) {
+			$localize_data['cropSettingsOriginalImageNonce'] = wp_create_nonce( 'cropSettingsOriginalImageNonce' );
+			$localize_data['cropSettingsNonce']              = wp_create_nonce( 'cropSettingsNonce' );
+		}
+
+		wp_localize_script( 'coblocks-editor', 'coblocksBlockData', $localize_data );
 	}
 
 	/**