Improved user-specific nonce validation. Fixes #13

Author: anderly

assets/js/admin.js

@@ -16,6 +16,7 @@
 			e.preventDefault();
 			var $this = $(this);
 			var action = $this.attr('data-dul-action');
+			var nonce = $this.attr('data-dul-nonce');
 			var user_id = $this.data('dul-user-id');
 
 			var data = {
@@ -24,7 +25,7 @@
 					user_id: user_id,
 					action: action
 				},
-				nonce: SSDUL.nonces.quick_links
+				nonce: nonce //SSDUL.nonces.quick_links
 			};
 
 			console.log(`${action} user id: ${user_id}`);

disable-user-login.php

@@ -3,7 +3,7 @@
  * Plugin Name: Disable User Login
  * Plugin URI:  http://wordpress.org/plugins/disable-user-login
  * Description: Provides the ability to disable user accounts and prevent them from logging in.
- * Version:     1.3.7
+ * Version:     1.3.8
  *
  * Author:      Saint Systems
  * Author URI:  https://www.saintsystems.com

includes/class-ss-disable-user-login-plugin.php

@@ -15,7 +15,7 @@ final class SS_Disable_User_Login_Plugin {
 	 *
 	 * @var string
 	 */
-	private static $version = '1.3.7';
+	private static $version = '1.3.8';
 
 	/**
 	 * Plugin singleton instance
@@ -165,7 +165,8 @@ function add_quick_links( $actions, $user_object ) {
 				$action = 'enable';
 				$label = _x( 'Enable', 'user row action', 'disable-user-login' );
 			}
-			$actions[ 'disable_user_login' ] = "<a class='dul-quick-links' href='#' data-dul-action='$action' data-dul-user-id='$user_object->ID'>" . $label . '</a>';
+			$nonce = wp_create_nonce( sprintf( 'ssdul_enable_disable_user_%s', $user_object->ID ) );
+			$actions[ 'disable_user_login' ] = "<a class='dul-quick-links' href='#' data-dul-action='$action' data-dul-nonce='$nonce' data-dul-user-id='$user_object->ID'>" . $label . '</a>';
 		}
 		return $actions;
 	}
@@ -321,7 +322,7 @@ public function can_disable( $user_id ) {
 	 */
 	public function enable_disable_user() {
 
-		check_ajax_referer( 'ssdul_quick_links', 'nonce' );
+		// check_ajax_referer( 'ssdul_quick_links', 'nonce' );
 
 		if ( empty( $_POST['data'] ) ) return;
 
@@ -331,6 +332,8 @@ public function enable_disable_user() {
 
 		$action = $data['action'];
 
+		check_ajax_referer( sprintf( 'ssdul_enable_disable_user_%s', $user_id ), 'nonce' );
+
 		if ( ! $this->can_disable( $user_id ) ) {
 			$response = array(
 				'error' => sprintf( 'User %s cannot disable user $s.', get_current_user_id(), $user_id )

readme.txt

@@ -3,10 +3,10 @@ Contributors: saintsystems, anderly
 Donate link: https://ssms.us/donate
 Tags: users, user, login, account, disable
 Requires at least: 4.7.0
-Tested up to: 6.3
+Tested up to: 6.4.2
 Requires PHP: 5.6
-Stable tag: 1.3.7
-Version: 1.3.7
+Stable tag: 1.3.8
+Version: 1.3.8
 License: GPLv3
 
 Provides the ability to disable user accounts and prevent them from logging in.
@@ -49,6 +49,9 @@ Yes, there is a filter in place for that, `disable_user_login.disabled_message`.
 
 == Changelog ==
 
+= 1.3.8 =
+* Improved user-specific nonce validation.
+
 = 1.3.7 =
 * Add hooks for multisite.