Check user permissions for subscriber actions.

Camwyn · Camwyn · commit 0a9feec5af9c · 2025-04-25T11:10:27.000-04:00
diff --git a/src/Telemetry/Exit_Interview/Exit_Interview_Subscriber.php b/src/Telemetry/Exit_Interview/Exit_Interview_Subscriber.php
@@ -80,6 +80,18 @@ public function render_exit_interview() {
 	 * @return void
 	 */
 	public function ajax_exit_interview() {
+		$nonce = filter_input( INPUT_POST, 'nonce', FILTER_SANITIZE_SPECIAL_CHARS );
+		$nonce = ! empty( $nonce ) ? $nonce : '';
+
+		if ( ! wp_verify_nonce( $nonce, self::AJAX_ACTION ) ) {
+			wp_send_json_error( 'Invalid nonce' );
+		}
+
+		// Check if the user has the necessary permissions.
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( 'User does not have proper permissions plugins' );
+		}
+
 		$uninstall_reason_id = filter_input( INPUT_POST, 'uninstall_reason_id', FILTER_SANITIZE_SPECIAL_CHARS );
 		$uninstall_reason_id = ! empty( $uninstall_reason_id ) ? $uninstall_reason_id : false;
 		if ( ! $uninstall_reason_id ) {
@@ -97,13 +109,6 @@ public function ajax_exit_interview() {
 		$comment = filter_input( INPUT_POST, 'comment', FILTER_SANITIZE_SPECIAL_CHARS );
 		$comment = ! empty( $comment ) ? $comment : '';
 
-		$nonce = filter_input( INPUT_POST, 'nonce', FILTER_SANITIZE_SPECIAL_CHARS );
-		$nonce = ! empty( $nonce ) ? $nonce : '';
-
-		if ( ! wp_verify_nonce( $nonce, self::AJAX_ACTION ) ) {
-			wp_send_json_error( 'Invalid nonce' );
-		}
-
 		$telemetry = $this->container->get( Telemetry::class );
 		$telemetry->send_uninstall( $plugin_slug, $uninstall_reason_id, $uninstall_reason, $comment );
 
diff --git a/src/Telemetry/Opt_In/Opt_In_Subscriber.php b/src/Telemetry/Opt_In/Opt_In_Subscriber.php
@@ -61,6 +61,10 @@ public function set_optin_status() {
 			return;
 		}
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
+
 		// We're not attempting a telemetry action.
 		if ( isset( $_POST['action'] ) && 'stellarwp-telemetry' !== $_POST['action'] ) {
 			return;
