Adding our own nonce checks because the WP Plugin Repository team ask…

…ed us (#203) What will they come up with next?
1984hosting · Nov 27, 2024 · 02b44b0 · 02b44b0
1 parent 1b64e6d
commit 02b44b0
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 34 deletions.
diff --git a/src/Hooks/KennitalaField.php b/src/Hooks/KennitalaField.php
@@ -124,6 +124,23 @@ public function __construct() {
 			10,
 			2
 		);
+
+		add_action(
+			'edit_form_top',
+			array( __CLASS__, 'add_nonce_to_order_editor' ),
+			10,
+			2
+		);
+	}
+
+	/**
+	 * Add our own nonce field to the post editor
+	 */
+	public static function add_nonce_to_order_editor(): void {
+		wp_nonce_field(
+			'1984_dk_woo_edit',
+			'1984_dk_woo_edit_nonce_field'
+		);
 	}
 
 	/**
@@ -163,12 +180,25 @@ public static function update_order_meta(
 		int $post_id,
 		WP_Post|WC_Order $wc_order
 	): void {
-		// Nonce check is handled by WooCommerce.
-		// phpcs:ignore WordPress.Security.NonceVerification
+		if ( ! isset( $_POST['1984_dk_woo_edit_nonce_field'] ) ) {
+			return;
+		}
+
+		if (
+			! wp_verify_nonce(
+				sanitize_text_field(
+					wp_unslash(
+						$_POST['1984_dk_woo_edit_nonce_field']
+					)
+				),
+				'1984_dk_woo_edit'
+			)
+		) {
+			return;
+		}
+
 		if ( isset( $_POST['_billing_kennitala'] ) ) {
 			$kennitala = sanitize_text_field(
-				// Nonce check is handled by WooCommerce.
-				// phpcs:ignore WordPress.Security.NonceVerification
 				wp_unslash( $_POST['_billing_kennitala'] )
 			);
 
@@ -402,6 +432,11 @@ public static function render_classic_checkout_field(
 			$kennitala = '';
 		}
 
+		wp_nonce_field(
+			'classic_checkout_set_kennitala',
+			'classic_checkout_set_kennitala_nonce_field'
+		);
+
 		woocommerce_form_field(
 			'billing_kennitala',
 			array(
@@ -439,13 +474,27 @@ public static function render_classic_checkout_field(
 	 * taken care of that for us at this point.
 	 */
 	public static function check_classic_checkout_field(): void {
-		// Nonce check is handled by WooCommerce.
-		// phpcs:ignore WordPress.Security.NonceVerification
+		if ( ! isset( $_POST['classic_checkout_set_kennitala_nonce_field'] ) ) {
+			return;
+		}
+
+		if (
+			! wp_verify_nonce(
+				sanitize_text_field(
+					wp_unslash(
+						$_POST['classic_checkout_set_kennitala_nonce_field']
+					)
+				),
+				'classic_checkout_set_kennitala'
+			)
+		) {
+			wp_die( 'Kennitala nonce not valid!' );
+			return;
+		}
+
 		if ( isset( $_POST['kennitala'] ) ) {
 
 			$kennitala = sanitize_text_field(
-				// Nonce check is handled by WooCommerce.
-				// phpcs:ignore WordPress.Security.NonceVerification
 				wp_unslash( $_POST['kennitala'] )
 			);
 
@@ -467,7 +516,7 @@ public static function check_classic_checkout_field(): void {
 	}
 
 	/**
-	 * Save the kennitala from the block-based checkout process
+	 * Save the kennitala from the "classic" checkout process
 	 *
 	 * This is used by the `woocommerce_checkout_update_order_meta` hook.
 	 *
@@ -477,14 +526,28 @@ public static function check_classic_checkout_field(): void {
 	 * @param int $order_id The order id.
 	 */
 	public static function save_classic_checkout_field( int $order_id ): void {
+		if ( ! isset( $_POST['classic_checkout_set_kennitala_nonce_field'] ) ) {
+			return;
+		}
+
+		if (
+			! wp_verify_nonce(
+				sanitize_text_field(
+					wp_unslash(
+						$_POST['classic_checkout_set_kennitala_nonce_field']
+					)
+				),
+				'classic_checkout_set_kennitala'
+			)
+		) {
+			wp_die( 'Kennitala nonce not valid!' );
+			return;
+		}
+
 		$order_object = new WC_Order( $order_id );
 
-		// Nonce check is handled by WooCommerce.
-		// phpcs:ignore WordPress.Security.NonceVerification
 		if ( isset( $_POST['billing_kennitala'] ) ) {
 			$kennitala = sanitize_text_field(
-				// Nonce check is handled by WooCommerce.
-				// phpcs:ignore WordPress.Security.NonceVerification
 				wp_unslash( $_POST['billing_kennitala'] )
 			);
 
@@ -496,8 +559,6 @@ public static function save_classic_checkout_field( int $order_id ): void {
 			);
 		}
 
-		// Nonce check is handled by WooCommerce.
-		// phpcs:ignore WordPress.Security.NonceVerification
 		if ( isset( $_POST['kennitala_invoice_requested'] ) ) {
 			$order_object->update_meta_data( 'kennitala_invoice_requested', 1 );
 		} else {

diff --git a/views/dk_invoice_metabox.php b/views/dk_invoice_metabox.php
@@ -10,24 +10,7 @@
 
 global $post;
 
-
-if ( $post ) {
-	$wc_order = wc_get_order( $post->ID );
-} else {
-	// Nonce check is handled by the WooCommerce, which does not make a global
-	// "product" object available in this case.
-	// phpcs:ignore WordPress.Security.NonceVerification
-	if ( isset( $_GET['id'] ) ) {
-		$wc_order = wc_get_order(
-			// Nonce check is handled by the WooCommerce, which does not make a
-			// global "product" object available in this case.
-			// phpcs:ignore WordPress.Security.NonceVerification
-			sanitize_text_field( wp_unslash( $_GET['id'] ) )
-		);
-	} else {
-		exit;
-	}
-}
+$wc_order = wc_get_order( $post->ID );
 
 $invoice_number        = $wc_order->get_meta( '1984_woo_dk_invoice_number', true, 'edit' );
 $credit_invoice_number = $wc_order->get_meta( '1984_woo_dk_credit_invoice_number', true, 'edit' );

diff --git a/views/product_options_advanced_partial.php b/views/product_options_advanced_partial.php
@@ -11,7 +11,7 @@
 
 global $post;
 
-$wc_product       = new WC_Product( $post );
+$wc_product       = wc_get_product( $post );
 $product_currency = ProductHelper::get_currency( $wc_product );
 
 ?>