From 4606f0955a723b4f36f8630e3db0f508503b0dac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alda=20Vigd=C3=ADs=20Skarph=C3=A9=C3=B0insd=C3=B3ttir?=
Date: Wed, 27 Nov 2024 15:22:20 +0100
Subject: [PATCH] Adding a nonce value to the product bulk action
---
 js/products.js | 7 +++++++
 src/Hooks/Admin.php | 18 +++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/js/products.js b/js/products.js
index 4081a65..0af31c9 100644
--- a/js/products.js
+++ b/js/products.js
@@ -10,6 +10,7 @@ class NineteenEightyWooProducts {
 let actionButton = document.getElementById( 'doaction' );
 let productIdInput = document.createElement( 'input' );
 let spacerTextNode = document.createTextNode( ' ' );
+ let nonceInput = document.createElement( 'input' );
 productIdInput.setAttribute( 'type', 'text' );
 productIdInput.setAttribute( 'name', 'action_post_id' );
@@ -19,8 +20,14 @@ class NineteenEightyWooProducts {
 __( 'Parent ID', '1984-dk-woo' )
 );
+ nonceInput.setAttribute( 'type', 'hidden' );
+ nonceInput.setAttribute( 'name', 'action_1984_dk_woo_nonce' );
+ nonceInput.setAttribute( 'id', 'action_1984_dk_woo_nonce_input' );
+ nonceInput.value = wpApiSettings.nonce;
+
 actionsContainer.insertBefore( productIdInput, actionButton );
 actionsContainer.insertBefore( spacerTextNode, actionButton );
+ actionsContainer.insertBefore( nonceInput, actionButton );
 }
 static removeProductInputFromActions() {
diff --git a/src/Hooks/Admin.php b/src/Hooks/Admin.php
index bf5738d..1447e01 100644
--- a/src/Hooks/Admin.php
+++ b/src/Hooks/Admin.php
@@ -239,6 +239,14 @@ public static function handle_product_to_variant_bulk_action(
 string $doaction,
 array $post_ids
 ): string {
+ if ( ! isset( $_GET['action_1984_dk_woo_nonce'] ) ) {
+ return $sendback;
+ }
+
+ if ( ! isset( $_GET['action_post_id'] ) ) {
+ return $sendback;
+ }
+
 if ( ! current_user_can( 'edit_others_posts' ) ) {
 return $sendback;
 }
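Review bot: `nonceInput.value = wpApiSettings.nonce;` reads a global that only exists when the `wp-api-request` (or `wp-api`) script handle is a dependency of this script; if it is not, the method throws a ReferenceError before any of the inputs are inserted, so the dependency should be declared where the script is enqueued or the line guarded, e.g. `if ( typeof wpApiSettings === 'undefined' ) { return; }` ahead of the assignments. Separately, `wpApiSettings.nonce` is the generic REST cookie-authentication token, so whatever the PHP side checks it against is not specific to this bulk action; a value created with `wp_create_nonce( '<ACTION-NAME>' )` and handed to the script through `wp_localize_script` or `wp_add_inline_script` would scope the token to this form alone. The hidden input is given the id `action_1984_dk_woo_nonce_input`, presumably so `removeProductInputFromActions` can remove it, but that method's body is outside the hunk and I cannot confirm it does. The enclosing method starts before this hunk.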
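Review bot: The two new `isset` guards only test presence, while the nonce value itself is verified further down (after the `current_user_can` check, in the following hunk), which is not apparent when reading this hunk on its own; a one-line comment above them would help, e.g. `// Presence checks only; the nonce value is verified after the capability check below.`. Returning `$sendback` unchanged also drops the request silently, which is acceptable for a hardening check but gives the administrator no feedback when the form is broken. `$sendback` is not among the parameters visible here; presumably it is declared on the signature line above the hunk. The enclosing function continues outside the hunk.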
@@ -247,9 +255,13 @@ public static function handle_product_to_variant_bulk_action(
 return $sendback;
 }
- // Nonce check is handled by the WP Core.
- // phpcs:ignore WordPress.Security.NonceVerification
- if ( ! isset( $_GET['action_post_id'] ) ) {
+ if ( ! wp_verify_nonce(
+ sanitize_text_field(
+ wp_unslash( $_GET['action_1984_dk_woo_nonce'] )
+ ),
+ 'wp_rest'
+ )
+ ) {
 return $sendback;
 }
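Review bot: `wp_verify_nonce( …, 'wp_rest' )` validates the generic REST cookie-authentication nonce rather than a token tied to this bulk action, so the same value that every REST request on the page already carries also satisfies this check; verifying against a dedicated action string (e.g. `'<PLUGIN-PREFIX>_product_to_variant'`, created with `wp_create_nonce` on the PHP side and localised to the script) keeps the token scoped to this form. As far as I recall, the removed comment was accurate: core's `edit.php` runs `check_admin_referer( 'bulk-posts' )` before the `handle_bulk_actions-*` filter fires, so the core `_wpnonce` already protects this path and the new check is defence in depth rather than the primary CSRF guard — worth stating in a comment so the next reader does not remove either one, e.g. `// Core already verified the bulk-posts nonce; this is an additional, action-specific check.`. The `sanitize_text_field( wp_unslash( … ) )` wrapping is the standard pattern and fine. The enclosing function continues outside the hunk.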