Fix #454

pluginever · Dec 3, 2024 · f4107ee · f4107ee
1 parent 5e124f6
commit f4107ee
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/includes/Admin/Orders.php b/includes/Admin/Orders.php
@@ -64,6 +64,13 @@ public function add_order_action( $actions ) {
 	 * @since 1.0.0
 	 */
 	public function handle_order_action( $order ) {
+		// Must have manage woocommerce user capability role to access this endpoint.
+		if ( ! current_user_can( 'manage_woocommerce' ) ) { // phpcs:ignore WordPress.WP.Capabilities.Unknown
+			WCSN()->add_notice( __( 'You do not have permission to perform this action.', 'wc-serial-numbers' ), 'error' );
+			wp_safe_redirect( wp_get_referer() );
+			exit;
+		}
+
 		$order_id = $order->get_id();
 		$action   = current_action();
 		$action   = str_replace( 'woocommerce_order_action_', '', $action );
@@ -197,6 +204,13 @@ public function add_order_bulk_action( $actions ) {
 	 * @return string
 	 */
 	public function handle_order_bulk_action( $redirect_to, $action, $order_ids ) {
+		// Must have manage woocommerce user capability role to access this endpoint.
+		if ( ! current_user_can( 'manage_woocommerce' ) ) { // phpcs:ignore WordPress.WP.Capabilities.Unknown
+			WCSN()->add_notice( __( 'You do not have permission to perform this action.', 'wc-serial-numbers' ), 'error' );
+			wp_safe_redirect( wp_get_referer() );
+			exit;
+		}
+
 		if ( in_array( $action, array( 'wcsn_add_keys', 'wcsn_remove_keys' ), true ) ) {
 			foreach ( $order_ids as $order_id ) {
 				switch ( $action ) {