From f4107eef17e6e0a086506295614303dab6f582b7 Mon Sep 17 00:00:00 2001
From: kawsarahmedr
Date: Tue, 3 Dec 2024 16:26:24 +0600
Subject: [PATCH] Fix #454

---
 includes/Admin/Orders.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/includes/Admin/Orders.php b/includes/Admin/Orders.php
index 15e24a87..93f40b51 100644
--- a/includes/Admin/Orders.php
+++ b/includes/Admin/Orders.php
@@ -64,6 +64,13 @@ public function add_order_action( $actions ) {
 * @since 1.0.0
 */
 public function handle_order_action( $order ) {
+ // Must have manage woocommerce user capability role to access this endpoint.
+ if ( ! current_user_can( 'manage_woocommerce' ) ) { // phpcs:ignore WordPress.WP.Capabilities.Unknown
+ WCSN()->add_notice( __( 'You do not have permission to perform this action.', 'wc-serial-numbers' ), 'error' );
+ wp_safe_redirect( wp_get_referer() );
+ exit;
+ }
+
 $order_id = $order->get_id();
 $action = current_action();
 $action = str_replace( 'woocommerce_order_action_', '', $action );
@@ -197,6 +204,13 @@ public function add_order_bulk_action( $actions ) {
 * @return string
 */
 public function handle_order_bulk_action( $redirect_to, $action, $order_ids ) {
+ // Must have manage woocommerce user capability role to access this endpoint.
+ if ( ! current_user_can( 'manage_woocommerce' ) ) { // phpcs:ignore WordPress.WP.Capabilities.Unknown
+ WCSN()->add_notice( __( 'You do not have permission to perform this action.', 'wc-serial-numbers' ), 'error' );
+ wp_safe_redirect( wp_get_referer() );
+ exit;
+ }
+
 if ( in_array( $action, array( 'wcsn_add_keys', 'wcsn_remove_keys' ), true ) ) {
 foreach ( $order_ids as $order_id ) {
 switch ( $action ) {
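Review bot: The new guard in handle_order_action has no fallback destination: `wp_get_referer()` returns `false` when the request carries no usable referer, `wp_safe_redirect( false )` then sends no Location header, and the following `exit` leaves the user on a blank page with the notice never displayed. Capture the referer once and fall back to the admin dashboard, e.g. `$referer = wp_get_referer();` followed by `wp_safe_redirect( $referer ? $referer : admin_url() );`. The identical seven-line block is pasted into handle_order_bulk_action in the second hunk; extracting it into a single private method keeps the two authorization checks from drifting apart (the capability check is authorization only — whether the hooks that trigger these callbacks also verify a nonce is not visible in this patch). The body of handle_order_action continues outside the hunk.
```php
	/**
	 * Stop the request unless the current user may manage WooCommerce.
	 *
	 * Adds an error notice, sends the user back to the referring page (or the
	 * admin dashboard when no referer is available) and terminates the request.
	 * Both order-action handlers call this as their first statement.
	 *
	 * @return void
	 */
	private function verify_manage_capability() {
		if ( current_user_can( 'manage_woocommerce' ) ) { // phpcs:ignore WordPress.WP.Capabilities.Unknown
			return;
		}

		WCSN()->add_notice( __( 'You do not have permission to perform this action.', 'wc-serial-numbers' ), 'error' );
		$referer = wp_get_referer();
		wp_safe_redirect( $referer ? $referer : admin_url() );
		exit;
	}
```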
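Review bot: In handle_order_bulk_action the redirect-and-exit in the new guard works against the method's own contract: it is documented `@return string` two lines above and receives the destination as `$redirect_to`, and a bulk-action filter callback is presumably expected to return that URL for the caller to redirect to. Replacing `wp_safe_redirect( wp_get_referer() );` and `exit;` with `return $redirect_to;` keeps the error notice, removes the dependence on a referer header being present, and lets the caller finish the request normally. The `phpcs:ignore WordPress.WP.Capabilities.Unknown` suppression on both new checks would be unnecessary if `manage_woocommerce` were registered under the sniff's `custom_capabilities` property in the project's phpcs configuration. The body of handle_order_bulk_action continues outside the hunk.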