Merge branch 'develop' into trunk

10up · May 16, 2023 · 043163c · 043163c
2 parents 58cca1d + f0d54e3
commit 043163c
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 20 deletions.
diff --git a/.distignore b/.distignore
@@ -10,6 +10,8 @@
 # Files to ignore
 /.distignore
 /.editorconfig
+/.eslintignore
+/.eslintrc.js
 /.gitattributes
 /.gitignore
 /.phpcs.xml.dist

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file, per [the Ke
 
 ## [Unreleased] - TBD
 
+## [2.5.1] - 2023-05-16
+### Security
+- Ensure we check user permissions properly in our REST endpoint (props [@mikhail-net](https://github.com/mikhail-net), [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)).
+
 ## [2.5.0] - 2023-04-18
 **Note that this release bumps the minimum required versions of PHP from 5.6 to 7.4 and WordPress from 3.8 to 5.7.**
 
@@ -248,6 +252,7 @@ All notable changes to this project will be documented in this file, per [the Ke
 - Updated version requirements.
 
 [Unreleased]: https://github.com/10up/simple-page-ordering/compare/trunk...develop
+[2.5.1]: https://github.com/10up/simple-page-ordering/compare/2.5.0...2.5.1
 [2.5.0]: https://github.com/10up/simple-page-ordering/compare/2.4.4...2.5.0
 [2.4.4]: https://github.com/10up/simple-page-ordering/compare/2.4.3...2.4.4
 [2.4.3]: https://github.com/10up/simple-page-ordering/compare/2.4.2...2.4.3

diff --git a/CREDITS.md b/CREDITS.md
@@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[10up (@10up)](https://github.com/10up), [Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Oomph, Inc. (@oomphinc)](https://github.com/oomphinc), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Ben Huson (@benhuson)](https://github.com/benhuson), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [@dtbaker](https://github.com/dtbaker), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Marco Pereirinha (@pereirinha)](https://github.com/pereirinha), [Brent van Rensburg (@brentvr)](https://github.com/brentvr), [Caspar Hübinger (@glueckpress)](https://github.com/glueckpress), [Thomas Griffin (@thomasgriffin)](https://github.com/thomasgriffin), [Simon Waters (@SimonWaters)](https://github.com/SimonWaters), [Dion Hulse (@dd32)](https://github.com/dd32), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Max Lyuchin (@cadic)](https://github.com/cadic), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ankit Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Siddharth Thevaril (@Sidsector9)](https://profiles.wordpress.org/Sidsector9/), [(@dzulfriday)](https://profiles.wordpress.org/dzulfriday/), [Erik Betshammar (@kebbet)](https://github.com/kebbet), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Dan Ruscoe (@ruscoe)](https://github.com/ruscoe), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Dependabot (@dependabot)](https://github.com/apps/dependabot).
+[10up (@10up)](https://github.com/10up), [Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Oomph, Inc. (@oomphinc)](https://github.com/oomphinc), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Ben Huson (@benhuson)](https://github.com/benhuson), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [@dtbaker](https://github.com/dtbaker), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Marco Pereirinha (@pereirinha)](https://github.com/pereirinha), [Brent van Rensburg (@brentvr)](https://github.com/brentvr), [Caspar Hübinger (@glueckpress)](https://github.com/glueckpress), [Thomas Griffin (@thomasgriffin)](https://github.com/thomasgriffin), [Simon Waters (@SimonWaters)](https://github.com/SimonWaters), [Dion Hulse (@dd32)](https://github.com/dd32), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Max Lyuchin (@cadic)](https://github.com/cadic), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ankit Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Siddharth Thevaril (@Sidsector9)](https://profiles.wordpress.org/Sidsector9/), [(@dzulfriday)](https://profiles.wordpress.org/dzulfriday/), [Erik Betshammar (@kebbet)](https://github.com/kebbet), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Dan Ruscoe (@ruscoe)](https://github.com/ruscoe), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Dependabot (@dependabot)](https://github.com/apps/dependabot), [Mika (@mikhail-net)](https://github.com/mikhail-net).
 
 ## Libraries
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "simple-page-ordering",
   "description": "Order your pages and other hierarchical post types with simple drag and drop right from the standard page list.",
-  "version": "2.5.0",
+  "version": "2.5.1",
   "author": "10up <[email protected]>",
   "license": "GPLv2 ( or later )",
   "devDependencies": {

diff --git a/readme.txt b/readme.txt
@@ -5,7 +5,7 @@ Tags:              order, re-order, ordering, pages, page, manage, menu_order, h
 Requires at least: 5.7
 Requires PHP:      7.4
 Tested up to:      6.2
-Stable tag:        2.5.0
+Stable tag:        2.5.1
 License:           GPLv2 or later
 License URI:       http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -110,6 +110,9 @@ Yes. The plugin registers the REST endpoint `simple-page-ordering/v1/page_orderi
 
 == Changelog ==
 
+= 2.5.1 - 2023-05-16 =
+* **Security:** Ensure we check user permissions properly in our REST endpoint (props [@mikhail-net](https://github.com/mikhail-net), [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)).
+
 = 2.5.0 - 2023-04-18 =
 **Note that this release bumps the minimum required versions of PHP from 5.6 to 7.4 and WordPress from 3.8 to 5.7.**
 
@@ -269,7 +272,7 @@ Yes. The plugin registers the REST endpoint `simple-page-ordering/v1/page_orderi
 * **Changed:** Simplified code - consolidated hooks.
 * **Changed:** Updated version requirements.
 
-== Upgrade Notice == 
+== Upgrade Notice ==
 
 = 2.5.0 =
 This release bumps the minimum required versions of PHP from 5.6 to 7.4 and WordPress from 3.8 to 5.7.
diff --git a/simple-page-ordering.php b/simple-page-ordering.php
@@ -3,7 +3,7 @@
  * Plugin Name:       Simple Page Ordering
  * Plugin URI:        http://10up.com/plugins/simple-page-ordering-wordpress/
  * Description:       Order your pages and hierarchical post types using drag and drop on the built in page list. For further instructions, open the "Help" tab on the Pages screen.
- * Version:           2.5.0
+ * Version:           2.5.1
  * Requires at least: 5.7
  * Requires PHP:      7.4
  * Author:            10up
@@ -16,7 +16,7 @@
  */
 
 // Useful global constants.
-define( 'SIMPLE_PAGE_ORDERING_VERSION', '2.5.0' );
+define( 'SIMPLE_PAGE_ORDERING_VERSION', '2.5.1' );
 
 if ( ! class_exists( 'Simple_Page_Ordering' ) ) :
 
@@ -270,7 +270,7 @@ public static function page_ordering( $post_id, $previd, $nextid, $start, $exclu
 			// real post?
 			$post = empty( $post_id ) ? false : get_post( (int) $post_id );
 			if ( ! $post ) {
-				return new WP_Error( __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
+				return new WP_Error( 'invalid', __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
 			}
 
 			// Badly written plug-in hooks for save post can break things.
@@ -496,40 +496,80 @@ public static function rest_api_init() {
 				[
 					'methods'             => 'POST',
 					'callback'            => array( __CLASS__, 'rest_page_ordering' ),
-					'permission_callback' => '__return_true',
+					'permission_callback' => array( __CLASS__, 'rest_page_ordering_permissions_check' ),
 					'args'                => [
 						'id'      => [
-							'description' => __( 'Post ID.', 'simple-page-ordering' ),
+							'description' => __( 'ID of item we want to sort', 'simple-page-ordering' ),
 							'required'    => true,
-							'type'        => 'numeric',
+							'type'        => 'integer',
+							'minimum'     => 1,
 						],
 						'previd'  => [
-							'description' => __( 'Previous post ID', 'simple-page-ordering' ),
+							'description' => __( 'ID of item we want to be previous to after sorting', 'simple-page-ordering' ),
 							'required'    => true,
-							'type'        => 'numeric',
+							'type'        => [ 'boolean', 'integer' ],
 						],
 						'nextid'  => [
-							'description' => __( 'Next post ID', 'simple-page-ordering' ),
+							'description' => __( 'ID of item we want to be next to after sorting', 'simple-page-ordering' ),
 							'required'    => true,
-							'type'        => 'numeric',
+							'type'        => [ 'boolean', 'integer' ],
 						],
 						'start'   => [
 							'default'     => 1,
-							'description' => __( 'Start index', 'simple-page-ordering' ),
+							'description' => __( 'Index we start with when sorting', 'simple-page-ordering' ),
 							'required'    => false,
-							'type'        => 'numeric',
+							'type'        => 'integer',
 						],
 						'exclude' => [
 							'default'     => [],
-							'description' => __( 'Array of excluded post IDs', 'simple-page-ordering' ),
+							'description' => __( 'Array of IDs we want to exclude', 'simple-page-ordering' ),
 							'required'    => false,
 							'type'        => 'array',
+							'items'       => [
+								'type' => 'integer',
+							],
 						],
 					],
 				]
 			);
 		}
 
+		/**
+		 * Check if a given request has access to reorder content.
+		 *
+		 * This check ensures the current user making the request has
+		 * proper permissions to edit the item, that the post type
+		 * is allowed in REST requests and the post type is sortable.
+		 *
+		 * @since 2.5.1
+		 *
+		 * @param WP_REST_Request $request Full data about the request.
+		 * @return bool|WP_Error
+		 */
+		public static function rest_page_ordering_permissions_check( WP_REST_Request $request ) {
+			$post_id = $request->get_param( 'id' );
+
+			// Ensure we have a logged in user that can edit the item.
+			if ( ! current_user_can( 'edit_post', $post_id ) ) {
+				return false;
+			}
+
+			$post_type     = get_post_type( $post_id );
+			$post_type_obj = get_post_type_object( $post_type );
+
+			// Ensure the post type is allowed in REST endpoints.
+			if ( ! $post_type || empty( $post_type_obj ) || empty( $post_type_obj->show_in_rest ) ) {
+				return false;
+			}
+
+			// Ensure this post type is sortable.
+			if ( ! self::is_post_type_sortable( $post_type ) ) {
+				return new WP_Error( 'not_enabled', esc_html__( 'This post type is not sortable.', 'simple-page-ordering' ) );
+			}
+
+			return true;
+		}
+
 		/**
 		 * Handle REST page sorting
 		 *
@@ -544,7 +584,7 @@ public static function rest_page_ordering( WP_REST_Request $request ) {
 
 			// Check and make sure we have what we need.
 			if ( false === $post_id || ( false === $previd && false === $nextid ) ) {
-				return new WP_Error( __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
+				return new WP_Error( 'invalid', __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
 			}
 
 			$page_ordering = self::page_ordering( $post_id, $previd, $nextid, $start, $excluded );