Merge pull request from GHSA-mf7v-fq88-cf62

Improve checks on proxy endpoints on v3.4
Parsely · Feb 13, 2023 · fd56ae0 · fd56ae0
2 parents 34067b1 + 2fdbed6
commit fd56ae0
Show file tree

Hide file tree

Showing 9 changed files with 44 additions and 32 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.4.3](https://github.com/Parsely/wp-parsely/compare/3.4.2...3.4.3) - 2023-02-13
+
+### Fixed
+
+- Improve checks on proxy endpoints
+
 ## [3.4.2](https://github.com/Parsely/wp-parsely/compare/3.4.1...3.4.2) - 2022-07-07
 
 ### Fixed

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Parse.ly
 
-Stable tag: 3.4.2  
+Stable tag: 3.4.3  
 Requires at least: 5.0  
 Tested up to: 6.0  
 Requires PHP: 7.1  

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "wp-parsely",
-	"version": "3.4.2",
+	"version": "3.4.3",
 	"private": true,
 	"description": "The Parse.ly plugin facilitates real-time and historical analytics to your content through a platform designed and built for digital publishing.",
 	"author": "parsely, hbbtstar, jblz, mikeyarce, GaryJ, parsely_mike, pauarge",

diff --git a/src/Endpoints/class-analytics-posts-api-proxy.php b/src/Endpoints/class-analytics-posts-api-proxy.php
@@ -22,7 +22,7 @@ final class Analytics_Posts_API_Proxy extends Base_API_Proxy {
 	 * Registers the endpoint's WP REST route.
 	 */
 	public function run(): void {
-		$this->register_endpoint( '/analytics/posts' );
+		$this->register_endpoint( '/analytics/posts', 'publish_posts' );
 	}
 
 	/**
@@ -58,14 +58,4 @@ static function( stdClass $item ) use ( $date_format ) {
 
 		return $result;
 	}
-
-	/**
-	 * Determines if there are enough permissions to call the endpoint.
-	 *
-	 * @return bool
-	 */
-	public function permission_callback(): bool {
-		// Unauthenticated.
-		return true;
-	}
 }
diff --git a/src/Endpoints/class-base-api-proxy.php b/src/Endpoints/class-base-api-proxy.php
@@ -28,6 +28,15 @@ abstract class Base_API_Proxy {
 	 */
 	private $parsely;
 
+	/**
+	 * Capability of the user based on which we should allow access to endpoint.
+	 *
+	 * `null` should be used for all public endpoints.
+	 *
+	 * @var string|null
+	 */
+	protected $user_capability;
+
 	/**
 	 * Proxy object which does the actual calls to the Parse.ly API.
 	 *
@@ -60,7 +69,19 @@ abstract public function get_items( WP_REST_Request $request ): stdClass;
 	 *
 	 * @return bool
 	 */
-	abstract public function permission_callback(): bool;
+	public function permission_callback(): bool {
+		// This endpoint does not require any capability checks.
+		if ( is_null( $this->user_capability ) ) {
+			return true;
+		}
+
+		// The user has the required capability to access this endpoint.
+		if ( current_user_can( $this->user_capability ) ) {
+			return true;
+		}
+
+		return false;
+	}
 
 	/**
 	 * Constructor.
@@ -77,9 +98,13 @@ public function __construct( Parsely $parsely, Proxy $proxy ) {
 	/**
 	 * Registers the endpoint's WP REST route.
 	 *
-	 * @param string $endpoint The endpoint (e.g. /analytics/posts).
+	 * @param string      $endpoint The endpoint's route (e.g. /stats/posts).
+	 * @param string|null $user_capability Capability of the user based on which we should allow access to endpoint.
+	 * @param bool        $show_in_index Show endpoint in /wp-json view if TRUE.
 	 */
-	protected function register_endpoint( string $endpoint ): void {
+	protected function register_endpoint( string $endpoint, ?string $user_capability, $show_in_index = false ): void {
+		$this->user_capability = $user_capability;
+
 		$filter_key = trim( str_replace( '/', '_', $endpoint ), '_' );
 		if ( ! apply_filters( 'wp_parsely_enable_' . $filter_key . '_api_proxy', true ) ) {
 			return;
@@ -105,6 +130,7 @@ protected function register_endpoint( string $endpoint ): void {
 				'callback'            => array( $this, 'get_items' ),
 				'permission_callback' => array( $this, 'permission_callback' ),
 				'args'                => $get_items_args,
+				'show_in_index'       => $show_in_index,
 			),
 		);
 

diff --git a/src/Endpoints/class-related-api-proxy.php b/src/Endpoints/class-related-api-proxy.php
@@ -22,7 +22,7 @@ final class Related_API_Proxy extends Base_API_Proxy {
 	 * Registers the endpoint's WP REST route.
 	 */
 	public function run(): void {
-		$this->register_endpoint( '/related' );
+		$this->register_endpoint( '/related', null, true );
 	}
 
 	/**
@@ -55,14 +55,4 @@ static function( stdClass $item ) {
 
 		return $result;
 	}
-
-	/**
-	 * Determines if there are enough permissions to call the endpoint.
-	 *
-	 * @return bool
-	 */
-	public function permission_callback(): bool {
-		// Unauthenticated.
-		return true;
-	}
 }
diff --git a/tests/e2e/utils.js b/tests/e2e/utils.js
@@ -1,6 +1,6 @@
 import { activatePlugin, loginUser, visitAdminPage } from '@wordpress/e2e-test-utils';
 
-export const PLUGIN_VERSION = '3.4.2';
+export const PLUGIN_VERSION = '3.4.3';
 
 export const waitForWpAdmin = () => page.waitForSelector( 'body.wp-admin' );
 

diff --git a/wp-parsely.php b/wp-parsely.php
@@ -11,7 +11,7 @@
  * Plugin Name:       Parse.ly
  * Plugin URI:        https://www.parse.ly/help/integration/wordpress
  * Description:       This plugin makes it a snap to add Parse.ly tracking code and metadata to your WordPress blog.
- * Version:           3.4.2
+ * Version:           3.4.3
  * Author:            Parse.ly
  * Author URI:        https://www.parse.ly
  * Text Domain:       wp-parsely
@@ -52,7 +52,7 @@
 	return;
 }
 
-const PARSELY_VERSION = '3.4.2';
+const PARSELY_VERSION = '3.4.3';
 const PARSELY_FILE    = __FILE__;
 
 require __DIR__ . '/src/class-parsely.php';