From 2c8f89788e07a95251bcda6a75e24a1bccac66b7 Mon Sep 17 00:00:00 2001
From: Bogdan Preda
Date: Fri, 9 Feb 2024 17:30:34 +0200
Subject: [PATCH] fix: authorization for page creation

Fix actions allowing non-admin user to take action if valid nonce was passed

References: Codeinwp/feedzy-rss-feeds-pro#680
---
 includes/admin/feedzy-rss-feeds-admin.php | 4 ++++
 includes/admin/feedzy-rss-feeds-import.php | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/includes/admin/feedzy-rss-feeds-admin.php b/includes/admin/feedzy-rss-feeds-admin.php
index ce55b9fa..917822d7 100644
--- a/includes/admin/feedzy-rss-feeds-admin.php
+++ b/includes/admin/feedzy-rss-feeds-admin.php
@@ -1080,6 +1080,10 @@ public function feedzy_dismiss_wizard( $redirect_to_dashboard = true ) {
 * Setup wizard process.
 */
 public function feedzy_wizard_step_process() {
+ if ( ! feedzy_current_user_can() ) {
+ return wp_send_json( array( 'status' => 0 ) );
+ }
+
 check_ajax_referer( FEEDZY_BASEFILE, 'security' );
 $step = ! empty( $_POST['step'] ) ? filter_input( INPUT_POST, 'step', FILTER_UNSAFE_RAW ) : 1;
 switch ( $step ) {
diff --git a/includes/admin/feedzy-rss-feeds-import.php b/includes/admin/feedzy-rss-feeds-import.php
index 6c70afb1..f3fc9494 100644
--- a/includes/admin/feedzy-rss-feeds-import.php
+++ b/includes/admin/feedzy-rss-feeds-import.php
@@ -1020,6 +1020,11 @@ public function ajax() {
 * @access private
 */
 private function import_status() {
+
+ if ( ! feedzy_current_user_can() ) {
+ return wp_send_json_error( array( 'msg' => __( 'You do not have permission to do this.', 'feedzy-rss-feeds' ) ) );
+ }
+
 global $wpdb;
 check_ajax_referer( FEEDZY_BASEFILE, 'security' );
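Review bot: The capability guard added to `feedzy_wizard_step_process` rejects an unauthorized caller with a generic `wp_send_json( array( 'status' => 0 ) )` at the default 200 status, which the client cannot distinguish from an ordinary step failure, while the sibling guard added to `import_status` in the second hunk uses `wp_send_json_error` with a message. For consistency, and so the rejection is visible in access logs and to JS error handlers, prefer `return wp_send_json_error( array( 'msg' => __( 'You do not have permission to do this.', 'feedzy-rss-feeds' ) ), 403 );`. Both `wp_send_json` and `wp_send_json_error` terminate the request, so the `return` only documents intent, which is worth a short comment such as `// Capability check must precede the nonce check: a valid nonce alone does not grant access.` What `feedzy_current_user_can()` enforces is defined outside this patch; the commit message implies an admin-level check, so confirm it is not merely a logged-in test. The body of `feedzy_wizard_step_process` continues past the end of the hunk.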