Conversation

@guillaumemolter
Contributor

  • using wp_nonce for ajax calls
  • validating data on the backend
  • escaping data on the frontend
  • checking for user privilege

Closing #12

This should be done inside the function in case someone were to call the
method directly.

The check is also already done for add_options_page.

Related to ActiveCampaign#12
@mgibbs189
Contributor

Thanks @guillaumemolter

Any specific reason why the access check was moved outside of init?

E.g. df1e2d1 / 7c3dc8b

@guillaumemolter
Contributor Author

guillaumemolter commented Aug 6, 2016

@mgibbs189

  1. Security-wise, it's generally recommended to check later than sooner.
  2. I felt it made more sense to have all the validation together.
  3. Unless I'm missing something, the way it's currently implemented will only work when the method (i.e. save_settings) is called via admin-ajax.php. If someone was to instantiate the class and call the method directly, no check would be done...
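
The four points from the PR description and the "check inside the method" argument above, shown as one added example. This is not the ActiveCampaign plugin's code; the class name, option name, nonce action, capability and the API-key format rule are assumptions made for illustration. The unchecked method is kept only to show the shape being argued against.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical.
class Example_Settings {
    const NONCE_ACTION = 'example_save_settings'; // assumed nonce action
    const OPTION_NAME  = 'example_api_key';       // assumed option key

    public function __construct() {
        // Hooking the handler in init says nothing about who may call it:
        // a capability gate placed here only covers the admin-ajax.php path.
        add_action( 'wp_ajax_example_save_settings', array( $this, 'save_settings' ) );
        add_action( 'admin_menu', array( $this, 'register_page' ) );
    }

    public function register_page() {
        // add_options_page() already requires 'manage_options' to render the
        // page, but that does not protect save_settings() when it is called directly.
        add_options_page( 'Example', 'Example', 'manage_options', 'example',
            array( $this, 'render_page' ) );
    }

    // Frontend: emit the nonce for the AJAX call and escape stored data on output.
    public function render_page() {
        $value = get_option( self::OPTION_NAME, '' );
        ?>
        <form id="example-settings">
            <?php wp_nonce_field( self::NONCE_ACTION, 'example_nonce' ); ?>
            <input type="text" name="api_key" value="<?php echo esc_attr( $value ); ?>">
            <button type="submit"><?php echo esc_html__( 'Save', 'example' ); ?></button>
        </form>
        <?php
    }

    // Shape being argued against: trusts that a check happened somewhere else.
    // (new Example_Settings())->save_settings_unchecked() writes whatever was posted.
    public function save_settings_unchecked() {
        update_option( self::OPTION_NAME, $_POST['api_key'] );
        wp_send_json_success();
    }

    // Hardened shape: nonce, capability and validation all live in the method,
    // so a direct call is gated exactly like the admin-ajax.php path.
    public function save_settings() {
        // 1. Nonce: terminates the request if the token is missing or invalid.
        check_ajax_referer( self::NONCE_ACTION, 'example_nonce' );

        // 2. Capability: an authenticated subscriber with a valid nonce still fails here.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
        }

        // 3. Backend validation: never trust the shape or content of $_POST.
        $api_key = isset( $_POST['api_key'] )
            ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
            : '';
        // Assumed format rule for the illustration; the real key format may differ.
        if ( ! preg_match( '/^[A-Za-z0-9]{16,128}$/', $api_key ) ) {
            wp_send_json_error( array( 'message' => 'Invalid API key format' ), 400 );
        }

        update_option( self::OPTION_NAME, $api_key );

        // 4. Escape on the way out as well, since the value is rendered client-side.
        wp_send_json_success( array( 'api_key' => esc_html( $api_key ) ) );
    }
}

new Example_Settings();
```

The ordering inside save_settings() matters: check_ajax_referer() runs first so that a forged cross-site request is rejected before any capability lookup, and the capability test sits in the handler rather than in the hook registration so that the guarantee survives refactoring, direct instantiation, or a second caller being wired to the same method.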

@atheken atheken merged commit 7c3dc8b into ActiveCampaign:master Jan 25, 2017
@atheken
Contributor

atheken commented Jan 25, 2017

@guillaumemolter Thanks for this update. I had to do some tweaking due to the UI overhaul that landed in October, but the nonce and user permission checks are both still intact.
