Add nonce for each input form

admin/pages/connections/odoo_connection.php

@@ -22,10 +22,17 @@ class OdooConnOdooConnectionListTableEditable extends OdooConnCustomTableEditabl
 
     protected function row_action_buttons($item)
     {
+        $base_url = wp_nonce_url(get_admin_url(null, "admin.php"));
+        $test_url = add_query_arg([
+            "page" => $_REQUEST["page"],
+            "id" => $item["id"],
+            "page_action" => "test_connection"
+        ], $base_url);
+
         return array_merge(
             parent::row_action_buttons($item),
             [
-                "test" => "<a href='?page=${_REQUEST["page"]}&id=${item["id"]}&page_action=test_connection'>Test Connection</a>"
+                "test" => "<a href='$test_url'>Test Connection</a>"
             ]
         );
     }

admin/pages/connections/odoo_connection_input_form.php

@@ -1,5 +1,6 @@
 <div class="wrap">
     <form method="POST" action="?page=odoo-connection" id="form-data" class="submit-database">
+        <?php wp_nonce_field(); ?>
         <input type="hidden" name="id" value="<?= $_REQUEST["id"] ?? "" ?>"/>
 
         <label for="name">Connection Name</label>

admin/pages/errors/odoo_errors.php

@@ -37,6 +37,8 @@ public function __construct()
     {
         $this->get_backend = new OdooConnGetOdooErrors(ARRAY_A);
         $this->delete_backend = new OdooConnDeleteOdooErrors();
+
+        parent::__construct();
     }
 
     protected function create_table_display()

admin/pages/form_mappings/odoo_form_mapping_input_form.php

@@ -1,4 +1,5 @@
 <form method="POST" action="?page=odoo-form-mapping" id="form-data" class="submit-database">
+    <?php wp_nonce_field(); ?>
     <input type="hidden" name="id" value="<?= $_REQUEST["id"] ?? "" ?>"/>
     <input type="hidden" name="odoo_form_edit_id" id="odoo_form_edit_id" value="<?= $odoo_conn_data->odoo_form_id ?? "" ?>" />
     <input type="hidden" name="constant_value_checkbox" id="constant_value_checkbox" value="<?= ($odoo_conn_data->constant_value ?? false) && ($_REQUEST["id"] ?? false) ?>" />

admin/pages/forms/odoo_form_input_form.php

@@ -1,4 +1,5 @@
 <form method="POST" action="?page=odoo-form" id="form-data" class="submit-database">
+    <?php wp_nonce_field(); ?>
     <input type="hidden" name="id" value="<?= $_REQUEST["id"] ?? "" ?>"/>
     <input type="hidden" name="odoo_connection_edit_id" id="odoo_connection_edit_id" value="<?= $odoo_conn_data->odoo_connection_id ?? "" ?>"/>
     <input type="hidden" name="odoo_7_edit_id" id="odoo_7_edit_id" value="<?= $odoo_conn_data->contact_7_id ?? "" ?>"/>

admin/pages/page_router.php

@@ -6,6 +6,11 @@
 abstract class OdooConnPageRouter
 {
 
+    public function __construct()
+    {
+        $this->table_display = $this->create_table_display();
+    }
+
     public function request()
     {
         $action = $_REQUEST["page_action"] ?? null;
@@ -24,19 +29,19 @@ protected function dont_display_table_actions()
     protected function handle_route($action)
     {
         if ($action === "delete") {
+            check_admin_referer();
             $this->delete($_REQUEST["id"]);
         }
     }
 
     protected function display_table()
     {
         echo "<div class='wrap'>";
-        $table_display = $this->create_table_display();
-        $table_display->check_bulk_action();
+        $this->table_display->check_bulk_action();
 
         echo "<form method='post'>";
-        $table_display->prepare_items();
-        $table_display->display();
+        $this->table_display->prepare_items();
+        $this->table_display->display();
         echo "</form></div>";
     }
 
@@ -54,6 +59,7 @@ abstract class OdooConnPageRouterCreate extends OdooConnPageRouter
 
     public function __construct($menu_slug)
     {
+        parent::__construct();
         $this->menu_slug = $menu_slug;
     }
 
@@ -85,12 +91,22 @@ private function add_form_style()
         wp_enqueue_style("odoo-form-page-style", plugins_url("form_style.css", __FILE__));
     }
 
+    private function verify_nonce() {
+        $action = ($_REQUEST["action"] ?? "") === "delete_bulk" ? "bulk-" . $this->table_display->_args["plural"] : -1;
+
+        if (!wp_verify_nonce($_REQUEST["_wpnonce"], $action)) {
+            die();
+        }
+    }
+
     protected function display_table()
     {
         $request_method = $_SERVER["REQUEST_METHOD"];
         $menu_page_slug = menu_page_url($this->menu_slug, false);
 
         if ($request_method == "POST") {
+            $this->verify_nonce();
+
             if ($_REQUEST["id"]) {
                 $this->update_record();
             } else {

admin/table_display.php

@@ -26,8 +26,15 @@ public function __construct($get_backend, $delete_backend, $args = array())
 
     protected function row_action_buttons($item)
     {
+        $base_url = wp_nonce_url(get_admin_url(null, "admin.php"));
+        $delete_url = add_query_arg([
+            "page" => $_REQUEST["page"],
+            "id" => $item["id"],
+            "page_action" => "delete"
+        ], $base_url);
+
         return array(
-            "delete" => "<a href='?page=${_REQUEST["page"]}&id=${item["id"]}&page_action=delete'>Delete</a>"
+            "delete" => "<a href='$delete_url'>Delete</a>"
         );
     }
 
@@ -109,10 +116,17 @@ class OdooConnCustomTableEditableDisplay extends OdooConnCustomTableDeletableDis
 
     protected function row_action_buttons($item)
     {
+        $base_url = wp_nonce_url(get_admin_url(null, "admin.php"));
+        $edit_url = add_query_arg([
+            "page" => $_REQUEST["page"],
+            "id" => $item["id"],
+            "page_action" => "edit"
+        ], $base_url);
+
         return array_merge(
             parent::row_action_buttons($item),
             array(
-                "edit" => "<a href='?page=${_REQUEST["page"]}&id=${item["id"]}&page_action=edit'>Edit</a>"
+                "edit" => "<a href='$edit_url'>Edit</a>"
             )
         );
     }

tests/php/admin/pages/connections/OdooConnOdooConnectionRouter_request_Test.php

@@ -19,6 +19,7 @@ function setUp(): void
         parent::setUp();
 
         \Mockery::mock("WP_List_Table");
+        \Mockery::mock("check_admin_referer");
 
         require_once(__DIR__ . "/../../../../../admin/api/main.php");
         require_once(__DIR__ . "/../../../../../admin/table_display.php");
@@ -36,6 +37,7 @@ function test_request_delete()
         $GLOBALS["_REQUEST"] = ["id" => 3, "page_action" => "delete"];
         $this->odoo_conn_page_router->shouldReceive("delete")->with(3)->once();
         $this->odoo_conn_page_router->shouldReceive("display_table")->once();
+        Functions\expect("check_admin_referer")->once();
 
         $this->odoo_conn_page_router->request();
     }

tests/php/admin/pages/errors/OdooConnErrorsRouter_request_Test.php

@@ -36,6 +36,7 @@ function test_request_delete()
         $GLOBALS["_REQUEST"] = ["id" => 3, "page_action" => "delete"];
         $this->odoo_conn_page_router->shouldReceive("delete")->with(3)->once();
         $this->odoo_conn_page_router->shouldReceive("display_table")->once();
+        Functions\expect("check_admin_referer")->once();
 
         $this->odoo_conn_page_router->request();
     }

tests/php/admin/pages/form_mappings/OdooConnOdooFormMappingRouter_request_Test.php

@@ -36,6 +36,7 @@ function test_request_delete()
         $GLOBALS["_REQUEST"] = ["id" => 3, "page_action" => "delete"];
         $this->odoo_conn_page_router->shouldReceive("delete")->with(3)->once();
         $this->odoo_conn_page_router->shouldReceive("display_table")->once();
+        Functions\expect("check_admin_referer")->once();
 
         $this->odoo_conn_page_router->request();
     }

tests/php/admin/pages/forms/OdooConnOdooFormRouter_request_Test.php

@@ -36,6 +36,7 @@ function test_request_delete()
         $GLOBALS["_REQUEST"] = ["id" => 3, "page_action" => "delete"];
         $this->odoo_conn_page_router->shouldReceive("delete")->with(3)->once();
         $this->odoo_conn_page_router->shouldReceive("display_table")->once();
+        Functions\expect("check_admin_referer")->once();
 
         $this->odoo_conn_page_router->request();
     }