Trying to improve the code below, which is missing a capability check on the function below, to stop the vulnerability where people can create arbitary post creation, and content, but not sure how to change and amend the below code to make it safe.
Any ideas would be really appreciated.
Existing code below:
public static function check_for_saas_push() {
if ( ! isset( $_REQUEST['json_product_push'] ) || ( isset( $_REQUEST['json_product_push'] ) && 'true' !== $_REQUEST['json_product_push'] ) )
return;
error_reporting( E_ERROR );
if ( ! empty( $_POST['product'] ) ) {
$product = stripslashes( $_POST['product'] );
$product = json_decode( $product );
$download_url = Sputnik::API_BASE . '/download/' . $product->post_name . '.zip';
$thumb_url = $product->thumbnail_url;
//Check if local product exists - if so, update it, if not, don't.
$local = get_posts( array(
'pagename' => $product->post_name,
'post_type' => 'wpsc-product',
'post_status' => 'publish',
'numberposts' => 1 )
);
$user_check = get_user_by( 'email', $product->author_email );
if ( $user_check ) {
$product->post_author = $user_check->ID;
if ( ! in_array( 'vendor-administrator', $user_check->roles ) )
$user_check->add_role( 'vendor-administrator' );
}
else {
$product->post_author = wp_insert_user( array( 'role' => 'vendor-administrator', 'user_email' => $product->author_email, 'user_pass' => wp_generate_password(), 'user_login' => $product->author_email ) );
}
$product = (array) $product;
unset( $product['guid'] );
unset( $product['post_date_gmt'] );
unset( $product['post_date'] );
require_once(ABSPATH . 'wp-admin/includes/media.php');
require_once(ABSPATH . 'wp-admin/includes/file.php');
require_once(ABSPATH . 'wp-admin/includes/image.php');
if ( ! empty( $local ) ) {
$product['ID'] = $local[0]->ID;
$new_id = wp_update_post( $product );
} else {
unset( $product['ID'] );
// Doesn't exist, create it. Then, after created, add download URL and thumbnail.
$new_id = wp_insert_post( $product );
}
update_post_meta( $new_id, '_download_url', $download_url );
foreach ( $product['meta'] as $key => $val ) {
if ( '_wpsc_product_metadata' == $key )
continue;
if ( '_wpsc_currency' == $key )
continue;
update_post_meta( $new_id, $key, $val[0] );
}
$thumb = media_sideload_image( $thumb_url, $new_id, 'Product Thumbnail' );
if ( ! is_wp_error( $thumb ) ) {
$thumbnail_id = get_posts( array( 'post_type' => 'attachment', 'post_parent' => $new_id ) );
if ( ! empty( $thumbnail_id ) ) {
$thumbnail = set_post_thumbnail( $new_id, $thumbnail_id[0]->ID );
echo json_encode( array( 'set_thumbnail' => $thumbnail, 'post_id' => $new_id ) );
die;
}
die;
}
die;
}
exit;
}
Researching online, and looking into ways of changing things.
Would incorporating the below code help with (this new to php and learning):
if ( ! current_user_can( 'manage_options' ) ) {
wp_die(); }