The following PHP code needs to be hardened so that it performs a capability check, which will prevent unauthorized users from creating arbitrary posts on our WordPress site.
The code needs to change so that it is not vulnerable to broken access control.
public static function check_for_saas_push() {
    if ( ! isset( $_REQUEST['json_product_push'] ) || ( isset( $_REQUEST['json_product_push'] ) && 'true' !== $_REQUEST['json_product_push'] ) )
        return;
    error_reporting( E_ERROR );
    if ( ! empty( $_POST['product'] ) ) {
        $product = stripslashes( $_POST['product'] );
        $product = json_decode( $product );
        $download_url = Sputnik::API_BASE . '/download/' . $product->post_name . '.zip';
        $thumb_url = $product->thumbnail_url;
        //Check if local product exists - if so, update it, if not, don't.
        $local = get_posts( array(
            'pagename' => $product->post_name,
            'post_type' => 'wpsc-product',
            'post_status' => 'publish',
            'numberposts' => 1 )
        );
        $user_check = get_user_by( 'email', $product->author_email );
        if ( $user_check ) {
            $product->post_author = $user_check->ID;
            if ( ! in_array( 'vendor-administrator', $user_check->roles ) )
                $user_check->add_role( 'vendor-administrator' );
        }
        else {
            $product->post_author = wp_insert_user( array( 'role' => 'vendor-administrator', 'user_email' => $product->author_email, 'user_pass' => wp_generate_password(), 'user_login' => $product->author_email ) );
        }
        $product = (array) $product;
        unset( $product['guid'] );
        unset( $product['post_date_gmt'] );
        unset( $product['post_date'] );
        require_once(ABSPATH . 'wp-admin/includes/media.php');
        require_once(ABSPATH . 'wp-admin/includes/file.php');
        require_once(ABSPATH . 'wp-admin/includes/image.php');
        if ( ! empty( $local ) ) {
            $product['ID'] = $local[0]->ID;
            $new_id = wp_update_post( $product );
        } else {
            unset( $product['ID'] );
            // Doesn't exist, create it. Then, after created, add download URL and thumbnail.
            $new_id = wp_insert_post( $product );
        }
        update_post_meta( $new_id, '_download_url', $download_url );
        foreach ( $product['meta'] as $key => $val ) {
            if ( '_wpsc_product_metadata' == $key )
                continue;
            if ( '_wpsc_currency' == $key )
                continue;
            update_post_meta( $new_id, $key, $val[0] );
        }
        $thumb = media_sideload_image( $thumb_url, $new_id, 'Product Thumbnail' );
        if ( ! is_wp_error( $thumb ) ) {
            $thumbnail_id = get_posts( array( 'post_type' => 'attachment', 'post_parent' => $new_id ) );
            if ( ! empty( $thumbnail_id ) ) {
                $thumbnail = set_post_thumbnail( $new_id, $thumbnail_id[0]->ID );
                echo json_encode( array( 'set_thumbnail' => $thumbnail, 'post_id' => $new_id ) );
                die;
            }
            die;
        }
        die;
    }
    exit;
}
After researching online, I found the following code, but as a PHP newbie I'm not sure whether I'm on the right track, or whether this is the right code to merge into the code above?
if (current_user_can('manage_options')) {
As you mentioned in the comments, checking whether the user has a capability is the simplest route.
Admins = 'manage_options', but you can use 'edit_others_posts' to give it to editors as well.
public static function check_for_saas_push() {
    if ( ! isset( $_REQUEST['json_product_push'] ) || ( isset( $_REQUEST['json_product_push'] ) && 'true' !== $_REQUEST['json_product_push'] ) )
        return;
    error_reporting( E_ERROR );
    if( current_user_can( 'manage_options' ) ) { // or use 'edit_others_posts'
        if ( ! empty( $_POST['product'] ) ) {
            // THE REST OF YOUR CODE HERE
        }
    }
    exit;
}
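As an added example (not code from the question or the answer), here is the entry point with the capability check placed before any side effect, so that an anonymous request (user ID 0, for which current_user_can() is always false) is rejected with a 403 before the payload is even decoded. The class name Sputnik_Push_Guard and the helper process_product_push() are assumptions; the helper stands for the original body of the method, moved there unchanged.

```php
<?php
// Added example, not the plugin's own code. Assumes this replaces
// check_for_saas_push() in the original class; Sputnik_Push_Guard and
// process_product_push() are hypothetical names used only to make it stand alone.
class Sputnik_Push_Guard {

    public static function check_for_saas_push() {
        if ( ! isset( $_REQUEST['json_product_push'] ) || 'true' !== $_REQUEST['json_product_push'] ) {
            return;
        }

        // Authorization first. The handler creates and updates posts owned by
        // other authors, which is what 'edit_others_posts' grants; swap in
        // 'manage_options' to limit the endpoint to administrators only.
        // wp_send_json_error() ends the request, so nothing below runs for a
        // caller who is not logged in or lacks the capability.
        if ( ! current_user_can( 'edit_others_posts' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        if ( empty( $_POST['product'] ) ) {
            wp_send_json_error( array( 'message' => 'Missing product payload.' ), 400 );
        }

        // Decode defensively: the original code dereferences $product->post_name
        // without checking that json_decode() succeeded.
        $product = json_decode( stripslashes( $_POST['product'] ) );
        if ( JSON_ERROR_NONE !== json_last_error() || ! is_object( $product ) || empty( $product->post_name ) ) {
            wp_send_json_error( array( 'message' => 'Malformed product payload.' ), 400 );
        }

        // The original error_reporting( E_ERROR ) is intentionally dropped so
        // that warnings from the post/user logic still reach the error log.
        self::process_product_push( $product );
        exit;
    }

    // Hypothetical: the body of the original method (lookup, wp_insert_user,
    // wp_insert_post / wp_update_post, meta and thumbnail handling) goes here.
    private static function process_product_push( $product ) {
        /* original handler body, unchanged */
    }
}
```

The check sits inside the same method rather than in a wrapper so that the 403 is returned for the push endpoint itself, and nothing (user creation, post insertion, media sideload) can happen before it.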