Commit

Merge pull request #309 from 10up/fix/cache-clear-user-privilege-check
Add a `current_user_can` check to our cache clearing method
faisal-alvi authored Nov 8, 2024
2 parents a473412 + dde07df commit 3912e38
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions includes/class-simple-local-avatars.php
Expand Up @@ -1388,6 +1388,13 @@ public function admin_body_class( $classes ) {
*/
public function sla_clear_user_cache() {
check_ajax_referer( 'sla_clear_cache_nonce', 'nonce' );

// Ensure this was run by a user with proper privileges.
if ( ! current_user_can( 'manage_options' ) ) {
// Match what `check_ajax_referer` does.
wp_die( -1, 403 );
}

$step = isset( $_REQUEST['step'] ) ? intval( $_REQUEST['step'] ) : 1;

// Setup defaults.
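
Review bot: the new `current_user_can( 'manage_options' )` branch in `sla_clear_user_cache()` ships without a test (the commit changes only includes/class-simple-local-avatars.php), so a later refactor of this handler could drop the check without anything failing. Add a test that calls the handler as a logged-in user who lacks `manage_options` but sends a valid `sla_clear_cache_nonce`, and assert that it ends in the 403 `wp_die` before `$step` is read. The inline comment above the check could also say why it is needed next to `check_ajax_referer`: the nonce ties the request to an intended action, it does not establish that the caller is allowed to perform it.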

0 comments on commit 3912e38