When our cache clearing AJAX action runs, check if the current user has proper permissions
dkotter committed Nov 6, 2024
1 parent 53b5f53 commit dde07df
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions includes/class-simple-local-avatars.php
@@ -1388,6 +1388,13 @@ public function admin_body_class( $classes ) {
*/
public function sla_clear_user_cache() {
check_ajax_referer( 'sla_clear_cache_nonce', 'nonce' );

// Ensure this was run by a user with proper privileges.
if ( ! current_user_can( 'manage_options' ) ) {
// Match what `check_ajax_referer` does.
wp_die( -1, 403 );
}

$step = isset( $_REQUEST['step'] ) ? intval( $_REQUEST['step'] ) : 1;

// Setup defaults.
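Review bot: the new `current_user_can( 'manage_options' )` guard is placed correctly, after `check_ajax_referer()` and before `$_REQUEST['step']` is read, so both the nonce and the capability fail closed before any input is processed; two follow-ups for this hunk. First, the docblock for `sla_clear_user_cache()` (its closing `*/` is the first context line) should state that the action requires the `manage_options` capability, since the nonce alone only proves the request came from a page that printed it, not that the caller is an administrator. Second, `wp_die( -1, 403 )` only matches `check_ajax_referer()` when the request is an admin-ajax request; if this callback is also reachable outside `wp_doing_ajax()`, consider whether a plain `-1` body is the right response there, and confirm the action is registered only on the `wp_ajax_` hook and not `wp_ajax_nopriv_`, so the capability check is a second layer rather than the only one.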