fix: ensure only admins can reset starter content and newspack options (

#3081)
Automattic · Apr 23, 2024 · 4606721 · 4606721
1 parent 7d4ee61
commit 4606721
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/includes/class-newspack.php b/includes/class-newspack.php
@@ -207,6 +207,9 @@ class_exists( 'Newspack_Popups' ) && 'edit.php?post_type=' . \Newspack_Popups::N
 	 * Handle resetting of various options and content.
 	 */
 	public function handle_resets() {
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
 		$redirect_url   = admin_url( 'admin.php?page=newspack' );
 		$newspack_reset = filter_input( INPUT_GET, 'newspack_reset', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
 		if ( 'starter-content' === $newspack_reset ) {

diff --git a/includes/wizards/class-wizard.php b/includes/wizards/class-wizard.php
@@ -111,7 +111,7 @@ public function enqueue_scripts_and_styles() {
 
 		$screen = get_current_screen();
 
-		if ( Starter_Content::has_created_starter_content() ) {
+		if ( Starter_Content::has_created_starter_content() && current_user_can( 'manage_options' ) ) {
 			$urls['remove_starter_content'] = esc_url(
 				add_query_arg(
 					array(
@@ -122,7 +122,7 @@ public function enqueue_scripts_and_styles() {
 			);
 		}
 
-		if ( Newspack::is_debug_mode() ) {
+		if ( Newspack::is_debug_mode() && current_user_can( 'manage_options' ) ) {
 			$urls['components_demo'] = esc_url( admin_url( 'admin.php?page=newspack-components-demo' ) );
 			$urls['setup_wizard']    = esc_url( admin_url( 'admin.php?page=newspack-setup-wizard' ) );
 			$urls['reset_url']       = esc_url(