From 46067217985f904286ddb2c952ba0e1deb954e56 Mon Sep 17 00:00:00 2001
From: Adam Cassis
Date: Tue, 23 Apr 2024 20:42:52 +0200
Subject: [PATCH] fix: ensure only admins can reset starter content and newspack options (#3081)
---
 includes/class-newspack.php | 3 +++
 includes/wizards/class-wizard.php | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/includes/class-newspack.php b/includes/class-newspack.php
index 48dfa27f32..8494850b73 100644
--- a/includes/class-newspack.php
+++ b/includes/class-newspack.php
@@ -207,6 +207,9 @@ class_exists( 'Newspack_Popups' ) && 'edit.php?post_type=' . \Newspack_Popups::N
 * Handle resetting of various options and content.
 */
 public function handle_resets() {
+ if ( ! current_user_can( 'manage_options' ) ) {
+ return;
+ }
 $redirect_url = admin_url( 'admin.php?page=newspack' );
 $newspack_reset = filter_input( INPUT_GET, 'newspack_reset', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
 if ( 'starter-content' === $newspack_reset ) {
diff --git a/includes/wizards/class-wizard.php b/includes/wizards/class-wizard.php
index aa8fc8de2e..9aa0cb80ef 100644
--- a/includes/wizards/class-wizard.php
+++ b/includes/wizards/class-wizard.php
@@ -111,7 +111,7 @@ public function enqueue_scripts_and_styles() {
 $screen = get_current_screen();
- if ( Starter_Content::has_created_starter_content() ) {
+ if ( Starter_Content::has_created_starter_content() && current_user_can( 'manage_options' ) ) {
 $urls['remove_starter_content'] = esc_url(
 add_query_arg(
 array(
@@ -122,7 +122,7 @@ public function enqueue_scripts_and_styles() {
 );
 }
- if ( Newspack::is_debug_mode() ) {
+ if ( Newspack::is_debug_mode() && current_user_can( 'manage_options' ) ) {
 $urls['components_demo'] = esc_url( admin_url( 'admin.php?page=newspack-components-demo' ) );
 $urls['setup_wizard'] = esc_url( admin_url( 'admin.php?page=newspack-setup-wizard' ) );
 $urls['reset_url'] = esc_url(
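Review bot: The capability check added at the top of `handle_resets()` stops non-admins, but the reset is still selected from a plain GET parameter (`newspack_reset`) and no nonce is verified in the visible lines, so a request forged from another site in a logged-in administrator's browser would pass the new check and trigger the reset (CSRF). The function body continues outside the hunk, so a nonce check may already exist further down. If it does not, verify one before acting, e.g. `if ( $newspack_reset ) { check_admin_referer( 'newspack_reset' ); }`. The `remove_starter_content` and `reset_url` links built in the two `class-wizard.php` hunks would then need `wp_nonce_url( …, 'newspack_reset' )`; the action name here is a placeholder.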
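Review bot: The `current_user_can( 'manage_options' )` test added to the `has_created_starter_content()` condition only hides the link; it is not the access control, and nothing in the code says so. A short comment such as `// Display only: Newspack::handle_resets() enforces the capability.` would keep a later edit from treating this condition as the guard. The same capability string is repeated in the debug-mode condition of the next hunk, so reading it once into a local (`$can_manage = current_user_can( 'manage_options' );`) would keep the two in step. `enqueue_scripts_and_styles()` starts and ends outside the hunk.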
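Review bot: The added `&& current_user_can( 'manage_options' )` gates the whole debug-mode block, so `components_demo` and `setup_wizard` are withheld from non-admin users along with `reset_url`, while the commit title speaks only of resets. If those two pages are meant to be reachable by roles without `manage_options` (not visible from this hunk), apply the capability test to `reset_url` alone, e.g. `if ( current_user_can( 'manage_options' ) ) { $urls['reset_url'] = …; }`. Otherwise a one-line comment stating that all debug links are administrator-only would document the intent. The block continues past the end of the hunk.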