-
Notifications
You must be signed in to change notification settings - Fork 192
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Fix nonce verification in Registration class #2298
Conversation
WalkthroughThe changes in Changes
Sequence Diagram(s)sequenceDiagram
participant Client
participant Registration
Client->>+Registration: set_new_vendor_names($data)
alt dokan_register_nonce_check = true
Registration->>Registration: Check empty($nonce_value)
alt $nonce_value is empty or invalid
Registration-->>Client: return $data
else $nonce_value is valid
Registration-->>Client: Process $data
end
else dokan_register_nonce_check = false
Registration-->>Client: Process $data
end
Client->>+Registration: save_vendor_info($user_id, $data)
alt dokan_register_nonce_check = true
Registration->>Registration: Check empty($nonce_value)
alt $nonce_value is empty or invalid
Registration-->>Client: return
else $nonce_value is valid
Registration-->>Client: Save $data
end
else dokan_register_nonce_check = false
Registration-->>Client: Save $data
end
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (1)
- includes/Registration.php (2 hunks)
Additional comments not posted (2)
includes/Registration.php (2)
95-103
: Review of nonce verification changes inset_new_vendor_names
The changes introduce a conditional check (
$nonce_check
) which is determined by thedokan_register_nonce_check
filter. This allows for more flexible nonce verification, potentially enabling or disabling it based on external conditions. The addition of checking for an empty nonce value before verifying it enhances the robustness of the function against empty or unset nonce values, which could be a security improvement.However, ensure that the
dokan_register_nonce_check
filter is appropriately documented and that it is clear to developers how and when to manipulate this filter. Additionally, verify that this change aligns with all intended use cases of nonce verification in this context.
131-139
: Review of nonce verification changes insave_vendor_info
This function mirrors the changes made in
set_new_vendor_names
by adding a conditional nonce check. The introduction of$nonce_check
controlled by thedokan_register_nonce_check
filter allows for conditional execution of nonce verification, which can be useful in scenarios where nonce verification might need to be bypassed or handled differently.As with the previous function, it's important to ensure that the use of this filter is well understood and documented. The checks for empty nonce values before proceeding with
wp_verify_nonce
are crucial for security, ensuring that invalid or manipulated requests are properly handled.
The issue of this PR is resolved in PR #2301. You can bypass the nonce verification through add_filter( 'dokan_register_nonce_check', '__return_false' ); Thanks for your PR. |
Issue: #2279
Summary by CodeRabbit