fix plguin

2025-11-21 15:26:44 +00:00
parent c35b3c3641
commit 9ec1aa8948
4 changed files with 54 additions and 23 deletions
--- a/igny8-wp-integration-plugin/admin/class-admin.php
+++ b/igny8-wp-integration-plugin/admin/class-admin.php
@@ -161,31 +161,58 @@ class Igny8Admin {
     * Render settings page
     */
    public function render_settings_page() {
-        // Handle form submission
-        if (isset($_POST['igny8_connect']) && check_admin_referer('igny8_settings_nonce')) {
-            $this->handle_connection();
+        // Handle form submission (use wp_verify_nonce to avoid wp_die on failure)
+        if (isset($_POST['igny8_connect'])) {
+            if (empty($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'igny8_settings_nonce')) {
+                add_settings_error(
+                    'igny8_settings',
+                    'igny8_nonce',
+                    __('Security check failed. Please refresh the page and try again.', 'igny8-bridge'),
+                    'error'
+                );
+            } else {
+                $this->handle_connection();
+            }
        }
-        
-        // Handle revoke API key
-        if (isset($_POST['igny8_revoke_api_key']) && check_admin_referer('igny8_revoke_api_key')) {
-            self::revoke_api_key();
-            add_settings_error(
-                'igny8_settings',
-                'igny8_api_key_revoked',
-                __('API key revoked and removed from this site.', 'igny8-bridge'),
-                'updated'
-            );
+
+        // Handle revoke API key (use wp_verify_nonce)
+        if (isset($_POST['igny8_revoke_api_key'])) {
+            if (empty($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'igny8_revoke_api_key')) {
+                add_settings_error(
+                    'igny8_settings',
+                    'igny8_nonce_revoke',
+                    __('Security check failed. Could not revoke API key.', 'igny8-bridge'),
+                    'error'
+                );
+            } else {
+                self::revoke_api_key();
+                add_settings_error(
+                    'igny8_settings',
+                    'igny8_api_key_revoked',
+                    __('API key revoked and removed from this site.', 'igny8-bridge'),
+                    'updated'
+                );
+            }
        }
-        
-        // Handle webhook secret regeneration
-        if (isset($_POST['igny8_regenerate_secret']) && check_admin_referer('igny8_regenerate_secret')) {
-            $new_secret = igny8_regenerate_webhook_secret();
-            add_settings_error(
-                'igny8_settings',
-                'igny8_secret_regenerated',
-                __('Webhook secret regenerated. Update it in your IGNY8 SaaS app settings.', 'igny8-bridge'),
-                'updated'
-            );
+
+        // Handle webhook secret regeneration (use wp_verify_nonce)
+        if (isset($_POST['igny8_regenerate_secret'])) {
+            if (empty($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'igny8_regenerate_secret')) {
+                add_settings_error(
+                    'igny8_settings',
+                    'igny8_nonce_regen',
+                    __('Security check failed. Could not regenerate secret.', 'igny8-bridge'),
+                    'error'
+                );
+            } else {
+                $new_secret = igny8_regenerate_webhook_secret();
+                add_settings_error(
+                    'igny8_settings',
+                    'igny8_secret_regenerated',
+                    __('Webhook secret regenerated. Update it in your IGNY8 SaaS app settings.', 'igny8-bridge'),
+                    'updated'
+                );
+            }
        }
        
        // Include settings template