Prevent unauthorized access to private charts

[girishpanchal30]

Summary

Verify the chart status and the user's permissions to access the chart information.

Check before Pull Request is ready:

• I have written a test and included it in this PR
• I have run all tests and they pass
• The code passes when running the PHP CodeSniffer
• Code meets WordPress Coding Standards for PHP, HTML, CSS and JS
• Security and Sanitization requirements have been followed
• I have assigned a reviewer or two to review this PR

Closes https://github.com/Codeinwp/visualizer-pro/issues/589

[Copilot]

Pull request overview

This PR hardens the frontend REST action endpoint (/wp-json/visualizer/v1/action/{chart_id}/{type}/) to prevent unauthorized access to private (non-published) charts. Previously, save/cancel actions bypassed all checks and other actions returned data for any numeric ID. The callback now validates the post is a Visualizer chart, requires edit_post for save/cancel and for non-published charts, and only exposes published charts to viewers via the existing visualizer_pro_show_chart filter.

Changes:

• Validate that the requested ID resolves to a real visualizer CPT post before granting access.
• Require edit_post capability for save/cancel and for any non-published chart.
• Restrict published charts to the visualizer_pro_show_chart filter result.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pirate-bot]

Plugin build for 4547cfa is ready 🛎️!

• Download build