
Prevent unauthorized access to private charts #1326

Open

girishpanchal30 wants to merge 1 commit into development from bugfix/pro/589

Prevent unauthorized access to private charts#1326
girishpanchal30 wants to merge 1 commit into
developmentfrom
bugfix/pro/589

Conversation

@girishpanchal30 (Contributor) commented Jun 29, 2026

Summary

Verify the chart status and the user's permissions to access the chart information.

Check before Pull Request is ready:

Closes https://github.com/Codeinwp/visualizer-pro/issues/589

@girishpanchal30 girishpanchal30 requested a review from Copilot June 29, 2026 05:08
@girishpanchal30 girishpanchal30 added the pr-checklist-skip Allow this Pull Request to skip checklist. label Jun 29, 2026
@pirate-bot pirate-bot added the pr-checklist-complete The Pull Request checklist is complete. (automatic label) label Jun 29, 2026

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the frontend REST action endpoint (/wp-json/visualizer/v1/action/{chart_id}/{type}/) to prevent unauthorized access to private (non-published) charts. Previously, save/cancel actions bypassed all checks and other actions returned data for any numeric ID. The callback now validates the post is a Visualizer chart, requires edit_post for save/cancel and for non-published charts, and only exposes published charts to viewers via the existing visualizer_pro_show_chart filter.

Changes:

  • Validate that the requested ID resolves to a real visualizer CPT post before granting access.
  • Require edit_post capability for save/cancel and for any non-published chart.
  • Restrict published charts to the visualizer_pro_show_chart filter result.
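One way to express the check the overview describes as a WordPress REST permission_callback (an added example, not code from this PR or from the Visualizer plugin; the 'visualizer' post type slug, the filter's argument list and the handler name example_chart_action are assumptions):

```php
<?php
/**
 * Added illustration of the permission logic described in the review.
 * Not the plugin's code. Assumptions (not taken from the page): the chart
 * post type slug is 'visualizer', and visualizer_pro_show_chart is applied
 * as apply_filters( 'visualizer_pro_show_chart', bool $show, int $chart_id ).
 */
function example_chart_action_permission( WP_REST_Request $request ) {
	$chart_id  = absint( $request['chart_id'] );
	$type      = sanitize_key( $request['type'] );
	$forbidden = new WP_Error(
		'rest_forbidden',
		'You are not allowed to access this chart.',
		array( 'status' => rest_authorization_required_code() )
	);

	// 1. The ID must resolve to a real chart post, not just any numeric post ID.
	$post = get_post( $chart_id );
	if ( ! $post instanceof WP_Post || 'visualizer' !== $post->post_type ) { // assumed slug
		return new WP_Error( 'rest_not_found', 'Chart not found.', array( 'status' => 404 ) );
	}

	// 2. save/cancel mutate the chart: always require edit rights on this specific post.
	if ( in_array( $type, array( 'save', 'cancel' ), true ) ) {
		return current_user_can( 'edit_post', $chart_id ) ? true : $forbidden;
	}

	// 3. Anything not published (draft, pending, private, trash) is editor-only.
	if ( 'publish' !== $post->post_status ) {
		return current_user_can( 'edit_post', $chart_id ) ? true : $forbidden;
	}

	// 4. Published charts: defer to the existing visibility filter (assumed signature).
	$show = apply_filters( 'visualizer_pro_show_chart', true, $chart_id );
	return $show ? true : $forbidden;
}

// Wire it up as the route's permission_callback (route pattern from the review;
// the handler name is hypothetical).
add_action( 'rest_api_init', function () {
	register_rest_route( 'visualizer/v1', '/action/(?P<chart_id>\d+)/(?P<type>[a-z_]+)/?', array(
		'methods'             => WP_REST_Server::ALLMETHODS,
		'callback'            => 'example_chart_action',
		'permission_callback' => 'example_chart_action_permission',
	) );
} );
```

Because the existence and post-type check runs before any capability check, a request for an arbitrary numeric ID gets a 404 rather than leaking whether the user may edit it.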


@pirate-bot (Contributor) commented:

Plugin build for 4547cfa is ready 🛎️!
