
Added nonce for reviews and checking user limits. #2592

Merged
merged 9 commits into from
Feb 14, 2024

Conversation

ideadude (Member) commented Feb 1, 2024

Description

The reviews form did not have a nonce. Adding one makes sure people are on the site when submitting a review.

Further, while the form was hidden if the one review per person setting was enabled and the user already submitted a review, the code that processed the AJAX calls did not also check this setting or the user limits.

Together, the above could allow someone to create unlimited reviews from offsite by posting to the admin-ajax.php with the correct values.

This PR adds the nonce and also abstracts the limit check into its own method and then uses that to see if the form should be shown AND uses it again on the backend before creating the review posts.

How has this been tested?

Make sure to build llms.js or the nonce check will not work.

This has been tested locally by creating a course and enabling reviews and the prevent multiple reviews setting. You can open the course page in multiple tabs before submitting a review. Then submit a review in the first tab. A review should show up in the dashboard. Then submit a review in the second tab. While it still says "Thanks" on the frontend, there will be no review in the backend.

I also tested using Postman and sending authenticated POST requests directly to admin-ajax to create reviews. They do not work without the nonce.

We could consider showing better error messages when the limit is hit, but I don't think this is important in these edge cases.

Screenshots

Types of changes

Checklist:

  • This PR requires and contains at least one changelog file.
  • My code has been tested.
  • My code passes all existing automated tests.
  • My code follows the LifterLMS Coding & Documentation Standards.
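The fix described above, as an added illustration of the pattern and not LifterLMS's own code: a WordPress AJAX review handler that verifies a nonce handed to the front-end script and re-runs, server-side, the same per-user limit check the template uses to decide whether to show the form. The script handle, meta keys, post type and every llms_demo_* identifier are assumptions.

```php
<?php
// Added example, not LifterLMS code. All llms_demo_* names are hypothetical.
// One limit check feeds both the template (show/hide the form) and the AJAX
// handler, and a nonce makes off-site POSTs to admin-ajax.php fail.
const LLMS_DEMO_ACTION = 'llms_demo_submit_review';
// Hand the nonce to the (already registered) front-end script; the JS sends it back as `nonce`.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'llms', 'llmsReviewData', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( LLMS_DEMO_ACTION ),
    ) );
} );
// Single source of truth for "may this user still review this course?"; the course
// template calls it before rendering the form, and the handler below calls it again.
function llms_demo_user_can_review( int $course_id, int $user_id ): bool {
    if ( ! $user_id || 'yes' !== get_post_meta( $course_id, '_llms_demo_reviews_enabled', true ) ) {
        return false;
    }
    if ( 'yes' !== get_post_meta( $course_id, '_llms_demo_one_review_per_user', true ) ) {
        return true; // multiple reviews per user allowed
    }
    $existing = get_posts( array(
        'post_type'   => 'llms_demo_review',
        'post_parent' => $course_id,
        'author'      => $user_id,
        'post_status' => 'any',
        'fields'      => 'ids',
        'numberposts' => 1,
    ) );
    return empty( $existing );
}
// Logged-in hook only (no wp_ajax_nopriv_), so anonymous requests never reach this.
add_action( 'wp_ajax_' . LLMS_DEMO_ACTION, function () {
    check_ajax_referer( LLMS_DEMO_ACTION, 'nonce' ); // dies with 403 on a missing/stale nonce
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $user_id   = get_current_user_id();
    if ( ! llms_demo_user_can_review( $course_id, $user_id ) ) { // server-side re-check
        wp_send_json_error( array( 'message' => 'Review limit reached.' ), 403 );
    }
    $review_id = wp_insert_post( array(
        'post_type'    => 'llms_demo_review',
        'post_parent'  => $course_id,
        'post_author'  => $user_id,
        'post_content' => sanitize_textarea_field( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => 'publish',
    ), true );
    if ( is_wp_error( $review_id ) ) {
        wp_send_json_error( array( 'message' => $review_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'review_id' => $review_id ) );
} );
```

Because the limit check runs inside the handler, a second tab or a direct POST that passes the nonce still creates no extra review once the per-user limit is hit.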

@ideadude ideadude requested a review from brianhogg February 1, 2024 21:55
@ideadude ideadude changed the base branch from trunk to dev February 1, 2024 21:56
github-actions bot (Contributor) commented Feb 1, 2024

Coverage report

Status Category Percentage Covered / Total
🟡 Statements 77.18% 328/425
🟡 Branches 68.45% 141/206
🟢 Functions 82.93% 68/82
🟡 Lines 76.68% 319/416

Test suite run success

169 tests passing in 22 suites.

Report generated by 🧪jest coverage report action from 129264c


codeclimate bot commented Feb 1, 2024

Code Climate has analyzed commit 129264c and detected 3 issues on this pull request.

Here's the issue category breakdown:

Category Count
Complexity 3

The test coverage on the diff in this pull request is 1.5% (50% is the threshold).

This pull request will bring the total coverage in the repository to 56.3%.

View more on Code Climate.

@ideadude ideadude merged commit 7379438 into dev Feb 14, 2024
32 checks passed
@ideadude ideadude deleted the fix/reviews branch February 14, 2024 20:19