add logs, add readme

composer.json

@@ -1,7 +1,7 @@
 {
   "name": "smartling/wordpress-connector",
   "license": "GPL-2.0-or-later",
-  "version": "5.5.2",
+  "version": "5.6.0",
   "description": "",
   "type": "wordpress-plugin",
   "repositories": [

inc/Smartling/Bootstrap.php

@@ -181,10 +181,13 @@ private function initRoles(): void
     #[NoReturn]
     public function updateGlobalExpertSettings(): void
     {
-        check_ajax_referer('smartling_expert_global_settings', '_wpnonce');
+        if (check_ajax_referer('smartling_expert_global_settings', '_wpnonce', false) === false) {
+            static::getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_expert_global_settings', get_current_user_id()));
+            wp_send_json(['error' => 'Invalid nonce'], 403);
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP)) {
+            static::getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP));
             wp_send_json(['error' => 'Insufficient permissions'], 403);
-            return;
         }
 
         $data = $_POST['params'];

inc/Smartling/Helpers/UiMessageHelper.php

@@ -2,15 +2,22 @@
 
 namespace Smartling\Helpers;
 
+use Smartling\Bootstrap;
+
 class UiMessageHelper
 {
     private const CACHE_KEY_PREFIX = 'smartling.ui.message.';
     public const DISMISS_MESSAGE_ACTION = 'smartling_dismiss_message';
 
     public static function dismissMessage(): void
     {
-        check_ajax_referer(self::DISMISS_MESSAGE_ACTION, '_wpnonce');
+        if (check_ajax_referer(self::DISMISS_MESSAGE_ACTION, '_wpnonce', false) === false) {
+            Bootstrap::getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', self::DISMISS_MESSAGE_ACTION, get_current_user_id()));
+            wp_send_json_error(['message' => 'Invalid nonce'], 403);
+            return;
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_MENU_CAP)) {
+            Bootstrap::getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_MENU_CAP));
             wp_send_json_error(['message' => 'Insufficient permissions'], 403);
             return;
         }

inc/Smartling/Services/ContentRelationsHandler.php

@@ -81,8 +81,13 @@ public function register(): void
      */
     public function createSubmissionsHandler(array $data = null): void
     {
-        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+        if ($this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_translation', get_current_user_id()));
+            $this->returnError('invalid.nonce', 'Invalid nonce', 403);
+            return;
+        }
         if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             $this->returnError('permission.denied', 'Insufficient permissions', 403);
             return;
         }
@@ -104,8 +109,13 @@ public function createSubmissionsHandler(array $data = null): void
 
     public function actionHandler(): void
     {
-        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+        if ($this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_translation', get_current_user_id()));
+            $this->returnError('invalid.nonce', 'Invalid nonce', 403);
+            return;
+        }
         if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             $this->returnError('permission.denied', 'Insufficient permissions', 403);
             return;
         }

inc/Smartling/WP/Controller/CheckStatusController.php

@@ -39,8 +39,13 @@ public function register(): void
      */
     public function ajaxHandler()
     {
-        check_ajax_referer('smartling_check_status', '_wpnonce');
+        if (check_ajax_referer('smartling_check_status', '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_check_status', get_current_user_id()));
+            wp_send_json(['error' => 'Invalid nonce'], 403);
+            return false;
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             wp_send_json(['error' => 'Insufficient permissions'], 403);
             return false;
         }

inc/Smartling/WP/Controller/ConfigurationProfileFormController.php

@@ -50,8 +50,13 @@ public function register(): void
 
     public function initTestConnectionEndpoint(): void
     {
-        check_ajax_referer('smartling_test_connection', '_wpnonce');
+        if (check_ajax_referer('smartling_test_connection', '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_test_connection', get_current_user_id()));
+            wp_send_json(['status' => 403, 'message' => 'Invalid nonce'], 403);
+            return;
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP));
             wp_send_json(['status' => 403, 'message' => 'Insufficient permissions'], 403);
             return;
         }

inc/Smartling/WP/Controller/ContentEditJobController.php

@@ -27,8 +27,6 @@ class ContentEditJobController extends WPAbstract implements WPHookInterface
 {
     public const SMARTLING_JOB_API_PROXY = 'smartling_job_api_proxy';
 
-    private WordpressFunctionProxyHelper $wpProxy;
-
     public function __construct(
         ApiWrapperInterface $api,
         LocalizationPluginProxyInterface $localizationPluginProxy,
@@ -37,10 +35,9 @@ public function __construct(
         SiteHelper $siteHelper,
         SubmissionManager $submissionManager,
         Cache $cache,
-        WordpressFunctionProxyHelper $wpProxy,
+        private WordpressFunctionProxyHelper $wpProxy,
     ) {
         parent::__construct($api, $localizationPluginProxy, $pluginInfo, $settingsManager, $siteHelper, $submissionManager, $cache);
-        $this->wpProxy = $wpProxy;
     }
     /**
      * @var string
@@ -87,8 +84,13 @@ public function setServedContentType($servedContentType)
     public function initJobApiProxy(): void
     {
         add_action('wp_ajax_' . self::SMARTLING_JOB_API_PROXY, function () {
-            $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+            if ($this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce', false) === false) {
+                $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_translation', get_current_user_id()));
+                $this->wpProxy->wp_send_json(['status' => 403, 'message' => 'Invalid nonce'], 403);
+                return;
+            }
             if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+                $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
                 $this->wpProxy->wp_send_json(['status' => 403, 'message' => 'Insufficient permissions'], 403);
                 return;
             }

inc/Smartling/WP/Controller/InstantTranslationController.php

@@ -37,9 +37,14 @@ public function register(): void
 
     public function handleRequestTranslation(): void
     {
-        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+        if ($this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_translation', get_current_user_id()));
+            $this->wpProxy->wp_send_json_error(['message' => 'Invalid nonce'], 403);
+            return;
+        }
 
         if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             $this->wpProxy->wp_send_json_error(['message' => 'Insufficient permissions'], 403);
             return;
         }
@@ -139,9 +144,14 @@ public function handleRequestTranslation(): void
 
     public function handlePollStatus(): void
     {
-        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+        if ($this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_translation', get_current_user_id()));
+            $this->wpProxy->wp_send_json_error(['message' => 'Invalid nonce'], 403);
+            return;
+        }
 
         if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             $this->wpProxy->wp_send_json_error(['message' => 'Insufficient permissions'], 403);
             return;
         }

inc/Smartling/WP/Controller/LiveNotificationController.php

@@ -116,8 +116,13 @@ public function placeJsConfig(): void
 
     public function deleteNotificationAjaxHandler(): void
     {
-        check_ajax_referer(self::DELETE_NOTIFICATION_ACTION_NAME, '_wpnonce');
+        if (check_ajax_referer(self::DELETE_NOTIFICATION_ACTION_NAME, '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', self::DELETE_NOTIFICATION_ACTION_NAME, get_current_user_id()));
+            wp_send_json(['code' => 'error', 'message' => 'Invalid nonce'], 403);
+            return;
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             wp_send_json(['code' => 'error', 'message' => 'Insufficient permissions'], 403);
             return;
         }

inc/Smartling/WP/Controller/PostBasedWidgetControllerStd.php

@@ -116,8 +116,13 @@ public function setNoOriginalFound($noOriginalFound)
 
     public function ajaxDownloadHandler(): void
     {
-        check_ajax_referer(self::AJAX_NONCE_ACTION, '_wpnonce');
+        if (check_ajax_referer(self::AJAX_NONCE_ACTION, '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', self::AJAX_NONCE_ACTION, get_current_user_id()));
+            wp_send_json(['status' => self::RESPONSE_AJAX_STATUS_FAIL, 'message' => 'Invalid nonce'], 403);
+            return;
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             wp_send_json(['status' => self::RESPONSE_AJAX_STATUS_FAIL, 'message' => 'Insufficient permissions'], 403);
             return;
         }
@@ -182,8 +187,13 @@ private function validateTargetBlog($blogId)
 
     public function ajaxUploadHandler()
     {
-        check_ajax_referer(self::AJAX_NONCE_ACTION, '_wpnonce');
+        if (check_ajax_referer(self::AJAX_NONCE_ACTION, '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', self::AJAX_NONCE_ACTION, get_current_user_id()));
+            wp_send_json(['status' => self::RESPONSE_AJAX_STATUS_FAIL, 'message' => 'Invalid nonce'], 403);
+            return;
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP));
             wp_send_json(['status' => self::RESPONSE_AJAX_STATUS_FAIL, 'message' => 'Insufficient permissions'], 403);
             return;
         }

inc/Smartling/WP/Controller/TaxonomyLinksController.php

@@ -152,8 +152,13 @@ private function getMappedTerms()
 
     public function linkTaxonomies($data)
     {
-        $this->wordpressProxy->check_ajax_referer(self::NONCE_ACTION, '_wpnonce');
+        if ($this->wordpressProxy->check_ajax_referer(self::NONCE_ACTION, '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', self::NONCE_ACTION, get_current_user_id()));
+            $this->wordpressProxy->wp_send_json_error(['message' => 'Invalid nonce'], 403);
+            return;
+        }
         if (!$this->wordpressProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_MENU_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_MENU_CAP));
             $this->wordpressProxy->wp_send_json_error(['message' => 'Insufficient permissions'], 403);
             return;
         }

inc/Smartling/WP/Controller/TestRunController.php

@@ -152,8 +152,13 @@ public function getBlogs(): array
 
     public function testRun($data): void
     {
-        check_ajax_referer('smartling_test_run', '_wpnonce');
+        if (check_ajax_referer('smartling_test_run', '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', 'smartling_test_run', get_current_user_id()));
+            wp_send_json_error(['message' => 'Invalid nonce'], 403);
+            return;
+        }
         if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP));
             wp_send_json_error(['message' => 'Insufficient permissions'], 403);
             return;
         }

inc/Smartling/WP/Controller/VisualConfiguratorPage.php

@@ -2,6 +2,7 @@
 
 namespace Smartling\WP\Controller;
 
+use Smartling\Helpers\LoggerSafeTrait;
 use Smartling\Helpers\PluginInfo;
 use Smartling\Helpers\SmartlingUserCapabilities;
 use Smartling\Helpers\WordpressFunctionProxyHelper;
@@ -12,6 +13,8 @@
 
 class VisualConfiguratorPage extends ControllerAbstract implements WPHookInterface
 {
+    use LoggerSafeTrait;
+
     public const SLUG = 'smartling_visual_configurator';
     public const NONCE_ACTION = 'smartling_visual_configurator';
     public const ACTION_LIST_RULES = 'smartling_visual_configurator_list_rules';
@@ -87,7 +90,7 @@ public function enqueue(string $hook): void
 
     public function ajaxListRules(): void
     {
-        if (!$this->verifyNonce()) {
+        if (!$this->verifyNonceAndCapabilities()) {
             return;
         }
         $this->rulesManager->loadData();
@@ -100,7 +103,7 @@ public function ajaxListRules(): void
 
     public function ajaxSaveRule(): void
     {
-        if (!$this->verifyNonce()) {
+        if (!$this->verifyNonceAndCapabilities()) {
             return;
         }
         try {
@@ -141,7 +144,7 @@ public function ajaxSaveRule(): void
 
     public function ajaxResolveType(): void
     {
-        if (!$this->verifyNonce()) {
+        if (!$this->verifyNonceAndCapabilities()) {
             return;
         }
         $id = isset($_POST['id']) ? (int)$_POST['id'] : 0;
@@ -159,7 +162,7 @@ public function ajaxResolveType(): void
 
     public function ajaxDeleteRule(): void
     {
-        if (!$this->verifyNonce()) {
+        if (!$this->verifyNonceAndCapabilities()) {
             return;
         }
         $id = isset($_POST['id']) && is_string($_POST['id'])
@@ -177,10 +180,15 @@ public function ajaxDeleteRule(): void
         $this->wpProxy->wp_send_json_success(['id' => $id]);
     }
 
-    private function verifyNonce(): bool
+    private function verifyNonceAndCapabilities(): bool
     {
-        $this->wpProxy->check_ajax_referer(self::NONCE_ACTION, '_wpnonce');
+        if ($this->wpProxy->check_ajax_referer(self::NONCE_ACTION, '_wpnonce', false) === false) {
+            $this->getLogger()->warning(sprintf('Invalid nonce for action "%s" from userId=%d', self::NONCE_ACTION, get_current_user_id()));
+            $this->wpProxy->wp_send_json_error(['message' => 'Invalid nonce'], 403);
+            return false;
+        }
         if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP)) {
+            $this->getLogger()->warning(sprintf('User %d lacks capability "%s"', get_current_user_id(), SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP));
             $this->wpProxy->wp_send_json_error(['message' => 'Insufficient permissions'], 403);
             return false;
         }

readme.txt

@@ -4,7 +4,7 @@ Tags: translation, localization, multilingual, internationalization, smartling
 Requires at least: 5.5
 Tested up to: 7.0
 Requires PHP: 8.0
-Stable tag: 5.5.2
+Stable tag: 5.6.0
 License: GPLv2 or later
 
 Translate content in WordPress quickly and seamlessly with Smartling, the industry-leading Translation Management System.
@@ -62,8 +62,11 @@ Additional information on the Smartling Connector for WordPress can be found [he
 3. Track translation status within WordPress from the Submissions Board. View overall progress of submitted translation requests as well as resend updated content.
 
 == Changelog ==
-= 5.5.2 =
+= 5.6.0 =
+* Added visual configurator for JSON metadata fields
 * Added "Check All" and "Uncheck All" buttons to the related assets list
+* Fixed reusable blocks support
+* Added capability and nonce checks for ajax endpoints
 
 = 5.5.1 =
 * Fixed broken HTML in the content edit view that prevented WordPress postboxes below the Smartling box from opening after the Smartling box was collapsed

smartling-connector.php

@@ -11,7 +11,7 @@
  * Plugin Name:       Smartling Connector
  * Plugin URI:        https://www.smartling.com/products/automate/integrations/wordpress/
  * Description:       Integrate your WordPress site with Smartling to upload your content and download translations.
- * Version:           5.5.2
+ * Version:           5.6.0
  * Author:            Smartling
  * Author URI:        https://www.smartling.com
  * License:           GPL-2.0+

tests/Smartling/WP/Controller/VisualConfiguratorPageTest.php

@@ -180,6 +180,7 @@ public function testAjaxDeleteRuleRemovesItem(): void
             'propertyPath' => '$.title',
             'replacerId' => 'translate',
         ]);
+        $manager->saveData(); // persist so loadData() inside ajaxDeleteRule() reloads this exact item
         $_POST = ['id' => $id];
 
         $wpProxy = $this->createWpProxy();