The logic in save_new_alert AJAX action does only check for a valid nonce, but not for authorization. This makes it possible to reuse a valid nonce and trigger the save_new_alert with an unauthorized or unauthenticated user.
This PR adds an authorization check to save_new_alert (as well as to get_new_alert_triggers_notifications, which could be used to retrieve a nonce as an authenticated but unauthorized user), and adds corresponding tests to ensure both wanted and unwanted requests behave as expected with regards to alert creation.
Props to @marcS0H for the report.
Checklist
[x] Project documentation has been updated to reflect the changes in this pull request, if applicable.
[x] I have tested the changes in the local development environment (see contributing.md).
The logic in
save_new_alertAJAX action does only check for a valid nonce, but not for authorization. This makes it possible to reuse a valid nonce and trigger thesave_new_alertwith an unauthorized or unauthenticated user.This PR adds an authorization check to
save_new_alert(as well as toget_new_alert_triggers_notifications, which could be used to retrieve a nonce as an authenticated but unauthorized user), and adds corresponding tests to ensure both wanted and unwanted requests behave as expected with regards to alert creation.Props to @marcS0H for the report.
Checklist
contributing.md).