Merge pull request #513 from razorpay/rzp-route-add-nonce

added authentication and authorization for route
razorpay · Nov 27, 2023 · 45350e2 · 45350e2
2 parents f5c9c2d + 5b4db88
commit 45350e2
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 37 deletions.
diff --git a/includes/razorpay-route-actions.php b/includes/razorpay-route-actions.php
@@ -23,10 +23,35 @@ public function redirect($pageUrl)
         wp_redirect($pageUrl);
     }
 
+    public function authorizeAndAuthenticate($nonce, $action)
+    {
+        if(current_user_can('manage_woocommerce') === false)
+        {
+            rzpLogError("Authorization Failed");
+            wp_die('<div class="error notice">
+                <p>RAZORPAY ERROR: User is not Authorized to perform Operation</p>
+             </div>');
+        }
+
+        $verifyReq = wp_verify_nonce($nonce, $action);
+
+        if ($verifyReq === false)
+        {
+            rzpLogError("nonce Authentication failed");
+            wp_die('<div class="error notice">
+                <p>RAZORPAY ERROR: Authentication Failed</p>
+             </div>');
+        }
+    }
+
     function directTransfer()
     {
         $trfAccount = sanitize_text_field($_POST['drct_trf_account']);
         $trfAmount = sanitize_text_field($_POST['drct_trf_amount']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_direct_transfer');
+
         $pageUrl = admin_url('admin.php?page=razorpayRouteWoocommerce');
         try {
             $transferData = array(
@@ -51,9 +76,12 @@ function directTransfer()
 
     function reverseTransfer()
     {
-
         $transferId = sanitize_text_field($_POST['transfer_id']);
         $reversalAmount = sanitize_text_field($_POST['reversal_amount']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_reverse_transfer');
+
         $pageUrl = admin_url('admin.php?page=razorpayTransfers&id=' . $transferId);
         try {
             $reversalData = array(
@@ -75,9 +103,12 @@ function reverseTransfer()
 
     function updateTransferSettlement()
     {
-
         $transferId = sanitize_text_field($_POST['transfer_id']);
         $trfHoldStatus = sanitize_text_field($_POST['on_hold']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_settlement_change');
+
         if ($trfHoldStatus == "on_hold_until") {
             $trfHoldUntil = sanitize_text_field($_POST['hold_until']);
             $unixTime = strtotime($trfHoldUntil);
@@ -110,10 +141,13 @@ function updateTransferSettlement()
 
     function createPaymentTransfer()
     {
-
         $paymentId = sanitize_text_field($_POST['payment_id']);
         $trfAccount = sanitize_text_field($_POST['pay_trf_account']);
         $trfAmount = sanitize_text_field($_POST['pay_trf_amount']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_payment_transfer');
+
         $pageUrl = admin_url('admin.php?page=razorpayPaymentsView&id=' . $paymentId);
 
         $trfHoldStatus = sanitize_text_field($_POST['on_hold']);

diff --git a/includes/razorpay-route.php b/includes/razorpay-route.php
@@ -9,14 +9,33 @@
 use Automattic\WooCommerce\Internal\DataStores\Orders\CustomOrdersTableController;
 
 add_action('setup_extra_setting_fields', 'addRouteModuleSettingFields');
-add_action('admin_post_rzp_direct_transfer', 'razorpayDirectTransfer');
-add_action('admin_post_rzp_reverse_transfer', 'razorpayReverseTransfer');
-add_action('admin_post_rzp_settlement_change', 'razorpaySettlementUpdate');
-add_action('admin_post_rzp_payment_transfer', 'razorpayPaymentTransfer');
-
 add_action( 'check_route_enable_status', 'razorpayRouteModule',0 );
 do_action('check_route_enable_status');
 
+add_action('admin_post_rzp_direct_transfer', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->directTransfer();
+});
+
+add_action('admin_post_rzp_reverse_transfer', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->reverseTransfer();
+});
+
+add_action('admin_post_rzp_settlement_change', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->updateTransferSettlement();
+});
+
+add_action('admin_post_rzp_payment_transfer', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->createPaymentTransfer();
+});
+
 function addRouteModuleSettingFields(&$defaultFormFields){
     if( get_woocommerce_currency() == "INR") {
 
@@ -166,6 +185,7 @@ function rzpTransfers()
                             <div>
                             <button type="submit" onclick="' . $hide . '" name="trf_create" class="btn btn-primary">Create</button>
                             <input type="hidden" name="action" value="rzp_direct_transfer">
+                            <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_direct_transfer') . '">
                             </div>
                             </form>
                         </div>
@@ -439,7 +459,7 @@ function rzpTransferDetails()
                                 <input type="hidden" name="action" value="rzp_reverse_transfer">
                                 <input type="hidden" name="transfer_id" value="' . $transferDetail['id'] . '">
                                 <input type="hidden" name="transfer_amount" value="' . $transferDetail['amount'] . '">
-
+                                <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_reverse_transfer') . '">
                                 </div>
                                 </form>
                             </div>
@@ -507,6 +527,7 @@ function rzpTransferDetails()
                                 <button type="submit" onclick="' . $hideSetl . '" name="update_setl_status"  class="btn btn-primary">Save</button>
                                 <input type="hidden" name="action" value="rzp_settlement_change">
                                 <input type="hidden" name="transfer_id" value="' . $transferDetail['id'] . '">
+                                <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_settlement_change') . '">
                                 </div>
                                 </form>
                             </div>
@@ -977,6 +998,7 @@ function rzpPaymentDetails()
                                 <button type="submit" onclick="' . $hide . '" name="trf_create" class="btn btn-primary" id="payment_transfer_btn">Create</button>
                                 <input type="hidden" name="payment_id" value="' . $paymentDetail['id'] . '">
                                 <input type="hidden" name="action" value="rzp_payment_transfer">
+                                <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_payment_transfer') . '">
                                 </div>
                                 </form>
                             </div>
@@ -1270,31 +1292,3 @@ function renderPaymentMetaBox(){
 
 }
 
-function razorpayDirectTransfer()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->directTransfer();
-}
-
-function razorpayReverseTransfer()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->reverseTransfer();
-}
-
-function razorpaySettlementUpdate()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->updateTransferSettlement();
-}
-
-function razorpayPaymentTransfer()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->createPaymentTransfer();
-}
-