From ef536cc9777312bdee3d39cc17f09ce968ed5e73 Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Fri, 21 Apr 2023 16:40:46 +0200
Subject: [PATCH] verify requests
---
includes/table/class-followers.php | 14 +++++++++++++-
templates/followers-list.php | 1 +
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/includes/table/class-followers.php b/includes/table/class-followers.php
index dbd2647..3cf4946 100644
--- a/includes/table/class-followers.php
+++ b/includes/table/class-followers.php
@@ -82,7 +82,19 @@ class Followers extends WP_List_Table {
 }
 public function process_action() {
- $followers = isset( $_REQUEST['followers'] ) ? $_REQUEST['followers'] : array(); // phpcs:ignore
+ if ( ! isset( $_REQUEST['followers'] ) || ! isset( $_REQUEST['_apnonce'] ) ) {
+ return false;
+ }
+
+ if ( ! wp_verify_nonce( $_REQUEST['_apnonce'], 'activitypub-followers-list' ) ) {
+ return false;
+ }
+
+ if ( ! current_user_can( 'edit_user', \get_current_user_id() ) ) {
+ return false;
+ }
+
+ $followers = $_REQUEST['followers']; // phpcs:ignore
 switch ( $this->current_action() ) {
 case 'delete':
diff --git a/templates/followers-list.php b/templates/followers-list.php
index e76a45d..c79c961 100644
--- a/templates/followers-list.php
+++ b/templates/followers-list.php
@@ -12,5 +12,6 @@
 $token_table->prepare_items();
 $token_table->display();
 ?>
+
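Review bot: The new `current_user_can( 'edit_user', \get_current_user_id() )` check in process_action() only proves the requester may edit their own profile; it does not bind the `delete` action to the account whose followers are being listed, so if the table's user is taken from the request rather than from the session, the check should be made against that user id instead — the delete branch is outside the hunk, so I cannot confirm which user it operates on. The `$followers` value is still forwarded verbatim from `$_REQUEST` (the `// phpcs:ignore` silences the sanitization warning), so the delete branch receives whatever type the client sent; normalising it first, `$followers = array_map( 'sanitize_text_field', (array) wp_unslash( $_REQUEST['followers'] ) );`, keeps later code from seeing nested arrays or slashed strings. The nonce is likewise read unslashed; `wp_verify_nonce( wp_unslash( $_REQUEST['_apnonce'] ), 'activitypub-followers-list' )` is the usual form. As a point of style, `\get_current_user_id()` is fully qualified while `wp_verify_nonce` and `current_user_can` on the neighbouring lines are not; pick one convention. The method's `switch` and its `delete` case continue outside the hunk.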