
security - How safe is current_user_can()?


I'm saving sensitive data via JSON ajax request, it is not sanitized, literally anything can be passed.

I need to make sure that only admins with edit_options permission can save it.

So I do:

function received_ajax_request() {
  // Only users holding the edit_options capability get past this point.
  if ( !current_user_can('edit_options') ) {
    return;
  }

  save_to_database( $_POST['something'] );
}

My question is how safe it is? Do I need to check for anything else besides current_user_can?

For example, I saw some other plugins check also for nonce, but when rest API is used - nonces are generally not used.


asked May 18, 2019 at 7:32 by Marvin3

1 Answer

current_user_can checks whether the current user has a specific capability. And only that...

It won’t protect you from XSS attacks - so it would be a good idea to check some nonces too - this way you can be certain that user wants to perform given action.

Let’s say there’s a link to delete a post. Of course you will check if user can delete posts. But what if a user is logged in and I make him click the link? He doesn’t have to know - it can be a shortened link or an image.

It also won’t check if the current user is owner of given object.

Let’s say I’m a customer in a shop. Of course I can add comments to orders. But only for my orders.

So you should always check full access rights and not only roles and capabilities.

And of course it won’t make the action safe. So you still have to sanitize, and escape, and so on...
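As an added example (not code from the question or the answer), here is the handler from the question rewritten with the four checks the answer lists: nonce, capability, object ownership, and sanitisation. The action name, nonce action string, script handle and the save_to_database() helper are assumed.

```php
<?php
// Added example: hardened version of the handler in the question.
// Names such as 'save_something_action' and save_to_database() are assumed.

add_action( 'wp_ajax_save_something', 'received_ajax_request' );

function received_ajax_request() {
    // 1. Nonce: the request must carry a token issued to this user for this
    //    action, so a request triggered from another site (the link/image
    //    case in the answer) stops here. check_ajax_referer() dies on failure.
    check_ajax_referer( 'save_something_action', 'nonce' );

    // 2. Capability: may this user perform this kind of action at all?
    if ( ! current_user_can( 'edit_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    // 3. Ownership: a capability says nothing about *which* object.
    //    Meta capabilities such as edit_post take the object id and include
    //    the ownership test for you.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'not allowed to edit this object', 403 );
    }

    // 4. Sanitise: never store $_POST as it arrived.
    $something = isset( $_POST['something'] )
        ? sanitize_text_field( wp_unslash( $_POST['something'] ) )
        : '';

    save_to_database( $post_id, $something ); // assumed helper
    wp_send_json_success();
}

// The page that sends the request receives a matching nonce.
function enqueue_save_something_script() {
    wp_enqueue_script( 'save-something', plugins_url( 'save.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'save-something', 'saveSomething', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'save_something_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'enqueue_save_something_script' );
```

For a REST route, the same capability and ownership checks belong in the route's permission_callback; cookie-authenticated REST requests must still send the nonce in the X-WP-Nonce header, otherwise WordPress treats them as logged out.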
