Tidied up nonces.

Author: colinmurphy

plugins/wpgraphql-logging/assets/js/settings/wp-graphql-logging-view.js

@@ -0,0 +1,6 @@
+jQuery(document).ready(function($) {
+	$(".wpgraphql-logging-datepicker").datetimepicker({
+		dateFormat: "yy-mm-dd",
+		timeFormat: "HH:mm:ss"
+	});
+});

plugins/wpgraphql-logging/src/Admin/View/List/ListTable.php

@@ -5,6 +5,7 @@
 namespace WPGraphQL\Logging\Admin\View\List;
 
 use DateTime;
+use WPGraphQL\Logging\Admin\ViewLogsPage;
 use WPGraphQL\Logging\Logger\Api\LogServiceInterface;
 use WPGraphQL\Logging\Logger\Database\WordPressDatabaseEntity;
 use WP_List_Table;
@@ -58,10 +59,6 @@ public function __construct(
 	 * @phpcs:disable WordPress.Security.NonceVerification.Recommended
 	 */
 	public function prepare_items(): void {
-		if ( array_key_exists( 'orderby', $_REQUEST ) || array_key_exists( 'order', $_REQUEST ) ) {
-			check_admin_referer( 'wpgraphql-logging-sort' );
-		}
-
 		$this->process_bulk_action();
 		$this->_column_headers =
 		apply_filters(
@@ -118,8 +115,6 @@ public function get_bulk_actions(): array {
 	/**
 	 * Handle bulk actions.
 	 *
-	 * @phpcs:disable WordPress.Security.NonceVerification.Missing
-	 * @phpcs:disable WordPress.Security.NonceVerification.Recommended
 	 * @phpcs:disable Generic.Metrics.NestingLevel.TooHigh
 	 * @phpcs:disable Generic.Metrics.CyclomaticComplexity.TooHigh
 	 * @phpcs:disable Generic.Metrics.CyclomaticComplexity.MaxExceeded
@@ -299,14 +294,18 @@ public function column_cb( $item ): string {
 	 * @return string The rendered ID column or null.
 	 */
 	public function column_id( WordPressDatabaseEntity $item ): string {
-		$url            = \WPGraphQL\Logging\Admin\ViewLogsPage::ADMIN_PAGE_SLUG;
-		$download_nonce = wp_create_nonce( 'wpgraphql-logging-download_' . $item->get_id() );
+		$url    = \WPGraphQL\Logging\Admin\ViewLogsPage::ADMIN_PAGE_SLUG;
+		$log_id = $item->get_id();
+
+		$view_nonce     = wp_create_nonce( ViewLogsPage::ADMIN_PAGE_VIEW_NONCE . '_' . $log_id );
+		$download_nonce = wp_create_nonce( ViewLogsPage::ADMIN_PAGE_DOWNLOAD_NONCE . '_' . $log_id );
 		$actions        = [
 			'view'     => sprintf(
-				'<a href="?page=%s&action=%s&log=%d">%s</a>',
+				'<a href="?page=%s&action=%s&log=%d&_wpnonce=%s">%s</a>',
 				esc_attr( $url ),
 				'view',
 				$item->get_id(),
+				esc_attr( $view_nonce ),
 				esc_html__( 'View', 'wpgraphql-logging' )
 			),
 			'download' => sprintf(

plugins/wpgraphql-logging/src/Admin/View/Templates/WPGraphQLLoggerList.php

@@ -22,10 +22,7 @@
 	<hr class="wp-header-end">
 
 	<form method="post">
-		<?php wp_nonce_field( 'wpgraphql-logging-sort', 'wpgraphql-logging-sort-nonce' ); ?>
-		<?php
-		$list_table->prepare_items();
-		$list_table->display();
-		?>
+		<?php $list_table->prepare_items(); ?>
+		<?php $list_table->display(); ?>
 	</form>
 </div>

plugins/wpgraphql-logging/src/Admin/ViewLogsPage.php

@@ -24,6 +24,20 @@ class ViewLogsPage {
 	 */
 	public const ADMIN_PAGE_SLUG = 'wpgraphql-logging-view';
 
+	/**
+	 * The nonce for the view page.
+	 *
+	 * @var string
+	 */
+	public const ADMIN_PAGE_VIEW_NONCE = 'wp_graphql_logging_admin';
+
+	/**
+	 * The nonce for the download page.
+	 *
+	 * @var string
+	 */
+	public const ADMIN_PAGE_DOWNLOAD_NONCE = 'wp_graphql_logging_download';
+
 	/**
 	 * The hook suffix for the admin page.
 	 *
@@ -124,36 +138,33 @@ public function enqueue_admin_scripts( string $hook_suffix ): void {
 
 		wp_enqueue_style( 'jquery-ui-style', 'https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/themes/smoothness/jquery-ui.css', [], '1.12.1' );
 
-		// Add inline script to initialize the datetimepicker.
-		wp_add_inline_script(
-			'jquery-ui-timepicker-addon',
-			'jQuery(document).ready(function($){ $(".wpgraphql-logging-datepicker").datetimepicker({ dateFormat: "yy-mm-dd", timeFormat: "HH:mm:ss" }); });'
-		);
-
-		// Add nonce to sorting links.
-		wp_add_inline_script(
-			'jquery',
-			'jQuery(document).ready(function($){
-				var nonce = $("#wpgraphql-logging-sort-nonce").val();
-				if ( nonce ) {
-					$("th.sortable a").each(function(){
-						this.href = this.href + "&_wpnonce=" + nonce;
-					});
-				}
-			});'
-		);
+		// Enqueue admin scripts if they exist.
+		$script_path = trailingslashit( WPGRAPHQL_LOGGING_PLUGIN_URL ) . 'assets/js/settings/wp-graphql-logging-view.js';
+		if ( file_exists( trailingslashit( WPGRAPHQL_LOGGING_PLUGIN_DIR ) . 'assets/js/settings/wp-graphql-logging-view.js' ) ) {
+			wp_enqueue_script(
+				'wpgraphql-logging-view-js',
+				$script_path,
+				[ 'jquery' ],
+				WPGRAPHQL_LOGGING_VERSION,
+				true
+			);
+		}
 
 		// Allow other plugins to enqueue their own scripts/styles.
 		do_action( 'wpgraphql_logging_view_logs_admin_enqueue_scripts', $hook_suffix );
 	}
 
 	/**
 	 * Renders the admin page for the logs.
+	 *
+	 * @phpcs:disable WordPress.Security.NonceVerification.Recommended
 	 */
 	public function render_admin_page(): void {
+
+
 		$action = isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] )
 			? sanitize_text_field( $_REQUEST['action'] )
-			: 'link'; // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			: 'list';
 
 		switch ( $action ) {
 			case 'view':
@@ -173,8 +184,10 @@ public function render_admin_page(): void {
 	 * This runs before any HTML is output.
 	 */
 	public function process_page_actions_before_rendering(): void {
-		// Check for a download request.
-		if ( isset( $_GET['action'] ) && 'download' === $_GET['action'] ) { // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
+
+		// Nonce handled in process_log_download and process_filters_redirect.
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( isset( $_GET['action'] ) && 'download' === $_GET['action'] ) {
 			$this->process_log_download();
 		}
 
@@ -238,14 +251,16 @@ public function get_redirect_url(): string {
 	 *
 	 * @param string $key The key to retrieve from $_POST.
 	 *
+	 * @phpcs:disable WordPress.Security.NonceVerification.Missing
+	 *
 	 * @return string|null The sanitized value or null if not set or invalid.
 	 */
 	protected function get_post_value(string $key): ?string {
-		$value = $_POST[ $key ] ?? null; // @phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		if ( ! is_string( $value ) || '' === $value ) {
+		if ( ! array_key_exists( $key, $_POST ) || ! is_string( $_POST[ $key ] ) ) {
 			return null;
 		}
-		return sanitize_text_field( wp_unslash( $value ) );
+		$post_value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
+		return '' !== $post_value ? $post_value : null;
 	}
 
 	/**
@@ -257,17 +272,14 @@ protected function render_list_page(): void {
 		require_once $list_template; // @phpcs:ignore WordPressVIPMinimum.Files.IncludingFile.UsingVariable
 	}
 
-		/**
-		 * Renders the list page for log entries.
-		 */
+	/**
+	 * Renders the list page for log entries.
+	 */
 	protected function process_log_download(): void {
-		if ( ! current_user_can( 'manage_options' ) || ! is_admin() ) {
-			wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'wpgraphql-logging' ) );
-		}
-
 		$log_id = isset( $_GET['log'] ) ? absint( $_GET['log'] ) : 0;
-		if ( $log_id > 0 ) {
-			check_admin_referer( 'wpgraphql-logging-download_' . $log_id );
+		$this->verify_admin_page_nonce( self::ADMIN_PAGE_DOWNLOAD_NONCE . '_' . $log_id );
+		if ( 0 === (int) $log_id ) {
+			wp_die( esc_html__( 'Invalid log ID.', 'wpgraphql-logging' ) );
 		}
 		$downloader = new DownloadLogService( $this->get_log_service() );
 		$downloader->generate_csv( $log_id );
@@ -277,7 +289,8 @@ protected function process_log_download(): void {
 	 * Renders the view page for a single log entry.
 	 */
 	protected function render_view_page(): void {
-		$log_id = isset( $_GET['log'] ) ? absint( $_GET['log'] ) : 0; // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$log_id = isset( $_GET['log'] ) ? absint( $_GET['log'] ) : 0;
+		$this->verify_admin_page_nonce( self::ADMIN_PAGE_DOWNLOAD_NONCE . '_' . $log_id );
 
 		if ( 0 === (int) $log_id ) {
 			echo '<div class="notice notice-error"><p>' . esc_html__( 'Invalid log ID.', 'wpgraphql-logging' ) . '</p></div>';
@@ -297,6 +310,18 @@ protected function render_view_page(): void {
 		require_once $log_template; // @phpcs:ignore WordPressVIPMinimum.Files.IncludingFile.UsingVariable
 	}
 
+	/**
+	 * Verifies the admin page nonce.
+	 *
+	 * @param string $nonce The nonce to verify.
+	 */
+	protected function verify_admin_page_nonce(string $nonce): void {
+		if ( ! current_user_can( 'manage_options' ) || ! is_admin() ) {
+			wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'wpgraphql-logging' ) );
+		}
+		check_admin_referer( $nonce );
+	}
+
 	/**
 	 * Retrieves the log service instance.
 	 *

plugins/wpgraphql-logging/tests/wpunit/Admin/View/ViewLogsPageTest.php

@@ -116,27 +116,6 @@ public function test_register_admin_page() : void {
 		$instance = ViewLogsPage::init();
 		$instance->register_settings_page();
 
-		// View
-		$_REQUEST['action'] = 'view';
-		$_GET['log'] = '123';
-
-		ob_start();
-		$instance->render_admin_page();
-		$output = ob_get_clean();
-		$this->assertNotFalse($output);
-
-		// Download
-		$_REQUEST['action'] = 'download';
-		ob_start();
-		$instance->render_admin_page();
-		$output = ob_get_clean();
-
-		$this->assertEquals('', $output);
-
-		// Clean up
-		unset($_REQUEST['action'], $_GET['log']);
-
-
 		// Default
 		ob_start();
 		$instance->render_admin_page();
@@ -156,7 +135,7 @@ public function test_process_page_actions_before_rendering_as_download_action()
 
 		ob_start();
 		$this->expectException(\WPDieException::class);
-		$this->expectExceptionMessage('Invalid log ID.');
+		$this->expectExceptionMessage('The link you followed has expired.');
 		$instance->process_page_actions_before_rendering();
 		$output = ob_get_clean();
 
@@ -222,7 +201,7 @@ public function test_process_log_download_dies_without_nonce(): void {
 		$_GET['log'] = 'nonexistent-log-id';
 		ob_start();
 		$this->expectException(\WPDieException::class);
-		$this->expectExceptionMessage('Invalid log ID.');
+		$this->expectExceptionMessage('The link you followed has expired.');
 
 		// Use reflection to call the protected method
 		$reflection = new \ReflectionClass($instance);