Added nonce to download action.

Author: colinmurphy

plugins/wpgraphql-logging/src/Admin/View/List/ListTable.php

@@ -299,8 +299,9 @@ public function column_cb( $item ): string {
 	 * @return string The rendered ID column or null.
 	 */
 	public function column_id( WordPressDatabaseEntity $item ): string {
-		$url     = \WPGraphQL\Logging\Admin\ViewLogsPage::ADMIN_PAGE_SLUG;
-		$actions = [
+		$url            = \WPGraphQL\Logging\Admin\ViewLogsPage::ADMIN_PAGE_SLUG;
+		$download_nonce = wp_create_nonce( 'wpgraphql-logging-download_' . $item->get_id() );
+		$actions        = [
 			'view'     => sprintf(
 				'<a href="?page=%s&action=%s&log=%d">%s</a>',
 				esc_attr( $url ),
@@ -309,10 +310,11 @@ public function column_id( WordPressDatabaseEntity $item ): string {
 				esc_html__( 'View', 'wpgraphql-logging' )
 			),
 			'download' => sprintf(
-				'<a href="?page=%s&action=%s&log=%d">%s</a>',
+				'<a href="?page=%s&action=%s&log=%d&_wpnonce=%s">%s</a>',
 				esc_attr( $url ),
 				'download',
 				$item->get_id(),
+				esc_attr( $download_nonce ),
 				esc_html__( 'Download', 'wpgraphql-logging' )
 			),
 		];

plugins/wpgraphql-logging/src/Admin/ViewLogsPage.php

@@ -128,6 +128,7 @@ public function enqueue_admin_scripts( string $hook_suffix ): void {
 
 		wp_enqueue_style( 'jquery-ui-style', 'https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/themes/smoothness/jquery-ui.css', [], '1.12.1' );
 
+		// Add inline script to initialize the datetimepicker.
 		wp_add_inline_script(
 			'jquery-ui-timepicker-addon',
 			'jQuery(document).ready(function($){ $(".wpgraphql-logging-datepicker").datetimepicker({ dateFormat: "yy-mm-dd", timeFormat: "HH:mm:ss" }); });'
@@ -351,7 +352,10 @@ protected function process_log_download(): void {
 			wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'wpgraphql-logging' ) );
 		}
 
-		$log_id     = isset( $_GET['log'] ) ? absint( $_GET['log'] ) : 0; // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$log_id = isset( $_GET['log'] ) ? absint( $_GET['log'] ) : 0;
+		if ( $log_id > 0 ) {
+			check_admin_referer( 'wpgraphql-logging-download_' . $log_id );
+		}
 		$downloader = new DownloadLogService( $this->get_log_service() );
 		$downloader->generate_csv( $log_id );
 	}

plugins/wpgraphql-logging/tests/wpunit/Admin/View/ViewLogsPageTest.php

@@ -214,4 +214,20 @@ public function test_get_redirect_url_constructs_correct_url(): void {
 			$url
 		);
 	}
+
+	public function test_process_log_download_dies_without_nonce(): void {
+		$this->set_as_admin();
+		$instance = ViewLogsPage::init();
+		$_GET['action'] = 'download';
+		$_GET['log'] = 'nonexistent-log-id';
+		ob_start();
+		$this->expectException(\WPDieException::class);
+		$this->expectExceptionMessage('Invalid log ID.');
+
+		// Use reflection to call the protected method
+		$reflection = new \ReflectionClass($instance);
+		$method = $reflection->getMethod('process_log_download');
+		$method->setAccessible(true);
+		$method->invoke($instance);
+	}
 }