From 826d97e93af43f431bddf453a5ecd1131f250057 Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Fri, 27 Feb 2026 12:40:38 +0530
Subject: [PATCH 1/2] fix: prevent unauthorized users from updating chart data

---
 classes/Visualizer/Module/Chart.php | 15 ++++++++++++---
 classes/Visualizer/Render/Layout.php | 4 ++--
 classes/Visualizer/Render/Page/Types.php | 2 +-
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/classes/Visualizer/Module/Chart.php b/classes/Visualizer/Module/Chart.php
index 8bf503f6e..bd0752f42 100644
--- a/classes/Visualizer/Module/Chart.php
+++ b/classes/Visualizer/Module/Chart.php
@@ -379,7 +379,7 @@ public function getCharts() {
 	 *
 	 * @return array The array of chart data.
 	 */
-	private function _getChartArray( ?WP_Post $chart = null ) {
+	private function _getChartArray( $chart = null ) {
 		if ( is_null( $chart ) ) {
 			$chart = $this->_chart;
 		}
@@ -1139,7 +1139,11 @@ public function uploadData() {
 		$can_die = ! ( defined( 'VISUALIZER_DO_NOT_DIE' ) && VISUALIZER_DO_NOT_DIE );
 
 		// validate nonce
-		if ( ! isset( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'] ) ) {
+		if (
+			! isset( $_GET['nonce'] ) ||
+			! wp_verify_nonce( $_GET['nonce'], 'visualizer-upload-data' ) ||
+			! current_user_can( 'edit_posts' )
+		) {
 			if ( ! $can_die ) {
 				return;
 			}
@@ -1150,7 +1154,12 @@ public function uploadData() {
 		// check chart, if chart exists
 		// do not use filter_input as it does not work for phpunit test cases, use filter_var instead
 		$chart_id = isset( $_GET['chart'] ) ? filter_var( $_GET['chart'], FILTER_VALIDATE_INT ) : '';
-		if ( ! $chart_id || ! ( $chart = get_post( $chart_id ) ) || $chart->post_type !== Visualizer_Plugin::CPT_VISUALIZER ) {
+		if (
+			! $chart_id ||
+			! ( $chart = get_post( $chart_id ) ) ||
+			$chart->post_type !== Visualizer_Plugin::CPT_VISUALIZER ||
+			! current_user_can( 'edit_post', $chart_id )
+		) {
 			if ( ! $can_die ) {
 				return;
 			}
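Review bot: Dropping the `?WP_Post` declaration from `_getChartArray()` removes the only guard that the argument is a post object; the `is_null()` fallback on the next line still covers null, but any other non-post value now reaches the body instead of raising a TypeError. If the motivation is compatibility with PHP versions that lack nullable types (inferred, not stated in the commit message), keep the contract visible by adding `@param WP_Post|null $chart Chart post to serialise; defaults to the module's current chart.` to the docblock, whose `@param` lines sit above the hunk. The method body continues outside the hunk.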
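Review bot: In the `@@ -1139` hunk `$_GET['nonce']` is handed to `wp_verify_nonce()` unslashed and unsanitised, which the WordPress coding-standards sniff flags even though the value is only compared; the conventional form is `! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['nonce'] ) ), 'visualizer-upload-data' ) ||`. The combined condition also routes a nonce failure and a missing `edit_posts` capability through the same exit, so a reader cannot tell from the visible code which gate fired, and nothing says why a second, per-chart check follows a few lines later. A comment such as `// nonce must match the action used by wp_create_nonce() in the editor, and the caller must at least be able to edit posts; the per-chart edit_post check comes after the chart is loaded` would document the two-stage gate. uploadData() begins and ends outside the hunk.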
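Review bot: In the `@@ -1150` hunk `current_user_can( 'edit_post', $chart_id )` assumes the chart post type maps `edit_post` onto the caller's capabilities; for a CPT registered with its own `capability_type` and `map_meta_cap` setting this can resolve differently than for regular posts, so it is worth confirming against the registration of `Visualizer_Plugin::CPT_VISUALIZER`, which is not visible here. The check is correctly placed after the `post_type` comparison, so a non-chart ID is rejected before any capability lookup happens. A short comment, e.g. `// object-level check: the nonce proves intent, edit_post proves the caller may change this particular chart`, would explain why both the coarse `edit_posts` gate above and this per-chart check are needed. uploadData() continues outside the hunk.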
diff --git a/classes/Visualizer/Render/Layout.php b/classes/Visualizer/Render/Layout.php
index 8d42d6820..7018ced9f 100644
--- a/classes/Visualizer/Render/Layout.php
+++ b/classes/Visualizer/Render/Layout.php
@@ -360,7 +360,7 @@ public static function _renderSimpleEditorScreen( $args ) {
 				add_query_arg(
 					array(
 						'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
-						'nonce' => wp_create_nonce(),
+						'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 						'chart' => $chart_id,
 					),
 					admin_url( 'admin-ajax.php' )
@@ -726,7 +726,7 @@ public static function _renderTabBasic( $args ) {
 				add_query_arg(
 					array(
 						'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
-						'nonce' => wp_create_nonce(),
+						'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 						'chart' => $chart_id,
 					),
 					admin_url( 'admin-ajax.php' )
diff --git a/classes/Visualizer/Render/Page/Types.php b/classes/Visualizer/Render/Page/Types.php
index 5259b0c94..e58b3e554 100644
--- a/classes/Visualizer/Render/Page/Types.php
+++ b/classes/Visualizer/Render/Page/Types.php
@@ -39,7 +39,7 @@ class Visualizer_Render_Page_Types extends Visualizer_Render_Page {
 	 */
 	protected function _toHTML() {
 		echo '
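Review bot: The nonce action `'visualizer-upload-data'` is a bare string literal in the `@@ -360` hunk, again in the `_renderTabBasic()` hunk at line 726, in `Chart.php` where it is verified, and in the tests, so a typo in any one copy silently becomes a hard failure of the upload path rather than an error a tool can catch. Sitting directly under `Visualizer_Plugin::ACTION_UPLOAD_DATA` it reads as if it should be a sibling constant; a proposed `Visualizer_Plugin::NONCE_UPLOAD_DATA` (constructed name, pick what fits the class) used as `'nonce' => wp_create_nonce( Visualizer_Plugin::NONCE_UPLOAD_DATA ),` on the creation side and the same constant in `wp_verify_nonce()` would keep creation and verification in step. Both enclosing methods start and end outside their hunks.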
'; - echo ''; + echo ''; parent::_toHTML(); echo '
';
 	}

From f5f9c7ab34876be635458946f1c1dbfe262384fe Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Fri, 27 Feb 2026 14:56:49 +0530
Subject: [PATCH 2/2] fix: update nonce creation for import tests

---
 tests/test-import.php | 4 ++--
 tests/test-revisions.php | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/test-import.php b/tests/test-import.php
index 8a1894881..b18df0331 100644
--- a/tests/test-import.php
+++ b/tests/test-import.php
@@ -89,7 +89,7 @@ public function test_url_import( $url, $content, $series ) {
 			'remote_data' => $url,
 		);
 		$_GET = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 		);
 		// swallow the output
@@ -163,7 +163,7 @@ public function test_file_import( $file, $content, $series ) {
 			),
 		);
 		$_GET = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 		);
 		// swallow the output
diff --git a/tests/test-revisions.php b/tests/test-revisions.php
index 13422fa2c..6a05185eb 100644
--- a/tests/test-revisions.php
+++ b/tests/test-revisions.php
@@ -79,7 +79,7 @@ public function test_chart_edit_cancel( $file_orig, $file_new ) {
 			),
 		);
 		$_GET = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 			'tab' => 'type',
 		);
@@ -151,7 +151,7 @@ public function test_chart_edit_again( $file_orig, $file_new ) {
 			),
 		);
 		$_GET = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 			'tab' => 'type',
 		);
@@ -218,7 +218,7 @@ public function test_chart_edit_save( $file_orig, $file_new ) {
 			),
 		);
 		$_GET = array(
-			'nonce' => wp_create_nonce(),
+			'nonce' => wp_create_nonce( 'visualizer-upload-data' ),
 			'chart' => $this->chart,
 			'tab' => 'type',
 		);
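Review bot: The test changes in the `@@ -89` hunk, in `test_file_import` at line 163 and in the three `test-revisions.php` hunks only keep the happy path working with the action-bound nonce; none of them exercises the rejection branch the first patch adds, so a regression that drops the `current_user_can()` checks or the nonce action would go unnoticed. A companion test that sets `'nonce' => wp_create_nonce()` (no action) or runs as a user without `edit_post` on `$this->chart`, calls `uploadData()` and asserts the stored series are unchanged would pin the fix; with `VISUALIZER_DO_NOT_DIE` defined the handler returns instead of dying, which these tests presumably already rely on. The test methods start and end outside the hunks.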