From 7ccd6fed204c8152352e19080ad63e79fa41da2c Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 7 May 2026 18:00:37 +0530
Subject: [PATCH 1/2] fix: restrict database query action to admins

---
 classes/Visualizer/Module/AIBuilder.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/classes/Visualizer/Module/AIBuilder.php b/classes/Visualizer/Module/AIBuilder.php
index b5ad65e55..5e0dd2c18 100644
--- a/classes/Visualizer/Module/AIBuilder.php
+++ b/classes/Visualizer/Module/AIBuilder.php
@@ -365,6 +365,12 @@ public function uploadData(): void {
 // ── Database query ────────────────────────────────────────────────
 case 'db_query':
+ if ( ! current_user_can( 'administrator' ) ) {
+ wp_send_json_error( array( 'message' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
+ }
+ if ( ! is_super_admin() ) {
+ wp_send_json_error( array( 'message' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
+ }
 if ( empty( $_POST['db_query'] ) ) {
 wp_send_json_error( array( 'message' => __( 'No query provided.', 'visualizer' ) ) );
 }

From f681d3c3135e4c9ba61a0aba3b09fb54ac162996 Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Thu, 7 May 2026 18:44:39 +0530
Subject: [PATCH 2/2] refactor: restrict database query action to admins

---
 classes/Visualizer/Module/AIBuilder.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/classes/Visualizer/Module/AIBuilder.php b/classes/Visualizer/Module/AIBuilder.php
index 5e0dd2c18..83334c667 100644
--- a/classes/Visualizer/Module/AIBuilder.php
+++ b/classes/Visualizer/Module/AIBuilder.php
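Review bot: The `is_super_admin()` gate on the fourth added line is the wrong primitive for this check: on multisite it passes only network super admins, so an ordinary site administrator is denied `db_query` here, while on single-site WordPress it reduces to a `delete_users` capability check. PATCH 2/2 relaxes it to `! current_user_can( 'manage_options' ) && ! is_super_admin()`, which then grants the action to any single-site role holding `delete_users` even without `manage_options`. Because `current_user_can()` already returns true for network super admins on every capability except `do_not_allow`, `if ( ! current_user_can( 'manage_options' ) ) {` alone is the precise gate, and the 403 status the second patch adds belongs with it. If uploadData() does not already verify a nonce before this switch (its head lies outside the hunk), the capability check should be paired with `check_ajax_referer()` as well.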
@@ -365,11 +365,8 @@ public function uploadData(): void {
 // ── Database query ────────────────────────────────────────────────
 case 'db_query':
- if ( ! current_user_can( 'administrator' ) ) {
- wp_send_json_error( array( 'message' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
- }
- if ( ! is_super_admin() ) {
- wp_send_json_error( array( 'message' => __( 'Action not allowed for this user.', 'visualizer' ) ) );
+ if ( ! current_user_can( 'manage_options' ) && ! is_super_admin() ) {
+ wp_send_json_error( array( 'message' => __( 'Action not allowed for this user.', 'visualizer' ) ), 403 );
 }
 if ( empty( $_POST['db_query'] ) ) {
 wp_send_json_error( array( 'message' => __( 'No query provided.', 'visualizer' ) ) );