
Improve authorization on preview generation#122

Merged
sorinmarta merged 1 commit into master from improve-preview-validation on Feb 10, 2026
Merged

Improve authorization on preview generation#122
sorinmarta merged 1 commit intomasterfrom
improve-preview-validation

Conversation

@sorinmarta
Contributor

No description provided.

@sorinmarta sorinmarta added the labels "run analysis" (Run the phpcs) and "run tests" (Run the unit tests) on Feb 10, 2026
@coderabbitai

coderabbitai bot commented Feb 10, 2026

Walkthrough

Authorization checks are added to the listing preview generation feature. A new ListingAuthorization dependency is injected into the AJAX handler, constructor signatures are updated, and nonce validation is incorporated into the frontend request payload alongside error handling improvements.

Changes

Cohort / File(s) Summary
Dependency Injection
includes/frontend/class-frontend-container-configuration.php
Added ListingAuthorization as a dependency passed to GenerateListingPreviewAjaxHandler during container registration.
Authorization Logic
includes/frontend/class-generate-listing-preview-ajax-handler.php
Extended constructor to accept $authorization parameter, added try-catch wrapper for error handling, introduced is_current_user_allowed_to_preview_listing() and try_to_generate_listing_preview() methods to perform nonce and permission checks before content rendering.
Frontend AJAX Request
resources/js/frontend/save-section-controller.js
Added save_listing_information_nonce to the data payload in doGenerateListingPreviewRequest for server-side validation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Pre-merge checks: 2 passed, 1 failed

Failed checks (1 inconclusive)
  Description check: Inconclusive. No pull request description was provided by the author, making it impossible to assess relevance to the changeset. Resolution: add a description explaining why authorization improvements are needed, what specific vulnerabilities are being addressed, and how the changes mitigate them.

Passed checks (2 passed)
  Title check: Passed. The title 'Improve authorization on preview generation' clearly describes the main change across all files: adding authorization checks to the listing preview generation feature.
  Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.


No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
includes/frontend/class-generate-listing-preview-ajax-handler.php (1)

67-84: Consider verifying the nonce before fetching the listing from the database.

Currently the listing is loaded from the DB (line 69) before the nonce is checked (line 72). On forged/replayed requests, this performs an unnecessary database query. Since the nonce action string only needs the raw $listing_id, you can verify the nonce first:

Proposed reorder
     private function try_to_generate_listing_preview() {
         $listing_id = $this->request->post( 'ad_id' );
-        $listing    = $this->listings->get( $listing_id );
         $nonce      = $this->request->post( 'nonce' );
 
-        if ( ! wp_verify_nonce( $nonce, "awpcp-save-listing-information-{$listing->ID}" ) ) {
+        if ( ! wp_verify_nonce( $nonce, "awpcp-save-listing-information-{$listing_id}" ) ) {
             throw new AWPCP_Exception( esc_html__( 'You are not authorized to perform this action.', 'another-wordpress-classifieds-plugin' ) );
         }
 
+        $listing = $this->listings->get( $listing_id );
+
         if ( ! $this->is_current_user_allowed_to_preview_listing( $listing ) ) {
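Review bot: the reorder removes the only place `$listing` was dereferenced before the permission check (`$listing->ID` in the old nonce line), so a request whose `ad_id` matches no listing now reaches `is_current_user_allowed_to_preview_listing( $listing )` with whatever `$this->listings->get( $listing_id )` returns for a missing ID. Make sure that method treats a null/false listing as a denial rather than a pass, or add an explicit not-found check right after the lookup that throws the same `AWPCP_Exception`. Also consider casting `ad_id` to an integer (for example `absint( $this->request->post( 'ad_id' ) )`) before building `"awpcp-save-listing-information-{$listing_id}"`, so the nonce is verified against exactly the value the listing is then loaded by.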

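The pattern the PR introduces (nonce check, then listing lookup, then a per-listing permission check, all before any rendering) is shown below as an added example written for this page. It is not the plugin's code and does not use its classes: the action name `example_preview_listing`, the nonce action prefix `example-save-listing-information-`, the `example_listing` post type and the `example_current_user_can_preview()` / `example_render_preview()` helpers are all hypothetical. It goes slightly beyond the diff in two ways: it rejects a missing listing explicitly instead of passing it on, and it includes the server-side side of minting the nonce that the JavaScript payload carries back.

```php
<?php
/**
 * Added example, not the plugin's own code. A WordPress AJAX handler that
 * authorizes a "preview listing" request in the order the PR uses:
 * nonce first (no database work yet), then load the listing, then a real
 * permission check, then render.
 *
 * Hypothetical names: 'example_preview_listing', the nonce action prefix,
 * the 'example_listing' post type and the two example_* helpers below.
 */

// Mint the per-listing nonce when the page is rendered, so the frontend can
// post it back as 'nonce'. The listing ID is part of the action string, so a
// token issued for listing 12 cannot be replayed against listing 13.
function example_preview_nonce( $listing_id ) {
	$listing_id = absint( $listing_id );
	return wp_create_nonce( "example-save-listing-information-{$listing_id}" );
}

// Logged-in requests only: an anonymous visitor cannot own a listing here.
add_action( 'wp_ajax_example_preview_listing', 'example_preview_listing' );

function example_preview_listing() {
	// Coerce the ID once, before it is used anywhere, so the nonce is verified
	// against exactly the value the listing is later loaded by.
	$listing_id = isset( $_POST['ad_id'] ) ? absint( wp_unslash( $_POST['ad_id'] ) ) : 0;
	$nonce      = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

	// 1. Nonce first. A forged or replayed request is rejected here without a
	//    single database query having been issued.
	if ( ! $listing_id || ! wp_verify_nonce( $nonce, "example-save-listing-information-{$listing_id}" ) ) {
		wp_send_json_error( array( 'message' => esc_html__( 'You are not authorized to perform this action.', 'example' ) ), 403 );
	}

	// 2. Load the listing and fail closed on "not found" instead of handing a
	//    null object to the permission check.
	$listing = get_post( $listing_id );
	if ( ! ( $listing instanceof WP_Post ) || 'example_listing' !== $listing->post_type ) {
		wp_send_json_error( array( 'message' => esc_html__( 'Listing not found.', 'example' ) ), 404 );
	}

	// 3. Authorization proper. The nonce only proves the request came from a
	//    page WordPress rendered for this session; it is not a permission
	//    check. Ownership or a moderator capability decides.
	if ( ! example_current_user_can_preview( $listing ) ) {
		wp_send_json_error( array( 'message' => esc_html__( 'You are not authorized to perform this action.', 'example' ) ), 403 );
	}

	// 4. Only now render, and escape on the way out.
	wp_send_json_success( array( 'html' => example_render_preview( $listing ) ) );
}

// Hypothetical policy: the listing's author, or anyone who may edit others'
// posts (a stand-in for whatever moderator capability the site defines).
function example_current_user_can_preview( WP_Post $listing ) {
	if ( ! is_user_logged_in() ) {
		return false;
	}
	if ( current_user_can( 'edit_others_posts' ) ) {
		return true;
	}
	return (int) $listing->post_author === get_current_user_id();
}

// Hypothetical renderer; the point is that it runs only after both checks.
function example_render_preview( WP_Post $listing ) {
	return '<h2>' . esc_html( get_the_title( $listing ) ) . '</h2>' . wp_kses_post( $listing->post_content );
}
```

Two details worth keeping when adapting this to the plugin's own classes: `wp_verify_nonce()` is a CSRF control, not an access control, so the capability/ownership check after the lookup is the part that actually enforces "authorization on preview generation"; and the integer coercion of `ad_id` at the top is what lets the nonce action string and the database lookup agree on a single value.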

@sorinmarta sorinmarta merged commit 21ef649 into master Feb 10, 2026
12 checks passed
@sorinmarta sorinmarta deleted the improve-preview-validation branch February 10, 2026 07:05