Fix ajax call with nonce

Author: kevinverschoor

assets/js/payorder.js

@@ -43,7 +43,8 @@ function doAjaxRequest($, amount, type)
         'terminal': terminal,
         'order_id': paynl_order.order_id,
         'returnUrl': window.location.href,
-        'type': type
+        'type': type,
+        'security': paynl_order.nonce
     };
 
     $.ajax({

includes/classes/PPMFWC/Gateways.php

@@ -1207,6 +1207,16 @@ public static function ppmfwc_retourpinReturn()
      */
     public static function ppmfwc_onPinRefund()
     {
+        $security = PPMFWC_Helper_Data::getPostTextField('security');
+        check_ajax_referer($security, 'security');
+
+        // If execution reaches here, the nonce is valid.
+        if (AjaxSecurityHelper::isUserAdminAjax()) {
+            wp_send_json_success(['message' => 'Nonce valid and user is Admin!']);
+        } else {
+            wp_send_json_error(['message' => 'Unauthorized User'], 403);
+        }
+        
         try {
             $amount = PPMFWC_Helper_Data::getPostTextField('amount');
             $terminal = PPMFWC_Helper_Data::getPostTextField('terminal');

woocommerce-payment-paynl.php

@@ -457,6 +457,7 @@ function ppmfwc_setup_instore_scripts(array $terminals, $texts, $additionalData)
         array(
             'texts' => $texts,
             'terminals' => $terminals,
+            'nonce' => wp_create_nonce('ajax_nonce')
         ),
         $additionalData
     );