Merge pull request #201 from paynl/feature/ajax_nonce

woutse · web-flow · commit 7d82c19bf1fb · 2026-01-30T10:08:41.000+01:00
Fix ajax call with nonce
diff --git a/assets/js/payorder.js b/assets/js/payorder.js
@@ -43,7 +43,8 @@ function doAjaxRequest($, amount, type)
         'terminal': terminal,
         'order_id': paynl_order.order_id,
         'returnUrl': window.location.href,
-        'type': type
+        'type': type,
+        'security': paynl_order.nonce
     };
 
     $.ajax({
diff --git a/includes/classes/PPMFWC/Gateways.php b/includes/classes/PPMFWC/Gateways.php
@@ -1207,6 +1207,16 @@ public static function ppmfwc_retourpinReturn()
      */
     public static function ppmfwc_onPinRefund()
     {
+        $security = PPMFWC_Helper_Data::getPostTextField('security');
+        if ((empty($security) || !wp_verify_nonce($security, 'ajax_nonce')) || (!current_user_can('manage_woocommerce') && !current_user_can('manage_options'))) {
+            $returnArray = array(
+                'success' => false,
+                'message' => __('You do not have permission to perform this action.', PPMFWC_WOOCOMMERCE_TEXTDOMAIN),
+            );
+            header('Content-Type: application/json;charset=UTF-8');
+            die(json_encode($returnArray));
+        }
+                
         try {
             $amount = PPMFWC_Helper_Data::getPostTextField('amount');
             $terminal = PPMFWC_Helper_Data::getPostTextField('terminal');
diff --git a/woocommerce-payment-paynl.php b/woocommerce-payment-paynl.php
@@ -457,6 +457,7 @@ function ppmfwc_setup_instore_scripts(array $terminals, $texts, $additionalData)
         array(
             'texts' => $texts,
             'terminals' => $terminals,
+            'nonce' => wp_create_nonce('ajax_nonce')
         ),
         $additionalData
     );
