Merge pull request #118 from WordPress/fix/font-upload-permissions

Add capabilities and nonce checks

README.md

@@ -6,6 +6,7 @@ This plugin allows you to:
 - Embed Google Fonts in your theme
 - Embed local font assets in your theme
 
+The plugin is development only — not intended for use on production websites, but used as a tool to create new themes.
 
 ## Create Block Theme
 This feature can be used in six ways:

admin/class-embed-fonts-in-theme.php

@@ -4,8 +4,8 @@ class Embed_Fonts_In_Theme_Admin {
 
 	public function __construct() {
         add_action( 'admin_menu', [ $this, 'create_admin_menu' ] );
-		add_action( 'admin_init', [ $this, 'save_google_fonts_to_theme' ] );
-		add_action( 'admin_init', [ $this, 'save_local_fonts_to_theme' ] );
+        add_action( 'admin_init', [ $this, 'save_google_fonts_to_theme' ] );
+        add_action( 'admin_init', [ $this, 'save_local_fonts_to_theme' ] );
 	}
 
     function create_admin_menu() {
@@ -113,6 +113,7 @@ function add_type_attribute($tag, $handle, $src) {
                     </tbody>
                 </table>
                 <input type="submit" value="<?php _e('Upload local fonts to your theme', 'create-block-theme'); ?>" class="button button-primary" />
+                <input type="hidden" name="nonce" value="<?php echo wp_create_nonce( 'create_block_theme' ); ?>" />
             </form>
         </div>
 
@@ -148,13 +149,16 @@ function google_fonts_admin_page() {
 				<input type="hidden" name="font-name" id="font-name" value="" />
 				<input type="hidden" name="google-font-variants" id="google-font-variants" value="" />
 				<input type="submit" value="<?php _e('Add google fonts to your theme', 'create-block-theme'); ?>" class="button button-primary" id="google-fonts-submit" disabled=true />
+                <input type="hidden" name="nonce" value="<?php echo wp_create_nonce( 'create_block_theme' ); ?>" />
 			</form>
 		</div>
 	<?php
 	}
 
     function save_local_fonts_to_theme () {
         if (
+            current_user_can( 'edit_themes' ) &&
+            wp_verify_nonce( $_POST['nonce'], 'create_block_theme' ) &&
             ! empty( $_FILES['font-file'] ) &&
             ! empty( $_POST['font-name'] ) &&
             ! empty( $_POST['font-style'] ) && 
@@ -190,6 +194,8 @@ function save_local_fonts_to_theme () {
 
     function save_google_fonts_to_theme () {
         if (
+            current_user_can( 'edit_themes' ) &&
+            wp_verify_nonce( $_POST['nonce'], 'create_block_theme' ) &&
             ! empty( $_POST['google-font-variants'] ) &&
             ! empty( $_POST['font-name'] )
         ) {

create-block-theme.php

@@ -5,7 +5,7 @@
  * Plugin Name: Create Block Theme
  * Plugin URI: https://wordpress.org/plugins/create-block-theme
  * Description: Generates a block theme
- * Version: 1.2.1
+ * Version: 1.2.2
  * Author: WordPress.org
  * Author URI: https://wordpress.org/
  * License: GNU General Public License v2 or later

readme.txt

@@ -5,7 +5,7 @@ Donate link: https://automattic.com/
 Tags: themes, theme, block-theme
 Requires at least: 6.0
 Tested up to: 6.0
-Stable tag: 1.2.1
+Stable tag: 1.2.2
 Requires PHP: 7.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -19,6 +19,8 @@ This plugin allows you to:
 - Embed Google Fonts in your theme
 - Embed local font assets in your theme
 
+The plugin is development only — not intended for use on production websites, but used as a tool to create new themes.
+
 = Step 1 – Setup =
 Install and activate the [Create Block Theme](https://wordpress.org/plugins/create-block-theme) plugin.