Merge pull request #1313 from Codeinwp/bugfix/pro/587

vytisbulkevicius · web-flow · commit 09ed3f9d9b06 · 2026-05-19T09:47:15.000+03:00
Restricted database query action to admins
diff --git a/classes/Visualizer/Module/AIBuilder.php b/classes/Visualizer/Module/AIBuilder.php
@@ -365,6 +365,9 @@ public function uploadData(): void {
 
 			// ── Database query ────────────────────────────────────────────────
 			case 'db_query':
+				if ( ! current_user_can( 'manage_options' ) && ! is_super_admin() ) {
+					wp_send_json_error( array( 'message' => __( 'Action not allowed for this user.', 'visualizer' ) ), 403 );
+				}
 				if ( empty( $_POST['db_query'] ) ) {
 					wp_send_json_error( array( 'message' => __( 'No query provided.', 'visualizer' ) ) );
 				}

Original file line number	Diff line number	Diff line change
`@@ -365,6 +365,9 @@ public function uploadData(): void {`
`365`	`365`
`366`	`366`	`// ── Database query ────────────────────────────────────────────────`
`367`	`367`	`case 'db_query':`
	`368`	`+ if ( ! current_user_can( 'manage_options' ) && ! is_super_admin() ) {`
	`369`	`+ wp_send_json_error( array( 'message' => __( 'Action not allowed for this user.', 'visualizer' ) ), 403 );`
	`370`	`+ }`
`368`	`371`	`if ( empty( $_POST['db_query'] ) ) {`
`369`	`372`	`wp_send_json_error( array( 'message' => __( 'No query provided.', 'visualizer' ) ) );`
`370`	`373`	`}`