diff --git a/edit.js b/edit.js
index 3fcdea5..c38478e 100644
--- a/edit.js
+++ b/edit.js
@@ -6,7 +6,7 @@
var optly = new OptimizelyAPI( $( '#optimizely_token' ).val() );
if ( !! $( '#optimizely_experiment_id' ).val() ) {
- optly.get( 'experiments/' + $( '#optimizely_experiment_id' ).val(), function( response ) {
+ optly.get(f 'experiments/' + $( '#optimizely_experiment_id' ).val(), function( response ) {
optly.experiment = response;
showExperiment( optly.experiment );
});
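Review bot: The added line reads `optly.get(f 'experiments/' + …`, and that stray `f` token before the string is a syntax error that stops the whole file from parsing, so nothing in edit.js will run. Unless it is a transcription artifact, the line should be `optly.get( 'experiments/' + $( '#optimizely_experiment_id' ).val(), function( response ) {`, i.e. the pre-change text. Separately, the experiment id is concatenated straight into the request path; if the hidden field can ever hold something other than a numeric id, `encodeURIComponent( $( '#optimizely_experiment_id' ).val() )` would keep it from altering the path. The surrounding script starts before this hunk.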
@@ -56,6 +56,7 @@
var data = {
action: 'update_experiment_meta',
post_id: $( '#post_ID' ).val(),
+ optimizely_experiment_nonce: $( '#optimizely_experiment_nonce' ).val(),
optimizely_experiment_id: experiment.id,
optimizely_experiment_status: experiment.status
};
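Review bot: The new `optimizely_experiment_nonce` key is only meaningful because it matches the second argument of `check_ajax_referer()` in edit.php's `optimizely_update_experiment_meta()`, and nothing here records that coupling; renaming either side silently breaks every save with a nonce failure. A one-line comment on the added line would help: `// Key name must match the 2nd arg of check_ajax_referer() in optimizely_update_experiment_meta().` The hidden field that feeds `$( '#optimizely_experiment_nonce' ).val()` is presumably the one added in edit.php, but that hunk is cut off in this view, so I could not confirm the id matches. The function that builds this `data` object starts outside the hunk.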
diff --git a/edit.php b/edit.php
index 3b147af..0b87999 100644
--- a/edit.php
+++ b/edit.php
@@ -72,6 +72,7 @@ function optimizely_title_variations_render( $post ) {
+
@@ -128,6 +129,14 @@ function optimizely_title_variations_save( $post_id ) {
* @param int $post_id
*/
function optimizely_update_experiment_meta() {
+ // Make sure this is a valid request.
+ check_ajax_referer( OPTIMIZELY_NONCE, 'optimizely_experiment_nonce' );
+
+ // See if the current user has permissions to edit posts.
+ if ( ! current_user_can( 'edit_post', absint( $_POST['post_id'] ) ) ) {
+ die( 'You do not have permission to edit posts.' );
+ }
+
if ( isset( $_POST['post_id'] ) ) {
optimizely_title_variations_save( absint( $_POST['post_id'] ) );
}
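Review bot: The capability check at the top reads `$_POST['post_id']` before the `isset()` guard further down, so a request without a post_id raises an undefined-index notice and then calls `current_user_can( 'edit_post', 0 )`, which is an odd path to rely on; the guard should run first and the checked id should be the same one passed to `optimizely_title_variations_save()`. The `die( '...' )` also answers an AJAX caller with a 200 and a plain string, so the JS side cannot tell failure from success — `wp_send_json_error()` with a 403 gives the client something to act on. The message says "edit posts" although the check is for one specific post. The function's closing brace (and any trailing `die()`) lies past the end of the hunk.

```php
function optimizely_update_experiment_meta() {
	// Make sure this is a valid request.
	check_ajax_referer( OPTIMIZELY_NONCE, 'optimizely_experiment_nonce' );

	// Resolve the target post once, then check the capability against that exact id.
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( 'You do not have permission to edit this post.', 403 );
	}

	optimizely_title_variations_save( $post_id );
	// … unchanged: remainder of the handler …
```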