Security: enforce object ownership in customer-panel AJAX handlers

[vuckro]

Summary

Several customer-panel modal handlers (registered as wu_form actions with the
exist capability, i.e. available to any logged-in user) acted on an object
referenced by a client-supplied id/hash without verifying the caller owns it.
Sibling handlers in the same files already enforce ownership
(handle_user_add_new_domain_modal, the DNS-record handlers via
customer_can_manage_dns), so this restores a consistent check.

Because the object identifiers are not secret, any authenticated user (including
a subscriber on any sub-site) could reach another tenant's objects — a
cross-tenant (IDOR / broken access control) issue.

Changes

Adds the project's existing Site::is_customer_allowed() /
Membership::is_customer_allowed() ownership guard to:

• Domain_Mapping_Element::handle_user_delete_domain_modal (delete a domain)
• Domain_Mapping_Element::handle_user_make_domain_primary_modal
• Current_Site_Element::handle_edit_site (rename a site)
• Billing_Info_Element::handle_update_billing_address

Network admins (manage_network) are unaffected — is_customer_allowed()
returns true for them.

Compatibility

No behavior change for legitimate users acting on their own objects; the guard
only rejects cross-tenant requests. No DB or API changes.

---

Part of a small series of focused security hardening PRs. Full technical detail
is available privately to the maintainers on request (coordinated disclosure).

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Strengthened authorization checks when updating billing address information
  • Enhanced permission verification for site editing operations
  • Implemented stricter authorization controls for domain management actions

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bcaa380d-d1d7-4d34-9d26-34e2cfd75b57

📥 Commits

Reviewing files that changed from the base of the PR and between 1310078 and 8224724.

📒 Files selected for processing (3)

• inc/ui/class-billing-info-element.php
• inc/ui/class-current-site-element.php
• inc/ui/class-domain-mapping-element.php

---

📝 Walkthrough

Walkthrough

This PR adds customer authorization enforcement across three UI element handlers. A new domain-specific authorization helper is introduced for domain management, while billing and site operations receive simpler inline permission guards. All denied requests return a no-permissions JSON error before proceeding with modifications.

Changes

Customer Authorization Enforcement

Layer / File(s)	Summary
Domain authorization helper and handlers inc/ui/class-domain-mapping-element.php	New current_user_can_manage_domain() method grants network admins full access and restricts others to customers permitted by the domain's mapped site. The delete and make-primary domain handlers use this helper to reject unauthorized requests.
Billing and site handler permission guards inc/ui/class-billing-info-element.php, inc/ui/class-current-site-element.php	Authorization checks are added to handle_update_billing_address() and handle_edit_site() to verify customer permissions before processing updates. Both return a no-permissions error on failed checks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Permissions guarded, paths are tight,
Customers checked from left and right,
Domain, billing, site updates cease,
When authorization finds no peace!
A rabbit's fence keeps secure the way. 🛡️

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main security improvement: adding ownership enforcement to customer-panel AJAX handlers.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[superdav42]

LGTM! Thanks @vuckro

[superdav42]

Stuck-merge detector: PR has been merge-eligible but unmerged past the threshold

The pulse merge pass has classified PR #1370 as STUCK_OTHER and it has been sitting unmerged longer than AIDEVOPS_MERGE_STUCK_AGE_MINUTES (currently 240m). The deterministic merge gates are evaluated every cycle (~120s) and this PR has consistently failed them.

Failing checks on PR #1370

• (no FAILURE entries in rollup; check rollup manually)

Worker guidance for the next attempt

1. Read PR Security: enforce object ownership in customer-panel AJAX handlers #1370 body + the latest check run logs:

   gh pr checks 1370 --repo Ultimate-Multisite/ultimate-multisite

2. If the failing checks are environment/Setup-step (Format, Lint, Typecheck all FAIL at the same step), the canonical default branch likely has a broken lockfile or a CI infra change — fix at the base, not on this PR. Look for a sibling outage meta-issue in this repo (filed by the same detector) before forking off here.
3. If the failures are PR-specific (e.g. a Typecheck error introduced by this PR's code), rebase onto the latest default branch and address the diagnosed errors. Use full-loop-helper.sh start from the linked PR's worktree.
4. If the linked issue body lacks the worker-ready file paths and verification commands required by t1900, post a comment naming the missing context before dispatching another worker — the next attempt will burn tokens on exploration otherwise.

Why you're seeing this

Every pulse cycle (~120s) the deterministic merge pass re-evaluates open PRs. PRs that pass APPROVED + MERGEABLE but fail required checks have historically been re-evaluated silently every cycle until a human noticed. The stuck-merge detector (t3193) surfaces them after AIDEVOPS_MERGE_STUCK_AGE_MINUTES minutes idle. This comment is posted exactly once per linked issue — repeated stuck cycles will NOT spam the thread. If the PR merges and the issue is reopened later with a fresh stuck PR, the marker will allow a second comment.

_{Posted automatically by pulse-merge-stuck.sh (t3193 / GH#21895). Threshold env: AIDEVOPS_MERGE_STUCK_AGE_MINUTES=240.}

---

aidevops.sh v3.20.53 automated scan.