Contact Form: improve security of the form endpoint (#39759)

* Contact Form: improve security of the form endpoint

Ensure that submitted forms can only be accessed by logged in users with the necessary capabilities.

Reference: p9dueE-8ng-p2

Co-authored-by:	Chris Jean <[email protected]>

* changelog

---------

Co-authored-by: Chris Jean <[email protected]>

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/11323183689

Upstream-Ref: Automattic/jetpack@1a544bc

Author: jeherve

CHANGELOG.md

@@ -15,6 +15,7 @@ This is an alpha version! The changes listed here are not final.
 - Related Posts: allow Related Posts on non-post CPTs where the block is already able to be used.
 
 ### Bug fixes
+- Contact Form: ensure that submitted forms can only be accessed by logged in users allowed to view form submissions.
 - Fixed rendering of goodreads block when there is not id attribute so to not result in a PHP warning
 - General: Only include `wp-polyfill` as a script dependency when needed.
 - Newsletter: ensure `Enable featured image on your new post emails` setting displays the right value.

jetpack_vendor/automattic/jetpack-forms/CHANGELOG.md

@@ -13,6 +13,9 @@ This is an alpha version! The changes listed here are not final.
 - Only include `wp-polyfill` as a script dependency when needed.
 - Updated package dependencies.
 
+### Fixed
+- Improve security of the form endpoint
+
 ## [0.33.2] - 2024-10-07
 ### Changed
 - Updated package dependencies. [#39594]

jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-endpoint.php

@@ -22,6 +22,9 @@ class Contact_Form_Endpoint extends \WP_REST_Posts_Controller {
 	 * @return WP_Error|boolean
 	 */
 	public function get_items_permissions_check( $request ) { //phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
+		if ( ! current_user_can( 'edit_pages' ) ) {
+			return false;
+		}
 		if ( ! is_user_member_of_blog( get_current_user_id(), get_current_blog_id() ) ) {
 			return new WP_Error(
 				'rest_cannot_view',
@@ -40,6 +43,9 @@ public function get_items_permissions_check( $request ) { //phpcs:ignore Variabl
 	 * @return WP_Error|boolean
 	 */
 	public function get_item_permissions_check( $request ) { //phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
+		if ( ! current_user_can( 'edit_pages' ) ) {
+			return false;
+		}
 		if ( ! is_user_member_of_blog( get_current_user_id(), get_current_blog_id() ) ) {
 			return new WP_Error(
 				'rest_cannot_view',

jetpack_vendor/i18n-map.php

@@ -50,7 +50,7 @@
     ),
     'jetpack-forms' => array(
       'path' => 'jetpack_vendor/automattic/jetpack-forms',
-      'ver' => '0.33.3-alpha1728575216',
+      'ver' => '0.33.3-alpha1728892143',
     ),
     'jetpack-image-cdn' => array(
       'path' => 'jetpack_vendor/automattic/jetpack-image-cdn',