FileMaster
Search
Toggle Dark Mode
Home
/
.
/
kiara
/
wp-content
/
plugins
/
woocommerce
/
src
/
StoreApi
/
Utilities
Edit File: OrderAuthorizationTrait.php
<?php namespace Automattic\WooCommerce\StoreApi\Utilities; use Automattic\WooCommerce\StoreApi\Exceptions\RouteException; /** * OrderAuthorizationTrait * * Shared functionality for getting order authorization. */ trait OrderAuthorizationTrait { /** * Check if authorized to get the order. * * @throws RouteException If the order is not found or the order key is invalid. * * @param \WP_REST_Request $request Request object. * @return boolean|\WP_Error */ public function is_authorized( \WP_REST_Request $request ) { $order_id = absint( $request['id'] ); $order_key = sanitize_text_field( wp_unslash( $request->get_param( 'key' ) ) ); $billing_email = sanitize_text_field( wp_unslash( $request->get_param( 'billing_email' ) ) ); try { $order = wc_get_order( $order_id ); if ( ! $order ) { throw new RouteException( 'woocommerce_rest_invalid_order', __( 'Invalid order ID.', 'woocommerce' ), 404 ); } $order_customer_id = $order->get_customer_id(); // If the order belongs to a registered customer, check if the current user is the owner. if ( $order_customer_id ) { // If current user is the order owner, allow access, otherwise reject with an error. if ( get_current_user_id() === $order_customer_id ) { return true; } else { throw new RouteException( 'woocommerce_rest_invalid_user', __( 'This order belongs to a different customer.', 'woocommerce' ), 403 ); } } // Guest order: require order key and billing email validation for all visitors (logged-in or not). $this->order_controller->validate_order_key( $order_id, $order_key ); $this->validate_billing_email_matches_order( $order_id, $billing_email ); } catch ( RouteException $error ) { return new \WP_Error( $error->getErrorCode(), $error->getMessage(), array( 'status' => $error->getCode() ) ); } return true; } /** * Validate a given billing email against an existing order. * * @throws RouteException Exception if invalid data is detected. * @param integer $order_id Order ID. * @param string $billing_email Billing email. */ public function validate_billing_email_matches_order( $order_id, $billing_email ) { $order = wc_get_order( $order_id ); if ( ! $order ) { throw new RouteException( 'woocommerce_rest_invalid_order', __( 'Invalid order ID.', 'woocommerce' ), 404 ); } $order_billing_email = $order->get_billing_email(); // If the order doesn't have an email, then allowing an empty billing_email param is acceptable. It will still be compared to order email below. if ( ! $billing_email && ! empty( $order_billing_email ) ) { throw new RouteException( 'woocommerce_rest_invalid_billing_email', __( 'No billing email provided.', 'woocommerce' ), 401 ); } // For Store API authorization, the provided billing email must exactly match the order's billing email. We use // direct comparison rather than Users::should_user_verify_order_email() because that function has a grace // period for newly created orders which is inappropriate for use when querying orders on the API. if ( 0 !== strcasecmp( $order_billing_email, $billing_email ) ) { throw new RouteException( 'woocommerce_rest_invalid_billing_email', __( 'Invalid billing email provided.', 'woocommerce' ), 401 ); } } }
Save
Back