AgenticCheckoutUtils.php
4 months ago
ArrayUtils.php
2 years ago
CartController.php
1 month ago
CartTokenUtils.php
1 year ago
CheckoutTrait.php
1 month ago
DraftOrderTrait.php
1 year ago
JsonWebToken.php
11 months ago
LocalPickupUtils.php
5 months ago
NoticeHandler.php
1 year ago
OrderAuthorizationTrait.php
6 months ago
OrderController.php
1 month ago
Pagination.php
2 years ago
PaymentUtils.php
1 year ago
ProductItemTrait.php
1 month ago
ProductLinksTrait.php
3 months ago
ProductQuery.php
2 months ago
ProductQueryFilters.php
11 months ago
QuantityLimits.php
11 months ago
RateLimits.php
1 year ago
SanitizationUtils.php
2 years ago
ValidationUtils.php
2 years ago
OrderAuthorizationTrait.php
87 lines
| 1 | <?php |
| 2 | namespace Automattic\WooCommerce\StoreApi\Utilities; |
| 3 | |
| 4 | use Automattic\WooCommerce\StoreApi\Exceptions\RouteException; |
| 5 | |
| 6 | /** |
| 7 | * OrderAuthorizationTrait |
| 8 | * |
| 9 | * Shared functionality for getting order authorization. |
| 10 | */ |
| 11 | trait OrderAuthorizationTrait { |
| 12 | /** |
| 13 | * Check if authorized to get the order. |
| 14 | * |
| 15 | * @throws RouteException If the order is not found or the order key is invalid. |
| 16 | * |
| 17 | * @param \WP_REST_Request $request Request object. |
| 18 | * @return boolean|\WP_Error |
| 19 | */ |
| 20 | public function is_authorized( \WP_REST_Request $request ) { |
| 21 | $order_id = absint( $request['id'] ); |
| 22 | $order_key = sanitize_text_field( wp_unslash( $request->get_param( 'key' ) ) ); |
| 23 | $billing_email = sanitize_text_field( wp_unslash( $request->get_param( 'billing_email' ) ) ); |
| 24 | |
| 25 | try { |
| 26 | $order = wc_get_order( $order_id ); |
| 27 | |
| 28 | if ( ! $order ) { |
| 29 | throw new RouteException( 'woocommerce_rest_invalid_order', esc_html__( 'Invalid order ID.', 'woocommerce' ), 404 ); |
| 30 | } |
| 31 | |
| 32 | $order_customer_id = $order->get_customer_id(); |
| 33 | |
| 34 | // If the order belongs to a registered customer, check if the current user is the owner. |
| 35 | if ( $order_customer_id ) { |
| 36 | // If current user is the order owner, allow access, otherwise reject with an error. |
| 37 | if ( get_current_user_id() === $order_customer_id ) { |
| 38 | return true; |
| 39 | } else { |
| 40 | throw new RouteException( 'woocommerce_rest_invalid_user', esc_html__( 'This order belongs to a different customer.', 'woocommerce' ), 403 ); |
| 41 | } |
| 42 | } |
| 43 | |
| 44 | // Guest order: require order key and billing email validation for all visitors (logged-in or not). |
| 45 | $this->order_controller->validate_order_key( $order_id, $order_key ); |
| 46 | $this->validate_billing_email_matches_order( $order_id, $billing_email ); |
| 47 | } catch ( RouteException $error ) { |
| 48 | return new \WP_Error( |
| 49 | $error->getErrorCode(), |
| 50 | $error->getMessage(), |
| 51 | array( 'status' => $error->getCode() ) |
| 52 | ); |
| 53 | } |
| 54 | |
| 55 | return true; |
| 56 | } |
| 57 | |
| 58 | /** |
| 59 | * Validate a given billing email against an existing order. |
| 60 | * |
| 61 | * @throws RouteException Exception if invalid data is detected. |
| 62 | * @param integer $order_id Order ID. |
| 63 | * @param string $billing_email Billing email. |
| 64 | */ |
| 65 | public function validate_billing_email_matches_order( $order_id, $billing_email ) { |
| 66 | $order = wc_get_order( $order_id ); |
| 67 | |
| 68 | if ( ! $order ) { |
| 69 | throw new RouteException( 'woocommerce_rest_invalid_order', esc_html__( 'Invalid order ID.', 'woocommerce' ), 404 ); |
| 70 | } |
| 71 | |
| 72 | $order_billing_email = $order->get_billing_email(); |
| 73 | |
| 74 | // If the order doesn't have an email, then allowing an empty billing_email param is acceptable. It will still be compared to order email below. |
| 75 | if ( ! $billing_email && ! empty( $order_billing_email ) ) { |
| 76 | throw new RouteException( 'woocommerce_rest_invalid_billing_email', esc_html__( 'No billing email provided.', 'woocommerce' ), 401 ); |
| 77 | } |
| 78 | |
| 79 | // For Store API authorization, the provided billing email must exactly match the order's billing email. We use |
| 80 | // direct comparison rather than Users::should_user_verify_order_email() because that function has a grace |
| 81 | // period for newly created orders which is inappropriate for use when querying orders on the API. |
| 82 | if ( 0 !== strcasecmp( $order_billing_email, $billing_email ) ) { |
| 83 | throw new RouteException( 'woocommerce_rest_invalid_billing_email', esc_html__( 'Invalid billing email provided.', 'woocommerce' ), 401 ); |
| 84 | } |
| 85 | } |
| 86 | } |
| 87 |