class-wc-ajax.php — WooCommerce 5.0.0

woocommerce / includes / class-wc-ajax.php

woocommerce / includes Last commit date

class-wc-ajax.php

3006 lines

1	<?php
2	/**
3	* WooCommerce WC_AJAX. AJAX Event Handlers.
4	*
5	* @class WC_AJAX
6	* @package WooCommerce\Classes
7	*/
8
9	use Automattic\Jetpack\Constants;
10	use Automattic\WooCommerce\Utilities\NumberUtil;
11
12	defined( 'ABSPATH' ) \|\| exit;
13
14	/**
15	* WC_Ajax class.
16	*/
17	class WC_AJAX {
18
19	/**
20	* Hook in ajax handlers.
21	*/
22	public static function init() {
23	add_action( 'init', array( __CLASS__, 'define_ajax' ), 0 );
24	add_action( 'template_redirect', array( __CLASS__, 'do_wc_ajax' ), 0 );
25	self::add_ajax_events();
26	}
27
28	/**
29	* Get WC Ajax Endpoint.
30	*
31	* @param string $request Optional.
32	*
33	* @return string
34	*/
35	public static function get_endpoint( $request = '' ) {
36	return esc_url_raw( apply_filters( 'woocommerce_ajax_get_endpoint', add_query_arg( 'wc-ajax', $request, remove_query_arg( array( 'remove_item', 'add-to-cart', 'added-to-cart', 'order_again', '_wpnonce' ), home_url( '/', 'relative' ) ) ), $request ) );
37	}
38
39	/**
40	* Set WC AJAX constant and headers.
41	*/
42	public static function define_ajax() {
43	// phpcs:disable
44	if ( ! empty( $_GET['wc-ajax'] ) ) {
45	wc_maybe_define_constant( 'DOING_AJAX', true );
46	wc_maybe_define_constant( 'WC_DOING_AJAX', true );
47	if ( ! WP_DEBUG \|\| ( WP_DEBUG && ! WP_DEBUG_DISPLAY ) ) {
48	@ini_set( 'display_errors', 0 ); // Turn off display_errors during AJAX events to prevent malformed JSON.
49	}
50	$GLOBALS['wpdb']->hide_errors();
51	}
52	// phpcs:enable
53	}
54
55	/**
56	* Send headers for WC Ajax Requests.
57	*
58	* @since 2.5.0
59	*/
60	private static function wc_ajax_headers() {
61	if ( ! headers_sent() ) {
62	send_origin_headers();
63	send_nosniff_header();
64	wc_nocache_headers();
65	header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
66	header( 'X-Robots-Tag: noindex' );
67	status_header( 200 );
68	} elseif ( Constants::is_true( 'WP_DEBUG' ) ) {
69	headers_sent( $file, $line );
70	trigger_error( "wc_ajax_headers cannot set headers - headers already sent by {$file} on line {$line}", E_USER_NOTICE ); // @codingStandardsIgnoreLine
71	}
72	}
73
74	/**
75	* Check for WC Ajax request and fire action.
76	*/
77	public static function do_wc_ajax() {
78	global $wp_query;
79
80	// phpcs:disable WordPress.Security.NonceVerification.Recommended
81	if ( ! empty( $_GET['wc-ajax'] ) ) {
82	$wp_query->set( 'wc-ajax', sanitize_text_field( wp_unslash( $_GET['wc-ajax'] ) ) );
83	}
84
85	$action = $wp_query->get( 'wc-ajax' );
86
87	if ( $action ) {
88	self::wc_ajax_headers();
89	$action = sanitize_text_field( $action );
90	do_action( 'wc_ajax_' . $action );
91	wp_die();
92	}
93	// phpcs:enable
94	}
95
96	/**
97	* Hook in methods - uses WordPress ajax handlers (admin-ajax).
98	*/
99	public static function add_ajax_events() {
100	$ajax_events_nopriv = array(
101	'get_refreshed_fragments',
102	'apply_coupon',
103	'remove_coupon',
104	'update_shipping_method',
105	'get_cart_totals',
106	'update_order_review',
107	'add_to_cart',
108	'remove_from_cart',
109	'checkout',
110	'get_variation',
111	'get_customer_location',
112	);
113
114	foreach ( $ajax_events_nopriv as $ajax_event ) {
115	add_action( 'wp_ajax_woocommerce_' . $ajax_event, array( __CLASS__, $ajax_event ) );
116	add_action( 'wp_ajax_nopriv_woocommerce_' . $ajax_event, array( __CLASS__, $ajax_event ) );
117
118	// WC AJAX can be used for frontend ajax requests.
119	add_action( 'wc_ajax_' . $ajax_event, array( __CLASS__, $ajax_event ) );
120	}
121
122	$ajax_events = array(
123	'feature_product',
124	'mark_order_status',
125	'get_order_details',
126	'add_attribute',
127	'add_new_attribute',
128	'remove_variation',
129	'remove_variations',
130	'save_attributes',
131	'add_variation',
132	'link_all_variations',
133	'revoke_access_to_download',
134	'grant_access_to_download',
135	'get_customer_details',
136	'add_order_item',
137	'add_order_fee',
138	'add_order_shipping',
139	'add_order_tax',
140	'add_coupon_discount',
141	'remove_order_coupon',
142	'remove_order_item',
143	'remove_order_tax',
144	'reduce_order_item_stock',
145	'increase_order_item_stock',
146	'add_order_item_meta',
147	'remove_order_item_meta',
148	'calc_line_taxes',
149	'save_order_items',
150	'load_order_items',
151	'add_order_note',
152	'delete_order_note',
153	'json_search_products',
154	'json_search_products_and_variations',
155	'json_search_downloadable_products_and_variations',
156	'json_search_customers',
157	'json_search_categories',
158	'term_ordering',
159	'product_ordering',
160	'refund_line_items',
161	'delete_refund',
162	'rated',
163	'update_api_key',
164	'load_variations',
165	'save_variations',
166	'bulk_edit_variations',
167	'tax_rates_save_changes',
168	'shipping_zones_save_changes',
169	'shipping_zone_add_method',
170	'shipping_zone_methods_save_changes',
171	'shipping_zone_methods_save_settings',
172	'shipping_classes_save_changes',
173	'toggle_gateway_enabled',
174	);
175
176	foreach ( $ajax_events as $ajax_event ) {
177	add_action( 'wp_ajax_woocommerce_' . $ajax_event, array( __CLASS__, $ajax_event ) );
178	}
179	}
180
181	/**
182	* Get a refreshed cart fragment, including the mini cart HTML.
183	*/
184	public static function get_refreshed_fragments() {
185	ob_start();
186
187	woocommerce_mini_cart();
188
189	$mini_cart = ob_get_clean();
190
191	$data = array(
192	'fragments' => apply_filters(
193	'woocommerce_add_to_cart_fragments',
194	array(
195	'div.widget_shopping_cart_content' => '<div class="widget_shopping_cart_content">' . $mini_cart . '</div>',
196	)
197	),
198	'cart_hash' => WC()->cart->get_cart_hash(),
199	);
200
201	wp_send_json( $data );
202	}
203
204	/**
205	* AJAX apply coupon on checkout page.
206	*/
207	public static function apply_coupon() {
208
209	check_ajax_referer( 'apply-coupon', 'security' );
210
211	if ( ! empty( $_POST['coupon_code'] ) ) {
212	WC()->cart->add_discount( wc_format_coupon_code( wp_unslash( $_POST['coupon_code'] ) ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
213	} else {
214	wc_add_notice( WC_Coupon::get_generic_coupon_error( WC_Coupon::E_WC_COUPON_PLEASE_ENTER ), 'error' );
215	}
216
217	wc_print_notices();
218	wp_die();
219	}
220
221	/**
222	* AJAX remove coupon on cart and checkout page.
223	*/
224	public static function remove_coupon() {
225	check_ajax_referer( 'remove-coupon', 'security' );
226
227	$coupon = isset( $_POST['coupon'] ) ? wc_format_coupon_code( wp_unslash( $_POST['coupon'] ) ) : false; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
228
229	if ( empty( $coupon ) ) {
230	wc_add_notice( __( 'Sorry there was a problem removing this coupon.', 'woocommerce' ), 'error' );
231	} else {
232	WC()->cart->remove_coupon( $coupon );
233	wc_add_notice( __( 'Coupon has been removed.', 'woocommerce' ) );
234	}
235
236	wc_print_notices();
237	wp_die();
238	}
239
240	/**
241	* AJAX update shipping method on cart page.
242	*/
243	public static function update_shipping_method() {
244	check_ajax_referer( 'update-shipping-method', 'security' );
245
246	wc_maybe_define_constant( 'WOOCOMMERCE_CART', true );
247
248	$chosen_shipping_methods = WC()->session->get( 'chosen_shipping_methods' );
249	$posted_shipping_methods = isset( $_POST['shipping_method'] ) ? wc_clean( wp_unslash( $_POST['shipping_method'] ) ) : array();
250
251	if ( is_array( $posted_shipping_methods ) ) {
252	foreach ( $posted_shipping_methods as $i => $value ) {
253	$chosen_shipping_methods[ $i ] = $value;
254	}
255	}
256
257	WC()->session->set( 'chosen_shipping_methods', $chosen_shipping_methods );
258
259	self::get_cart_totals();
260	}
261
262	/**
263	* AJAX receive updated cart_totals div.
264	*/
265	public static function get_cart_totals() {
266	wc_maybe_define_constant( 'WOOCOMMERCE_CART', true );
267	WC()->cart->calculate_totals();
268	woocommerce_cart_totals();
269	wp_die();
270	}
271
272	/**
273	* Session has expired.
274	*/
275	private static function update_order_review_expired() {
276	wp_send_json(
277	array(
278	'fragments' => apply_filters(
279	'woocommerce_update_order_review_fragments',
280	array(
281	'form.woocommerce-checkout' => '<div class="woocommerce-error">' . __( 'Sorry, your session has expired.', 'woocommerce' ) . ' <a href="' . esc_url( wc_get_page_permalink( 'shop' ) ) . '" class="wc-backward">' . __( 'Return to shop', 'woocommerce' ) . '</a></div>',
282	)
283	),
284	)
285	);
286	}
287
288	/**
289	* AJAX update order review on checkout.
290	*/
291	public static function update_order_review() {
292	check_ajax_referer( 'update-order-review', 'security' );
293
294	wc_maybe_define_constant( 'WOOCOMMERCE_CHECKOUT', true );
295
296	if ( WC()->cart->is_empty() && ! is_customize_preview() && apply_filters( 'woocommerce_checkout_update_order_review_expired', true ) ) {
297	self::update_order_review_expired();
298	}
299
300	do_action( 'woocommerce_checkout_update_order_review', isset( $_POST['post_data'] ) ? wp_unslash( $_POST['post_data'] ) : '' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
301
302	$chosen_shipping_methods = WC()->session->get( 'chosen_shipping_methods' );
303	$posted_shipping_methods = isset( $_POST['shipping_method'] ) ? wc_clean( wp_unslash( $_POST['shipping_method'] ) ) : array();
304
305	if ( is_array( $posted_shipping_methods ) ) {
306	foreach ( $posted_shipping_methods as $i => $value ) {
307	$chosen_shipping_methods[ $i ] = $value;
308	}
309	}
310
311	WC()->session->set( 'chosen_shipping_methods', $chosen_shipping_methods );
312	WC()->session->set( 'chosen_payment_method', empty( $_POST['payment_method'] ) ? '' : wc_clean( wp_unslash( $_POST['payment_method'] ) ) );
313	WC()->customer->set_props(
314	array(
315	'billing_country' => isset( $_POST['country'] ) ? wc_clean( wp_unslash( $_POST['country'] ) ) : null,
316	'billing_state' => isset( $_POST['state'] ) ? wc_clean( wp_unslash( $_POST['state'] ) ) : null,
317	'billing_postcode' => isset( $_POST['postcode'] ) ? wc_clean( wp_unslash( $_POST['postcode'] ) ) : null,
318	'billing_city' => isset( $_POST['city'] ) ? wc_clean( wp_unslash( $_POST['city'] ) ) : null,
319	'billing_address_1' => isset( $_POST['address'] ) ? wc_clean( wp_unslash( $_POST['address'] ) ) : null,
320	'billing_address_2' => isset( $_POST['address_2'] ) ? wc_clean( wp_unslash( $_POST['address_2'] ) ) : null,
321	)
322	);
323
324	if ( wc_ship_to_billing_address_only() ) {
325	WC()->customer->set_props(
326	array(
327	'shipping_country' => isset( $_POST['country'] ) ? wc_clean( wp_unslash( $_POST['country'] ) ) : null,
328	'shipping_state' => isset( $_POST['state'] ) ? wc_clean( wp_unslash( $_POST['state'] ) ) : null,
329	'shipping_postcode' => isset( $_POST['postcode'] ) ? wc_clean( wp_unslash( $_POST['postcode'] ) ) : null,
330	'shipping_city' => isset( $_POST['city'] ) ? wc_clean( wp_unslash( $_POST['city'] ) ) : null,
331	'shipping_address_1' => isset( $_POST['address'] ) ? wc_clean( wp_unslash( $_POST['address'] ) ) : null,
332	'shipping_address_2' => isset( $_POST['address_2'] ) ? wc_clean( wp_unslash( $_POST['address_2'] ) ) : null,
333	)
334	);
335	} else {
336	WC()->customer->set_props(
337	array(
338	'shipping_country' => isset( $_POST['s_country'] ) ? wc_clean( wp_unslash( $_POST['s_country'] ) ) : null,
339	'shipping_state' => isset( $_POST['s_state'] ) ? wc_clean( wp_unslash( $_POST['s_state'] ) ) : null,
340	'shipping_postcode' => isset( $_POST['s_postcode'] ) ? wc_clean( wp_unslash( $_POST['s_postcode'] ) ) : null,
341	'shipping_city' => isset( $_POST['s_city'] ) ? wc_clean( wp_unslash( $_POST['s_city'] ) ) : null,
342	'shipping_address_1' => isset( $_POST['s_address'] ) ? wc_clean( wp_unslash( $_POST['s_address'] ) ) : null,
343	'shipping_address_2' => isset( $_POST['s_address_2'] ) ? wc_clean( wp_unslash( $_POST['s_address_2'] ) ) : null,
344	)
345	);
346	}
347
348	if ( isset( $_POST['has_full_address'] ) && wc_string_to_bool( wc_clean( wp_unslash( $_POST['has_full_address'] ) ) ) ) {
349	WC()->customer->set_calculated_shipping( true );
350	} else {
351	WC()->customer->set_calculated_shipping( false );
352	}
353
354	WC()->customer->save();
355
356	// Calculate shipping before totals. This will ensure any shipping methods that affect things like taxes are chosen prior to final totals being calculated. Ref: #22708.
357	WC()->cart->calculate_shipping();
358	WC()->cart->calculate_totals();
359
360	// Get order review fragment.
361	ob_start();
362	woocommerce_order_review();
363	$woocommerce_order_review = ob_get_clean();
364
365	// Get checkout payment fragment.
366	ob_start();
367	woocommerce_checkout_payment();
368	$woocommerce_checkout_payment = ob_get_clean();
369
370	// Get messages if reload checkout is not true.
371	$reload_checkout = isset( WC()->session->reload_checkout );
372	if ( ! $reload_checkout ) {
373	$messages = wc_print_notices( true );
374	} else {
375	$messages = '';
376	}
377
378	unset( WC()->session->refresh_totals, WC()->session->reload_checkout );
379
380	wp_send_json(
381	array(
382	'result' => empty( $messages ) ? 'success' : 'failure',
383	'messages' => $messages,
384	'reload' => $reload_checkout,
385	'fragments' => apply_filters(
386	'woocommerce_update_order_review_fragments',
387	array(
388	'.woocommerce-checkout-review-order-table' => $woocommerce_order_review,
389	'.woocommerce-checkout-payment' => $woocommerce_checkout_payment,
390	)
391	),
392	)
393	);
394	}
395
396	/**
397	* AJAX add to cart.
398	*/
399	public static function add_to_cart() {
400	ob_start();
401
402	// phpcs:disable WordPress.Security.NonceVerification.Missing
403	if ( ! isset( $_POST['product_id'] ) ) {
404	return;
405	}
406
407	$product_id = apply_filters( 'woocommerce_add_to_cart_product_id', absint( $_POST['product_id'] ) );
408	$product = wc_get_product( $product_id );
409	$quantity = empty( $_POST['quantity'] ) ? 1 : wc_stock_amount( wp_unslash( $_POST['quantity'] ) );
410	$passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity );
411	$product_status = get_post_status( $product_id );
412	$variation_id = 0;
413	$variation = array();
414
415	if ( $product && 'variation' === $product->get_type() ) {
416	$variation_id = $product_id;
417	$product_id = $product->get_parent_id();
418	$variation = $product->get_variation_attributes();
419	}
420
421	if ( $passed_validation && false !== WC()->cart->add_to_cart( $product_id, $quantity, $variation_id, $variation ) && 'publish' === $product_status ) {
422
423	do_action( 'woocommerce_ajax_added_to_cart', $product_id );
424
425	if ( 'yes' === get_option( 'woocommerce_cart_redirect_after_add' ) ) {
426	wc_add_to_cart_message( array( $product_id => $quantity ), true );
427	}
428
429	self::get_refreshed_fragments();
430
431	} else {
432
433	// If there was an error adding to the cart, redirect to the product page to show any errors.
434	$data = array(
435	'error' => true,
436	'product_url' => apply_filters( 'woocommerce_cart_redirect_after_error', get_permalink( $product_id ), $product_id ),
437	);
438
439	wp_send_json( $data );
440	}
441	// phpcs:enable
442	}
443
444	/**
445	* AJAX remove from cart.
446	*/
447	public static function remove_from_cart() {
448	ob_start();
449
450	// phpcs:ignore WordPress.Security.NonceVerification.Missing
451	$cart_item_key = wc_clean( isset( $_POST['cart_item_key'] ) ? wp_unslash( $_POST['cart_item_key'] ) : '' );
452
453	if ( $cart_item_key && false !== WC()->cart->remove_cart_item( $cart_item_key ) ) {
454	self::get_refreshed_fragments();
455	} else {
456	wp_send_json_error();
457	}
458	}
459
460	/**
461	* Process ajax checkout form.
462	*/
463	public static function checkout() {
464	wc_maybe_define_constant( 'WOOCOMMERCE_CHECKOUT', true );
465	WC()->checkout()->process_checkout();
466	wp_die( 0 );
467	}
468
469	/**
470	* Get a matching variation based on posted attributes.
471	*/
472	public static function get_variation() {
473	ob_start();
474
475	// phpcs:disable WordPress.Security.NonceVerification.Missing
476	if ( empty( $_POST['product_id'] ) ) {
477	wp_die();
478	}
479
480	$variable_product = wc_get_product( absint( $_POST['product_id'] ) );
481
482	if ( ! $variable_product ) {
483	wp_die();
484	}
485
486	$data_store = WC_Data_Store::load( 'product' );
487	$variation_id = $data_store->find_matching_product_variation( $variable_product, wp_unslash( $_POST ) );
488	$variation = $variation_id ? $variable_product->get_available_variation( $variation_id ) : false;
489	wp_send_json( $variation );
490	// phpcs:enable
491	}
492
493	/**
494	* Locate user via AJAX.
495	*/
496	public static function get_customer_location() {
497	$location_hash = WC_Cache_Helper::geolocation_ajax_get_location_hash();
498	wp_send_json_success( array( 'hash' => $location_hash ) );
499	}
500
501	/**
502	* Toggle Featured status of a product from admin.
503	*/
504	public static function feature_product() {
505	if ( current_user_can( 'edit_products' ) && check_admin_referer( 'woocommerce-feature-product' ) && isset( $_GET['product_id'] ) ) {
506	$product = wc_get_product( absint( $_GET['product_id'] ) );
507
508	if ( $product ) {
509	$product->set_featured( ! $product->get_featured() );
510	$product->save();
511	}
512	}
513
514	wp_safe_redirect( wp_get_referer() ? remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'ids' ), wp_get_referer() ) : admin_url( 'edit.php?post_type=product' ) );
515	exit;
516	}
517
518	/**
519	* Mark an order with a status.
520	*/
521	public static function mark_order_status() {
522	if ( current_user_can( 'edit_shop_orders' ) && check_admin_referer( 'woocommerce-mark-order-status' ) && isset( $_GET['status'], $_GET['order_id'] ) ) {
523	$status = sanitize_text_field( wp_unslash( $_GET['status'] ) );
524	$order = wc_get_order( absint( wp_unslash( $_GET['order_id'] ) ) );
525
526	if ( wc_is_order_status( 'wc-' . $status ) && $order ) {
527	// Initialize payment gateways in case order has hooked status transition actions.
528	WC()->payment_gateways();
529
530	$order->update_status( $status, '', true );
531	do_action( 'woocommerce_order_edit_status', $order->get_id(), $status );
532	}
533	}
534
535	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url( 'edit.php?post_type=shop_order' ) );
536	exit;
537	}
538
539	/**
540	* Get order details.
541	*/
542	public static function get_order_details() {
543	check_admin_referer( 'woocommerce-preview-order', 'security' );
544
545	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_GET['order_id'] ) ) {
546	wp_die( -1 );
547	}
548
549	$order = wc_get_order( absint( $_GET['order_id'] ) );
550
551	if ( $order ) {
552	include_once __DIR__ . '/admin/list-tables/class-wc-admin-list-table-orders.php';
553
554	wp_send_json_success( WC_Admin_List_Table_Orders::order_preview_get_order_details( $order ) );
555	}
556	wp_die();
557	}
558
559	/**
560	* Add an attribute row.
561	*/
562	public static function add_attribute() {
563	ob_start();
564
565	check_ajax_referer( 'add-attribute', 'security' );
566
567	if ( ! current_user_can( 'edit_products' ) \|\| ! isset( $_POST['taxonomy'], $_POST['i'] ) ) {
568	wp_die( -1 );
569	}
570
571	$i = absint( $_POST['i'] );
572	$metabox_class = array();
573	$attribute = new WC_Product_Attribute();
574
575	$attribute->set_id( wc_attribute_taxonomy_id_by_name( sanitize_text_field( wp_unslash( $_POST['taxonomy'] ) ) ) );
576	$attribute->set_name( sanitize_text_field( wp_unslash( $_POST['taxonomy'] ) ) );
577	$attribute->set_visible( apply_filters( 'woocommerce_attribute_default_visibility', 1 ) );
578	$attribute->set_variation( apply_filters( 'woocommerce_attribute_default_is_variation', 0 ) );
579
580	if ( $attribute->is_taxonomy() ) {
581	$metabox_class[] = 'taxonomy';
582	$metabox_class[] = $attribute->get_name();
583	}
584
585	include __DIR__ . '/admin/meta-boxes/views/html-product-attribute.php';
586	wp_die();
587	}
588
589	/**
590	* Add a new attribute via ajax function.
591	*/
592	public static function add_new_attribute() {
593	check_ajax_referer( 'add-attribute', 'security' );
594
595	if ( current_user_can( 'manage_product_terms' ) && isset( $_POST['taxonomy'], $_POST['term'] ) ) {
596	$taxonomy = esc_attr( wp_unslash( $_POST['taxonomy'] ) ); // phpcs:ignore
597	$term = wc_clean( wp_unslash( $_POST['term'] ) );
598
599	if ( taxonomy_exists( $taxonomy ) ) {
600
601	$result = wp_insert_term( $term, $taxonomy );
602
603	if ( is_wp_error( $result ) ) {
604	wp_send_json(
605	array(
606	'error' => $result->get_error_message(),
607	)
608	);
609	} else {
610	$term = get_term_by( 'id', $result['term_id'], $taxonomy );
611	wp_send_json(
612	array(
613	'term_id' => $term->term_id,
614	'name' => $term->name,
615	'slug' => $term->slug,
616	)
617	);
618	}
619	}
620	}
621	wp_die( -1 );
622	}
623
624	/**
625	* Delete variations via ajax function.
626	*/
627	public static function remove_variations() {
628	check_ajax_referer( 'delete-variations', 'security' );
629
630	if ( current_user_can( 'edit_products' ) && isset( $_POST['variation_ids'] ) ) {
631	$variation_ids = array_map( 'absint', (array) wp_unslash( $_POST['variation_ids'] ) );
632
633	foreach ( $variation_ids as $variation_id ) {
634	if ( 'product_variation' === get_post_type( $variation_id ) ) {
635	$variation = wc_get_product( $variation_id );
636	$variation->delete( true );
637	}
638	}
639	}
640
641	wp_die( -1 );
642	}
643
644	/**
645	* Save attributes via ajax.
646	*/
647	public static function save_attributes() {
648	check_ajax_referer( 'save-attributes', 'security' );
649
650	if ( ! current_user_can( 'edit_products' ) \|\| ! isset( $_POST['data'], $_POST['post_id'] ) ) {
651	wp_die( -1 );
652	}
653
654	$response = array();
655
656	try {
657	parse_str( wp_unslash( $_POST['data'] ), $data ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
658
659	$attributes = WC_Meta_Box_Product_Data::prepare_attributes( $data );
660	$product_id = absint( wp_unslash( $_POST['post_id'] ) );
661	$product_type = ! empty( $_POST['product_type'] ) ? wc_clean( wp_unslash( $_POST['product_type'] ) ) : 'simple';
662	$classname = WC_Product_Factory::get_product_classname( $product_id, $product_type );
663	$product = new $classname( $product_id );
664
665	$product->set_attributes( $attributes );
666	$product->save();
667
668	ob_start();
669	$attributes = $product->get_attributes( 'edit' );
670	$i = -1;
671	if ( ! empty( $data['attribute_names'] ) ) {
672	foreach ( $data['attribute_names'] as $attribute_name ) {
673	$attribute = isset( $attributes[ sanitize_title( $attribute_name ) ] ) ? $attributes[ sanitize_title( $attribute_name ) ] : false;
674	if ( ! $attribute ) {
675	continue;
676	}
677	$i++;
678	$metabox_class = array();
679
680	if ( $attribute->is_taxonomy() ) {
681	$metabox_class[] = 'taxonomy';
682	$metabox_class[] = $attribute->get_name();
683	}
684
685	include __DIR__ . '/admin/meta-boxes/views/html-product-attribute.php';
686	}
687	}
688
689	$response['html'] = ob_get_clean();
690	} catch ( Exception $e ) {
691	wp_send_json_error( array( 'error' => $e->getMessage() ) );
692	}
693
694	// wp_send_json_success must be outside the try block not to break phpunit tests.
695	wp_send_json_success( $response );
696	}
697
698	/**
699	* Add variation via ajax function.
700	*/
701	public static function add_variation() {
702	check_ajax_referer( 'add-variation', 'security' );
703
704	if ( ! current_user_can( 'edit_products' ) \|\| ! isset( $_POST['post_id'], $_POST['loop'] ) ) {
705	wp_die( -1 );
706	}
707
708	global $post; // Set $post global so its available, like within the admin screens.
709
710	$product_id = intval( $_POST['post_id'] );
711	$post = get_post( $product_id ); // phpcs:ignore
712	$loop = intval( $_POST['loop'] );
713	$product_object = wc_get_product_object( 'variable', $product_id ); // Forces type to variable in case product is unsaved.
714	$variation_object = wc_get_product_object( 'variation' );
715	$variation_object->set_parent_id( $product_id );
716	$variation_object->set_attributes( array_fill_keys( array_map( 'sanitize_title', array_keys( $product_object->get_variation_attributes() ) ), '' ) );
717	$variation_id = $variation_object->save();
718	$variation = get_post( $variation_id );
719	$variation_data = array_merge( get_post_custom( $variation_id ), wc_get_product_variation_attributes( $variation_id ) ); // kept for BW compatibility.
720	include __DIR__ . '/admin/meta-boxes/views/html-variation-admin.php';
721	wp_die();
722	}
723
724	/**
725	* Link all variations via ajax function.
726	*/
727	public static function link_all_variations() {
728	check_ajax_referer( 'link-variations', 'security' );
729
730	if ( ! current_user_can( 'edit_products' ) ) {
731	wp_die( -1 );
732	}
733
734	wc_maybe_define_constant( 'WC_MAX_LINKED_VARIATIONS', 50 );
735	wc_set_time_limit( 0 );
736
737	$post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;
738
739	if ( ! $post_id ) {
740	wp_die();
741	}
742
743	$product = wc_get_product( $post_id );
744	$data_store = $product->get_data_store();
745
746	if ( ! is_callable( array( $data_store, 'create_all_product_variations' ) ) ) {
747	wp_die();
748	}
749
750	echo esc_html( $data_store->create_all_product_variations( $product, Constants::get_constant( 'WC_MAX_LINKED_VARIATIONS' ) ) );
751
752	$data_store->sort_all_product_variations( $product->get_id() );
753	wp_die();
754	}
755
756	/**
757	* Delete download permissions via ajax function.
758	*/
759	public static function revoke_access_to_download() {
760	check_ajax_referer( 'revoke-access', 'security' );
761
762	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['download_id'], $_POST['product_id'], $_POST['order_id'], $_POST['permission_id'] ) ) {
763	wp_die( -1 );
764	}
765	$download_id = wc_clean( wp_unslash( $_POST['download_id'] ) );
766	$product_id = intval( $_POST['product_id'] );
767	$order_id = intval( $_POST['order_id'] );
768	$permission_id = absint( $_POST['permission_id'] );
769	$data_store = WC_Data_Store::load( 'customer-download' );
770	$data_store->delete_by_id( $permission_id );
771
772	do_action( 'woocommerce_ajax_revoke_access_to_product_download', $download_id, $product_id, $order_id, $permission_id );
773
774	wp_die();
775	}
776
777	/**
778	* Grant download permissions via ajax function.
779	*/
780	public static function grant_access_to_download() {
781
782	check_ajax_referer( 'grant-access', 'security' );
783
784	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['loop'], $_POST['order_id'], $_POST['product_ids'] ) ) {
785	wp_die( -1 );
786	}
787
788	global $wpdb;
789
790	$wpdb->hide_errors();
791
792	$order_id = intval( $_POST['order_id'] );
793	$product_ids = array_filter( array_map( 'absint', (array) wp_unslash( $_POST['product_ids'] ) ) );
794	$loop = intval( $_POST['loop'] );
795	$file_counter = 0;
796	$order = wc_get_order( $order_id );
797
798	foreach ( $product_ids as $product_id ) {
799	$product = wc_get_product( $product_id );
800	$files = $product->get_downloads();
801
802	if ( ! $order->get_billing_email() ) {
803	wp_die();
804	}
805
806	if ( ! empty( $files ) ) {
807	foreach ( $files as $download_id => $file ) {
808	$inserted_id = wc_downloadable_file_permission( $download_id, $product_id, $order );
809	if ( $inserted_id ) {
810	$download = new WC_Customer_Download( $inserted_id );
811	$loop ++;
812	$file_counter ++;
813
814	if ( $file->get_name() ) {
815	$file_count = $file->get_name();
816	} else {
817	/* translators: %d file count */
818	$file_count = sprintf( __( 'File %d', 'woocommerce' ), $file_counter );
819	}
820	include __DIR__ . '/admin/meta-boxes/views/html-order-download-permission.php';
821	}
822	}
823	}
824	}
825	wp_die();
826	}
827
828	/**
829	* Get customer details via ajax.
830	*/
831	public static function get_customer_details() {
832	check_ajax_referer( 'get-customer-details', 'security' );
833
834	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['user_id'] ) ) {
835	wp_die( -1 );
836	}
837
838	$user_id = absint( $_POST['user_id'] );
839	$customer = new WC_Customer( $user_id );
840
841	if ( has_filter( 'woocommerce_found_customer_details' ) ) {
842	wc_deprecated_function( 'The woocommerce_found_customer_details filter', '3.0', 'woocommerce_ajax_get_customer_details' );
843	}
844
845	$data = $customer->get_data();
846	$data['date_created'] = $data['date_created'] ? $data['date_created']->getTimestamp() : null;
847	$data['date_modified'] = $data['date_modified'] ? $data['date_modified']->getTimestamp() : null;
848
849	$customer_data = apply_filters( 'woocommerce_ajax_get_customer_details', $data, $customer, $user_id );
850	wp_send_json( $customer_data );
851	}
852
853	/**
854	* Add order item via ajax. Used on the edit order screen in WP Admin.
855	*
856	* @throws Exception If order is invalid.
857	*/
858	public static function add_order_item() {
859	check_ajax_referer( 'order-item', 'security' );
860
861	if ( ! current_user_can( 'edit_shop_orders' ) ) {
862	wp_die( -1 );
863	}
864
865	if ( ! isset( $_POST['order_id'] ) ) {
866	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
867	}
868	$order_id = absint( wp_unslash( $_POST['order_id'] ) );
869
870	// If we passed through items it means we need to save first before adding a new one.
871	$items = ( ! empty( $_POST['items'] ) ) ? wp_unslash( $_POST['items'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
872
873	$items_to_add = isset( $_POST['data'] ) ? array_filter( wp_unslash( (array) $_POST['data'] ) ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
874
875	try {
876	$response = self::maybe_add_order_item( $order_id, $items, $items_to_add );
877	wp_send_json_success( $response );
878	} catch ( Exception $e ) {
879	wp_send_json_error( array( 'error' => $e->getMessage() ) );
880	}
881	}
882
883	/**
884	* Add order item via AJAX. This is refactored for better unit testing.
885	*
886	* @param int $order_id ID of order to add items to.
887	* @param string\|array $items Existing items in order. Empty string if no items to add.
888	* @param array $items_to_add Array of items to add.
889	*
890	* @return array Fragments to render and notes HTML.
891	* @throws Exception When unable to add item.
892	*/
893	private static function maybe_add_order_item( $order_id, $items, $items_to_add ) {
894	try {
895	$order = wc_get_order( $order_id );
896
897	if ( ! $order ) {
898	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
899	}
900
901	if ( ! empty( $items ) ) {
902	$save_items = array();
903	parse_str( $items, $save_items );
904	wc_save_order_items( $order->get_id(), $save_items );
905	}
906
907	// Add items to order.
908	$order_notes = array();
909
910	foreach ( $items_to_add as $item ) {
911	if ( ! isset( $item['id'], $item['qty'] ) \|\| empty( $item['id'] ) ) {
912	continue;
913	}
914	$product_id = absint( $item['id'] );
915	$qty = wc_stock_amount( $item['qty'] );
916	$product = wc_get_product( $product_id );
917
918	if ( ! $product ) {
919	throw new Exception( __( 'Invalid product ID', 'woocommerce' ) . ' ' . $product_id );
920	}
921	if ( 'variable' === $product->get_type() ) {
922	/* translators: %s product name */
923	throw new Exception( sprintf( __( '%s is a variable product parent and cannot be added.', 'woocommerce' ), $product->get_name() ) );
924	}
925	$validation_error = new WP_Error();
926	$validation_error = apply_filters( 'woocommerce_ajax_add_order_item_validation', $validation_error, $product, $order, $qty );
927
928	if ( $validation_error->get_error_code() ) {
929	/* translators: %s: error message */
930	throw new Exception( sprintf( __( 'Error: %s', 'woocommerce' ), $validation_error->get_error_message() ) );
931	}
932	$item_id = $order->add_product( $product, $qty );
933	$item = apply_filters( 'woocommerce_ajax_order_item', $order->get_item( $item_id ), $item_id, $order, $product );
934	$added_items[ $item_id ] = $item;
935	$order_notes[ $item_id ] = $product->get_formatted_name();
936
937	// We do not perform any stock operations here because they will be handled when order is moved to a status where stock operations are applied (like processing, completed etc).
938
939	do_action( 'woocommerce_ajax_add_order_item_meta', $item_id, $item, $order );
940	}
941
942	/* translators: %s item name. */
943	$order->add_order_note( sprintf( __( 'Added line items: %s', 'woocommerce' ), implode( ', ', $order_notes ) ), false, true );
944
945	do_action( 'woocommerce_ajax_order_items_added', $added_items, $order );
946
947	$data = get_post_meta( $order_id );
948
949	// Get HTML to return.
950	ob_start();
951	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
952	$items_html = ob_get_clean();
953
954	ob_start();
955	$notes = wc_get_order_notes( array( 'order_id' => $order_id ) );
956	include __DIR__ . '/admin/meta-boxes/views/html-order-notes.php';
957	$notes_html = ob_get_clean();
958
959	return array(
960	'html' => $items_html,
961	'notes_html' => $notes_html,
962	);
963	} catch ( Exception $e ) {
964	throw $e; // Forward exception to caller.
965	}
966	}
967
968	/**
969	* Add order fee via ajax.
970	*
971	* @throws Exception If order is invalid.
972	*/
973	public static function add_order_fee() {
974	check_ajax_referer( 'order-item', 'security' );
975
976	if ( ! current_user_can( 'edit_shop_orders' ) ) {
977	wp_die( -1 );
978	}
979
980	$response = array();
981
982	try {
983	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
984	$order = wc_get_order( $order_id );
985
986	if ( ! $order ) {
987	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
988	}
989
990	$amount = isset( $_POST['amount'] ) ? wc_clean( wp_unslash( $_POST['amount'] ) ) : 0;
991
992	$calculate_tax_args = array(
993	'country' => isset( $_POST['country'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['country'] ) ) ) : '',
994	'state' => isset( $_POST['state'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['state'] ) ) ) : '',
995	'postcode' => isset( $_POST['postcode'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['postcode'] ) ) ) : '',
996	'city' => isset( $_POST['city'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['city'] ) ) ) : '',
997	);
998
999	if ( strstr( $amount, '%' ) ) {
1000	$formatted_amount = $amount;
1001	$percent = floatval( trim( $amount, '%' ) );
1002	$amount = $order->get_total() * ( $percent / 100 );
1003	} else {
1004	$amount = floatval( $amount );
1005	$formatted_amount = wc_price( $amount, array( 'currency' => $order->get_currency() ) );
1006	}
1007
1008	$fee = new WC_Order_Item_Fee();
1009	$fee->set_amount( $amount );
1010	$fee->set_total( $amount );
1011	/* translators: %s fee amount */
1012	$fee->set_name( sprintf( __( '%s fee', 'woocommerce' ), wc_clean( $formatted_amount ) ) );
1013
1014	$order->add_item( $fee );
1015	$order->calculate_taxes( $calculate_tax_args );
1016	$order->calculate_totals( false );
1017	$order->save();
1018
1019	ob_start();
1020	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1021	$response['html'] = ob_get_clean();
1022	} catch ( Exception $e ) {
1023	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1024	}
1025
1026	// wp_send_json_success must be outside the try block not to break phpunit tests.
1027	wp_send_json_success( $response );
1028	}
1029
1030	/**
1031	* Add order shipping cost via ajax.
1032	*
1033	* @throws Exception If order is invalid.
1034	*/
1035	public static function add_order_shipping() {
1036	check_ajax_referer( 'order-item', 'security' );
1037
1038	if ( ! current_user_can( 'edit_shop_orders' ) ) {
1039	wp_die( -1 );
1040	}
1041
1042	$response = array();
1043
1044	try {
1045	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
1046	$order = wc_get_order( $order_id );
1047
1048	if ( ! $order ) {
1049	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
1050	}
1051
1052	$order_taxes = $order->get_taxes();
1053	$shipping_methods = WC()->shipping() ? WC()->shipping()->load_shipping_methods() : array();
1054
1055	// Add new shipping.
1056	$item = new WC_Order_Item_Shipping();
1057	$item->set_shipping_rate( new WC_Shipping_Rate() );
1058	$item->set_order_id( $order_id );
1059	$item_id = $item->save();
1060
1061	ob_start();
1062	include __DIR__ . '/admin/meta-boxes/views/html-order-shipping.php';
1063	$response['html'] = ob_get_clean();
1064	} catch ( Exception $e ) {
1065	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1066	}
1067
1068	// wp_send_json_success must be outside the try block not to break phpunit tests.
1069	wp_send_json_success( $response );
1070	}
1071
1072	/**
1073	* Add order tax column via ajax.
1074	*
1075	* @throws Exception If order or tax rate is invalid.
1076	*/
1077	public static function add_order_tax() {
1078	check_ajax_referer( 'order-item', 'security' );
1079
1080	if ( ! current_user_can( 'edit_shop_orders' ) ) {
1081	wp_die( -1 );
1082	}
1083
1084	$response = array();
1085
1086	try {
1087	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
1088	$order = wc_get_order( $order_id );
1089
1090	if ( ! $order ) {
1091	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
1092	}
1093
1094	$rate_id = isset( $_POST['rate_id'] ) ? absint( $_POST['rate_id'] ) : '';
1095
1096	if ( ! $rate_id ) {
1097	throw new Exception( __( 'Invalid rate', 'woocommerce' ) );
1098	}
1099
1100	$data = get_post_meta( $order_id );
1101
1102	// Add new tax.
1103	$item = new WC_Order_Item_Tax();
1104	$item->set_rate( $rate_id );
1105	$item->set_order_id( $order_id );
1106	$item->save();
1107
1108	ob_start();
1109	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1110	$response['html'] = ob_get_clean();
1111	} catch ( Exception $e ) {
1112	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1113	}
1114
1115	// wp_send_json_success must be outside the try block not to break phpunit tests.
1116	wp_send_json_success( $response );
1117	}
1118
1119	/**
1120	* Add order discount via ajax.
1121	*
1122	* @throws Exception If order or coupon is invalid.
1123	*/
1124	public static function add_coupon_discount() {
1125	check_ajax_referer( 'order-item', 'security' );
1126
1127	if ( ! current_user_can( 'edit_shop_orders' ) ) {
1128	wp_die( -1 );
1129	}
1130
1131	$response = array();
1132
1133	try {
1134	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
1135	$order = wc_get_order( $order_id );
1136	$calculate_tax_args = array(
1137	'country' => isset( $_POST['country'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['country'] ) ) ) : '',
1138	'state' => isset( $_POST['state'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['state'] ) ) ) : '',
1139	'postcode' => isset( $_POST['postcode'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['postcode'] ) ) ) : '',
1140	'city' => isset( $_POST['city'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['city'] ) ) ) : '',
1141	);
1142
1143	if ( ! $order ) {
1144	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
1145	}
1146
1147	if ( empty( $_POST['coupon'] ) ) {
1148	throw new Exception( __( 'Invalid coupon', 'woocommerce' ) );
1149	}
1150
1151	// Add user ID and/or email so validation for coupon limits works.
1152	$user_id_arg = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
1153	$user_email_arg = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
1154
1155	if ( $user_id_arg ) {
1156	$order->set_customer_id( $user_id_arg );
1157	}
1158	if ( $user_email_arg ) {
1159	$order->set_billing_email( $user_email_arg );
1160	}
1161
1162	$result = $order->apply_coupon( wc_format_coupon_code( wp_unslash( $_POST['coupon'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1163
1164	if ( is_wp_error( $result ) ) {
1165	throw new Exception( html_entity_decode( wp_strip_all_tags( $result->get_error_message() ) ) );
1166	}
1167
1168	$order->calculate_taxes( $calculate_tax_args );
1169	$order->calculate_totals( false );
1170
1171	ob_start();
1172	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1173	$response['html'] = ob_get_clean();
1174	} catch ( Exception $e ) {
1175	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1176	}
1177
1178	// wp_send_json_success must be outside the try block not to break phpunit tests.
1179	wp_send_json_success( $response );
1180	}
1181
1182	/**
1183	* Remove coupon from an order via ajax.
1184	*
1185	* @throws Exception If order or coupon is invalid.
1186	*/
1187	public static function remove_order_coupon() {
1188	check_ajax_referer( 'order-item', 'security' );
1189
1190	if ( ! current_user_can( 'edit_shop_orders' ) ) {
1191	wp_die( -1 );
1192	}
1193
1194	$response = array();
1195
1196	try {
1197	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
1198	$order = wc_get_order( $order_id );
1199	$calculate_tax_args = array(
1200	'country' => isset( $_POST['country'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['country'] ) ) ) : '',
1201	'state' => isset( $_POST['state'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['state'] ) ) ) : '',
1202	'postcode' => isset( $_POST['postcode'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['postcode'] ) ) ) : '',
1203	'city' => isset( $_POST['city'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['city'] ) ) ) : '',
1204	);
1205
1206	if ( ! $order ) {
1207	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
1208	}
1209
1210	if ( empty( $_POST['coupon'] ) ) {
1211	throw new Exception( __( 'Invalid coupon', 'woocommerce' ) );
1212	}
1213
1214	$order->remove_coupon( wc_format_coupon_code( wp_unslash( $_POST['coupon'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1215	$order->calculate_taxes( $calculate_tax_args );
1216	$order->calculate_totals( false );
1217
1218	ob_start();
1219	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1220	$response['html'] = ob_get_clean();
1221	} catch ( Exception $e ) {
1222	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1223	}
1224
1225	// wp_send_json_success must be outside the try block not to break phpunit tests.
1226	wp_send_json_success( $response );
1227	}
1228
1229	/**
1230	* Remove an order item.
1231	*
1232	* @throws Exception If order is invalid.
1233	*/
1234	public static function remove_order_item() {
1235	check_ajax_referer( 'order-item', 'security' );
1236
1237	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['order_id'], $_POST['order_item_ids'] ) ) {
1238	wp_die( -1 );
1239	}
1240
1241	$response = array();
1242
1243	try {
1244	$order_id = absint( $_POST['order_id'] );
1245	$order = wc_get_order( $order_id );
1246
1247	if ( ! $order ) {
1248	throw new Exception( __( 'Invalid order', 'woocommerce' ) );
1249	}
1250
1251	if ( ! isset( $_POST['order_item_ids'] ) ) {
1252	throw new Exception( __( 'Invalid items', 'woocommerce' ) );
1253	}
1254
1255	$order_item_ids = wp_unslash( $_POST['order_item_ids'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1256	$items = ( ! empty( $_POST['items'] ) ) ? wp_unslash( $_POST['items'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1257	$calculate_tax_args = array(
1258	'country' => isset( $_POST['country'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['country'] ) ) ) : '',
1259	'state' => isset( $_POST['state'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['state'] ) ) ) : '',
1260	'postcode' => isset( $_POST['postcode'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['postcode'] ) ) ) : '',
1261	'city' => isset( $_POST['city'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['city'] ) ) ) : '',
1262	);
1263
1264	if ( ! is_array( $order_item_ids ) && is_numeric( $order_item_ids ) ) {
1265	$order_item_ids = array( $order_item_ids );
1266	}
1267
1268	// If we passed through items it means we need to save first before deleting.
1269	if ( ! empty( $items ) ) {
1270	$save_items = array();
1271	parse_str( $items, $save_items );
1272	wc_save_order_items( $order->get_id(), $save_items );
1273	}
1274
1275	if ( ! empty( $order_item_ids ) ) {
1276	$order_notes = array();
1277
1278	foreach ( $order_item_ids as $item_id ) {
1279	$item_id = absint( $item_id );
1280	$item = $order->get_item( $item_id );
1281
1282	// Before deleting the item, adjust any stock values already reduced.
1283	if ( $item->is_type( 'line_item' ) ) {
1284	$changed_stock = wc_maybe_adjust_line_item_product_stock( $item, 0 );
1285
1286	if ( $changed_stock && ! is_wp_error( $changed_stock ) ) {
1287	/* translators: %1$s: item name %2$s: stock change */
1288	$order->add_order_note( sprintf( __( 'Deleted %1$s and adjusted stock (%2$s)', 'woocommerce' ), $item->get_name(), $changed_stock['from'] . '→' . $changed_stock['to'] ), false, true );
1289	} else {
1290	/* translators: %s item name. */
1291	$order->add_order_note( sprintf( __( 'Deleted %s', 'woocommerce' ), $item->get_name() ), false, true );
1292	}
1293	}
1294
1295	wc_delete_order_item( $item_id );
1296	}
1297	}
1298
1299	$order = wc_get_order( $order_id );
1300	$order->calculate_taxes( $calculate_tax_args );
1301	$order->calculate_totals( false );
1302
1303	// Get HTML to return.
1304	ob_start();
1305	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1306	$items_html = ob_get_clean();
1307
1308	ob_start();
1309	$notes = wc_get_order_notes( array( 'order_id' => $order_id ) );
1310	include __DIR__ . '/admin/meta-boxes/views/html-order-notes.php';
1311	$notes_html = ob_get_clean();
1312
1313	wp_send_json_success(
1314	array(
1315	'html' => $items_html,
1316	'notes_html' => $notes_html,
1317	)
1318	);
1319	} catch ( Exception $e ) {
1320	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1321	}
1322
1323	// wp_send_json_success must be outside the try block not to break phpunit tests.
1324	wp_send_json_success( $response );
1325	}
1326
1327	/**
1328	* Remove an order tax.
1329	*
1330	* @throws Exception If there is an error whilst deleting the rate.
1331	*/
1332	public static function remove_order_tax() {
1333	check_ajax_referer( 'order-item', 'security' );
1334
1335	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['order_id'], $_POST['rate_id'] ) ) {
1336	wp_die( -1 );
1337	}
1338
1339	$response = array();
1340
1341	try {
1342	$order_id = absint( $_POST['order_id'] );
1343	$rate_id = absint( $_POST['rate_id'] );
1344
1345	$order = wc_get_order( $order_id );
1346	if ( ! $order->is_editable() ) {
1347	throw new Exception( __( 'Order not editable', 'woocommerce' ) );
1348	}
1349
1350	wc_delete_order_item( $rate_id );
1351
1352	// Need to load order again after deleting to have latest items before calculating.
1353	$order = wc_get_order( $order_id );
1354	$order->calculate_totals( false );
1355
1356	ob_start();
1357	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1358	$response['html'] = ob_get_clean();
1359	} catch ( Exception $e ) {
1360	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1361	}
1362
1363	// wp_send_json_success must be outside the try block not to break phpunit tests.
1364	wp_send_json_success( $response );
1365	}
1366
1367	/**
1368	* Calc line tax.
1369	*/
1370	public static function calc_line_taxes() {
1371	check_ajax_referer( 'calc-totals', 'security' );
1372
1373	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['order_id'], $_POST['items'] ) ) {
1374	wp_die( -1 );
1375	}
1376
1377	$order_id = absint( $_POST['order_id'] );
1378	$calculate_tax_args = array(
1379	'country' => isset( $_POST['country'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['country'] ) ) ) : '',
1380	'state' => isset( $_POST['state'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['state'] ) ) ) : '',
1381	'postcode' => isset( $_POST['postcode'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['postcode'] ) ) ) : '',
1382	'city' => isset( $_POST['city'] ) ? wc_strtoupper( wc_clean( wp_unslash( $_POST['city'] ) ) ) : '',
1383	);
1384
1385	// Parse the jQuery serialized items.
1386	$items = array();
1387	parse_str( wp_unslash( $_POST['items'] ), $items ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1388
1389	// Save order items first.
1390	wc_save_order_items( $order_id, $items );
1391
1392	// Grab the order and recalculate taxes.
1393	$order = wc_get_order( $order_id );
1394	$order->calculate_taxes( $calculate_tax_args );
1395	$order->calculate_totals( false );
1396	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1397	wp_die();
1398	}
1399
1400	/**
1401	* Save order items via ajax.
1402	*/
1403	public static function save_order_items() {
1404	check_ajax_referer( 'order-item', 'security' );
1405
1406	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['order_id'], $_POST['items'] ) ) {
1407	wp_die( -1 );
1408	}
1409
1410	if ( isset( $_POST['order_id'], $_POST['items'] ) ) {
1411	$order_id = absint( $_POST['order_id'] );
1412
1413	// Parse the jQuery serialized items.
1414	$items = array();
1415	parse_str( wp_unslash( $_POST['items'] ), $items ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1416
1417	// Save order items.
1418	wc_save_order_items( $order_id, $items );
1419
1420	// Return HTML items.
1421	$order = wc_get_order( $order_id );
1422
1423	// Get HTML to return.
1424	ob_start();
1425	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1426	$items_html = ob_get_clean();
1427
1428	ob_start();
1429	$notes = wc_get_order_notes( array( 'order_id' => $order_id ) );
1430	include __DIR__ . '/admin/meta-boxes/views/html-order-notes.php';
1431	$notes_html = ob_get_clean();
1432
1433	wp_send_json_success(
1434	array(
1435	'html' => $items_html,
1436	'notes_html' => $notes_html,
1437	)
1438	);
1439	}
1440	wp_die();
1441	}
1442
1443	/**
1444	* Load order items via ajax.
1445	*/
1446	public static function load_order_items() {
1447	check_ajax_referer( 'order-item', 'security' );
1448
1449	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['order_id'] ) ) {
1450	wp_die( -1 );
1451	}
1452
1453	// Return HTML items.
1454	$order_id = absint( $_POST['order_id'] );
1455	$order = wc_get_order( $order_id );
1456	include __DIR__ . '/admin/meta-boxes/views/html-order-items.php';
1457	wp_die();
1458	}
1459
1460	/**
1461	* Add order note via ajax.
1462	*/
1463	public static function add_order_note() {
1464	check_ajax_referer( 'add-order-note', 'security' );
1465
1466	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['post_id'], $_POST['note'], $_POST['note_type'] ) ) {
1467	wp_die( -1 );
1468	}
1469
1470	$post_id = absint( $_POST['post_id'] );
1471	$note = wp_kses_post( trim( wp_unslash( $_POST['note'] ) ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1472	$note_type = wc_clean( wp_unslash( $_POST['note_type'] ) );
1473
1474	$is_customer_note = ( 'customer' === $note_type ) ? 1 : 0;
1475
1476	if ( $post_id > 0 ) {
1477	$order = wc_get_order( $post_id );
1478	$comment_id = $order->add_order_note( $note, $is_customer_note, true );
1479	$note = wc_get_order_note( $comment_id );
1480
1481	$note_classes = array( 'note' );
1482	$note_classes[] = $is_customer_note ? 'customer-note' : '';
1483	$note_classes = apply_filters( 'woocommerce_order_note_class', array_filter( $note_classes ), $note );
1484	?>
1485	<li rel="<?php echo absint( $note->id ); ?>" class="<?php echo esc_attr( implode( ' ', $note_classes ) ); ?>">
1486	<div class="note_content">
1487	<?php echo wp_kses_post( wpautop( wptexturize( make_clickable( $note->content ) ) ) ); ?>
1488	</div>
1489	<p class="meta">
1490	<abbr class="exact-date" title="<?php echo esc_attr( $note->date_created->date( 'y-m-d h:i:s' ) ); ?>">
1491	<?php
1492	/* translators: $1: Date created, $2 Time created */
1493	printf( esc_html__( 'added on %1$s at %2$s', 'woocommerce' ), esc_html( $note->date_created->date_i18n( wc_date_format() ) ), esc_html( $note->date_created->date_i18n( wc_time_format() ) ) );
1494	?>
1495	</abbr>
1496	<?php
1497	if ( 'system' !== $note->added_by ) :
1498	/* translators: %s: note author */
1499	printf( ' ' . esc_html__( 'by %s', 'woocommerce' ), esc_html( $note->added_by ) );
1500	endif;
1501	?>
1502	<a href="#" class="delete_note" role="button"><?php esc_html_e( 'Delete note', 'woocommerce' ); ?></a>
1503	</p>
1504	</li>
1505	<?php
1506	}
1507	wp_die();
1508	}
1509
1510	/**
1511	* Delete order note via ajax.
1512	*/
1513	public static function delete_order_note() {
1514	check_ajax_referer( 'delete-order-note', 'security' );
1515
1516	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['note_id'] ) ) {
1517	wp_die( -1 );
1518	}
1519
1520	$note_id = (int) $_POST['note_id'];
1521
1522	if ( $note_id > 0 ) {
1523	wc_delete_order_note( $note_id );
1524	}
1525	wp_die();
1526	}
1527
1528	/**
1529	* Search for products and echo json.
1530	*
1531	* @param string $term (default: '') Term to search for.
1532	* @param bool $include_variations in search or not.
1533	*/
1534	public static function json_search_products( $term = '', $include_variations = false ) {
1535	check_ajax_referer( 'search-products', 'security' );
1536
1537	if ( empty( $term ) && isset( $_GET['term'] ) ) {
1538	$term = (string) wc_clean( wp_unslash( $_GET['term'] ) );
1539	}
1540
1541	if ( empty( $term ) ) {
1542	wp_die();
1543	}
1544
1545	if ( ! empty( $_GET['limit'] ) ) {
1546	$limit = absint( $_GET['limit'] );
1547	} else {
1548	$limit = absint( apply_filters( 'woocommerce_json_search_limit', 30 ) );
1549	}
1550
1551	$include_ids = ! empty( $_GET['include'] ) ? array_map( 'absint', (array) wp_unslash( $_GET['include'] ) ) : array();
1552	$exclude_ids = ! empty( $_GET['exclude'] ) ? array_map( 'absint', (array) wp_unslash( $_GET['exclude'] ) ) : array();
1553
1554	$exclude_types = array();
1555	if ( ! empty( $_GET['exclude_type'] ) ) {
1556	// Support both comma-delimited and array format inputs.
1557	$exclude_types = wp_unslash( $_GET['exclude_type'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1558	if ( ! is_array( $exclude_types ) ) {
1559	$exclude_types = explode( ',', $exclude_types );
1560	}
1561
1562	// Sanitize the excluded types against valid product types.
1563	foreach ( $exclude_types as &$exclude_type ) {
1564	$exclude_type = strtolower( trim( $exclude_type ) );
1565	}
1566	$exclude_types = array_intersect(
1567	array_merge( array( 'variation' ), array_keys( wc_get_product_types() ) ),
1568	$exclude_types
1569	);
1570	}
1571
1572	$data_store = WC_Data_Store::load( 'product' );
1573	$ids = $data_store->search_products( $term, '', (bool) $include_variations, false, $limit, $include_ids, $exclude_ids );
1574
1575	$products = array();
1576
1577	foreach ( $ids as $id ) {
1578	$product_object = wc_get_product( $id );
1579
1580	if ( ! wc_products_array_filter_readable( $product_object ) ) {
1581	continue;
1582	}
1583
1584	$formatted_name = $product_object->get_formatted_name();
1585	$managing_stock = $product_object->managing_stock();
1586
1587	if ( in_array( $product_object->get_type(), $exclude_types, true ) ) {
1588	continue;
1589	}
1590
1591	if ( $managing_stock && ! empty( $_GET['display_stock'] ) ) {
1592	$stock_amount = $product_object->get_stock_quantity();
1593	/* Translators: %d stock amount */
1594	$formatted_name .= ' – ' . sprintf( __( 'Stock: %d', 'woocommerce' ), wc_format_stock_quantity_for_display( $stock_amount, $product_object ) );
1595	}
1596
1597	$products[ $product_object->get_id() ] = rawurldecode( wp_strip_all_tags( $formatted_name ) );
1598	}
1599
1600	wp_send_json( apply_filters( 'woocommerce_json_search_found_products', $products ) );
1601	}
1602
1603	/**
1604	* Search for product variations and return json.
1605	*
1606	* @see WC_AJAX::json_search_products()
1607	*/
1608	public static function json_search_products_and_variations() {
1609	self::json_search_products( '', true );
1610	}
1611
1612	/**
1613	* Search for downloadable product variations and return json.
1614	*
1615	* @see WC_AJAX::json_search_products()
1616	*/
1617	public static function json_search_downloadable_products_and_variations() {
1618	check_ajax_referer( 'search-products', 'security' );
1619
1620	if ( ! empty( $_GET['limit'] ) ) {
1621	$limit = absint( $_GET['limit'] );
1622	} else {
1623	$limit = absint( apply_filters( 'woocommerce_json_search_limit', 30 ) );
1624	}
1625
1626	$include_ids = ! empty( $_GET['include'] ) ? array_map( 'absint', (array) wp_unslash( $_GET['include'] ) ) : array();
1627	$exclude_ids = ! empty( $_GET['exclude'] ) ? array_map( 'absint', (array) wp_unslash( $_GET['exclude'] ) ) : array();
1628
1629	$term = isset( $_GET['term'] ) ? (string) wc_clean( wp_unslash( $_GET['term'] ) ) : '';
1630	$data_store = WC_Data_Store::load( 'product' );
1631	$ids = $data_store->search_products( $term, 'downloadable', true, false, $limit );
1632
1633	$product_objects = array_filter( array_map( 'wc_get_product', $ids ), 'wc_products_array_filter_readable' );
1634	$products = array();
1635
1636	foreach ( $product_objects as $product_object ) {
1637	$products[ $product_object->get_id() ] = rawurldecode( $product_object->get_formatted_name() );
1638	}
1639
1640	wp_send_json( $products );
1641	}
1642
1643	/**
1644	* Search for customers and return json.
1645	*/
1646	public static function json_search_customers() {
1647	ob_start();
1648
1649	check_ajax_referer( 'search-customers', 'security' );
1650
1651	if ( ! current_user_can( 'edit_shop_orders' ) ) {
1652	wp_die( -1 );
1653	}
1654
1655	$term = isset( $_GET['term'] ) ? (string) wc_clean( wp_unslash( $_GET['term'] ) ) : '';
1656	$limit = 0;
1657
1658	if ( empty( $term ) ) {
1659	wp_die();
1660	}
1661
1662	$ids = array();
1663	// Search by ID.
1664	if ( is_numeric( $term ) ) {
1665	$customer = new WC_Customer( intval( $term ) );
1666
1667	// Customer does not exists.
1668	if ( 0 !== $customer->get_id() ) {
1669	$ids = array( $customer->get_id() );
1670	}
1671	}
1672
1673	// Usernames can be numeric so we first check that no users was found by ID before searching for numeric username, this prevents performance issues with ID lookups.
1674	if ( empty( $ids ) ) {
1675	$data_store = WC_Data_Store::load( 'customer' );
1676
1677	// If search is smaller than 3 characters, limit result set to avoid
1678	// too many rows being returned.
1679	if ( 3 > strlen( $term ) ) {
1680	$limit = 20;
1681	}
1682	$ids = $data_store->search_customers( $term, $limit );
1683	}
1684
1685	$found_customers = array();
1686
1687	if ( ! empty( $_GET['exclude'] ) ) {
1688	$ids = array_diff( $ids, array_map( 'absint', (array) wp_unslash( $_GET['exclude'] ) ) );
1689	}
1690
1691	foreach ( $ids as $id ) {
1692	$customer = new WC_Customer( $id );
1693	/* translators: 1: user display name 2: user ID 3: user email */
1694	$found_customers[ $id ] = sprintf(
1695	/* translators: $1: customer name, $2 customer id, $3: customer email */
1696	esc_html__( '%1$s (#%2$s – %3$s)', 'woocommerce' ),
1697	$customer->get_first_name() . ' ' . $customer->get_last_name(),
1698	$customer->get_id(),
1699	$customer->get_email()
1700	);
1701	}
1702
1703	wp_send_json( apply_filters( 'woocommerce_json_search_found_customers', $found_customers ) );
1704	}
1705
1706	/**
1707	* Search for categories and return json.
1708	*/
1709	public static function json_search_categories() {
1710	ob_start();
1711
1712	check_ajax_referer( 'search-categories', 'security' );
1713
1714	if ( ! current_user_can( 'edit_products' ) ) {
1715	wp_die( -1 );
1716	}
1717
1718	$search_text = isset( $_GET['term'] ) ? wc_clean( wp_unslash( $_GET['term'] ) ) : '';
1719
1720	if ( ! $search_text ) {
1721	wp_die();
1722	}
1723
1724	$found_categories = array();
1725	$args = array(
1726	'taxonomy' => array( 'product_cat' ),
1727	'orderby' => 'id',
1728	'order' => 'ASC',
1729	'hide_empty' => true,
1730	'fields' => 'all',
1731	'name__like' => $search_text,
1732	);
1733
1734	$terms = get_terms( $args );
1735
1736	if ( $terms ) {
1737	foreach ( $terms as $term ) {
1738	$term->formatted_name = '';
1739
1740	if ( $term->parent ) {
1741	$ancestors = array_reverse( get_ancestors( $term->term_id, 'product_cat' ) );
1742	foreach ( $ancestors as $ancestor ) {
1743	$ancestor_term = get_term( $ancestor, 'product_cat' );
1744	if ( $ancestor_term ) {
1745	$term->formatted_name .= $ancestor_term->name . ' > ';
1746	}
1747	}
1748	}
1749
1750	$term->formatted_name .= $term->name . ' (' . $term->count . ')';
1751	$found_categories[ $term->term_id ] = $term;
1752	}
1753	}
1754
1755	wp_send_json( apply_filters( 'woocommerce_json_search_found_categories', $found_categories ) );
1756	}
1757
1758	/**
1759	* Ajax request handling for categories ordering.
1760	*/
1761	public static function term_ordering() {
1762	// phpcs:disable WordPress.Security.NonceVerification.Missing
1763	if ( ! current_user_can( 'edit_products' ) \|\| empty( $_POST['id'] ) ) {
1764	wp_die( -1 );
1765	}
1766
1767	$id = (int) $_POST['id'];
1768	$next_id = isset( $_POST['nextid'] ) && (int) $_POST['nextid'] ? (int) $_POST['nextid'] : null;
1769	$taxonomy = isset( $_POST['thetaxonomy'] ) ? esc_attr( wp_unslash( $_POST['thetaxonomy'] ) ) : null; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1770	$term = get_term_by( 'id', $id, $taxonomy );
1771
1772	if ( ! $id \|\| ! $term \|\| ! $taxonomy ) {
1773	wp_die( 0 );
1774	}
1775
1776	wc_reorder_terms( $term, $next_id, $taxonomy );
1777
1778	$children = get_terms( $taxonomy, "child_of=$id&menu_order=ASC&hide_empty=0" );
1779
1780	if ( $term && count( $children ) ) {
1781	echo 'children';
1782	wp_die();
1783	}
1784	// phpcs:enable
1785	}
1786
1787	/**
1788	* Ajax request handling for product ordering.
1789	*
1790	* Based on Simple Page Ordering by 10up (https://wordpress.org/plugins/simple-page-ordering/).
1791	*/
1792	public static function product_ordering() {
1793	global $wpdb;
1794
1795	// phpcs:disable WordPress.Security.NonceVerification.Missing
1796	if ( ! current_user_can( 'edit_products' ) \|\| empty( $_POST['id'] ) ) {
1797	wp_die( -1 );
1798	}
1799
1800	$sorting_id = absint( $_POST['id'] );
1801	$previd = absint( isset( $_POST['previd'] ) ? $_POST['previd'] : 0 );
1802	$nextid = absint( isset( $_POST['nextid'] ) ? $_POST['nextid'] : 0 );
1803	$menu_orders = wp_list_pluck( $wpdb->get_results( "SELECT ID, menu_order FROM {$wpdb->posts} WHERE post_type = 'product' ORDER BY menu_order ASC, post_title ASC" ), 'menu_order', 'ID' );
1804	$index = 0;
1805
1806	foreach ( $menu_orders as $id => $menu_order ) {
1807	$id = absint( $id );
1808
1809	if ( $sorting_id === $id ) {
1810	continue;
1811	}
1812	if ( $nextid === $id ) {
1813	$index ++;
1814	}
1815	$index ++;
1816	$menu_orders[ $id ] = $index;
1817	$wpdb->update( $wpdb->posts, array( 'menu_order' => $index ), array( 'ID' => $id ) );
1818
1819	/**
1820	* When a single product has gotten it's ordering updated.
1821	* $id The product ID
1822	* $index The new menu order
1823	*/
1824	do_action( 'woocommerce_after_single_product_ordering', $id, $index );
1825	}
1826
1827	if ( isset( $menu_orders[ $previd ] ) ) {
1828	$menu_orders[ $sorting_id ] = $menu_orders[ $previd ] + 1;
1829	} elseif ( isset( $menu_orders[ $nextid ] ) ) {
1830	$menu_orders[ $sorting_id ] = $menu_orders[ $nextid ] - 1;
1831	} else {
1832	$menu_orders[ $sorting_id ] = 0;
1833	}
1834
1835	$wpdb->update( $wpdb->posts, array( 'menu_order' => $menu_orders[ $sorting_id ] ), array( 'ID' => $sorting_id ) );
1836
1837	WC_Post_Data::delete_product_query_transients();
1838
1839	do_action( 'woocommerce_after_product_ordering', $sorting_id, $menu_orders );
1840	wp_send_json( $menu_orders );
1841	// phpcs:enable
1842	}
1843
1844	/**
1845	* Handle a refund via the edit order screen.
1846	*
1847	* @throws Exception To return errors.
1848	*/
1849	public static function refund_line_items() {
1850	ob_start();
1851
1852	check_ajax_referer( 'order-item', 'security' );
1853
1854	if ( ! current_user_can( 'edit_shop_orders' ) ) {
1855	wp_die( -1 );
1856	}
1857
1858	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
1859	$refund_amount = isset( $_POST['refund_amount'] ) ? wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['refund_amount'] ) ), wc_get_price_decimals() ) : 0;
1860	$refunded_amount = isset( $_POST['refunded_amount'] ) ? wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['refunded_amount'] ) ), wc_get_price_decimals() ) : 0;
1861	$refund_reason = isset( $_POST['refund_reason'] ) ? sanitize_text_field( wp_unslash( $_POST['refund_reason'] ) ) : '';
1862	$line_item_qtys = isset( $_POST['line_item_qtys'] ) ? json_decode( sanitize_text_field( wp_unslash( $_POST['line_item_qtys'] ) ), true ) : array();
1863	$line_item_totals = isset( $_POST['line_item_totals'] ) ? json_decode( sanitize_text_field( wp_unslash( $_POST['line_item_totals'] ) ), true ) : array();
1864	$line_item_tax_totals = isset( $_POST['line_item_tax_totals'] ) ? json_decode( sanitize_text_field( wp_unslash( $_POST['line_item_tax_totals'] ) ), true ) : array();
1865	$api_refund = isset( $_POST['api_refund'] ) && 'true' === $_POST['api_refund'];
1866	$restock_refunded_items = isset( $_POST['restock_refunded_items'] ) && 'true' === $_POST['restock_refunded_items'];
1867	$refund = false;
1868	$response = array();
1869
1870	try {
1871	$order = wc_get_order( $order_id );
1872	$max_refund = wc_format_decimal( $order->get_total() - $order->get_total_refunded(), wc_get_price_decimals() );
1873
1874	if ( ! $refund_amount \|\| $max_refund < $refund_amount \|\| 0 > $refund_amount ) {
1875	throw new Exception( __( 'Invalid refund amount', 'woocommerce' ) );
1876	}
1877
1878	if ( wc_format_decimal( $order->get_total_refunded(), wc_get_price_decimals() ) !== $refunded_amount ) {
1879	throw new Exception( __( 'Error processing refund. Please try again.', 'woocommerce' ) );
1880	}
1881
1882	// Prepare line items which we are refunding.
1883	$line_items = array();
1884	$item_ids = array_unique( array_merge( array_keys( $line_item_qtys ), array_keys( $line_item_totals ) ) );
1885
1886	foreach ( $item_ids as $item_id ) {
1887	$line_items[ $item_id ] = array(
1888	'qty' => 0,
1889	'refund_total' => 0,
1890	'refund_tax' => array(),
1891	);
1892	}
1893	foreach ( $line_item_qtys as $item_id => $qty ) {
1894	$line_items[ $item_id ]['qty'] = max( $qty, 0 );
1895	}
1896	foreach ( $line_item_totals as $item_id => $total ) {
1897	$line_items[ $item_id ]['refund_total'] = wc_format_decimal( $total );
1898	}
1899	foreach ( $line_item_tax_totals as $item_id => $tax_totals ) {
1900	$line_items[ $item_id ]['refund_tax'] = array_filter( array_map( 'wc_format_decimal', $tax_totals ) );
1901	}
1902
1903	// Create the refund object.
1904	$refund = wc_create_refund(
1905	array(
1906	'amount' => $refund_amount,
1907	'reason' => $refund_reason,
1908	'order_id' => $order_id,
1909	'line_items' => $line_items,
1910	'refund_payment' => $api_refund,
1911	'restock_items' => $restock_refunded_items,
1912	)
1913	);
1914
1915	if ( is_wp_error( $refund ) ) {
1916	throw new Exception( $refund->get_error_message() );
1917	}
1918
1919	if ( did_action( 'woocommerce_order_fully_refunded' ) ) {
1920	$response['status'] = 'fully_refunded';
1921	}
1922	} catch ( Exception $e ) {
1923	wp_send_json_error( array( 'error' => $e->getMessage() ) );
1924	}
1925
1926	// wp_send_json_success must be outside the try block not to break phpunit tests.
1927	wp_send_json_success( $response );
1928	}
1929
1930	/**
1931	* Delete a refund.
1932	*/
1933	public static function delete_refund() {
1934	check_ajax_referer( 'order-item', 'security' );
1935
1936	if ( ! current_user_can( 'edit_shop_orders' ) \|\| ! isset( $_POST['refund_id'] ) ) {
1937	wp_die( -1 );
1938	}
1939
1940	$refund_ids = array_map( 'absint', is_array( $_POST['refund_id'] ) ? wp_unslash( $_POST['refund_id'] ) : array( wp_unslash( $_POST['refund_id'] ) ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
1941	foreach ( $refund_ids as $refund_id ) {
1942	if ( $refund_id && 'shop_order_refund' === get_post_type( $refund_id ) ) {
1943	$refund = wc_get_order( $refund_id );
1944	$order_id = $refund->get_parent_id();
1945	$refund->delete( true );
1946	do_action( 'woocommerce_refund_deleted', $refund_id, $order_id );
1947	}
1948	}
1949	wp_die();
1950	}
1951
1952	/**
1953	* Triggered when clicking the rating footer.
1954	*/
1955	public static function rated() {
1956	if ( ! current_user_can( 'manage_woocommerce' ) ) {
1957	wp_die( -1 );
1958	}
1959	update_option( 'woocommerce_admin_footer_text_rated', 1 );
1960	wp_die();
1961	}
1962
1963	/**
1964	* Create/Update API key.
1965	*
1966	* @throws Exception On invalid or empty description, user, or permissions.
1967	*/
1968	public static function update_api_key() {
1969	ob_start();
1970
1971	global $wpdb;
1972
1973	check_ajax_referer( 'update-api-key', 'security' );
1974
1975	if ( ! current_user_can( 'manage_woocommerce' ) ) {
1976	wp_die( -1 );
1977	}
1978
1979	$response = array();
1980
1981	try {
1982	if ( empty( $_POST['description'] ) ) {
1983	throw new Exception( __( 'Description is missing.', 'woocommerce' ) );
1984	}
1985	if ( empty( $_POST['user'] ) ) {
1986	throw new Exception( __( 'User is missing.', 'woocommerce' ) );
1987	}
1988	if ( empty( $_POST['permissions'] ) ) {
1989	throw new Exception( __( 'Permissions is missing.', 'woocommerce' ) );
1990	}
1991
1992	$key_id = isset( $_POST['key_id'] ) ? absint( $_POST['key_id'] ) : 0;
1993	$description = sanitize_text_field( wp_unslash( $_POST['description'] ) );
1994	$permissions = ( in_array( wp_unslash( $_POST['permissions'] ), array( 'read', 'write', 'read_write' ), true ) ) ? sanitize_text_field( wp_unslash( $_POST['permissions'] ) ) : 'read';
1995	$user_id = absint( $_POST['user'] );
1996
1997	// Check if current user can edit other users.
1998	if ( $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
1999	if ( get_current_user_id() !== $user_id ) {
2000	throw new Exception( __( 'You do not have permission to assign API Keys to the selected user.', 'woocommerce' ) );
2001	}
2002	}
2003
2004	if ( 0 < $key_id ) {
2005	$data = array(
2006	'user_id' => $user_id,
2007	'description' => $description,
2008	'permissions' => $permissions,
2009	);
2010
2011	$wpdb->update(
2012	$wpdb->prefix . 'woocommerce_api_keys',
2013	$data,
2014	array( 'key_id' => $key_id ),
2015	array(
2016	'%d',
2017	'%s',
2018	'%s',
2019	),
2020	array( '%d' )
2021	);
2022
2023	$response = $data;
2024	$response['consumer_key'] = '';
2025	$response['consumer_secret'] = '';
2026	$response['message'] = __( 'API Key updated successfully.', 'woocommerce' );
2027	} else {
2028	$consumer_key = 'ck_' . wc_rand_hash();
2029	$consumer_secret = 'cs_' . wc_rand_hash();
2030
2031	$data = array(
2032	'user_id' => $user_id,
2033	'description' => $description,
2034	'permissions' => $permissions,
2035	'consumer_key' => wc_api_hash( $consumer_key ),
2036	'consumer_secret' => $consumer_secret,
2037	'truncated_key' => substr( $consumer_key, -7 ),
2038	);
2039
2040	$wpdb->insert(
2041	$wpdb->prefix . 'woocommerce_api_keys',
2042	$data,
2043	array(
2044	'%d',
2045	'%s',
2046	'%s',
2047	'%s',
2048	'%s',
2049	'%s',
2050	)
2051	);
2052
2053	$key_id = $wpdb->insert_id;
2054	$response = $data;
2055	$response['consumer_key'] = $consumer_key;
2056	$response['consumer_secret'] = $consumer_secret;
2057	$response['message'] = __( 'API Key generated successfully. Make sure to copy your new keys now as the secret key will be hidden once you leave this page.', 'woocommerce' );
2058	$response['revoke_url'] = '<a style="color: #a00; text-decoration: none;" href="' . esc_url( wp_nonce_url( add_query_arg( array( 'revoke-key' => $key_id ), admin_url( 'admin.php?page=wc-settings&tab=advanced&section=keys' ) ), 'revoke' ) ) . '">' . __( 'Revoke key', 'woocommerce' ) . '</a>';
2059	}
2060	} catch ( Exception $e ) {
2061	wp_send_json_error( array( 'message' => $e->getMessage() ) );
2062	}
2063
2064	// wp_send_json_success must be outside the try block not to break phpunit tests.
2065	wp_send_json_success( $response );
2066	}
2067
2068	/**
2069	* Load variations via AJAX.
2070	*/
2071	public static function load_variations() {
2072	ob_start();
2073
2074	check_ajax_referer( 'load-variations', 'security' );
2075
2076	if ( ! current_user_can( 'edit_products' ) \|\| empty( $_POST['product_id'] ) ) {
2077	wp_die( -1 );
2078	}
2079
2080	// Set $post global so its available, like within the admin screens.
2081	global $post;
2082
2083	$loop = 0;
2084	$product_id = absint( $_POST['product_id'] );
2085	$post = get_post( $product_id ); // phpcs:ignore
2086	$product_object = wc_get_product( $product_id );
2087	$per_page = ! empty( $_POST['per_page'] ) ? absint( $_POST['per_page'] ) : 10;
2088	$page = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
2089	$variations = wc_get_products(
2090	array(
2091	'status' => array( 'private', 'publish' ),
2092	'type' => 'variation',
2093	'parent' => $product_id,
2094	'limit' => $per_page,
2095	'page' => $page,
2096	'orderby' => array(
2097	'menu_order' => 'ASC',
2098	'ID' => 'DESC',
2099	),
2100	'return' => 'objects',
2101	)
2102	);
2103
2104	if ( $variations ) {
2105	wc_render_invalid_variation_notice( $product_object );
2106
2107	foreach ( $variations as $variation_object ) {
2108	$variation_id = $variation_object->get_id();
2109	$variation = get_post( $variation_id );
2110	$variation_data = array_merge( get_post_custom( $variation_id ), wc_get_product_variation_attributes( $variation_id ) ); // kept for BW compatibility.
2111	include __DIR__ . '/admin/meta-boxes/views/html-variation-admin.php';
2112	$loop++;
2113	}
2114	}
2115	wp_die();
2116	}
2117
2118	/**
2119	* Save variations via AJAX.
2120	*/
2121	public static function save_variations() {
2122	ob_start();
2123
2124	check_ajax_referer( 'save-variations', 'security' );
2125
2126	// Check permissions again and make sure we have what we need.
2127	if ( ! current_user_can( 'edit_products' ) \|\| empty( $_POST ) \|\| empty( $_POST['product_id'] ) ) {
2128	wp_die( -1 );
2129	}
2130
2131	$product_id = absint( $_POST['product_id'] );
2132	WC_Admin_Meta_Boxes::$meta_box_errors = array();
2133	WC_Meta_Box_Product_Data::save_variations( $product_id, get_post( $product_id ) );
2134
2135	do_action( 'woocommerce_ajax_save_product_variations', $product_id );
2136
2137	$errors = WC_Admin_Meta_Boxes::$meta_box_errors;
2138
2139	if ( $errors ) {
2140	echo '<div class="error notice is-dismissible">';
2141
2142	foreach ( $errors as $error ) {
2143	echo '<p>' . wp_kses_post( $error ) . '</p>';
2144	}
2145
2146	echo '<button type="button" class="notice-dismiss"><span class="screen-reader-text">' . esc_html__( 'Dismiss this notice.', 'woocommerce' ) . '</span></button>';
2147	echo '</div>';
2148
2149	delete_option( 'woocommerce_meta_box_errors' );
2150	}
2151
2152	wp_die();
2153	}
2154
2155	/**
2156	* Bulk action - Toggle Enabled.
2157	*
2158	* @param array $variations List of variations.
2159	* @param array $data Data to set.
2160	*
2161	* @used-by bulk_edit_variations
2162	*/
2163	private static function variation_bulk_action_toggle_enabled( $variations, $data ) {
2164	foreach ( $variations as $variation_id ) {
2165	$variation = wc_get_product( $variation_id );
2166	$variation->set_status( 'private' === $variation->get_status( 'edit' ) ? 'publish' : 'private' );
2167	$variation->save();
2168	}
2169	}
2170
2171	/**
2172	* Bulk action - Toggle Downloadable Checkbox.
2173	*
2174	* @param array $variations List of variations.
2175	* @param array $data Data to set.
2176	*
2177	* @used-by bulk_edit_variations
2178	*/
2179	private static function variation_bulk_action_toggle_downloadable( $variations, $data ) {
2180	self::variation_bulk_toggle( $variations, 'downloadable' );
2181	}
2182
2183	/**
2184	* Bulk action - Toggle Virtual Checkbox.
2185	*
2186	* @param array $variations List of variations.
2187	* @param array $data Data to set.
2188	*
2189	* @used-by bulk_edit_variations
2190	*/
2191	private static function variation_bulk_action_toggle_virtual( $variations, $data ) {
2192	self::variation_bulk_toggle( $variations, 'virtual' );
2193	}
2194
2195	/**
2196	* Bulk action - Toggle Manage Stock Checkbox.
2197	*
2198	* @param array $variations List of variations.
2199	* @param array $data Data to set.
2200	*
2201	* @used-by bulk_edit_variations
2202	*/
2203	private static function variation_bulk_action_toggle_manage_stock( $variations, $data ) {
2204	self::variation_bulk_toggle( $variations, 'manage_stock' );
2205	}
2206
2207	/**
2208	* Bulk action - Set Regular Prices.
2209	*
2210	* @param array $variations List of variations.
2211	* @param array $data Data to set.
2212	*
2213	* @used-by bulk_edit_variations
2214	*/
2215	private static function variation_bulk_action_variable_regular_price( $variations, $data ) {
2216	self::variation_bulk_set( $variations, 'regular_price', $data['value'] );
2217	}
2218
2219	/**
2220	* Bulk action - Set Sale Prices.
2221	*
2222	* @param array $variations List of variations.
2223	* @param array $data Data to set.
2224	*
2225	* @used-by bulk_edit_variations
2226	*/
2227	private static function variation_bulk_action_variable_sale_price( $variations, $data ) {
2228	self::variation_bulk_set( $variations, 'sale_price', $data['value'] );
2229	}
2230
2231	/**
2232	* Bulk action - Set Stock Status as In Stock.
2233	*
2234	* @param array $variations List of variations.
2235	* @param array $data Data to set.
2236	*
2237	* @used-by bulk_edit_variations
2238	*/
2239	private static function variation_bulk_action_variable_stock_status_instock( $variations, $data ) {
2240	self::variation_bulk_set( $variations, 'stock_status', 'instock' );
2241	}
2242
2243	/**
2244	* Bulk action - Set Stock Status as Out of Stock.
2245	*
2246	* @param array $variations List of variations.
2247	* @param array $data Data to set.
2248	*
2249	* @used-by bulk_edit_variations
2250	*/
2251	private static function variation_bulk_action_variable_stock_status_outofstock( $variations, $data ) {
2252	self::variation_bulk_set( $variations, 'stock_status', 'outofstock' );
2253	}
2254
2255	/**
2256	* Bulk action - Set Stock Status as On Backorder.
2257	*
2258	* @param array $variations List of variations.
2259	* @param array $data Data to set.
2260	*
2261	* @used-by bulk_edit_variations
2262	*/
2263	private static function variation_bulk_action_variable_stock_status_onbackorder( $variations, $data ) {
2264	self::variation_bulk_set( $variations, 'stock_status', 'onbackorder' );
2265	}
2266
2267	/**
2268	* Bulk action - Set Stock.
2269	*
2270	* @param array $variations List of variations.
2271	* @param array $data Data to set.
2272	*
2273	* @used-by bulk_edit_variations
2274	*/
2275	private static function variation_bulk_action_variable_stock( $variations, $data ) {
2276	if ( ! isset( $data['value'] ) ) {
2277	return;
2278	}
2279
2280	$quantity = wc_stock_amount( wc_clean( $data['value'] ) );
2281
2282	foreach ( $variations as $variation_id ) {
2283	$variation = wc_get_product( $variation_id );
2284	if ( $variation->managing_stock() ) {
2285	$variation->set_stock_quantity( $quantity );
2286	} else {
2287	$variation->set_stock_quantity( null );
2288	}
2289	$variation->save();
2290	}
2291	}
2292
2293	/**
2294	* Bulk action - Set Weight.
2295	*
2296	* @param array $variations List of variations.
2297	* @param array $data Data to set.
2298	*
2299	* @used-by bulk_edit_variations
2300	*/
2301	private static function variation_bulk_action_variable_weight( $variations, $data ) {
2302	self::variation_bulk_set( $variations, 'weight', $data['value'] );
2303	}
2304
2305	/**
2306	* Bulk action - Set Length.
2307	*
2308	* @param array $variations List of variations.
2309	* @param array $data Data to set.
2310	*
2311	* @used-by bulk_edit_variations
2312	*/
2313	private static function variation_bulk_action_variable_length( $variations, $data ) {
2314	self::variation_bulk_set( $variations, 'length', $data['value'] );
2315	}
2316
2317	/**
2318	* Bulk action - Set Width.
2319	*
2320	* @param array $variations List of variations.
2321	* @param array $data Data to set.
2322	*
2323	* @used-by bulk_edit_variations
2324	*/
2325	private static function variation_bulk_action_variable_width( $variations, $data ) {
2326	self::variation_bulk_set( $variations, 'width', $data['value'] );
2327	}
2328
2329	/**
2330	* Bulk action - Set Height.
2331	*
2332	* @param array $variations List of variations.
2333	* @param array $data Data to set.
2334	*
2335	* @used-by bulk_edit_variations
2336	*/
2337	private static function variation_bulk_action_variable_height( $variations, $data ) {
2338	self::variation_bulk_set( $variations, 'height', $data['value'] );
2339	}
2340
2341	/**
2342	* Bulk action - Set Download Limit.
2343	*
2344	* @param array $variations List of variations.
2345	* @param array $data Data to set.
2346	*
2347	* @used-by bulk_edit_variations
2348	*/
2349	private static function variation_bulk_action_variable_download_limit( $variations, $data ) {
2350	self::variation_bulk_set( $variations, 'download_limit', $data['value'] );
2351	}
2352
2353	/**
2354	* Bulk action - Set Download Expiry.
2355	*
2356	* @param array $variations List of variations.
2357	* @param array $data Data to set.
2358	*
2359	* @used-by bulk_edit_variations
2360	*/
2361	private static function variation_bulk_action_variable_download_expiry( $variations, $data ) {
2362	self::variation_bulk_set( $variations, 'download_expiry', $data['value'] );
2363	}
2364
2365	/**
2366	* Bulk action - Delete all.
2367	*
2368	* @param array $variations List of variations.
2369	* @param array $data Data to set.
2370	*
2371	* @used-by bulk_edit_variations
2372	*/
2373	private static function variation_bulk_action_delete_all( $variations, $data ) {
2374	if ( isset( $data['allowed'] ) && 'true' === $data['allowed'] ) {
2375	foreach ( $variations as $variation_id ) {
2376	$variation = wc_get_product( $variation_id );
2377	$variation->delete( true );
2378	}
2379	}
2380	}
2381
2382	/**
2383	* Bulk action - Sale Schedule.
2384	*
2385	* @param array $variations List of variations.
2386	* @param array $data Data to set.
2387	*
2388	* @used-by bulk_edit_variations
2389	*/
2390	private static function variation_bulk_action_variable_sale_schedule( $variations, $data ) {
2391	if ( ! isset( $data['date_from'] ) && ! isset( $data['date_to'] ) ) {
2392	return;
2393	}
2394
2395	foreach ( $variations as $variation_id ) {
2396	$variation = wc_get_product( $variation_id );
2397
2398	if ( 'false' !== $data['date_from'] ) {
2399	$variation->set_date_on_sale_from( wc_clean( $data['date_from'] ) );
2400	}
2401
2402	if ( 'false' !== $data['date_to'] ) {
2403	$variation->set_date_on_sale_to( wc_clean( $data['date_to'] ) );
2404	}
2405
2406	$variation->save();
2407	}
2408	}
2409
2410	/**
2411	* Bulk action - Increase Regular Prices.
2412	*
2413	* @param array $variations List of variations.
2414	* @param array $data Data to set.
2415	*
2416	* @used-by bulk_edit_variations
2417	*/
2418	private static function variation_bulk_action_variable_regular_price_increase( $variations, $data ) {
2419	self::variation_bulk_adjust_price( $variations, 'regular_price', '+', wc_clean( $data['value'] ) );
2420	}
2421
2422	/**
2423	* Bulk action - Decrease Regular Prices.
2424	*
2425	* @param array $variations List of variations.
2426	* @param array $data Data to set.
2427	*
2428	* @used-by bulk_edit_variations
2429	*/
2430	private static function variation_bulk_action_variable_regular_price_decrease( $variations, $data ) {
2431	self::variation_bulk_adjust_price( $variations, 'regular_price', '-', wc_clean( $data['value'] ) );
2432	}
2433
2434	/**
2435	* Bulk action - Increase Sale Prices.
2436	*
2437	* @param array $variations List of variations.
2438	* @param array $data Data to set.
2439	*
2440	* @used-by bulk_edit_variations
2441	*/
2442	private static function variation_bulk_action_variable_sale_price_increase( $variations, $data ) {
2443	self::variation_bulk_adjust_price( $variations, 'sale_price', '+', wc_clean( $data['value'] ) );
2444	}
2445
2446	/**
2447	* Bulk action - Decrease Sale Prices.
2448	*
2449	* @param array $variations List of variations.
2450	* @param array $data Data to set.
2451	*
2452	* @used-by bulk_edit_variations
2453	*/
2454	private static function variation_bulk_action_variable_sale_price_decrease( $variations, $data ) {
2455	self::variation_bulk_adjust_price( $variations, 'sale_price', '-', wc_clean( $data['value'] ) );
2456	}
2457
2458	/**
2459	* Bulk action - Set Price.
2460	*
2461	* @param array $variations List of variations.
2462	* @param string $field price being adjusted _regular_price or _sale_price.
2463	* @param string $operator + or -.
2464	* @param string $value Price or Percent.
2465	*
2466	* @used-by bulk_edit_variations
2467	*/
2468	private static function variation_bulk_adjust_price( $variations, $field, $operator, $value ) {
2469	foreach ( $variations as $variation_id ) {
2470	$variation = wc_get_product( $variation_id );
2471	$field_value = $variation->{"get_$field"}( 'edit' );
2472
2473	if ( '%' === substr( $value, -1 ) ) {
2474	$percent = wc_format_decimal( substr( $value, 0, -1 ) );
2475	$field_value += NumberUtil::round( ( $field_value / 100 ) * $percent, wc_get_price_decimals() ) * "{$operator}1";
2476	} else {
2477	$field_value += $value * "{$operator}1";
2478	}
2479
2480	$variation->{"set_$field"}( $field_value );
2481	$variation->save();
2482	}
2483	}
2484
2485	/**
2486	* Bulk set convenience function.
2487	*
2488	* @param array $variations List of variations.
2489	* @param string $field Field to set.
2490	* @param string $value to set.
2491	*/
2492	private static function variation_bulk_set( $variations, $field, $value ) {
2493	foreach ( $variations as $variation_id ) {
2494	$variation = wc_get_product( $variation_id );
2495	$variation->{ "set_$field" }( wc_clean( $value ) );
2496	$variation->save();
2497	}
2498	}
2499
2500	/**
2501	* Bulk toggle convenience function.
2502	*
2503	* @param array $variations List of variations.
2504	* @param string $field Field to toggle.
2505	*/
2506	private static function variation_bulk_toggle( $variations, $field ) {
2507	foreach ( $variations as $variation_id ) {
2508	$variation = wc_get_product( $variation_id );
2509	$prev_value = $variation->{ "get_$field" }( 'edit' );
2510	$variation->{ "set_$field" }( ! $prev_value );
2511	$variation->save();
2512	}
2513	}
2514
2515	/**
2516	* Bulk edit variations via AJAX.
2517	*
2518	* @uses WC_AJAX::variation_bulk_set()
2519	* @uses WC_AJAX::variation_bulk_adjust_price()
2520	* @uses WC_AJAX::variation_bulk_action_variable_sale_price_decrease()
2521	* @uses WC_AJAX::variation_bulk_action_variable_sale_price_increase()
2522	* @uses WC_AJAX::variation_bulk_action_variable_regular_price_decrease()
2523	* @uses WC_AJAX::variation_bulk_action_variable_regular_price_increase()
2524	* @uses WC_AJAX::variation_bulk_action_variable_sale_schedule()
2525	* @uses WC_AJAX::variation_bulk_action_delete_all()
2526	* @uses WC_AJAX::variation_bulk_action_variable_download_expiry()
2527	* @uses WC_AJAX::variation_bulk_action_variable_download_limit()
2528	* @uses WC_AJAX::variation_bulk_action_variable_height()
2529	* @uses WC_AJAX::variation_bulk_action_variable_width()
2530	* @uses WC_AJAX::variation_bulk_action_variable_length()
2531	* @uses WC_AJAX::variation_bulk_action_variable_weight()
2532	* @uses WC_AJAX::variation_bulk_action_variable_stock()
2533	* @uses WC_AJAX::variation_bulk_action_variable_sale_price()
2534	* @uses WC_AJAX::variation_bulk_action_variable_regular_price()
2535	* @uses WC_AJAX::variation_bulk_action_toggle_manage_stock()
2536	* @uses WC_AJAX::variation_bulk_action_toggle_virtual()
2537	* @uses WC_AJAX::variation_bulk_action_toggle_downloadable()
2538	* @uses WC_AJAX::variation_bulk_action_toggle_enabled
2539	*/
2540	public static function bulk_edit_variations() {
2541	ob_start();
2542
2543	check_ajax_referer( 'bulk-edit-variations', 'security' );
2544
2545	// Check permissions again and make sure we have what we need.
2546	if ( ! current_user_can( 'edit_products' ) \|\| empty( $_POST['product_id'] ) \|\| empty( $_POST['bulk_action'] ) ) {
2547	wp_die( -1 );
2548	}
2549
2550	$product_id = absint( $_POST['product_id'] );
2551	$bulk_action = wc_clean( wp_unslash( $_POST['bulk_action'] ) );
2552	$data = ! empty( $_POST['data'] ) ? wc_clean( wp_unslash( $_POST['data'] ) ) : array();
2553	$variations = array();
2554
2555	if ( apply_filters( 'woocommerce_bulk_edit_variations_need_children', true ) ) {
2556	$variations = get_posts(
2557	array(
2558	'post_parent' => $product_id,
2559	'posts_per_page' => -1,
2560	'post_type' => 'product_variation',
2561	'fields' => 'ids',
2562	'post_status' => array( 'publish', 'private' ),
2563	)
2564	);
2565	}
2566
2567	if ( method_exists( __CLASS__, "variation_bulk_action_$bulk_action" ) ) {
2568	call_user_func( array( __CLASS__, "variation_bulk_action_$bulk_action" ), $variations, $data );
2569	} else {
2570	do_action( 'woocommerce_bulk_edit_variations_default', $bulk_action, $data, $product_id, $variations );
2571	}
2572
2573	do_action( 'woocommerce_bulk_edit_variations', $bulk_action, $data, $product_id, $variations );
2574	WC_Product_Variable::sync( $product_id );
2575	wc_delete_product_transients( $product_id );
2576	wp_die();
2577	}
2578
2579	/**
2580	* Handle submissions from assets/js/settings-views-html-settings-tax.js Backbone model.
2581	*/
2582	public static function tax_rates_save_changes() {
2583	// phpcs:disable WordPress.Security.NonceVerification.Missing
2584	if ( ! isset( $_POST['wc_tax_nonce'], $_POST['changes'] ) ) {
2585	wp_send_json_error( 'missing_fields' );
2586	wp_die();
2587	}
2588
2589	$current_class = ! empty( $_POST['current_class'] ) ? wp_unslash( $_POST['current_class'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2590
2591	if ( ! wp_verify_nonce( wp_unslash( $_POST['wc_tax_nonce'] ), 'wc_tax_nonce-class:' . $current_class ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2592	wp_send_json_error( 'bad_nonce' );
2593	wp_die();
2594	}
2595
2596	$current_class = WC_Tax::format_tax_rate_class( $current_class );
2597
2598	// Check User Caps.
2599	if ( ! current_user_can( 'manage_woocommerce' ) ) {
2600	wp_send_json_error( 'missing_capabilities' );
2601	wp_die();
2602	}
2603
2604	$changes = wp_unslash( $_POST['changes'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2605	foreach ( $changes as $tax_rate_id => $data ) {
2606	if ( isset( $data['deleted'] ) ) {
2607	if ( isset( $data['newRow'] ) ) {
2608	// So the user added and deleted a new row.
2609	// That's fine, it's not in the database anyways. NEXT!
2610	continue;
2611	}
2612	WC_Tax::_delete_tax_rate( $tax_rate_id );
2613	}
2614
2615	$tax_rate = array_intersect_key(
2616	$data,
2617	array(
2618	'tax_rate_country' => 1,
2619	'tax_rate_state' => 1,
2620	'tax_rate' => 1,
2621	'tax_rate_name' => 1,
2622	'tax_rate_priority' => 1,
2623	'tax_rate_compound' => 1,
2624	'tax_rate_shipping' => 1,
2625	'tax_rate_order' => 1,
2626	)
2627	);
2628
2629	if ( isset( $tax_rate['tax_rate'] ) ) {
2630	$tax_rate['tax_rate'] = wc_format_decimal( $tax_rate['tax_rate'] );
2631	}
2632
2633	if ( isset( $data['newRow'] ) ) {
2634	$tax_rate['tax_rate_class'] = $current_class;
2635	$tax_rate_id = WC_Tax::_insert_tax_rate( $tax_rate );
2636	} elseif ( ! empty( $tax_rate ) ) {
2637	WC_Tax::_update_tax_rate( $tax_rate_id, $tax_rate );
2638	}
2639
2640	if ( isset( $data['postcode'] ) ) {
2641	$postcode = array_map( 'wc_clean', $data['postcode'] );
2642	$postcode = array_map( 'wc_normalize_postcode', $postcode );
2643	WC_Tax::_update_tax_rate_postcodes( $tax_rate_id, $postcode );
2644	}
2645	if ( isset( $data['city'] ) ) {
2646	WC_Tax::_update_tax_rate_cities( $tax_rate_id, array_map( 'wc_clean', array_map( 'wp_unslash', $data['city'] ) ) );
2647	}
2648	}
2649
2650	WC_Cache_Helper::invalidate_cache_group( 'taxes' );
2651	WC_Cache_Helper::get_transient_version( 'shipping', true );
2652
2653	wp_send_json_success(
2654	array(
2655	'rates' => WC_Tax::get_rates_for_tax_class( $current_class ),
2656	)
2657	);
2658	// phpcs:enable
2659	}
2660
2661	/**
2662	* Handle submissions from assets/js/wc-shipping-zones.js Backbone model.
2663	*/
2664	public static function shipping_zones_save_changes() {
2665	if ( ! isset( $_POST['wc_shipping_zones_nonce'], $_POST['changes'] ) ) {
2666	wp_send_json_error( 'missing_fields' );
2667	wp_die();
2668	}
2669
2670	if ( ! wp_verify_nonce( wp_unslash( $_POST['wc_shipping_zones_nonce'] ), 'wc_shipping_zones_nonce' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2671	wp_send_json_error( 'bad_nonce' );
2672	wp_die();
2673	}
2674
2675	// Check User Caps.
2676	if ( ! current_user_can( 'manage_woocommerce' ) ) {
2677	wp_send_json_error( 'missing_capabilities' );
2678	wp_die();
2679	}
2680
2681	$changes = wp_unslash( $_POST['changes'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2682	foreach ( $changes as $zone_id => $data ) {
2683	if ( isset( $data['deleted'] ) ) {
2684	if ( isset( $data['newRow'] ) ) {
2685	// So the user added and deleted a new row.
2686	// That's fine, it's not in the database anyways. NEXT!
2687	continue;
2688	}
2689	WC_Shipping_Zones::delete_zone( $zone_id );
2690	continue;
2691	}
2692
2693	$zone_data = array_intersect_key(
2694	$data,
2695	array(
2696	'zone_id' => 1,
2697	'zone_order' => 1,
2698	)
2699	);
2700
2701	if ( isset( $zone_data['zone_id'] ) ) {
2702	$zone = new WC_Shipping_Zone( $zone_data['zone_id'] );
2703
2704	if ( isset( $zone_data['zone_order'] ) ) {
2705	$zone->set_zone_order( $zone_data['zone_order'] );
2706	}
2707
2708	$zone->save();
2709	}
2710	}
2711
2712	wp_send_json_success(
2713	array(
2714	'zones' => WC_Shipping_Zones::get_zones( 'json' ),
2715	)
2716	);
2717	}
2718
2719	/**
2720	* Handle submissions from assets/js/wc-shipping-zone-methods.js Backbone model.
2721	*/
2722	public static function shipping_zone_add_method() {
2723	if ( ! isset( $_POST['wc_shipping_zones_nonce'], $_POST['zone_id'], $_POST['method_id'] ) ) {
2724	wp_send_json_error( 'missing_fields' );
2725	wp_die();
2726	}
2727
2728	if ( ! wp_verify_nonce( wp_unslash( $_POST['wc_shipping_zones_nonce'] ), 'wc_shipping_zones_nonce' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2729	wp_send_json_error( 'bad_nonce' );
2730	wp_die();
2731	}
2732
2733	// Check User Caps.
2734	if ( ! current_user_can( 'manage_woocommerce' ) ) {
2735	wp_send_json_error( 'missing_capabilities' );
2736	wp_die();
2737	}
2738
2739	$zone_id = wc_clean( wp_unslash( $_POST['zone_id'] ) );
2740	$zone = new WC_Shipping_Zone( $zone_id );
2741	$instance_id = $zone->add_shipping_method( wc_clean( wp_unslash( $_POST['method_id'] ) ) );
2742
2743	wp_send_json_success(
2744	array(
2745	'instance_id' => $instance_id,
2746	'zone_id' => $zone->get_id(),
2747	'zone_name' => $zone->get_zone_name(),
2748	'methods' => $zone->get_shipping_methods( false, 'json' ),
2749	)
2750	);
2751	}
2752
2753	/**
2754	* Handle submissions from assets/js/wc-shipping-zone-methods.js Backbone model.
2755	*/
2756	public static function shipping_zone_methods_save_changes() {
2757	if ( ! isset( $_POST['wc_shipping_zones_nonce'], $_POST['zone_id'], $_POST['changes'] ) ) {
2758	wp_send_json_error( 'missing_fields' );
2759	wp_die();
2760	}
2761
2762	if ( ! wp_verify_nonce( wp_unslash( $_POST['wc_shipping_zones_nonce'] ), 'wc_shipping_zones_nonce' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2763	wp_send_json_error( 'bad_nonce' );
2764	wp_die();
2765	}
2766
2767	if ( ! current_user_can( 'manage_woocommerce' ) ) {
2768	wp_send_json_error( 'missing_capabilities' );
2769	wp_die();
2770	}
2771
2772	global $wpdb;
2773
2774	$zone_id = wc_clean( wp_unslash( $_POST['zone_id'] ) );
2775	$zone = new WC_Shipping_Zone( $zone_id );
2776	$changes = wp_unslash( $_POST['changes'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2777
2778	if ( isset( $changes['zone_name'] ) ) {
2779	$zone->set_zone_name( wc_clean( $changes['zone_name'] ) );
2780	}
2781
2782	if ( isset( $changes['zone_locations'] ) ) {
2783	$zone->clear_locations( array( 'state', 'country', 'continent' ) );
2784	$locations = array_filter( array_map( 'wc_clean', (array) $changes['zone_locations'] ) );
2785	foreach ( $locations as $location ) {
2786	// Each posted location will be in the format type:code.
2787	$location_parts = explode( ':', $location );
2788	switch ( $location_parts[0] ) {
2789	case 'state':
2790	$zone->add_location( $location_parts[1] . ':' . $location_parts[2], 'state' );
2791	break;
2792	case 'country':
2793	$zone->add_location( $location_parts[1], 'country' );
2794	break;
2795	case 'continent':
2796	$zone->add_location( $location_parts[1], 'continent' );
2797	break;
2798	}
2799	}
2800	}
2801
2802	if ( isset( $changes['zone_postcodes'] ) ) {
2803	$zone->clear_locations( 'postcode' );
2804	$postcodes = array_filter( array_map( 'strtoupper', array_map( 'wc_clean', explode( "\n", $changes['zone_postcodes'] ) ) ) );
2805	foreach ( $postcodes as $postcode ) {
2806	$zone->add_location( $postcode, 'postcode' );
2807	}
2808	}
2809
2810	if ( isset( $changes['methods'] ) ) {
2811	foreach ( $changes['methods'] as $instance_id => $data ) {
2812	$method_id = $wpdb->get_var( $wpdb->prepare( "SELECT method_id FROM {$wpdb->prefix}woocommerce_shipping_zone_methods WHERE instance_id = %d", $instance_id ) );
2813
2814	if ( isset( $data['deleted'] ) ) {
2815	$shipping_method = WC_Shipping_Zones::get_shipping_method( $instance_id );
2816	$option_key = $shipping_method->get_instance_option_key();
2817	if ( $wpdb->delete( "{$wpdb->prefix}woocommerce_shipping_zone_methods", array( 'instance_id' => $instance_id ) ) ) {
2818	delete_option( $option_key );
2819	do_action( 'woocommerce_shipping_zone_method_deleted', $instance_id, $method_id, $zone_id );
2820	}
2821	continue;
2822	}
2823
2824	$method_data = array_intersect_key(
2825	$data,
2826	array(
2827	'method_order' => 1,
2828	'enabled' => 1,
2829	)
2830	);
2831
2832	if ( isset( $method_data['method_order'] ) ) {
2833	$wpdb->update( "{$wpdb->prefix}woocommerce_shipping_zone_methods", array( 'method_order' => absint( $method_data['method_order'] ) ), array( 'instance_id' => absint( $instance_id ) ) );
2834	}
2835
2836	if ( isset( $method_data['enabled'] ) ) {
2837	$is_enabled = absint( 'yes' === $method_data['enabled'] );
2838	if ( $wpdb->update( "{$wpdb->prefix}woocommerce_shipping_zone_methods", array( 'is_enabled' => $is_enabled ), array( 'instance_id' => absint( $instance_id ) ) ) ) {
2839	do_action( 'woocommerce_shipping_zone_method_status_toggled', $instance_id, $method_id, $zone_id, $is_enabled );
2840	}
2841	}
2842	}
2843	}
2844
2845	$zone->save();
2846
2847	wp_send_json_success(
2848	array(
2849	'zone_id' => $zone->get_id(),
2850	'zone_name' => $zone->get_zone_name(),
2851	'methods' => $zone->get_shipping_methods( false, 'json' ),
2852	)
2853	);
2854	}
2855
2856	/**
2857	* Save method settings
2858	*/
2859	public static function shipping_zone_methods_save_settings() {
2860	if ( ! isset( $_POST['wc_shipping_zones_nonce'], $_POST['instance_id'], $_POST['data'] ) ) {
2861	wp_send_json_error( 'missing_fields' );
2862	wp_die();
2863	}
2864
2865	if ( ! wp_verify_nonce( wp_unslash( $_POST['wc_shipping_zones_nonce'] ), 'wc_shipping_zones_nonce' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2866	wp_send_json_error( 'bad_nonce' );
2867	wp_die();
2868	}
2869
2870	if ( ! current_user_can( 'manage_woocommerce' ) ) {
2871	wp_send_json_error( 'missing_capabilities' );
2872	wp_die();
2873	}
2874
2875	$instance_id = absint( $_POST['instance_id'] );
2876	$zone = WC_Shipping_Zones::get_zone_by( 'instance_id', $instance_id );
2877	$shipping_method = WC_Shipping_Zones::get_shipping_method( $instance_id );
2878	$shipping_method->set_post_data( wp_unslash( $_POST['data'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2879	$shipping_method->process_admin_options();
2880
2881	WC_Cache_Helper::get_transient_version( 'shipping', true );
2882
2883	wp_send_json_success(
2884	array(
2885	'zone_id' => $zone->get_id(),
2886	'zone_name' => $zone->get_zone_name(),
2887	'methods' => $zone->get_shipping_methods( false, 'json' ),
2888	'errors' => $shipping_method->get_errors(),
2889	)
2890	);
2891	}
2892
2893	/**
2894	* Handle submissions from assets/js/wc-shipping-classes.js Backbone model.
2895	*/
2896	public static function shipping_classes_save_changes() {
2897	if ( ! isset( $_POST['wc_shipping_classes_nonce'], $_POST['changes'] ) ) {
2898	wp_send_json_error( 'missing_fields' );
2899	wp_die();
2900	}
2901
2902	if ( ! wp_verify_nonce( wp_unslash( $_POST['wc_shipping_classes_nonce'] ), 'wc_shipping_classes_nonce' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2903	wp_send_json_error( 'bad_nonce' );
2904	wp_die();
2905	}
2906
2907	if ( ! current_user_can( 'manage_woocommerce' ) ) {
2908	wp_send_json_error( 'missing_capabilities' );
2909	wp_die();
2910	}
2911
2912	$changes = wp_unslash( $_POST['changes'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
2913
2914	foreach ( $changes as $term_id => $data ) {
2915	$term_id = absint( $term_id );
2916
2917	if ( isset( $data['deleted'] ) ) {
2918	if ( isset( $data['newRow'] ) ) {
2919	// So the user added and deleted a new row.
2920	// That's fine, it's not in the database anyways. NEXT!
2921	continue;
2922	}
2923	wp_delete_term( $term_id, 'product_shipping_class' );
2924	continue;
2925	}
2926
2927	$update_args = array();
2928
2929	if ( isset( $data['name'] ) ) {
2930	$update_args['name'] = wc_clean( $data['name'] );
2931	}
2932
2933	if ( isset( $data['slug'] ) ) {
2934	$update_args['slug'] = wc_clean( $data['slug'] );
2935	}
2936
2937	if ( isset( $data['description'] ) ) {
2938	$update_args['description'] = wc_clean( $data['description'] );
2939	}
2940
2941	if ( isset( $data['newRow'] ) ) {
2942	$update_args = array_filter( $update_args );
2943	if ( empty( $update_args['name'] ) ) {
2944	continue;
2945	}
2946	$inserted_term = wp_insert_term( $update_args['name'], 'product_shipping_class', $update_args );
2947	$term_id = is_wp_error( $inserted_term ) ? 0 : $inserted_term['term_id'];
2948	} else {
2949	wp_update_term( $term_id, 'product_shipping_class', $update_args );
2950	}
2951
2952	do_action( 'woocommerce_shipping_classes_save_class', $term_id, $data );
2953	}
2954
2955	$wc_shipping = WC_Shipping::instance();
2956
2957	wp_send_json_success(
2958	array(
2959	'shipping_classes' => $wc_shipping->get_shipping_classes(),
2960	)
2961	);
2962	}
2963
2964	/**
2965	* Toggle payment gateway on or off via AJAX.
2966	*
2967	* @since 3.4.0
2968	*/
2969	public static function toggle_gateway_enabled() {
2970	if ( current_user_can( 'manage_woocommerce' ) && check_ajax_referer( 'woocommerce-toggle-payment-gateway-enabled', 'security' ) && isset( $_POST['gateway_id'] ) ) {
2971	// Load gateways.
2972	$payment_gateways = WC()->payment_gateways->payment_gateways();
2973
2974	// Get posted gateway.
2975	$gateway_id = wc_clean( wp_unslash( $_POST['gateway_id'] ) );
2976
2977	foreach ( $payment_gateways as $gateway ) {
2978	if ( ! in_array( $gateway_id, array( $gateway->id, sanitize_title( get_class( $gateway ) ) ), true ) ) {
2979	continue;
2980	}
2981	$enabled = $gateway->get_option( 'enabled', 'no' );
2982
2983	if ( ! wc_string_to_bool( $enabled ) ) {
2984	if ( $gateway->needs_setup() ) {
2985	wp_send_json_error( 'needs_setup' );
2986	wp_die();
2987	} else {
2988	$gateway->update_option( 'enabled', 'yes' );
2989	}
2990	} else {
2991	// Disable the gateway.
2992	$gateway->update_option( 'enabled', 'no' );
2993	}
2994
2995	wp_send_json_success( ! wc_string_to_bool( $enabled ) );
2996	wp_die();
2997	}
2998	}
2999
3000	wp_send_json_error( 'invalid_gateway_id' );
3001	wp_die();
3002	}
3003	}
3004
3005	WC_AJAX::init();
3006