class-wc-shortcode-checkout.php — WooCommerce 9.5.2

woocommerce / includes / shortcodes / class-wc-shortcode-checkout.php

woocommerce / includes / shortcodes Last commit date

class-wc-shortcode-cart.php 2 years ago class-wc-shortcode-checkout.php 2 years ago class-wc-shortcode-my-account.php 1 year ago class-wc-shortcode-order-tracking.php 3 years ago class-wc-shortcode-products.php 1 year ago

class-wc-shortcode-checkout.php

399 lines

1	<?php
2	/**
3	* Checkout Shortcode
4	*
5	* Used on the checkout page, the checkout shortcode displays the checkout process.
6	*
7	* @package WooCommerce\Shortcodes\Checkout
8	* @version 2.0.0
9	*/
10
11	defined( 'ABSPATH' ) \|\| exit;
12
13	use Automattic\WooCommerce\Internal\Utilities\Users;
14
15	/**
16	* Shortcode checkout class.
17	*/
18	class WC_Shortcode_Checkout {
19
20	/**
21	* Get the shortcode content.
22	*
23	* @param array $atts Shortcode attributes.
24	* @return string
25	*/
26	public static function get( $atts ) {
27	return WC_Shortcodes::shortcode_wrapper( array( __CLASS__, 'output' ), $atts );
28	}
29
30	/**
31	* Output the shortcode.
32	*
33	* @param array $atts Shortcode attributes.
34	*/
35	public static function output( $atts ) {
36	global $wp;
37
38	// Check cart class is loaded or abort.
39	if ( is_null( WC()->cart ) ) {
40	return;
41	}
42
43	// Backwards compatibility with old pay and thanks link arguments.
44	if ( isset( $_GET['order'] ) && isset( $_GET['key'] ) ) { // WPCS: input var ok, CSRF ok.
45	wc_deprecated_argument( __CLASS__ . '->' . __FUNCTION__, '2.1', '"order" is no longer used to pass an order ID. Use the order-pay or order-received endpoint instead.' );
46
47	// Get the order to work out what we are showing.
48	$order_id = absint( $_GET['order'] ); // WPCS: input var ok.
49	$order = wc_get_order( $order_id );
50
51	if ( $order && $order->has_status( 'pending' ) ) {
52	$wp->query_vars['order-pay'] = absint( $_GET['order'] ); // WPCS: input var ok.
53	} else {
54	$wp->query_vars['order-received'] = absint( $_GET['order'] ); // WPCS: input var ok.
55	}
56	}
57
58	// Handle checkout actions.
59	if ( ! empty( $wp->query_vars['order-pay'] ) ) {
60
61	self::order_pay( $wp->query_vars['order-pay'] );
62
63	} elseif ( isset( $wp->query_vars['order-received'] ) ) {
64
65	self::order_received( $wp->query_vars['order-received'] );
66
67	} else {
68
69	self::checkout();
70
71	}
72	}
73
74	/**
75	* Show the pay page.
76	*
77	* @throws Exception When validate fails.
78	* @param int $order_id Order ID.
79	*/
80	private static function order_pay( $order_id ) {
81
82	do_action( 'before_woocommerce_pay' );
83
84	$order_id = absint( $order_id );
85
86	// Pay for existing order.
87	if ( isset( $_GET['pay_for_order'], $_GET['key'] ) && $order_id ) { // WPCS: input var ok, CSRF ok.
88	try {
89	$order_key = isset( $_GET['key'] ) ? wc_clean( wp_unslash( $_GET['key'] ) ) : ''; // WPCS: input var ok, CSRF ok.
90	$order = wc_get_order( $order_id );
91
92	// Order or payment link is invalid.
93	if ( ! $order \|\| $order->get_id() !== $order_id \|\| ! hash_equals( $order->get_order_key(), $order_key ) ) {
94	throw new Exception( __( 'Sorry, this order is invalid and cannot be paid for.', 'woocommerce' ) );
95	}
96
97	// Logged out customer does not have permission to pay for this order.
98	if ( ! current_user_can( 'pay_for_order', $order_id ) && ! is_user_logged_in() ) {
99	wc_print_notice( esc_html__( 'Please log in to your account below to continue to the payment form.', 'woocommerce' ), 'notice' );
100	woocommerce_login_form(
101	array(
102	'redirect' => $order->get_checkout_payment_url(),
103	)
104	);
105	return;
106	}
107
108	// Add notice if logged in customer is trying to pay for guest order.
109	if ( ! $order->get_user_id() && is_user_logged_in() ) {
110	// If order has does not have same billing email then current logged in user then show warning.
111	if ( $order->get_billing_email() !== wp_get_current_user()->user_email ) {
112	wc_print_notice( __( 'You are paying for a guest order. Please continue with payment only if you recognize this order.', 'woocommerce' ), 'error' );
113	}
114	}
115
116	// Logged in customer trying to pay for someone else's order.
117	if ( ! current_user_can( 'pay_for_order', $order_id ) ) {
118	throw new Exception( __( 'This order cannot be paid for. Please contact us if you need assistance.', 'woocommerce' ) );
119	}
120
121	// Does not need payment.
122	if ( ! $order->needs_payment() ) {
123	/* translators: %s: order status */
124	throw new Exception( sprintf( __( 'This order’s status is “%s”—it cannot be paid for. Please contact us if you need assistance.', 'woocommerce' ), wc_get_order_status_name( $order->get_status() ) ) );
125	}
126
127	// Ensure order items are still stocked if paying for a failed order. Pending orders do not need this check because stock is held.
128	if ( ! $order->has_status( wc_get_is_pending_statuses() ) ) {
129	$quantities = array();
130
131	foreach ( $order->get_items() as $item_key => $item ) {
132	if ( $item && is_callable( array( $item, 'get_product' ) ) ) {
133	$product = $item->get_product();
134
135	if ( ! $product ) {
136	continue;
137	}
138
139	$quantities[ $product->get_stock_managed_by_id() ] = isset( $quantities[ $product->get_stock_managed_by_id() ] ) ? $quantities[ $product->get_stock_managed_by_id() ] + $item->get_quantity() : $item->get_quantity();
140	}
141	}
142
143	// Stock levels may already have been adjusted for this order (in which case we don't need to worry about checking for low stock).
144	if ( ! $order->get_data_store()->get_stock_reduced( $order->get_id() ) ) {
145	foreach ( $order->get_items() as $item_key => $item ) {
146	if ( $item && is_callable( array( $item, 'get_product' ) ) ) {
147	$product = $item->get_product();
148
149	if ( ! $product ) {
150	continue;
151	}
152
153	if ( ! apply_filters( 'woocommerce_pay_order_product_in_stock', $product->is_in_stock(), $product, $order ) ) {
154	/* translators: %s: product name */
155	throw new Exception( sprintf( __( 'Sorry, "%s" is no longer in stock so this order cannot be paid for. We apologize for any inconvenience caused.', 'woocommerce' ), $product->get_name() ) );
156	}
157
158	// We only need to check products managing stock, with a limited stock qty.
159	if ( ! $product->managing_stock() \|\| $product->backorders_allowed() ) {
160	continue;
161	}
162
163	// Check stock based on all items in the cart and consider any held stock within pending orders.
164	$held_stock = wc_get_held_stock_quantity( $product, $order->get_id() );
165	$required_stock = $quantities[ $product->get_stock_managed_by_id() ];
166
167	if ( ! apply_filters( 'woocommerce_pay_order_product_has_enough_stock', ( $product->get_stock_quantity() >= ( $held_stock + $required_stock ) ), $product, $order ) ) {
168	/* translators: 1: product name 2: quantity in stock */
169	throw new Exception( sprintf( __( 'Sorry, we do not have enough "%1$s" in stock to fulfill your order (%2$s available). We apologize for any inconvenience caused.', 'woocommerce' ), $product->get_name(), wc_format_stock_quantity_for_display( $product->get_stock_quantity() - $held_stock, $product ) ) );
170	}
171	}
172	}
173	}
174	}
175
176	// If we cannot match the order with the current user, ask that they verify their email address.
177	if ( self::guest_should_verify_email( $order, 'order-pay' ) ) {
178	wc_get_template(
179	'checkout/form-verify-email.php',
180	array(
181	'failed_submission' => ! empty( $_POST['email'] ), // phpcs:ignore WordPress.Security.NonceVerification.Missing
182	'verify_url' => $order->get_checkout_payment_url(),
183	)
184	);
185	return;
186	}
187
188	WC()->customer->set_props(
189	array(
190	'billing_country' => $order->get_billing_country() ? $order->get_billing_country() : null,
191	'billing_state' => $order->get_billing_state() ? $order->get_billing_state() : null,
192	'billing_postcode' => $order->get_billing_postcode() ? $order->get_billing_postcode() : null,
193	)
194	);
195	WC()->customer->save();
196
197	$available_gateways = WC()->payment_gateways->get_available_payment_gateways();
198
199	if ( count( $available_gateways ) ) {
200	current( $available_gateways )->set_current();
201	}
202
203	/**
204	* Allows the text of the submit button on the Pay for Order page to be changed.
205	*
206	* @param string $text The text of the button.
207	*
208	* @since 3.0.2
209	*/
210	$order_button_text = apply_filters( 'woocommerce_pay_order_button_text', __( 'Pay for order', 'woocommerce' ) );
211
212	/**
213	* Triggered right before the Pay for Order form, after validation of the order and customer.
214	*
215	* @param WC_Order $order The order that is being paid for.
216	* @param string $order_button_text The text for the submit button.
217	* @param array $available_gateways All available gateways.
218	*
219	* @since 6.6
220	*/
221	do_action( 'before_woocommerce_pay_form', $order, $order_button_text, $available_gateways );
222
223	wc_get_template(
224	'checkout/form-pay.php',
225	array(
226	'order' => $order,
227	'available_gateways' => $available_gateways,
228	'order_button_text' => $order_button_text,
229	)
230	);
231
232	} catch ( Exception $e ) {
233	wc_print_notice( $e->getMessage(), 'error' );
234	}
235	} elseif ( $order_id ) {
236
237	// Pay for order after checkout step.
238	$order_key = isset( $_GET['key'] ) ? wc_clean( wp_unslash( $_GET['key'] ) ) : ''; // WPCS: input var ok, CSRF ok.
239	$order = wc_get_order( $order_id );
240
241	if ( $order && $order->get_id() === $order_id && hash_equals( $order->get_order_key(), $order_key ) ) {
242
243	if ( $order->needs_payment() ) {
244
245	wc_get_template( 'checkout/order-receipt.php', array( 'order' => $order ) );
246
247	} else {
248	/* translators: %s: order status */
249	wc_print_notice( sprintf( __( 'This order’s status is “%s”—it cannot be paid for. Please contact us if you need assistance.', 'woocommerce' ), wc_get_order_status_name( $order->get_status() ) ), 'error' );
250	}
251	} else {
252	wc_print_notice( __( 'Sorry, this order is invalid and cannot be paid for.', 'woocommerce' ), 'error' );
253	}
254	} else {
255	wc_print_notice( __( 'Invalid order.', 'woocommerce' ), 'error' );
256	}
257
258	do_action( 'after_woocommerce_pay' );
259	}
260
261	/**
262	* Show the thanks page.
263	*
264	* @param int $order_id Order ID.
265	*/
266	private static function order_received( $order_id = 0 ) {
267	$order = false;
268
269	// Get the order.
270	$order_id = apply_filters( 'woocommerce_thankyou_order_id', absint( $order_id ) );
271	$order_key = apply_filters( 'woocommerce_thankyou_order_key', empty( $_GET['key'] ) ? '' : wc_clean( wp_unslash( $_GET['key'] ) ) ); // WPCS: input var ok, CSRF ok.
272
273	if ( $order_id > 0 ) {
274	$order = wc_get_order( $order_id );
275
276	if ( ( ! $order instanceof WC_Order ) \|\| ! hash_equals( $order->get_order_key(), $order_key ) ) {
277	$order = false;
278	}
279	}
280
281	// Empty awaiting payment session.
282	unset( WC()->session->order_awaiting_payment );
283
284	// In case order is created from admin, but paid by the actual customer, store the ip address of the payer
285	// when they visit the payment confirmation page.
286	if ( $order && $order->is_created_via( 'admin' ) ) {
287	$order->set_customer_ip_address( WC_Geolocation::get_ip_address() );
288	$order->save();
289	}
290
291	// Empty current cart.
292	wc_empty_cart();
293
294	// If the specified order ID was invalid, we still render the default order received page (which will simply
295	// state that the order was received, but will not output any other details: this makes it harder to probe for
296	// valid order IDs than if we state that the order ID was not recognized).
297	if ( ! $order ) {
298	wc_get_template( 'checkout/thankyou.php', array( 'order' => false ) );
299	return;
300	}
301
302	/**
303	* Indicates if known (non-guest) shoppers need to be logged in before we let
304	* them access the order received page.
305	*
306	* @param bool $verify_known_shoppers If verification is required.
307	*
308	* @since 8.4.0
309	*/
310	$verify_known_shoppers = apply_filters( 'woocommerce_order_received_verify_known_shoppers', true );
311	$order_customer_id = $order->get_customer_id();
312
313	// For non-guest orders, require the user to be logged in before showing this page.
314	if ( $verify_known_shoppers && $order_customer_id && get_current_user_id() !== $order_customer_id ) {
315	wc_get_template( 'checkout/order-received.php', array( 'order' => false ) );
316	wc_print_notice( esc_html__( 'Please log in to your account to view this order.', 'woocommerce' ), 'notice' );
317	woocommerce_login_form( array( 'redirect' => $order->get_checkout_order_received_url() ) );
318	return;
319	}
320
321	// For guest orders, request they verify their email address (unless we can identify them via the active user session).
322	if ( self::guest_should_verify_email( $order, 'order-received' ) ) {
323	wc_get_template( 'checkout/order-received.php', array( 'order' => false ) );
324	wc_get_template(
325	'checkout/form-verify-email.php',
326	array(
327	'failed_submission' => ! empty( $_POST['email'] ), // phpcs:ignore WordPress.Security.NonceVerification.Missing
328	'verify_url' => $order->get_checkout_order_received_url(),
329	)
330	);
331	return;
332	}
333
334	// Otherwise, display the thank you (order received) page.
335	wc_get_template( 'checkout/thankyou.php', array( 'order' => $order ) );
336	}
337
338	/**
339	* Show the checkout.
340	*/
341	private static function checkout() {
342	// Show non-cart errors.
343	do_action( 'woocommerce_before_checkout_form_cart_notices' );
344
345	// Check cart has contents.
346	if ( WC()->cart->is_empty() && ! is_customize_preview() && apply_filters( 'woocommerce_checkout_redirect_empty_cart', true ) ) {
347	return;
348	}
349
350	// Check cart contents for errors.
351	do_action( 'woocommerce_check_cart_items' );
352
353	// Calc totals.
354	WC()->cart->calculate_totals();
355
356	// Get checkout object.
357	$checkout = WC()->checkout();
358
359	if ( empty( $_POST ) && wc_notice_count( 'error' ) > 0 ) { // WPCS: input var ok, CSRF ok.
360
361	wc_get_template( 'checkout/cart-errors.php', array( 'checkout' => $checkout ) );
362	wc_clear_notices();
363
364	} else {
365
366	$non_js_checkout = ! empty( $_POST['woocommerce_checkout_update_totals'] ); // WPCS: input var ok, CSRF ok.
367
368	if ( wc_notice_count( 'error' ) === 0 && $non_js_checkout ) {
369	wc_add_notice( __( 'The order totals have been updated. Please confirm your order by pressing the "Place order" button at the bottom of the page.', 'woocommerce' ) );
370	}
371
372	wc_get_template( 'checkout/form-checkout.php', array( 'checkout' => $checkout ) );
373
374	}
375	}
376
377	/**
378	* Tries to determine if the user's email address should be verified before rendering either the 'order received' or
379	* 'order pay' pages. This should only be applied to guest orders.
380	*
381	* @param WC_Order $order The order for which a need for email verification is being determined.
382	* @param string $context The context in which email verification is being tested.
383	*
384	* @return bool
385	*/
386	private static function guest_should_verify_email( WC_Order $order, string $context ): bool {
387	// If we cannot match the order with the current user, ask that they verify their email address.
388	$nonce_is_valid = wp_verify_nonce( filter_input( INPUT_POST, 'check_submission' ), 'wc_verify_email' );
389	$supplied_email = null;
390	$order_id = $order->get_id();
391
392	if ( $nonce_is_valid ) {
393	$supplied_email = sanitize_email( wp_unslash( filter_input( INPUT_POST, 'email' ) ) );
394	}
395
396	return Users::should_user_verify_order_email( $order_id, $supplied_email, $context );
397	}
398	}
399