Sync 38702 (#38704)

Squashed commit of the following: commit 8ccd8e26127594e859b37ead9fd150f05d36d9f5 Author: barryhughes <3594411+barryhughes@users.noreply.github.com> Date: Mon Jun 5 19:37:57 2023 -0700 Do not output payment gateway nonce to unqualified users. commit 882946bb18dee5eb7ffea48ddfbd4c14a5092c94 Author: barryhughes <3594411+barryhughes@users.noreply.github.com> Date: Wed Jun 7 14:24:58 2023 -0700 Instead of looking for `?wc-ajax`, specifically exempt `admin-ajax.php`. This mimics the existing approach used for `admin-post.php` requests, and is stricter by default. commit 99cffd7cde1aa87176254845c732c91a446232f7 Author: barryhughes <3594411+barryhughes@users.noreply.github.com> Date: Tue Jun 6 12:40:21 2023 -0700 Nonce verification not needed when evaluating ajax properties. commit 99157d2a18ea78c68c265609dfdd1bddadeee7b2 Author: barryhughes <3594411+barryhughes@users.noreply.github.com> Date: Tue Jun 6 12:38:53 2023 -0700 Document `woocommerce_disable_admin_bar` hook. commit badcf8f50099dd38fa855d2aa71c8507d3f2a252 Author: barryhughes <3594411+barryhughes@users.noreply.github.com> Date: Mon Jun 5 18:49:25 2023 -0700 Describe expectations around customer access to the dashboard. commit 127053e1c27e7da5515c6638859fa09384241624 Author: barryhughes <3594411+barryhughes@users.noreply.github.com> Date: Mon Jun 5 13:30:03 2023 -0700 'wc-ajax' requests should be filtered out of admin access logic. commit 2e8182761e050cc4371181eaa197b6d4b2867f89 Author: Vedanshu Jain <vedanshu.jain.2012@gmail.com> Date: Fri May 12 15:15:57 2023 +0530 Clean up individual escape to also do it again when it is used.
2023-06-16 23:04:45 +07:00 · 2023-06-16 23:04:45 +07:00 · 178e731b9d
parent 9a6d9533c9
commit 178e731b9d
5 changed files with 56 additions and 10 deletions
--- a/plugins/woocommerce/includes/admin/class-wc-admin-assets.php
+++ b/plugins/woocommerce/includes/admin/class-wc-admin-assets.php
@ -224,7 +224,7 @@ if ( ! class_exists( 'WC_Admin_Assets', false ) ) :
 						'export_products' => __( 'Export', 'woocommerce' ),
 					),
 					'nonces'                            => array(
-						'gateway_toggle' => wp_create_nonce( 'woocommerce-toggle-payment-gateway-enabled' ),
+						'gateway_toggle' => current_user_can( 'manage_woocommerce' ) ? wp_create_nonce( 'woocommerce-toggle-payment-gateway-enabled' ) : null,
 					),
 					'urls'                              => array(
 						'add_product'     => Features::is_enabled( 'new-product-management-experience' ) || \Automattic\WooCommerce\Utilities\FeaturesUtil::feature_is_enabled( 'product_block_editor' ) ? esc_url_raw( admin_url( 'admin.php?page=wc-admin&path=/add-product' ) ) : null,
--- a/plugins/woocommerce/includes/admin/class-wc-admin.php
+++ b/plugins/woocommerce/includes/admin/class-wc-admin.php
@ -150,7 +150,19 @@ class WC_Admin {
 	public function prevent_admin_access() {
 		$prevent_access = false;

-		if ( apply_filters( 'woocommerce_disable_admin_bar', true ) && ! wp_doing_ajax() && isset( $_SERVER['SCRIPT_FILENAME'] ) && basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ) !== 'admin-post.php' ) {
+		// Do not interfere with admin-post or admin-ajax requests.
+		$exempted_paths = array( 'admin-post.php', 'admin-ajax.php' );
+
+		if (
+			/**
+			 * This filter is documented in ../wc-user-functions.php
+			 *
+			 * @since 3.6.0
+			 */
+			apply_filters( 'woocommerce_disable_admin_bar', true )
+			&& isset( $_SERVER['SCRIPT_FILENAME'] )
+			&& ! in_array( basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ), $exempted_paths, true )
+		) {
 			$has_cap     = false;
 			$access_caps = array( 'edit_posts', 'manage_woocommerce', 'view_admin_dashboard' );

--- a/plugins/woocommerce/includes/wc-user-functions.php
+++ b/plugins/woocommerce/includes/wc-user-functions.php
@ -22,6 +22,13 @@ defined( 'ABSPATH' ) || exit;
 * @return bool
 */
 function wc_disable_admin_bar( $show_admin_bar ) {
+	/**
+	 * Controls whether the WooCommerce admin bar should be disabled.
+	 *
+	 * @since 3.0.0
+	 *
+	 * @param bool $enabled
+	 */
 	if ( apply_filters( 'woocommerce_disable_admin_bar', true ) && ! ( current_user_can( 'edit_posts' ) || current_user_can( 'manage_woocommerce' ) ) ) {
 		$show_admin_bar = false;
 	}
--- a/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableSearchQuery.php
+++ b/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableSearchQuery.php
@ -32,8 +32,9 @@ class OrdersTableSearchQuery {
 	 * @param OrdersTableQuery $query The order query object.
 	 */
 	public function __construct( OrdersTableQuery $query ) {
-		$this->query       = $query;
-		$this->search_term = "'" . esc_sql( '%' . urldecode( $query->get( 's' ) ) . '%' ) . "'";
+		global $wpdb;
+		$this->query         = $query;
+		$this->search_term   = esc_sql( '%' . $wpdb->esc_like( urldecode( $query->get( 's' ) ) ) . '%' );
 	}

 	/**
@ -78,6 +79,7 @@ class OrdersTableSearchQuery {
 	 * @return string
 	 */
 	private function generate_where(): string {
+		global $wpdb;
 		$where             = '';
 		$possible_order_id = (string) absint( $this->query->get( 's' ) );
 		$order_table       = $this->query->get_table_name( 'orders' );
@ -89,10 +91,13 @@ class OrdersTableSearchQuery {

 		$meta_sub_query = $this->generate_where_for_meta_table();

-		$where .= "
-			search_query_items.order_item_name LIKE $this->search_term
+		$where .= $wpdb->prepare(
+			"
+			search_query_items.order_item_name LIKE %s
 			OR `$order_table`.id IN ( $meta_sub_query )
-		";
+			",
+			$this->search_term
+		);

 		return " ( $where ) ";
 	}
@ -107,15 +112,19 @@ class OrdersTableSearchQuery {
 	 * @return string The where clause for meta table.
 	 */
 	private function generate_where_for_meta_table(): string {
+		global $wpdb;
 		$meta_table  = $this->query->get_table_name( 'meta' );
 		$meta_fields = $this->get_meta_fields_to_be_searched();
-		return "
+		return $wpdb->prepare(
+			"
 SELECT search_query_meta.order_id
 FROM $meta_table as search_query_meta
 WHERE search_query_meta.meta_key IN ( $meta_fields )
-AND search_query_meta.meta_value LIKE $this->search_term
+AND search_query_meta.meta_value LIKE %s
 GROUP BY search_query_meta.order_id
-";
+",
+			$this->search_term
+		);
 	}

 	/**
--- a/plugins/woocommerce/tests/e2e-pw/tests/shopper/dashboard-access.spec.js
+++ b/plugins/woocommerce/tests/e2e-pw/tests/shopper/dashboard-access.spec.js
@ -0,0 +1,18 @@
+const { test, expect } = require( '@playwright/test' );
+
+test.describe( 'Customer-role users are blocked from accessing the WP Dashboard.', () => {
+	test.use( { storageState: process.env.CUSTOMERSTATE } );
+
+	const dashboardScreens = {
+		'WP Admin home': 'wp-admin',
+		'WP Admin profile page': 'wp-admin/profile.php',
+		'WP Admin using ajax query param': 'wp-admin?wc-ajax=1',
+	};
+
+	for ( const [ description, path ] of Object.entries( dashboardScreens ) ) {
+		test( `Customer is redirected from ${description} back to the My Account page.`, async ( { page } ) => {
+			await page.goto( path );
+			expect( page.url() ).toContain( '/my-account/' );
+		} );
+	}
+} );