diff --git a/plugins/woocommerce/includes/admin/class-wc-admin-assets.php b/plugins/woocommerce/includes/admin/class-wc-admin-assets.php
index 98896edfacd..d8e3661112a 100644
--- a/plugins/woocommerce/includes/admin/class-wc-admin-assets.php
+++ b/plugins/woocommerce/includes/admin/class-wc-admin-assets.php
@@ -224,7 +224,7 @@ if ( ! class_exists( 'WC_Admin_Assets', false ) ) :
 'export_products' => __( 'Export', 'woocommerce' ),
 ),
 'nonces' => array(
- 'gateway_toggle' => wp_create_nonce( 'woocommerce-toggle-payment-gateway-enabled' ),
+ 'gateway_toggle' => current_user_can( 'manage_woocommerce' ) ? wp_create_nonce( 'woocommerce-toggle-payment-gateway-enabled' ) : null,
 ),
 'urls' => array(
 'add_product' => Features::is_enabled( 'new-product-management-experience' ) || \Automattic\WooCommerce\Utilities\FeaturesUtil::feature_is_enabled( 'product_block_editor' ) ? esc_url_raw( admin_url( 'admin.php?page=wc-admin&path=/add-product' ) ) : null,
diff --git a/plugins/woocommerce/includes/admin/class-wc-admin.php b/plugins/woocommerce/includes/admin/class-wc-admin.php
index cec22effdef..d70da06898d 100644
--- a/plugins/woocommerce/includes/admin/class-wc-admin.php
+++ b/plugins/woocommerce/includes/admin/class-wc-admin.php
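Review bot: Gating the nonce on `current_user_can( 'manage_woocommerce' )` hides the toggle from lower-capability users but is not itself an authorization check, because a nonce only ties a request to the current user and the action; the AJAX handler that verifies `woocommerce-toggle-payment-gateway-enabled` is not in this diff, and it must call `current_user_can( 'manage_woocommerce' )` on its own or the capability test here is purely cosmetic. Front-end code that reads `nonces.gateway_toggle` presumably now receives `null` for those users and should guard against posting an empty nonce. I would record the intent inline: `// Nonce is withheld from users without manage_woocommerce; the AJAX handler still enforces the capability server-side.` The localized-params array and the method that builds it start and end outside this hunk.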
@@ -150,7 +150,19 @@ class WC_Admin { public function prevent_admin_access() { $prevent_access = false; - if ( apply_filters( 'woocommerce_disable_admin_bar', true ) && ! wp_doing_ajax() && isset( $_SERVER['SCRIPT_FILENAME'] ) && basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ) !== 'admin-post.php' ) { + // Do not interfere with admin-post or admin-ajax requests. + $exempted_paths = array( 'admin-post.php', 'admin-ajax.php' ); + + if ( + /** + * This filter is documented in ../wc-user-functions.php + * + * @since 3.6.0 + */ + apply_filters( 'woocommerce_disable_admin_bar', true ) + && isset( $_SERVER['SCRIPT_FILENAME'] ) + && ! in_array( basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ), $exempted_paths, true ) + ) { $has_cap = false; $access_caps = array( 'edit_posts', 'manage_woocommerce', 'view_admin_dashboard' ); diff --git a/plugins/woocommerce/includes/wc-user-functions.php b/plugins/woocommerce/includes/wc-user-functions.php index 7b53871b454..3e55a72ecef 100644 --- a/plugins/woocommerce/includes/wc-user-functions.php +++ b/plugins/woocommerce/includes/wc-user-functions.php @@ -22,6 +22,13 @@ defined( 'ABSPATH' ) || exit; * @return bool */ function wc_disable_admin_bar( $show_admin_bar ) { + /** + * Controls whether the WooCommerce admin bar should be disabled. + * + * @since 3.0.0 + * + * @param bool $enabled + */ if ( apply_filters( 'woocommerce_disable_admin_bar', true ) && ! ( current_user_can( 'edit_posts' ) || current_user_can( 'manage_woocommerce' ) ) ) { $show_admin_bar = false; } diff --git a/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableSearchQuery.php b/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableSearchQuery.php index a64cbc7fdaf..1381979108e 100644 --- a/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableSearchQuery.php +++ b/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableSearchQuery.php 
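Review bot: The new guard fails open when `$_SERVER['SCRIPT_FILENAME']` is absent: `isset( $_SERVER['SCRIPT_FILENAME'] )` is ANDed into the condition, so on a server that does not populate it the redirect is skipped entirely and a customer reaches wp-admin, the same shape of hole as the `?wc-ajax=1` bypass this commit closes by dropping `! wp_doing_ajax()`. Treating an unknown script name as non-exempt keeps the default safe: `&& ( ! isset( $_SERVER['SCRIPT_FILENAME'] ) || ! in_array( basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ), $exempted_paths, true ) )`. The switch from `wp_doing_ajax()` to the script name also deserves a why-comment, e.g. `// Match on the executing script, not DOING_AJAX: that constant can be set by a request query arg.` — I infer the query-arg part from the `wp-admin?wc-ajax=1` e2e case in this diff, so please confirm. `prevent_admin_access()` continues past the end of the hunk.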
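Review bot: The new docblock names the filtered value `@param bool $enabled`, but the filter is `woocommerce_disable_admin_bar` and a `true` result is what hides the bar for users lacking `edit_posts`/`manage_woocommerce`, so the name reads as the opposite of what the value does. Suggest `@param bool $disable Whether to hide the admin bar for users without edit_posts or manage_woocommerce. Default true.` The `@since` here says 3.0.0 while the duplicate docblock for the same filter added to class-wc-admin.php in this diff says 3.6.0; one of them is wrong, and since that copy says the filter "is documented in ../wc-user-functions.php", this one should be the authoritative version.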
@@ -32,8 +32,9 @@ class OrdersTableSearchQuery { * @param OrdersTableQuery $query The order query object. */ public function __construct( OrdersTableQuery $query ) { - $this->query = $query; - $this->search_term = "'" . esc_sql( '%' . urldecode( $query->get( 's' ) ) . '%' ) . "'"; + global $wpdb; + $this->query = $query; + $this->search_term = esc_sql( '%' . $wpdb->esc_like( urldecode( $query->get( 's' ) ) ) . '%' ); } /** @@ -78,6 +79,7 @@ class OrdersTableSearchQuery { * @return string */ private function generate_where(): string { + global $wpdb; $where = ''; $possible_order_id = (string) absint( $this->query->get( 's' ) ); $order_table = $this->query->get_table_name( 'orders' ); @@ -89,10 +91,13 @@ class OrdersTableSearchQuery { $meta_sub_query = $this->generate_where_for_meta_table(); - $where .= " - search_query_items.order_item_name LIKE $this->search_term + $where .= $wpdb->prepare( + " + search_query_items.order_item_name LIKE %s OR `$order_table`.id IN ( $meta_sub_query ) - "; + ", + $this->search_term + ); return " ( $where ) "; } @@ -107,15 +112,19 @@ class OrdersTableSearchQuery { * @return string The where clause for meta table. */ private function generate_where_for_meta_table(): string { + global $wpdb; $meta_table = $this->query->get_table_name( 'meta' ); $meta_fields = $this->get_meta_fields_to_be_searched(); - return " + return $wpdb->prepare( + " SELECT search_query_meta.order_id FROM $meta_table as search_query_meta WHERE search_query_meta.meta_key IN ( $meta_fields ) -AND search_query_meta.meta_value LIKE $this->search_term +AND search_query_meta.meta_value LIKE %s GROUP BY search_query_meta.order_id -"; +", + $this->search_term + ); } /** diff --git a/plugins/woocommerce/tests/e2e-pw/tests/shopper/dashboard-access.spec.js b/plugins/woocommerce/tests/e2e-pw/tests/shopper/dashboard-access.spec.js new file mode 100644 index 00000000000..a699e137e35 --- /dev/null +++ b/plugins/woocommerce/tests/e2e-pw/tests/shopper/dashboard-access.spec.js 
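Review bot: `esc_sql()` is applied to the term in the constructor and the same value is then passed as a `%s` argument to `$wpdb->prepare()` in both WHERE builders, which escapes it a second time; a search containing a quote or backslash (`O'Brien`) is compared against the literal text `O\'Brien`, backslash included, and matches nothing. With `prepare()` doing the quoting, the property should hold the plain wildcard pattern: `$this->search_term = '%' . $wpdb->esc_like( urldecode( $query->get( 's' ) ) ) . '%';` — provided `$search_term` is not also interpolated raw somewhere outside these hunks, which I cannot see from here. `urldecode()` on a query var WordPress has already decoded is pre-existing, but note it turns a literal `+` in the term into a space. A short property comment, `// LIKE pattern with user input escaped for wildcards only; quoting is left to $wpdb->prepare().`, would stop the next maintainer re-adding `esc_sql()`.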
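Review bot: `$meta_sub_query` is already the output of one `$wpdb->prepare()` call and is then interpolated into the template of a second `prepare()`, which scans the whole template for format specifiers; the inner result carries the quoted pattern (for a search of `shirt`, `'%shirt%'`), so any term starting with `s`, `d`, `f`, `F`, `i` or a digit like `3d` introduces an extra `%s`/`%d` placeholder in the outer template, and as I recall `prepare()` then reports a placeholder/argument mismatch and returns an empty string, leaving `WHERE ( )`. Keep each prepared fragment self-contained and concatenate the subquery outside the template. The same caveat applies to `$meta_fields` in the meta-table hunk should that key list ever contain a `%`. `generate_where()` begins before this hunk.
```php
			$meta_sub_query = $this->generate_where_for_meta_table();

			$where .= $wpdb->prepare(
				' search_query_items.order_item_name LIKE %s ',
				$this->search_term
			) . " OR `$order_table`.id IN ( $meta_sub_query ) ";
			// … unchanged: return " ( $where ) " …
```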
@@ -0,0 +1,18 @@
+const { test, expect } = require( '@playwright/test' );
+
+test.describe( 'Customer-role users are blocked from accessing the WP Dashboard.', () => {
+ test.use( { storageState: process.env.CUSTOMERSTATE } );
+
+ const dashboardScreens = {
+ 'WP Admin home': 'wp-admin',
+ 'WP Admin profile page': 'wp-admin/profile.php',
+ 'WP Admin using ajax query param': 'wp-admin?wc-ajax=1',
+ };
+
+ for ( const [ description, path ] of Object.entries( dashboardScreens ) ) {
+ test( `Customer is redirected from ${description} back to the My Account page.`, async ( { page } ) => {
+ await page.goto( path );
+ expect( page.url() ).toContain( '/my-account/' );
+ } );
+ }
+} );
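Review bot: The suite only asserts paths that must redirect, so the exemption this commit adds for `admin-ajax.php` in `prevent_admin_access()` has no coverage and a regression that starts redirecting customers' AJAX calls would still pass CI. Add a separate case outside the redirect loop, e.g. `await page.goto( 'wp-admin/admin-ajax.php' );` followed by `expect( page.url() ).toContain( 'admin-ajax.php' );` — this relies on Playwright not throwing on a non-2xx response, which is its default but worth confirming against the project config. The redirect assertions check only `page.url()` after `goto`, which proves the redirect happened; if the requirement is also that no dashboard markup is ever served, an assertion on the response body would be needed. Relative paths such as `wp-admin` depend on a `baseURL` in the Playwright config that is not part of this diff.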