Sync 38702 (#38704)

Squashed commit of the following:

commit 8ccd8e26127594e859b37ead9fd150f05d36d9f5
Author: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date:   Mon Jun 5 19:37:57 2023 -0700

    Do not output payment gateway nonce to unqualified users.

commit 882946bb18dee5eb7ffea48ddfbd4c14a5092c94
Author: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date:   Wed Jun 7 14:24:58 2023 -0700

    Instead of looking for `?wc-ajax`, specifically exempt `admin-ajax.php`.

    This mimics the existing approach used for `admin-post.php` requests, and is stricter by default.

commit 99cffd7cde1aa87176254845c732c91a446232f7
Author: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date:   Tue Jun 6 12:40:21 2023 -0700

    Nonce verification not needed when evaluating ajax properties.

commit 99157d2a18ea78c68c265609dfdd1bddadeee7b2
Author: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date:   Tue Jun 6 12:38:53 2023 -0700

    Document `woocommerce_disable_admin_bar` hook.

commit badcf8f50099dd38fa855d2aa71c8507d3f2a252
Author: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date:   Mon Jun 5 18:49:25 2023 -0700

    Describe expectations around customer access to the dashboard.

commit 127053e1c27e7da5515c6638859fa09384241624
Author: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date:   Mon Jun 5 13:30:03 2023 -0700

    'wc-ajax' requests should be filtered out of admin access logic.

commit 2e8182761e050cc4371181eaa197b6d4b2867f89
Author: Vedanshu Jain <vedanshu.jain.2012@gmail.com>
Date:   Fri May 12 15:15:57 2023 +0530

    Clean up individual escape to also do it again when it is used.
This commit is contained in:
jonathansadowski 2023-06-16 23:04:45 +07:00 committed by GitHub
parent 9a6d9533c9
commit 178e731b9d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 56 additions and 10 deletions


@ -224,7 +224,7 @@ if ( ! class_exists( 'WC_Admin_Assets', false ) ) :
'export_products' => __( 'Export', 'woocommerce' ),
),
'nonces' => array(
'gateway_toggle' => wp_create_nonce( 'woocommerce-toggle-payment-gateway-enabled' ),
'gateway_toggle' => current_user_can( 'manage_woocommerce' ) ? wp_create_nonce( 'woocommerce-toggle-payment-gateway-enabled' ) : null,
),
'urls' => array(
'add_product' => Features::is_enabled( 'new-product-management-experience' ) || \Automattic\WooCommerce\Utilities\FeaturesUtil::feature_is_enabled( 'product_block_editor' ) ? esc_url_raw( admin_url( 'admin.php?page=wc-admin&path=/add-product' ) ) : null,
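Review bot: The `'gateway_toggle'` entry is now `null` for users without `manage_woocommerce`, so any script that reads `woocommerce_admin.nonces.gateway_toggle` and posts the toggle request will send a null nonce; the consuming script should treat a missing nonce as "control unavailable" (hide or disable the toggle) rather than firing a request that then fails the nonce check. Withholding the nonce is a UI gate, not authorization: the AJAX handler that consumes it is outside this diff and still has to verify both the nonce and `manage_woocommerce` server-side, which is worth confirming while this is being touched. The enclosing params array starts and ends outside the hunk.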


@ -150,7 +150,19 @@ class WC_Admin {
public function prevent_admin_access() {
$prevent_access = false;
if ( apply_filters( 'woocommerce_disable_admin_bar', true ) && ! wp_doing_ajax() && isset( $_SERVER['SCRIPT_FILENAME'] ) && basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ) !== 'admin-post.php' ) {
// Do not interfere with admin-post or admin-ajax requests.
$exempted_paths = array( 'admin-post.php', 'admin-ajax.php' );
if (
/**
* This filter is documented in ../wc-user-functions.php
*
* @since 3.6.0
*/
apply_filters( 'woocommerce_disable_admin_bar', true )
&& isset( $_SERVER['SCRIPT_FILENAME'] )
&& ! in_array( basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ), $exempted_paths, true )
) {
$has_cap = false;
$access_caps = array( 'edit_posts', 'manage_woocommerce', 'view_admin_dashboard' );
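Review bot: When `$_SERVER['SCRIPT_FILENAME']` is not set, the `isset` term in the rewritten condition makes the whole guard false and the capability check that follows is skipped, so an absent script name fails open; this predates the commit, but the rewrite is the natural place to fail closed instead. Resolve the name once and treat an unknown script as non-exempt: `$script_name = isset( $_SERVER['SCRIPT_FILENAME'] ) ? basename( sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) ) ) : '';` and then `&& ! in_array( $script_name, $exempted_paths, true )` in place of the two `$_SERVER` terms, assuming the remainder of the function redirects on a missing capability. Dropping `wp_doing_ajax()` also means a request that defines `DOING_AJAX` but is served by a script other than `admin-ajax.php` is no longer exempt; that matches the stricter intent in the commit message, but the comment above `$exempted_paths` should say so, e.g. `// Only admin-post.php and admin-ajax.php are exempt; DOING_AJAX alone no longer bypasses this check.` `prevent_admin_access()` continues past the end of the hunk.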


@ -22,6 +22,13 @@ defined( 'ABSPATH' ) || exit;
* @return bool
*/
function wc_disable_admin_bar( $show_admin_bar ) {
/**
* Controls whether the WooCommerce admin bar should be disabled.
*
* @since 3.0.0
*
* @param bool $enabled
*/
if ( apply_filters( 'woocommerce_disable_admin_bar', true ) && ! ( current_user_can( 'edit_posts' ) || current_user_can( 'manage_woocommerce' ) ) ) {
$show_admin_bar = false;
}
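Review bot: The new docblock names the filter value `$enabled`, but with a default of `true` the value means "hide the admin bar", so the name reads as the opposite of what it does; `@param bool $disable Whether to hide the WordPress admin bar for users lacking edit_posts or manage_woocommerce. Default true.` states it unambiguously. The description line "Controls whether the WooCommerce admin bar should be disabled" is also misleading, since what is hidden is the WordPress admin bar, and the `WC_Admin` hunk in this same commit applies the same filter value to gate wp-admin access in `prevent_admin_access()`, which the description should mention because that docblock defers to this one as the canonical documentation.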


@ -32,8 +32,9 @@ class OrdersTableSearchQuery {
* @param OrdersTableQuery $query The order query object.
*/
public function __construct( OrdersTableQuery $query ) {
$this->query = $query;
$this->search_term = "'" . esc_sql( '%' . urldecode( $query->get( 's' ) ) . '%' ) . "'";
global $wpdb;
$this->query = $query;
$this->search_term = esc_sql( '%' . $wpdb->esc_like( urldecode( $query->get( 's' ) ) ) . '%' );
}
/**
@ -78,6 +79,7 @@ class OrdersTableSearchQuery {
* @return string
*/
private function generate_where(): string {
global $wpdb;
$where = '';
$possible_order_id = (string) absint( $this->query->get( 's' ) );
$order_table = $this->query->get_table_name( 'orders' );
@ -89,10 +91,13 @@ class OrdersTableSearchQuery {
$meta_sub_query = $this->generate_where_for_meta_table();
$where .= "
search_query_items.order_item_name LIKE $this->search_term
$where .= $wpdb->prepare(
"
search_query_items.order_item_name LIKE %s
OR `$order_table`.id IN ( $meta_sub_query )
";
",
$this->search_term
);
return " ( $where ) ";
}
@ -107,15 +112,19 @@ class OrdersTableSearchQuery {
* @return string The where clause for meta table.
*/
private function generate_where_for_meta_table(): string {
global $wpdb;
$meta_table = $this->query->get_table_name( 'meta' );
$meta_fields = $this->get_meta_fields_to_be_searched();
return "
return $wpdb->prepare(
"
SELECT search_query_meta.order_id
FROM $meta_table as search_query_meta
WHERE search_query_meta.meta_key IN ( $meta_fields )
AND search_query_meta.meta_value LIKE $this->search_term
AND search_query_meta.meta_value LIKE %s
GROUP BY search_query_meta.order_id
";
",
$this->search_term
);
}
/**
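Review bot: `$this->search_term` is escaped twice on its way into SQL: the constructor now wraps the `esc_like()` result in `esc_sql()`, and `generate_where()` and `generate_where_for_meta_table()` then pass it as a `%s` argument to `$wpdb->prepare()`, which escapes it again. The extra layer turns the backslash that `esc_like()` places before a literal `%` or `_` into an escaped backslash, so a search for `100%` reaches MySQL as the pattern `\\%` (a literal backslash followed by a wildcard) and no longer matches a literal percent sign, which defeats the very escaping this commit introduces. Since `prepare()` is the single escaping step, the constructor line should be `$this->search_term = '%' . $wpdb->esc_like( urldecode( $query->get( 's' ) ) ) . '%';` with no `esc_sql()`; the two `prepare()` call sites then need no change. The `urldecode()` on an already-decoded query value is pre-existing and separately worth a look, as `+` and `%25` in a term are decoded a second time.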


@ -0,0 +1,18 @@
const { test, expect } = require( '@playwright/test' );
test.describe( 'Customer-role users are blocked from accessing the WP Dashboard.', () => {
test.use( { storageState: process.env.CUSTOMERSTATE } );
const dashboardScreens = {
'WP Admin home': 'wp-admin',
'WP Admin profile page': 'wp-admin/profile.php',
'WP Admin using ajax query param': 'wp-admin?wc-ajax=1',
};
for ( const [ description, path ] of Object.entries( dashboardScreens ) ) {
test( `Customer is redirected from ${description} back to the My Account page.`, async ( { page } ) => {
await page.goto( path );
expect( page.url() ).toContain( '/my-account/' );
} );
}
} );
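Review bot: The suite only checks the three screens that must redirect; nothing exercises the exemption the `WC_Admin` hunk keeps, that a customer-role request to `admin-ajax.php` is not sent to My Account, which is the behaviour most at risk now that `wp_doing_ajax()` has been replaced by a script-name list. A fourth case that does `await page.goto( 'wp-admin/admin-ajax.php' )` and then `expect( page.url() ).not.toContain( '/my-account/' )` would pin that; whether the redirect hook fires for that script is outside this diff, so verify against the hook registration before adding it. Consider also `await expect( page ).toHaveURL( /\/my-account\// )` in place of `expect( page.url() ).toContain( '/my-account/' )`, so the assertion retries until the redirect has landed instead of reading the URL once.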