Merge pull request #3741 from ragulka/security-improvements

Frontend security improvements
Mike Jolley 2013-09-13 03:33:09 -07:00
commit 9e30ebbaa9
7 changed files with 83 additions and 8 deletions


@ -72,7 +72,7 @@ class WC_Download_Handler {
if ( ! is_user_logged_in() ) if ( ! is_user_logged_in() )
wp_die( __( 'You must be logged in to download files.', 'woocommerce' ) . ' <a href="' . wp_login_url( get_permalink( woocommerce_get_page_id( 'myaccount' ) ) ) . '">' . __( 'Login &rarr;', 'woocommerce' ) . '</a>', __( 'Log in to Download Files', 'woocommerce' ) ); wp_die( __( 'You must be logged in to download files.', 'woocommerce' ) . ' <a href="' . wp_login_url( get_permalink( woocommerce_get_page_id( 'myaccount' ) ) ) . '">' . __( 'Login &rarr;', 'woocommerce' ) . '</a>', __( 'Log in to Download Files', 'woocommerce' ) );
elseif ( $user_id != get_current_user_id() ) elseif ( !current_user_can( 'download_file', $download_result ) )
wp_die( __( 'This is not your download link.', 'woocommerce' ) ); wp_die( __( 'This is not your download link.', 'woocommerce' ) );
} }
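Review bot: The new `download_file` branch is only safe because the `is_user_logged_in()` guard on the line above it still runs first: the capability grant in woocommerce_customer_has_capability compares `$user_id == $download->user_id` loosely with no check for a zero id, so an anonymous visitor (id 0) would match a download row whose `user_id` is 0 if the two checks were ever reordered. Worth pinning with a comment on the new line, `// keep after the login check: the cap filter grants on a matching id, including 0`. The filter also dereferences `$download_result->user_id`, so confirm the value passed here is always an object and never the null/false a missed lookup would yield — presumably a `$wpdb` row, but that is not visible from the hunk. The enclosing method starts and ends outside the hunk.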


@ -352,8 +352,9 @@ class WC_Form_Handler {
if ( $order->status != 'completed' ) if ( $order->status != 'completed' )
return; return;
// Make sure the previous order belongs to the current customer // Make sure the user is allowed to order again. By default it check if the
if ( $order->user_id != get_current_user_id() ) // previous order belonged to the current user.
if ( !current_user_can( 'order_again', $order->id ) )
return; return;
// Copy products from the order to the cart // Copy products from the order to the cart
@ -400,7 +401,9 @@ class WC_Form_Handler {
$order = new WC_Order( $order_id ); $order = new WC_Order( $order_id );
if ( $order->id == $order_id && $order->order_key == $order_key && in_array( $order->status, array( 'pending', 'failed' ) ) && wp_verify_nonce( $_GET['_wpnonce'], 'woocommerce-cancel_order' ) ) : $can_cancel = current_user_can( 'cancel_order', $order_id );
if ( $can_cancel && $order->id == $order_id && $order->order_key == $order_key && in_array( $order->status, array( 'pending', 'failed' ) ) && wp_verify_nonce( $_GET['_wpnonce'], 'woocommerce-cancel_order' ) ) :
// Cancel the order + restore stock // Cancel the order + restore stock
$order->cancel_order( __('Order cancelled by customer.', 'woocommerce' ) ); $order->cancel_order( __('Order cancelled by customer.', 'woocommerce' ) );
@ -410,7 +413,7 @@ class WC_Form_Handler {
do_action( 'woocommerce_cancelled_order', $order->id ); do_action( 'woocommerce_cancelled_order', $order->id );
elseif ( $order->status != 'pending' ) : elseif ( $can_cancel && $order->status != 'pending' ) :
wc_add_error( __( 'Your order is no longer pending and could not be cancelled. Please contact us if you need assistance.', 'woocommerce' ) ); wc_add_error( __( 'Your order is no longer pending and could not be cancelled. Please contact us if you need assistance.', 'woocommerce' ) );
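Review bot: When `$can_cancel` is false the cancel request now falls through both branches silently — neither the cancel nor the "no longer pending" notice fires — so a logged-in customer following a cancel link for an order the cap filter does not attribute to them (for example one placed as a guest, whose `user_id` is 0) gets no feedback at all. Consider a closing branch, `else : wc_add_error( __( 'Invalid order.', 'woocommerce' ) );`, so the denial is visible without revealing why. The order_again hunk's new comment also reads `By default it check if the` — `By default this checks whether the`. The enclosing cancel handler starts and ends outside the hunk.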


@ -83,6 +83,11 @@ class WC_Shortcode_Checkout {
$order = new WC_Order( $order_id ); $order = new WC_Order( $order_id );
$valid_order_statuses = apply_filters( 'woocommerce_valid_order_statuses_for_payment', array( 'pending', 'failed' ), $order ); $valid_order_statuses = apply_filters( 'woocommerce_valid_order_statuses_for_payment', array( 'pending', 'failed' ), $order );
if ( !current_user_can( 'pay_for_order', $order_id ) ) {
echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . get_permalink( woocommerce_get_page_id( 'myaccount' ) ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>';
return;
}
if ( $order->id == $order_id && $order->order_key == $order_key ) { if ( $order->id == $order_id && $order->order_key == $order_key ) {
if ( in_array( $order->status, $valid_order_statuses ) ) { if ( in_array( $order->status, $valid_order_statuses ) ) {
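Review bot: The new `pay_for_order` check at the top of the hunk runs before the order-key comparison, and with the ownership grant in woocommerce_customer_has_capability (`$user_id == $order->user_id`) a logged-in customer opening the pay link for an order that has no customer attached (`user_id` 0, e.g. a guest order) is now shown "Invalid order." even with the correct order key, unless some other user_has_cap filter grants the cap. Anonymous visitors still get through only because their id 0 loosely equals the guest order's 0, which is an accident of the comparison rather than a stated rule. If guest orders are meant to stay payable by key, grant the cap explicitly when the order has no user, e.g. in the filter `if ( ! $order->user_id || $user_id == $order->user_id )`, and leave the `order_key` check below as the real authentication for that case. The enclosing output method starts and ends outside the hunk.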


@ -98,7 +98,7 @@ class WC_Shortcode_My_Account {
$user_id = get_current_user_id(); $user_id = get_current_user_id();
$order = new WC_Order( $order_id ); $order = new WC_Order( $order_id );
if ( $order->user_id != $user_id ) { if ( !current_user_can( 'view_order', $order_id ) ) {
echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . get_permalink( woocommerce_get_page_id( 'myaccount' ) ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>'; echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . get_permalink( woocommerce_get_page_id( 'myaccount' ) ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>';
return; return;
} }
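Review bot: `$user_id = get_current_user_id();` at the top of the hunk is no longer read by the replaced condition; if nothing further down the method uses it (the method continues outside the hunk), drop the assignment so the ownership decision lives only in the `view_order` capability check. Note also that `current_user_can( 'view_order', $order_id )` constructs a second `WC_Order( $order_id )` inside the user_has_cap filter right after the one built here — fine for a single page, but a comment such as `// Ownership is decided by woocommerce_customer_has_capability (user_has_cap filter)` would tell readers where the rule lives.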


@ -46,7 +46,7 @@ class WC_Shortcode_View_Order {
return; return;
} }
if ( $order->user_id != $user_id ) { if ( !current_user_can( 'view_order', $order_id ) ) {
echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="'.get_permalink( woocommerce_get_page_id('myaccount') ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>'; echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="'.get_permalink( woocommerce_get_page_id('myaccount') ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>';
return; return;
} }
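Review bot: The "Invalid order." notice with its My Account link is now emitted verbatim in three shortcodes (this one, WC_Shortcode_My_Account and the new `pay_for_order` branch in WC_Shortcode_Checkout), differing only in spacing, and in none of them is the `get_permalink()` value passed through `esc_url()` before going into `href`. A small helper, e.g. `wc_print_invalid_order_notice()`, would keep the denial markup and its escaping in one place. The surrounding method starts and ends outside the hunk, so whether `$user_id` is still used elsewhere in it cannot be told from here.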


@ -258,3 +258,68 @@ function woocommerce_customer_bought_product( $customer_email, $user_id, $produc
) )
); );
} }
/**
* woocommerce_customer_has_capability
*
* Checks if a user has a certain capability
*
* @access public
* @param array $allcaps
* @param array $caps
* @param array $args
* @return bool
*/
function woocommerce_customer_has_capability( $allcaps, $caps, $args ) {
if ( isset( $caps[0] ) ) {
switch ( $caps[0] ) {
case 'view_order':
$user_id = $args[1];
$order = new WC_Order( $args[2] );
if ( $user_id == $order->user_id )
$allcaps['view_order'] = true;
break;
case 'pay_for_order':
$user_id = $args[1];
$order = new WC_Order( $args[2] );
if ( $user_id == $order->user_id )
$allcaps['pay_for_order'] = true;
break;
case 'order_again':
$user_id = $args[1];
$order = new WC_Order( $args[2] );
if ( $user_id == $order->user_id )
$allcaps['order_again'] = true;
break;
case 'cancel_order':
$user_id = $args[1];
$order = new WC_Order( $args[2] );
if ( $user_id == $order->user_id )
$allcaps['cancel_order'] = true;
break;
case 'download_file':
$user_id = $args[1];
$download = $args[2];
if ( $user_id == $download->user_id )
$allcaps['download_file'] = true;
break;
}
}
return $allcaps;
}
add_filter( 'user_has_cap', 'woocommerce_customer_has_capability', 10, 3);
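Review bot: Every case in woocommerce_customer_has_capability grants on `$user_id == $order->user_id` (or `$download->user_id`) with loose equality and no guard against a zero id, so for an order or download row with no customer (`user_id` 0 or empty) an unauthenticated visitor, whose `$args[1]` is 0, is granted view_order, order_again, cancel_order and download_file; the callers in this commit happen to check `is_user_logged_in()` first, but the filter itself should not depend on that. `$args[2]` is also read unconditionally, so `current_user_can( 'view_order' )` from any plugin would raise an undefined-index notice and build `WC_Order( null )`. The four order cases are the same code with a different key, which invites the copy to drift; the rewrite below folds them, refuses id 0 everywhere except `pay_for_order`, where a guest order is granted explicitly (so the caller's `order_key` check stays the gate for that flow), and compares ids strictly after `absint()`.
```php
function woocommerce_customer_has_capability( $allcaps, $caps, $args ) {
	if ( ! isset( $caps[0] ) )
		return $allcaps;

	$cap     = $caps[0];
	$user_id = isset( $args[1] ) ? absint( $args[1] ) : 0;
	$target  = isset( $args[2] ) ? $args[2] : null;

	switch ( $cap ) {
		case 'view_order':
		case 'order_again':
		case 'cancel_order':
			// Never grant on id 0: an anonymous visitor must not match an order with no customer.
			if ( $user_id && $target ) {
				$order = new WC_Order( $target );
				if ( $user_id === absint( $order->user_id ) )
					$allcaps[ $cap ] = true;
			}
			break;
		case 'pay_for_order':
			if ( $target ) {
				$order = new WC_Order( $target );
				// A guest order has no owner; the caller's order_key comparison remains the gate.
				if ( ! absint( $order->user_id ) || $user_id === absint( $order->user_id ) )
					$allcaps[ $cap ] = true;
			}
			break;
		case 'download_file':
			if ( $user_id && is_object( $target ) && $user_id === absint( $target->user_id ) )
				$allcaps[ $cap ] = true;
			break;
	}

	return $allcaps;
}
```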


@ -9,6 +9,8 @@
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
wc_print_messages();
?> ?>
<p class="cart-empty"><?php _e( 'Your cart is currently empty.', 'woocommerce' ) ?></p> <p class="cart-empty"><?php _e( 'Your cart is currently empty.', 'woocommerce' ) ?></p>