Merge pull request #3741 from ragulka/security-improvements

Frontend security improvements

includes/class-wc-download-handler.php

@@ -72,7 +72,7 @@ class WC_Download_Handler {
 				if ( ! is_user_logged_in() )
 					wp_die( __( 'You must be logged in to download files.', 'woocommerce' ) . ' <a href="' . wp_login_url( get_permalink( woocommerce_get_page_id( 'myaccount' ) ) ) . '">' . __( 'Login &rarr;', 'woocommerce' ) . '</a>', __( 'Log in to Download Files', 'woocommerce' ) );
 
-				elseif ( $user_id != get_current_user_id() )
+				elseif ( !current_user_can( 'download_file', $download_result ) )
 					wp_die( __( 'This is not your download link.', 'woocommerce' ) );
 
 			}

includes/class-wc-form-handler.php

@@ -352,8 +352,9 @@ class WC_Form_Handler {
 		if ( $order->status != 'completed' )
 			return;
 
-		// Make sure the previous order belongs to the current customer
+		// Make sure the user is allowed to order again. By default it check if the 
-		if ( $order->user_id != get_current_user_id() )
+		// previous order belonged to the current user.
+		if ( !current_user_can( 'order_again', $order->id ) )
 			return;
 
 		// Copy products from the order to the cart
@@ -400,7 +401,9 @@ class WC_Form_Handler {
 
 			$order = new WC_Order( $order_id );
 
-			if ( $order->id == $order_id && $order->order_key == $order_key && in_array( $order->status, array( 'pending', 'failed' ) ) && wp_verify_nonce( $_GET['_wpnonce'], 'woocommerce-cancel_order' ) ) :
+			$can_cancel = current_user_can( 'cancel_order', $order_id );
+
+			if ( $can_cancel && $order->id == $order_id && $order->order_key == $order_key && in_array( $order->status, array( 'pending', 'failed' ) ) && wp_verify_nonce( $_GET['_wpnonce'], 'woocommerce-cancel_order' ) ) :
 
 				// Cancel the order + restore stock
 				$order->cancel_order( __('Order cancelled by customer.', 'woocommerce' ) );
@@ -410,7 +413,7 @@ class WC_Form_Handler {
 
 				do_action( 'woocommerce_cancelled_order', $order->id );
 
-			elseif ( $order->status != 'pending' ) :
+			elseif ( $can_cancel && $order->status != 'pending' ) :
 
 				wc_add_error( __( 'Your order is no longer pending and could not be cancelled. Please contact us if you need assistance.', 'woocommerce' ) );
 

includes/shortcodes/class-wc-shortcode-checkout.php

@@ -83,6 +83,11 @@ class WC_Shortcode_Checkout {
 			$order                = new WC_Order( $order_id );
 			$valid_order_statuses = apply_filters( 'woocommerce_valid_order_statuses_for_payment', array( 'pending', 'failed' ), $order );
 
+			if ( !current_user_can( 'pay_for_order', $order_id ) ) {
+				echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . get_permalink( woocommerce_get_page_id( 'myaccount' ) ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>';
+				return;
+			}
+
 			if ( $order->id == $order_id && $order->order_key == $order_key ) {
 
 				if ( in_array( $order->status, $valid_order_statuses ) ) {

includes/shortcodes/class-wc-shortcode-my-account.php

@@ -98,7 +98,7 @@ class WC_Shortcode_My_Account {
 		$user_id      	= get_current_user_id();
 		$order 			= new WC_Order( $order_id );
 
-		if ( $order->user_id != $user_id ) {
+		if ( !current_user_can( 'view_order', $order_id ) ) {
 			echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . get_permalink( woocommerce_get_page_id( 'myaccount' ) ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>';
 			return;
 		}

includes/shortcodes/class-wc-shortcode-view-order.php

@@ -46,7 +46,7 @@ class WC_Shortcode_View_Order {
 			return;
 		}
 
-		if ( $order->user_id != $user_id ) {
+		if ( !current_user_can( 'view_order', $order_id ) ) {
 			echo '<div class="woocommerce-error">' . __( 'Invalid order.', 'woocommerce' ) . ' <a href="'.get_permalink( woocommerce_get_page_id('myaccount') ).'">'. __( 'My Account &rarr;', 'woocommerce' ) .'</a>' . '</div>';
 			return;
 		}

includes/wc-customer-functions.php

@@ -258,3 +258,68 @@ function woocommerce_customer_bought_product( $customer_email, $user_id, $produc
 		)
 	);
 }
+
+/**
+ * woocommerce_customer_has_capability
+ *
+ * Checks if a user has a certain capability 
+ *
+ * @access public
+ * @param array $allcaps
+ * @param array $caps
+ * @param array $args
+ * @return bool
+ */
+function woocommerce_customer_has_capability( $allcaps, $caps, $args ) {
+  if ( isset( $caps[0] ) ) {
+    switch ( $caps[0] ) {
+
+      case 'view_order':
+        $user_id = $args[1];
+        $order = new WC_Order( $args[2] );
+
+        if ( $user_id == $order->user_id )
+          $allcaps['view_order'] = true;
+
+        break;
+
+      case 'pay_for_order':
+        $user_id = $args[1];
+        $order = new WC_Order( $args[2] );
+
+        if ( $user_id == $order->user_id )
+          $allcaps['pay_for_order'] = true;
+
+        break;
+
+      case 'order_again':
+        $user_id = $args[1];
+        $order = new WC_Order( $args[2] );
+
+        if ( $user_id == $order->user_id )
+          $allcaps['order_again'] = true;
+
+        break;
+
+      case 'cancel_order':
+        $user_id = $args[1];
+        $order = new WC_Order( $args[2] );
+
+        if ( $user_id == $order->user_id )
+          $allcaps['cancel_order'] = true;
+
+        break;
+
+      case 'download_file':
+        $user_id = $args[1];
+        $download = $args[2];
+
+        if ( $user_id == $download->user_id )
+          $allcaps['download_file'] = true;
+
+        break;
+    }
+  }
+  return $allcaps;
+}
+add_filter( 'user_has_cap', 'woocommerce_customer_has_capability', 10, 3);

templates/cart/cart-empty.php

@@ -9,6 +9,8 @@
 
 if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 
+wc_print_messages();
+
 ?>
 
 <p class="cart-empty"><?php _e( 'Your cart is currently empty.', 'woocommerce' ) ?></p>