Updated Release Testing Instructions WooCommerce 6.4 (markdown)
parent
dc567523c6
commit
86914ae9ce
|
@ -1 +1,62 @@
|
|||
TBD
|
||||
TBD
|
||||
|
||||
---
|
||||
|
||||
## Approved Product Download Directories [A8C/Woo#281](211-gh-Automattic/woocommerce)
|
||||
|
||||
> 🔒 This is aimed at addressing a security issue, but also involves introducing a new feature. Testing instructions below are lifted from the [final PR](211-gh-Automattic/woocommerce).
|
||||
|
||||
### Background information
|
||||
|
||||
- The concept underpinning this feature is that it should not be possible to add downloadable files to a product unless they are stored in a trusted location (an *'approved download directory').*
|
||||
- By default, the only default trusted location is the `wp-content/uploads/woocommerce_uploads` directory.
|
||||
- This is chiefly aimed at improving security in cases where there are multiple shop managers (or product vendors and product vendor admins):
|
||||
- In those cases, a site admin must take care of adding and approving additional approved directories.
|
||||
- In the case of a multisite network, the responsibility rests with super admins.
|
||||
- Whereas, in very simple situations where the site is operated by a single admin-level user, the feature should, in essence, get out of the way and not be an active concern.
|
||||
|
||||
### What's new
|
||||
|
||||
- This feature adds a new database table `wp_wc_product_download_directories`. This stores URLs indicating approved (or trusted) locations for downloadable files.
|
||||
- It also adds a new settings page found at **WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories** (which is only accessible to admins and is deliberately inaccessible to others, *including shop managers)* allowing:
|
||||
- The entire feature to be turned on or off *("Start|Stop Enforcing Rules"* toggle button).
|
||||
- Adding, deleting and editing rules.
|
||||
- Enabling or disabling individual rules.
|
||||
- Further, it adds controls to the **WooCommerce ▸ Status ▸ Tools** page:
|
||||
- Synchronize approved download directories.
|
||||
- Empty the approved download directories list.
|
||||
- Cancel synchronization of approved directories *(only visible if a sync is in progress, in which case the first two are not visible).*
|
||||
|
||||
### Test scenario <span>#</span>1
|
||||
|
||||
- Start with a brand new WordPress installation. Install and activate WooCommerce.
|
||||
- Give a bit of time for any related scheduled actions to run (wait until there are no more pending `woocommerce_download_dir_sync` actions listed in **Tools ▸ Scheduled Actions**, or manually trigger a few times until there are no pending actions remaining).
|
||||
- Then, visit **WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories**:
|
||||
- You should see two entries, both describing the `wp-content/uploads/woocommerce_uploads` directory.
|
||||
- One will be an `http://` or `https://` URL.
|
||||
- The other will be a `file://` URL (describing the same location, but as a filepath).
|
||||
- Since this was a brand new installation, the feature should already be enabled. You can tell it is enabled if the toggle button near the top of the screen reads `Stop Enforcing Rules`.
|
||||
- Still operating as an admin user:
|
||||
- Create a downloadable product and add a downloadable file with the URL `https://remote.location/test/file.pdf`.
|
||||
- Save the product, it should save successfully.
|
||||
- Return to **WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories** and you should see an enabled rule for `https://remote.location/test/` has been added.
|
||||
- Now create a shop manager-level user and login as that user.
|
||||
- Edit the same downloadable product, or create a new one.
|
||||
- Add a new downloadable file with the URL `https://new.test/ebook.pdf`.
|
||||
- Save the product, you should see an error warning the file was in an unapproved location.
|
||||
- Log back in as site administrator and return to **WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories**, you should see a new rule for `https://new.test/` has been added *but it should not be enabled.* Enable it.
|
||||
- Log back in as shop manager and try adding `https://new.test/ebook.pdf` a second time. Save the product: this time it should work.
|
||||
|
||||
### Test Scenario <span>#</span>2
|
||||
|
||||
- Building on the previous steps, visit the storefront as a logged in customer.
|
||||
- Purchase the downloadable product.
|
||||
- As an admin user or shop manager, complete the order.
|
||||
- As the logged in customer, visit **My Account ▸ Downloads**
|
||||
- Confirm you see the correct downloads (they don't exist, so trying to download them will not work, but they should still be listed).
|
||||
- As an admin user, disable the corresponding rules via the **WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories** screen.
|
||||
- As the customer, confirm those disabled downloads are no longer listed (it will say, _"No downloads available yet.")_
|
||||
- As the admin user, disable the entire feature from **WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories** by clicking the `Stop Enforcing Rules` button.
|
||||
- As the customer, confirm all the expected downloads are once again listed within the **My Account ▸ Downloads** page.
|
||||
|
||||
---
|
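Review bot: Neither test scenario exercises the access restriction stated under "What's new", where the Approved Download Directories settings page is described as "deliberately inaccessible to others, *including shop managers)*"; in Test scenario #1 the shop manager only edits a product and is never asked to try the settings page. Suggest adding a step after "Now create a shop manager-level user and login as that user" in which the tester confirms that this user cannot reach **WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories**. The three **WooCommerce ▸ Status ▸ Tools** controls listed under "What's new" (synchronize, empty, cancel synchronization) have no test step either. The sentence "Since this was a brand new installation, the feature should already be enabled" implies a different starting state on an existing site, which no scenario covers; either add an upgrade scenario or state the expected state there. Smaller points: the two `TBD` placeholders at the top of the page are still present, "By default, the only default trusted location" repeats "default", both links use the same target `211-gh-Automattic/woocommerce`, which does not look like a resolvable URL, and the scenario headings differ in case ("Test scenario #1" and "Test Scenario #2").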