Merged in feature/MAW-855-import-code-into-aws (pull request #2)
code import from pantheon * code import from pantheon
This commit is contained in:
Tony Volpe
@@ -271,7 +271,7 @@ class WC_Shortcode_Checkout {
|
||||
if ( $order_id > 0 ) {
|
||||
$order = wc_get_order( $order_id );
|
||||
|
||||
if ( ! $order || ! hash_equals( $order->get_order_key(), $order_key ) ) {
|
||||
if ( ( ! $order instanceof WC_Order ) || ! hash_equals( $order->get_order_key(), $order_key ) ) {
|
||||
$order = false;
|
||||
}
|
||||
}
|
||||
@@ -301,6 +301,7 @@ class WC_Shortcode_Checkout {
|
||||
|
||||
// For non-guest orders, require the user to be logged in before showing this page.
|
||||
if ( $order_customer_id && get_current_user_id() !== $order_customer_id ) {
|
||||
wc_get_template( 'checkout/order-received.php', array( 'order' => false ) );
|
||||
wc_print_notice( esc_html__( 'Please log in to your account to view this order.', 'woocommerce' ), 'notice' );
|
||||
woocommerce_login_form( array( 'redirect' => $order->get_checkout_order_received_url() ) );
|
||||
return;
|
||||
@@ -308,6 +309,7 @@ class WC_Shortcode_Checkout {
|
||||
|
||||
// For guest orders, request they verify their email address (unless we can identify them via the active user session).
|
||||
if ( self::guest_should_verify_email( $order, 'order-received' ) ) {
|
||||
wc_get_template( 'checkout/order-received.php', array( 'order' => false ) );
|
||||
wc_get_template(
|
||||
'checkout/form-verify-email.php',
|
||||
array(
|
||||
@@ -385,11 +387,6 @@ class WC_Shortcode_Checkout {
|
||||
return false;
|
||||
}
|
||||
|
||||
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
|
||||
if ( ! empty( $_POST ) && ! wp_verify_nonce( $_POST['check_submission'] ?? '', 'wc_verify_email' ) ) {
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Controls the grace period within which we do not require any sort of email verification step before rendering
|
||||
* the 'order received' or 'order pay' pages.
|
||||
@@ -423,11 +420,12 @@ class WC_Shortcode_Checkout {
|
||||
$session_email = is_array( $customer ) && isset( $customer['email'] ) ? $customer['email'] : '';
|
||||
}
|
||||
|
||||
$session_email_match = $session_email === $order->get_billing_email();
|
||||
$supplied_email_match = isset( $_POST['email'] ) && sanitize_email( wp_unslash( $_POST['email'] ) ?? '' ) === $order->get_billing_email();
|
||||
// Email verification is required if the user cannot be identified, or if they supplied an email address but the nonce check failed.
|
||||
$can_view_orders = current_user_can( 'read_private_shop_orders' );
|
||||
$session_email_match = $session_email === $order->get_billing_email();
|
||||
$supplied_email_match = sanitize_email( wp_unslash( filter_input( INPUT_POST, 'email' ) ) ) === $order->get_billing_email()
|
||||
&& wp_verify_nonce( filter_input( INPUT_POST, 'check_submission' ), 'wc_verify_email' );
|
||||
|
||||
// If we cannot match the order with the current user, the user should verify their email address.
|
||||
$email_verification_required = ! $session_email_match && ! $supplied_email_match && ! $can_view_orders;
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user