Create a PayForOrder service class to implement authentication checks
#9401
Conversation
|
@hsingyuc What do I need to do on my store (in terms of blocks, pages etc) in order to test this? Is there a reason why we're using content filters vs adding this login form as part of an existing block or (core) shortcode? Thanks for any background info on this. |
Is this what you are thinking of? |
I think that we need to continue supporting guest checkouts, which means that we will continue to show the checkout block for guests. Noting that this PR is just one piece of the pay-for-order flow and won't show the checkout until the other PRs are merged. Specifically this one. I updated the testing instruction. Let me know if it works for you. Thank you! |
If the order being paid for does not belong to a customer, do we need to require login? I think we could account for that in the authentication check.
Okay I think I understand what you're doing now. Using checkout Block instead of the legacy shortcode when handling payments. In this case, do you think we need to move the login to the block rather than replacing blocks via
I think we should either merge to a feature branch to keep this work separate from trunk, or put it behind a feature flag. |
| $order = wc_get_order( $order_id ); | ||
|
|
||
| // Logged out customer does not have permission to pay for this order. | ||
| if ( ! current_user_can( 'pay_for_order', $order_id ) && ! is_user_logged_in() ) { |
There was a problem hiding this comment.
It looks like the current_user_can logic already handles user ID validation, and allows guests to pay for guest orders.
There was a problem hiding this comment.
This check could also move above the wc_get_order to prevent loading an order if its not needed.
|
|
||
| $order_id = ! empty( $wp->query_vars['order-pay'] ) ? $wp->query_vars['order-pay'] : null; | ||
|
|
||
| if ( isset( $_GET['pay_for_order'], $_GET['key'] ) && $order_id ) { // phpcs:ignore WordPress.Security.NonceVerification |
There was a problem hiding this comment.
This is looking to see if pay_for_order is set, but its not validating it against the actual order key.
There was a problem hiding this comment.
Since we already validate the order key in this PR so we don't need to validate it again, right?
There was a problem hiding this comment.
I would prefer we have the same validation logic everywhere (including that check) just in case a future developer assumes this is safe and either reuses it or inserts something that identifies an order. Could turn it into a reusable utility to avoid repetition?
Cool. I don't think we should require login but maybe I miss understood what you mean by
A login block is a good solution long term. For the scope of this project, I prefer to temporarily use the existing login form. We will render the normal checkout block with the order items when login is not required.
Good idea. Updated. |
I was thinking ahead to when we'll support "my account" pages. We won't want to include order listing functionality for guests, but we can retrieve a specific order if the correct keys etc are provided. I wouldn't be too concerned with order listing for this project.
👍🏻 |
|
This PR has been marked as If deemed still relevant, the pr can be kept active by ensuring it's up to date with the main branch and removing the stale label. |
github-actions
bot
added
the
status: stale
hsingyuc
removed
the
status: stale
|
This PR has been marked as If deemed still relevant, the pr can be kept active by ensuring it's up to date with the main branch and removing the stale label. |
github-actions
bot
added
the
status: stale
hsingyuc
removed
the
status: stale
|
This PR has been marked as If deemed still relevant, the pr can be kept active by ensuring it's up to date with the main branch and removing the stale label. |
github-actions
bot
added
the
status: stale
hsingyuc
removed
the
status: stale
2 participants
Create a
PayForOrderservice class to implement authentication checks for the pay-for-order checkout block.Fixes #9400
Screenshots
Testing
is_wc_endpoint_url( 'order-pay' )( Done in this PR )Customer payment pageand copy the URL to incognitoYour cart is currently empty!( Because we don't allow guest to pay for order )Customerto an existing customerYour cart is currently empty!page and refreshAutomated Tests
Changelog