Syntax error in "order" type fixed. Related tests updated.

kidunot89 · kidunot89 · commit 74d4612b2b77 · 2020-01-13T20:17:47.000-05:00
diff --git a/includes/model/class-order.php b/includes/model/class-order.php
@@ -267,18 +267,4 @@ protected function init() {
 
 		parent::prepare_fields();
 	}
-
-	/**
-	 * Determines if the data object should be considered private
-	 *
-	 * @access public
-	 * @return bool
-	 */
-	protected function is_private() {
-		if ( current_user_can( $this->post_type_object->cap->edit_others_posts ) ) {
-			return true;
-		}
-
-		return $this->owner_matches_current_user();
-	}
 }
diff --git a/includes/type/object/class-order-type.php b/includes/type/object/class-order-type.php
@@ -366,7 +366,26 @@ public static function register() {
 						throw new UserError( sprintf( __( 'No order exists with the %1$s: %2$s' ), $id_type, $product_id ) );
 					}
 
-					$order = Factory::resolve_crud_object( $order_id, $context );
+					// Check if user authorized to view order.
+					$post_type = get_post_type_object( 'shop_order' );
+					$is_authorized = current_user_can( $post_type->cap->edit_others_posts );
+					if ( get_current_user_id() ) {
+						$orders = wc_get_orders(
+							array(
+								'type'          => 'shop_order',
+								'post__in'      => array( $order_id ),
+								'customer_id'   => get_current_user_id(),
+								'no_rows_found' => true,
+								'return'        => 'ids',
+							)
+						);
+
+						if ( in_array( $order_id, $orders, true ) ) {
+							$is_authorized = true;
+						}
+					}
+
+					$order = $is_authorized ? Factory::resolve_crud_object( $order_id, $context ) : null;
 
 					return $order;
 				},
diff --git a/tests/wpunit/MetaDataQueriesTest.php b/tests/wpunit/MetaDataQueriesTest.php
@@ -462,6 +462,9 @@ public function testOrderMetaDataQueries() {
                 }
             }
         ';
+
+        // Must be an "shop_manager" or "admin" to query orders not owned by the user.
+        wp_set_current_user( $this->shop_manager );
         
         /**
          * Assertion One
diff --git a/tests/wpunit/OrderQueriesTest.php b/tests/wpunit/OrderQueriesTest.php
@@ -110,12 +110,12 @@ public function testOrderQuery() {
 		/**
 		 * Assertion One
 		 * 
-		 * tests query as customer
+		 * tests query as customer, should return "null" because the customer isn't authorized.
 		 */
 		wp_set_current_user( $this->customer );
 		$variables = array( 'id' => $id );
 		$actual    = graphql( array( 'query' => $query, 'variables' => $variables ) );
-		$expected  = array( 'data' => array( 'order' => $this->order_helper->print_restricted_query( $this->order ) ) );
+		$expected  = array( 'data' => array( 'order' => null ) );
 
 		// use --debug flag to view.
 		codecept_debug( $actual );
@@ -152,6 +152,9 @@ public function testOrderQueryAndArgs() {
 			}
 		';
 
+		// Must be an "shop_manager" or "admin" to query orders not owned by the user.
+		wp_set_current_user( $this->shop_manager );
+
 		/**
 		 * Assertion One
 		 * 

Original file line number	Diff line number	Diff line change
`@@ -462,6 +462,9 @@ public function testOrderMetaDataQueries() {`
`462`	`462`	`}`
`463`	`463`	`}`
`464`	`464`	`';`
	`465`	`+`
	`466`	`+ // Must be an "shop_manager" or "admin" to query orders not owned by the user.`
	`467`	`+ wp_set_current_user( $this->shop_manager );`
`465`	`468`
`466`	`469`	`/**`
`467`	`470`	`* Assertion One`