Is there any way to protect the WooCommerce Returns & Warranty Requests plugin's request/status page (the slug of the page I created is "returns") from users to whom the order number or warranty request number doesn't belong?
In default mode the page is open to the public; hence, even a visitor who visits this URL .../my-account/returns/?order=35 can see all the warranty request details that the original user requested. Is there any way to protect this page? I want to use code that checks if the user is not logged in, or if the order number or warranty request number doesn't belong to the logged-in user, and in that case doesn't show the /returns/ page.
I was able to use this code in my functions.php to prevent users who are not logged in from seeing the /returns/ page:
function template_redirect_returns()
{
    if( is_page(returns) && !is_user_logged_in() )
    {
        $loginUrl = home_url('/my-account/orders/');
        wp_redirect($loginUrl);
        exit();
    }
}
add_action( 'template_redirect', 'template_redirect_returns' );
But how can I also prevent users from seeing the page if the ?order=35 doesn't belong to them?
I asked the plugin developers and also reported many bugs, but they don't care to fix the issues.
I would appreciate your help! With gratitude.
In your code, is_page(returns) should be replaced by is_page('returns'), as it throws an error.
Try the following (untested):
add_action( 'template_redirect', 'template_redirect_returns' );
function template_redirect_returns()
{
    if( is_page('returns') ) {
        if( ! is_user_logged_in() ) {
            wp_redirect( home_url('/my-account/') ); // instead of '/my-account/orders/'
            exit();
        }
        // For logged in users
        else {
            // Testing if the current user ID matches the order's customer ID.
            // The query parameter is cast to an integer before being used as a post ID.
            if( isset($_GET['order']) ) {
                $order_id    = absint( $_GET['order'] );
                $customer_id = (int) get_post_meta( $order_id, '_customer_user', true );
                if( $customer_id !== get_current_user_id() ){
                    wp_redirect( home_url('/my-account/orders/') );
                    exit();
                }
            }
        }
    }
}
This is a real security bug in this plugin (any visitor can read another customer's request by changing the order number in the URL), and it should be reported to the authors.
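A hardened variant of the same ownership check, added here as an example (it is not the plugin's code and not the answer above). It assumes, as in the question, that the page slug is "returns" and the query parameter is "order"; the plugin's parameter name for a warranty request number does not appear in the thread, so only order IDs are handled. Unlike a direct read of the _customer_user post meta, it resolves the order through wc_get_order(), so it stays correct whatever storage backend WooCommerce uses, rejects IDs that are not orders, and lets shop staff with the manage_woocommerce capability through.

```php
<?php
/**
 * Added hardening example: deny the "returns" page unless ?order= refers to an
 * order owned by the logged-in customer, or the user may manage the shop.
 *
 * Assumptions (not from the plugin): page slug "returns", query parameter
 * "order". Function names starting with returns_ are chosen for this example.
 */
add_action( 'template_redirect', 'returns_page_owner_check' );

function returns_page_owner_check() {
    if ( ! is_page( 'returns' ) ) {
        return;
    }

    // Anonymous visitors are sent to My Account, where WooCommerce shows its login form.
    if ( ! is_user_logged_in() ) {
        wp_safe_redirect( wc_get_page_permalink( 'myaccount' ) );
        exit;
    }

    // Shop managers and administrators may inspect any request.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return;
    }

    // Without an order parameter the plugin renders the customer's own list; let it.
    if ( ! isset( $_GET['order'] ) ) {
        return;
    }

    // Never pass the raw parameter on; cast it to a non-negative integer first.
    $order_id = absint( wp_unslash( $_GET['order'] ) );

    if ( ! returns_order_belongs_to_user( $order_id, get_current_user_id() ) ) {
        wp_safe_redirect( wc_get_account_endpoint_url( 'orders' ) );
        exit;
    }
}

/**
 * True only when $order_id is a real order whose customer ID equals $user_id.
 */
function returns_order_belongs_to_user( $order_id, $user_id ) {
    if ( $order_id <= 0 || $user_id <= 0 ) {
        return false;
    }

    $order = wc_get_order( $order_id );

    // wc_get_order() returns false for unknown IDs and a WC_Order_Refund for
    // refunds; neither is an order a customer may view here.
    if ( ! $order instanceof WC_Order ) {
        return false;
    }

    // Guest orders carry customer ID 0 and therefore never match a logged-in user.
    return (int) $order->get_customer_id() === (int) $user_id;
}
```

Redirecting (rather than returning a 404) matches the behaviour of the answer above; if you prefer not to reveal that an order ID exists at all, replace the final redirect with status_header( 404 ) and exit, since the response is the same for a missing order and for someone else's order either way.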