diff --git a/src/Hooks/KennitalaField.php b/src/Hooks/KennitalaField.php index 92a2302..cd3f9a0 100644 --- a/src/Hooks/KennitalaField.php +++ b/src/Hooks/KennitalaField.php @@ -124,6 +124,23 @@ public function __construct() { 10, 2 ); + + add_action( + 'edit_form_top', + array( __CLASS__, 'add_nonce_to_order_editor' ), + 10, + 2 + ); + } + + /** + * Add our own nonce field to the post editor + */ + public static function add_nonce_to_order_editor(): void { + wp_nonce_field( + '1984_dk_woo_edit', + '1984_dk_woo_edit_nonce_field' + ); } /** @@ -163,12 +180,25 @@ public static function update_order_meta( int $post_id, WP_Post|WC_Order $wc_order ): void { - // Nonce check is handled by WooCommerce. - // phpcs:ignore WordPress.Security.NonceVerification + if ( ! isset( $_POST['1984_dk_woo_edit_nonce_field'] ) ) { + return; + } + + if ( + ! wp_verify_nonce( + sanitize_text_field( + wp_unslash( + $_POST['1984_dk_woo_edit_nonce_field'] + ) + ), + '1984_dk_woo_edit' + ) + ) { + return; + } + if ( isset( $_POST['_billing_kennitala'] ) ) { $kennitala = sanitize_text_field( - // Nonce check is handled by WooCommerce. - // phpcs:ignore WordPress.Security.NonceVerification wp_unslash( $_POST['_billing_kennitala'] ) ); @@ -402,6 +432,11 @@ public static function render_classic_checkout_field( $kennitala = ''; } + wp_nonce_field( + 'classic_checkout_set_kennitala', + 'classic_checkout_set_kennitala_nonce_field' + ); + woocommerce_form_field( 'billing_kennitala', array( 
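Review bot: The new nonce is only emitted through `edit_form_top`, a classic post-editor hook, so on a site whose order screen is not the post editor (WooCommerce's custom order tables mode) the field would presumably never be rendered, and `update_order_meta` in the next hunk would then drop every kennitala edit without an error; worth confirming which screen this targets and hooking the equivalent render point if both are supported. `edit_form_top` also fires for every post type and passes the post being edited, so the callback can restrict its output: `public static function add_nonce_to_order_editor( WP_Post $post ): void {` followed by `if ( 'shop_order' !== $post->post_type ) { return; }`. The action and field names `1984_dk_woo_edit` / `1984_dk_woo_edit_nonce_field` are repeated as literals in the next hunk (and `classic_checkout_set_kennitala` across the three checkout hunks); class constants would keep the two halves of each check from drifting apart.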
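Review bot: A missing or failed nonce in `update_order_meta` is a bare `return`, so a kennitala edited on the order screen is silently discarded, whereas the same condition in `check_classic_checkout_field` and `save_classic_checkout_field` calls `wp_die()`; pick one behaviour, and for the admin path a logged failure or an admin notice is more useful than silence. The nonce only proves the request came from the editor form, not that the user may edit this order — the surrounding WooCommerce save path presumably checks capability already, but an explicit `if ( ! current_user_can( 'edit_post', $post_id ) ) { return; }` makes that visible here. The function continues past the hunk.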
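Review bot: The nonce added to `render_classic_checkout_field` is embedded in the checkout form HTML, so if the checkout page is served from a page cache the stored nonce outlives its lifetime and the check in `check_classic_checkout_field` then rejects every submission with `wp_die()`; the doc comment on that function says WooCommerce's own nonce check has already run at that point, so this second nonce mainly satisfies the sniff and should fail softly rather than kill the request. If this renderer is invoked more than once per page (billing and shipping sections, for instance) the hidden input will be duplicated — harmless for `wp_verify_nonce`, but worth a comment. `render_classic_checkout_field` starts and ends outside the hunk.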
@@ -439,13 +474,27 @@ public static function render_classic_checkout_field( * taken care of that for us at this point. */ public static function check_classic_checkout_field(): void { - // Nonce check is handled by WooCommerce. - // phpcs:ignore WordPress.Security.NonceVerification + if ( ! isset( $_POST['classic_checkout_set_kennitala_nonce_field'] ) ) { + return; + } + + if ( + ! wp_verify_nonce( + sanitize_text_field( + wp_unslash( + $_POST['classic_checkout_set_kennitala_nonce_field'] + ) + ), + 'classic_checkout_set_kennitala' + ) + ) { + wp_die( 'Kennitala nonce not valid!' ); + return; + } + if ( isset( $_POST['kennitala'] ) ) { $kennitala = sanitize_text_field( - // Nonce check is handled by WooCommerce. - // phpcs:ignore WordPress.Security.NonceVerification wp_unslash( $_POST['kennitala'] ) ); @@ -467,7 +516,7 @@ public static function check_classic_checkout_field(): void { } /** - * Save the kennitala from the block-based checkout process + * Save the kennitala from the "classic" checkout process * * This is used by the `woocommerce_checkout_update_order_meta` hook. * @@ -477,14 +526,28 @@ public static function check_classic_checkout_field(): void { * @param int $order_id The order id. */ public static function save_classic_checkout_field( int $order_id ): void { + if ( ! isset( $_POST['classic_checkout_set_kennitala_nonce_field'] ) ) { + return; + } + + if ( + ! wp_verify_nonce( + sanitize_text_field( + wp_unslash( + $_POST['classic_checkout_set_kennitala_nonce_field'] + ) + ), + 'classic_checkout_set_kennitala' + ) + ) { + wp_die( 'Kennitala nonce not valid!' ); + return; + } + $order_object = new WC_Order( $order_id ); - // Nonce check is handled by WooCommerce. - // phpcs:ignore WordPress.Security.NonceVerification if ( isset( $_POST['billing_kennitala'] ) ) { $kennitala = sanitize_text_field( - // Nonce check is handled by WooCommerce. - // phpcs:ignore WordPress.Security.NonceVerification wp_unslash( $_POST['billing_kennitala'] ) ); 
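Review bot: In `check_classic_checkout_field` a request that simply omits `classic_checkout_set_kennitala_nonce_field` skips the kennitala validation entirely through the first `return`, while a request carrying a bad value is killed with `wp_die()`; both should be treated as a failed check, and inside checkout processing the conventional failure is `wc_add_notice( ..., 'error' )` rather than `wp_die()`, which bypasses WooCommerce's error flow and returns an opaque page to the shopper. The `return;` after `wp_die()` is unreachable, since `wp_die()` never returns. The same check is duplicated in `save_classic_checkout_field` in the hunk after next; a shared helper keeps the field name and action in one place. Separately, this function reads `$_POST['kennitala']` while the renderer and saver use `billing_kennitala` — pre-existing, but worth confirming both keys are intentional.
```php
	/**
	 * Check the nonce rendered by render_classic_checkout_field().
	 *
	 * @return bool True if the nonce field is present and valid.
	 */
	private static function classic_checkout_nonce_is_valid(): bool {
		if ( ! isset( $_POST['classic_checkout_set_kennitala_nonce_field'] ) ) {
			return false;
		}

		return false !== wp_verify_nonce(
			sanitize_text_field(
				wp_unslash( $_POST['classic_checkout_set_kennitala_nonce_field'] )
			),
			'classic_checkout_set_kennitala'
		);
	}

	public static function check_classic_checkout_field(): void {
		if ( ! self::classic_checkout_nonce_is_valid() ) {
			wc_add_notice( 'Kennitala nonce not valid!', 'error' );
			return;
		}

		// … unchanged: kennitala validation …
```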
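Review bot: `save_classic_checkout_field` runs from `woocommerce_checkout_update_order_meta` (per its doc comment), i.e. after the order has been created, so `wp_die()` on a bad nonce leaves a new order behind and aborts the checkout with an opaque page; the same nonce has already been verified by `check_classic_checkout_field` earlier in the request, so a plain `return;` here (or the shared helper proposed at that hunk) is enough. The unreachable `return;` after `wp_die()` repeats here. The function continues past the hunk.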
@@ -496,8 +559,6 @@ public static function save_classic_checkout_field( int $order_id ): void { ); } - // Nonce check is handled by WooCommerce. - // phpcs:ignore WordPress.Security.NonceVerification if ( isset( $_POST['kennitala_invoice_requested'] ) ) { $order_object->update_meta_data( 'kennitala_invoice_requested', 1 ); } else { diff --git a/views/dk_invoice_metabox.php b/views/dk_invoice_metabox.php index 84669eb..55ccf2a 100644 --- a/views/dk_invoice_metabox.php +++ b/views/dk_invoice_metabox.php @@ -10,24 +10,7 @@ global $post; - -if ( $post ) { - $wc_order = wc_get_order( $post->ID ); -} else { - // Nonce check is handled by the WooCommerce, which does not make a global - // "product" object available in this case. - // phpcs:ignore WordPress.Security.NonceVerification - if ( isset( $_GET['id'] ) ) { - $wc_order = wc_get_order( - // Nonce check is handled by the WooCommerce, which does not make a - // global "product" object available in this case. - // phpcs:ignore WordPress.Security.NonceVerification - sanitize_text_field( wp_unslash( $_GET['id'] ) ) - ); - } else { - exit; - } -} +$wc_order = wc_get_order( $post->ID ); $invoice_number = $wc_order->get_meta( '1984_woo_dk_invoice_number', true, 'edit' ); $credit_invoice_number = $wc_order->get_meta( '1984_woo_dk_credit_invoice_number', true, 'edit' ); diff --git a/views/product_options_advanced_partial.php b/views/product_options_advanced_partial.php index 93997ab..4206b76 100644 --- a/views/product_options_advanced_partial.php +++ b/views/product_options_advanced_partial.php @@ -11,7 +11,7 @@ global $post; -$wc_product = new WC_Product( $post ); +$wc_product = wc_get_product( $post ); $product_currency = ProductHelper::get_currency( $wc_product ); ?>
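Review bot: `$wc_order = wc_get_order( $post->ID );` dereferences the global `$post` unconditionally and the next line calls `->get_meta()` on the result without checking it, so when `$post` is unset (the removed branch's own comment says WooCommerce does not provide it in some contexts) or `wc_get_order()` returns `false`, the view now fails with a warning followed by a fatal error instead of the previous `exit`. A guard keeps the view from rendering on bad input: `$wc_order = $post ? wc_get_order( $post->ID ) : false;` then `if ( ! $wc_order ) { return; }`. If the metabox callback receives the order object on the non-post order screen, passing that in rather than reading `$post` would cover both cases — inferred, worth confirming.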
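Review bot: `wc_get_product( $post )` can return `false` or `null` where `new WC_Product( $post )` would have thrown or produced an empty product, and the result goes straight into `ProductHelper::get_currency( $wc_product )` on the next line; unless that helper accepts a non-product, add `if ( ! $wc_product ) { return; }` before it. The switch to the factory is otherwise the right call, since it returns the concrete product subclass rather than a bare `WC_Product`.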