Added logging to check_admin_permission() to record, per request: 1. whether the current user has the manage_woocommerce capability; 2. whether the current user has the manage_options capability; 3. whether the resulting permission is ALLOWED or DENIED. If the permission callback returns false, the REST server answers with a rest_forbidden error (401 for an anonymous caller, 403 for a logged-in one) and never calls our handler, which would explain why the route registers successfully but the handler is never reached. The most likely cause of a DENIED result for a user who is an administrator in wp-admin is a request that arrives without a valid X-WP-Nonce header: WordPress then drops cookie authentication and runs the capability checks as user 0, so the log should also show which user ID the checks ran as.
<?php
namespace WooNooW\Api;
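class Permissions {

    /**
     * Permission callback for public (anonymous) endpoints such as the
     * frontend checkout.
     *
     * This callback NEVER denies a request; it exists so that public routes
     * state their intent by name instead of passing '__return_true'.
     *
     * Re-checking the X-WP-Nonce header here adds no protection: WordPress
     * core's cookie-auth check (rest_cookie_check_errors) already rejects a
     * request that carries an invalid nonce before any permission_callback
     * runs, and a missing nonce only downgrades the caller to user 0. Do not
     * use this callback on an endpoint that reads or writes anything a
     * logged-out visitor must not reach.
     *
     * Usage: 'permission_callback' => [Permissions::class, 'anon_or_wp_nonce']
     *
     * @return bool Always true.
     */
    public static function anon_or_wp_nonce(): bool {
        return true;
    }

    /**
     * Permission callback for admin-only endpoints: requires a valid REST
     * nonce (CSRF protection) AND an administrative capability.
     *
     * A nonce on its own is not an authorization check. WordPress issues
     * 'wp_rest' nonces to logged-out visitors as well (user ID 0) and
     * wp_verify_nonce() accepts them, so a callback that only verifies the
     * nonce lets any anonymous caller who can obtain one through to an
     * "admin-only" handler. Routes that only need a logged-in user rather
     * than a store admin should use a different callback.
     *
     * Usage: 'permission_callback' => [Permissions::class, 'require_wp_nonce']
     *
     * @return bool True only when the nonce verifies and the current user
     *              holds manage_woocommerce or manage_options.
     */
    public static function require_wp_nonce(): bool {
        return self::rest_nonce_is_valid() && self::current_user_is_store_admin();
    }

    /**
     * Permission callback for analytics and other admin-only endpoints.
     *
     * Allows users holding 'manage_woocommerce' (shop managers and
     * administrators) or 'manage_options' (administrators).
     *
     * When WP_DEBUG is enabled the outcome is written to the PHP error log
     * together with the user ID the checks ran as; a 0 there means the
     * request reached the REST API without valid cookie authentication
     * (typically a missing or stale X-WP-Nonce header), which is the usual
     * reason an administrator is reported as DENIED.
     *
     * Usage: 'permission_callback' => [Permissions::class, 'check_admin_permission']
     *
     * @return bool True when the current user may manage the store.
     */
    public static function check_admin_permission(): bool {
        $has_wc   = current_user_can('manage_woocommerce');
        $has_opts = current_user_can('manage_options');
        $result   = $has_wc || $has_opts;

        // Diagnostic only: logging every admin-gated request in production
        // is noise, so keep it behind WP_DEBUG.
        if (defined('WP_DEBUG') && WP_DEBUG) {
            error_log(sprintf(
                'WooNooW Permissions: check_admin_permission() - User:%d WC:%s Options:%s Result:%s',
                get_current_user_id(),
                $has_wc ? 'YES' : 'NO',
                $has_opts ? 'YES' : 'NO',
                $result ? 'ALLOWED' : 'DENIED'
            ));
        }

        return $result;
    }

    /**
     * True when the request carries an X-WP-Nonce header that verifies
     * against the 'wp_rest' action.
     *
     * @return bool
     */
    private static function rest_nonce_is_valid(): bool {
        $nonce = (string) ($_SERVER['HTTP_X_WP_NONCE'] ?? '');

        return $nonce !== '' && false !== wp_verify_nonce($nonce, 'wp_rest');
    }

    /**
     * Capability check shared by the admin-only callbacks, without logging.
     *
     * @return bool True for manage_woocommerce or manage_options holders.
     */
    private static function current_user_is_store_admin(): bool {
        return current_user_can('manage_woocommerce') || current_user_can('manage_options');
    }
}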