Merge pull request woocommerce#18413 from woocommerce/fix/18377

Rest API - Orders should be created for users who exist on the site only.
alexminza · Jan 10, 2018 · 76f66fd · 76f66fd
2 parents 6630fca + ee6794f
commit 76f66fd
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/includes/api/class-wc-rest-orders-controller.php b/includes/api/class-wc-rest-orders-controller.php
@@ -488,12 +488,19 @@ protected function save_object( $request, $creating = false ) {
 				return $object;
 			}
 
-			if ( $creating ) {
+			if ( ! is_null( $request['customer_id'] ) && 0 !== $request['customer_id'] ) {
 				// Make sure customer exists.
-				if ( ! is_null( $request['customer_id'] ) && 0 !== $request['customer_id'] && false === get_user_by( 'id', $request['customer_id'] ) ) {
+				if ( false === get_user_by( 'id', $request['customer_id'] ) ) {
 					throw new WC_REST_Exception( 'woocommerce_rest_invalid_customer_id',__( 'Customer ID is invalid.', 'woocommerce' ), 400 );
 				}
 
+				// Make sure customer is part of blog.
+				if ( is_multisite() && ! is_user_member_of_blog( $request['customer_id'] ) ) {
+					throw new WC_REST_Exception( 'woocommerce_rest_invalid_customer_id_network',__( 'Customer ID does not belong to this site.', 'woocommerce' ), 400 );
+				}
+			}
+
+			if ( $creating ) {
 				$object->set_created_via( 'rest-api' );
 				$object->set_prices_include_tax( 'yes' === get_option( 'woocommerce_prices_include_tax' ) );
 				$object->calculate_totals();

diff --git a/includes/api/legacy/class-wc-rest-legacy-orders-controller.php b/includes/api/legacy/class-wc-rest-legacy-orders-controller.php
@@ -249,6 +249,11 @@ protected function create_order( $request ) {
 				throw new WC_REST_Exception( 'woocommerce_rest_invalid_customer_id',__( 'Customer ID is invalid.', 'woocommerce' ), 400 );
 			}
 
+			// Make sure customer is part of blog.
+			if ( is_multisite() && ! is_user_member_of_blog( $request['customer_id'] ) ) {
+				throw new WC_REST_Exception( 'woocommerce_rest_invalid_customer_id_network',__( 'Customer ID does not belong to this site.', 'woocommerce' ), 400 );
+			}
+
 			$order = $this->prepare_item_for_database( $request );
 			$order->set_created_via( 'rest-api' );
 			$order->set_prices_include_tax( 'yes' === get_option( 'woocommerce_prices_include_tax' ) );

diff --git a/includes/api/v1/class-wc-rest-orders-controller.php b/includes/api/v1/class-wc-rest-orders-controller.php
@@ -534,6 +534,11 @@ protected function create_order( $request ) {
 				throw new WC_REST_Exception( 'woocommerce_rest_invalid_customer_id',__( 'Customer ID is invalid.', 'woocommerce' ), 400 );
 			}
 
+			// Make sure customer is part of blog.
+			if ( is_multisite() && ! is_user_member_of_blog( $request['customer_id'] ) ) {
+				throw new WC_REST_Exception( 'woocommerce_rest_invalid_customer_id_network',__( 'Customer ID does not belong to this site.', 'woocommerce' ), 400 );
+			}
+
 			$order = $this->prepare_item_for_database( $request );
 			$order->set_created_via( 'rest-api' );
 			$order->set_prices_include_tax( 'yes' === get_option( 'woocommerce_prices_include_tax' ) );

diff --git a/includes/class-wc-order.php b/includes/class-wc-order.php
@@ -1339,7 +1339,7 @@ public function has_downloadable_item() {
 			if ( $item->is_type( 'line_item' ) ) {
 				$product = $item->get_product();
 
-				if ( $product->has_file() ) {
+				if ( $product && $product->has_file() ) {
 					return true;
 				}
 			}