Enforce strict user capability checks when deleting test orders (#11122)

Author: vladolaru

changelog/update-verify-user-access-when-deleting-test-orders

@@ -0,0 +1,5 @@
+Significance: patch
+Type: update
+Comment: Enforce strict capability checks when deleting test orders.
+
+

includes/class-wc-payments-status.php

@@ -106,6 +106,11 @@ public function debug_tools( $tools ) {
 	 * @return string Success or error message.
 	 */
 	public function delete_test_orders() {
+		// Add explicit capability check.
+		if ( ! current_user_can( 'manage_woocommerce' ) ) {
+			return __( 'You do not have permission to delete orders.', 'woocommerce-payments' );
+		}
+
 		try {
 			// Get all orders with test mode meta.
 			$test_orders = wc_get_orders(
@@ -126,7 +131,7 @@ public function delete_test_orders() {
 			$deleted_count = 0;
 			foreach ( $test_orders as $order ) {
 				// Permanently delete the order (skip trash).
-				if ( $order->delete() ) {
+				if ( $order->delete( true ) ) {
 					++$deleted_count;
 				}
 			}

tests/unit/test-class-wc-payments-status.php

@@ -43,6 +43,9 @@ class WC_Payments_Status_Test extends WCPAY_UnitTestCase {
 	public function set_up() {
 		parent::set_up();
 
+		// Set up an admin user with proper capabilities.
+		wp_set_current_user( 1 );
+
 		$this->mock_gateway = $this->createMock( WC_Payment_Gateway_WCPay::class );
 		$this->mock_http    = $this->createMock( WC_Payments_Http_Interface::class );
 		$this->mock_account = $this->createMock( WC_Payments_Account::class );
@@ -108,21 +111,20 @@ public function test_delete_test_orders_tool_structure() {
 	 */
 	public function test_delete_test_orders_with_no_orders() {
 		// Mock wc_get_orders to return empty array.
-		add_filter(
-			'woocommerce_order_data_store_cpt_get_orders_query',
-			function ( $query, $query_vars ) {
-				if ( isset( $query_vars['meta_key'] ) && '_wcpay_mode' === $query_vars['meta_key'] ) {
-					$query['post__in'] = [ 0 ]; // Force no results.
-				}
-				return $query;
-			},
-			10,
-			2
-		);
+		$filter_callback = function ( $query, $query_vars ) {
+			if ( isset( $query_vars['meta_key'] ) && '_wcpay_mode' === $query_vars['meta_key'] ) {
+				$query['post__in'] = [ 0 ]; // Force no results.
+			}
+			return $query;
+		};
+		add_filter( 'woocommerce_order_data_store_cpt_get_orders_query', $filter_callback, 10, 2 );
 
 		$result = $this->status->delete_test_orders();
 
 		$this->assertEquals( 'No test orders found.', $result );
+
+		// Clean up filter.
+		remove_filter( 'woocommerce_order_data_store_cpt_get_orders_query', $filter_callback, 10 );
 	}
 
 	/**
@@ -148,14 +150,12 @@ public function test_delete_test_orders_deletes_orders() {
 		// Verify result message.
 		$this->assertStringContainsString( '2 test orders have been permanently deleted.', $result );
 
-		// Verify test orders were moved to trash.
-		$trashed_order1 = wc_get_order( $order1->get_id() );
-		$this->assertInstanceOf( WC_Order::class, $trashed_order1 );
-		$this->assertEquals( 'trash', $trashed_order1->get_status() );
+		// Verify test orders were permanently deleted (no longer exist).
+		$deleted_order1 = wc_get_order( $order1->get_id() );
+		$this->assertFalse( $deleted_order1, 'Test order 1 should be permanently deleted' );
 
-		$trashed_order2 = wc_get_order( $order2->get_id() );
-		$this->assertInstanceOf( WC_Order::class, $trashed_order2 );
-		$this->assertEquals( 'trash', $trashed_order2->get_status() );
+		$deleted_order2 = wc_get_order( $order2->get_id() );
+		$this->assertFalse( $deleted_order2, 'Test order 2 should be permanently deleted' );
 
 		// Verify non-test order was not deleted.
 		$order3_check = wc_get_order( $order3->get_id() );
@@ -176,29 +176,64 @@ public function test_delete_test_orders_singular_message() {
 
 		$this->assertStringContainsString( '1 test order has been permanently deleted.', $result );
 
-		// Verify order was moved to trash.
-		$trashed_order = wc_get_order( $order->get_id() );
-		$this->assertInstanceOf( WC_Order::class, $trashed_order );
-		$this->assertEquals( 'trash', $trashed_order->get_status() );
+		// Verify order was permanently deleted (no longer exists).
+		$deleted_order = wc_get_order( $order->get_id() );
+		$this->assertFalse( $deleted_order, 'Test order should be permanently deleted' );
 	}
 
 	/**
 	 * Test delete_test_orders handles exceptions.
 	 */
 	public function test_delete_test_orders_handles_exception() {
 		// Mock wc_get_orders to throw an exception.
-		add_filter(
-			'woocommerce_order_data_store_cpt_get_orders_query',
-			function ( $query, $query_vars ) {
-				throw new Exception( 'Database error' );
-			},
-			10,
-			2
-		);
+		$filter_callback = function () {
+			throw new Exception( 'Database error' );
+		};
+		add_filter( 'woocommerce_order_data_store_cpt_get_orders_query', $filter_callback, 10, 2 );
 
 		$result = $this->status->delete_test_orders();
 
 		$this->assertStringContainsString( 'Error deleting test orders:', $result );
 		$this->assertStringContainsString( 'Database error', $result );
+
+		// Clean up filter.
+		remove_filter( 'woocommerce_order_data_store_cpt_get_orders_query', $filter_callback, 10 );
+	}
+
+	/**
+	 * Test delete_test_orders denies access for users without manage_woocommerce capability.
+	 */
+	public function test_delete_test_orders_requires_manage_woocommerce_capability() {
+		// Create test orders with _wcpay_mode meta.
+		$order1 = wc_create_order();
+		$order1->update_meta_data( '_wcpay_mode', 'test' );
+		$order1->save();
+
+		$order2 = wc_create_order();
+		$order2->update_meta_data( '_wcpay_mode', 'test' );
+		$order2->save();
+
+		// Mock that the current user is missing the manage_woocommerce capability.
+		$filter_callback = function ( $allcaps ) {
+			$allcaps['manage_woocommerce'] = false;
+
+			return $allcaps;
+		};
+		add_filter( 'user_has_cap', $filter_callback );
+
+		$result = $this->status->delete_test_orders();
+
+		// Verify permission denied message.
+		$this->assertEquals( 'You do not have permission to delete orders.', $result );
+
+		// Verify orders were NOT deleted.
+		$order1_check = wc_get_order( $order1->get_id() );
+		$this->assertInstanceOf( WC_Order::class, $order1_check );
+
+		$order2_check = wc_get_order( $order2->get_id() );
+		$this->assertInstanceOf( WC_Order::class, $order2_check );
+
+		// Clean up filter.
+		remove_filter( 'user_has_cap', $filter_callback );
 	}
 }