Automattic\WooCommerce\Internal\OrderReviews

Endpoint::gate_request() public WC 1.0

Run the gating checks before the page template renders.

Auth failures fall through to a 404 here rather than inside the shortcode so the response status is set before any output begins. On success the request continues into normal page rendering and the shortcode echoes the body inside the_content.

Method of the class: Endpoint{}

No Hooks.

Returns

null. Nothing (null). The method is declared `void`; on the redirect and 404 paths it calls `exit` instead of returning.

Usage

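// gate_request() either returns normally or ends the request itself: the
// redirect and 404 paths both call exit, so code placed after this call
// only runs for requests that passed the gate (or were not for the
// Review Order page at all).
$Endpoint = new Endpoint();
$Endpoint->gate_request();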

Endpoint::gate_request() code WC 10.8.1

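/**
 * Run the gating checks before the page template renders.
 *
 * Flow, in order:
 *  - Returns without side effects unless the current request is the page
 *    resolved from `self::PAGE_KEY`.
 *  - Redirects to the home page and exits when the `self::QUERY_VAR`
 *    query var is absent.
 *  - Renders a 404 and exits when `is_authorised()` rejects the
 *    order / order-key pair.
 *  - Otherwise registers the title-suppression filters, flags orders with
 *    no actionable rows, and enqueues assets.
 *
 * NOTE(review): the comment near the end of the body implies this runs on
 * `template_redirect`; the hook registration is not visible here — confirm.
 *
 * @return void May terminate the request via `exit` instead of returning.
 */
public function gate_request(): void {
	global $wp;

	// Only act when the request resolves to the WC-managed Review Order
	// page. A leftover review-order query var on some other page (manual
	// URL tampering, third-party plugin) shouldn't trigger our auth
	// path or 404 an unrelated page.
	$page_id = (int) wc_get_page_id( self::PAGE_KEY );
	if ( $page_id <= 0 || ! is_page( $page_id ) ) {
		return;
	}

	// Use isset() rather than empty() so the literal "0" doesn't slip
	// through to normal WP routing; the auth check 404s on order_id 0.
	if ( ! isset( $wp->query_vars[ self::QUERY_VAR ] ) ) {
		// Visiting the host page directly (no order id in the URL) is a
		// dead end — the shortcode renders nothing and the customer
		// sees a chrome-only page. Send them to the home page instead.
		wp_safe_redirect( home_url( '/' ) );
		exit;
	}

	// The query var is request-controlled and may arrive as an array.
	// absint() casts a non-empty array to 1, which would silently turn a
	// malformed value into a lookup of order #1. Treat anything
	// non-scalar as order_id 0 so it takes the same 404 path as any
	// other invalid id.
	$raw_order_id = $wp->query_vars[ self::QUERY_VAR ];
	$order_id     = is_scalar( $raw_order_id ) ? absint( $raw_order_id ) : 0;
	$order_key    = $this->read_order_key();
	$order        = $order_id ? wc_get_order( $order_id ) : false;

	// NOTE(review): is_authorised() is not visible here. Confirm it
	// rejects a false $order and compares the order key with
	// hash_equals() rather than == / ===.
	if ( ! $this->is_authorised( $order, $order_key ) ) {
		// Unknown order and wrong key both end in the same 404 response.
		$this->render_404();
		exit;
	}

	// NOTE(review): an authorised response is specific to one order and
	// is unlocked by a key read from the request. Confirm elsewhere that
	// this page is excluded from page caches; nothing in this method
	// sets no-cache headers.

	// Register the page-title suppression filters now that the request
	// is fully authorised. Doing this here instead of `init()` keeps the
	// filters out of every unrelated page render and removes the need
	// for a per-instance "is this an authorised render" boolean.
	add_filter( 'the_title', array( $this, 'maybe_hide_page_title' ), 10, 2 );
	// Block-specific filter so only `core/post-title` is touched —
	// `render_block` would fire for every block on the page. The third
	// arg is the `WP_Block` instance carrying `context['postId']`, used
	// to scope to the host page.
	add_filter( 'render_block_core/post-title', array( $this, 'maybe_hide_post_title_block' ), 10, 3 );

	if ( $order instanceof WC_Order ) {
		$this->maybe_mark_no_actionable_rows( $order );
	}

	// template_redirect fires after wp_enqueue_scripts but before
	// wp_head, so styles registered here are still output in <head>.
	$this->enqueue_assets();
}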