Automattic\WooCommerce\Internal\OrderReviews
Endpoint::is_authorised
Decide whether the request is allowed to render the page.
Method of the class: Endpoint{}
Hooks from the method
woocommerce_review_order_eligible_statuses
Returns
true|false.
Usage
// private: callable only from inside the Endpoint class itself
$result = $this->is_authorised( $order, $order_key ); // returns bool
- $order (mixed) (required)
  The candidate order. Anything other than a WC_Order fails.
- $order_key (string) (required)
  The order key supplied via query arg.
Endpoint::is_authorised() code WC 10.8.1
private function is_authorised( $order, string $order_key ): bool {
	if ( ! $order instanceof WC_Order ) {
		return false;
	}

	if ( '' === $order_key || ! hash_equals( $order->get_order_key(), $order_key ) ) {
		return false;
	}

	/**
	 * Filter the order statuses that are eligible to access the Review Order page.
	 *
	 * The scheduler unschedules pending sends on refund/cancel/trash/delete, but
	 * emails already in the customer's inbox can still be clicked. The route-level
	 * check blocks those late clicks for orders that have moved out of the
	 * eligible set.
	 *
	 * @since 10.8.0
	 *
	 * @param string[] $eligible_statuses Status slugs without the `wc-` prefix.
	 * @param WC_Order $order             The order being reviewed.
	 */
	$eligible_statuses = (array) apply_filters(
		'woocommerce_review_order_eligible_statuses',
		array( OrderStatus::COMPLETED ),
		$order
	);

	if ( ! in_array( $order->get_status(), $eligible_statuses, true ) ) {
		return false;
	}

	// Logged-in customer must own the order. Guests with the order key still pass.
	if ( $order->get_customer_id() && is_user_logged_in() && get_current_user_id() !== $order->get_customer_id() ) {
		return false;
	}

	return true;
}
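Added example (not WooCommerce core code): a late-priority callback on woocommerce_review_order_eligible_statuses that strips a stray `wc-` prefix so the strict in_array() check above can still match, and returns an empty set for orders completed too long ago, which makes is_authorised() return false for old emailed links. The function name, the constant and the 90-day window are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not part of WooCommerce: tighten Review Order page access
 * through the woocommerce_review_order_eligible_statuses filter.
 */

// Assumption: 90 days is an illustrative lifetime for emailed review links.
const MYSHOP_REVIEW_LINK_MAX_AGE_DAYS = 90;

/**
 * @param mixed $statuses Eligible status slugs as left by earlier callbacks.
 * @param mixed $order    The order being reviewed.
 * @return string[] Slugs without the `wc-` prefix; an empty array denies access.
 */
function myshop_review_order_eligible_statuses( $statuses, $order ) {
	// Fail closed on unexpected input.
	if ( ! $order instanceof WC_Order ) {
		return array();
	}

	// is_authorised() compares against get_status() with a strict in_array(),
	// and get_status() carries no `wc-` prefix, so strip it from every slug.
	$normalised = array();
	foreach ( (array) $statuses as $slug ) {
		if ( is_string( $slug ) && '' !== $slug ) {
			$normalised[] = 0 === strpos( $slug, 'wc-' ) ? substr( $slug, 3 ) : $slug;
		}
	}

	// A guest holding the order key passes the ownership check, so the emailed
	// link works like a bearer token. Give it a lifetime: once the completion
	// date is too old, no status is eligible. Orders without a completion date
	// are left to the status check alone.
	$completed = $order->get_date_completed();
	if ( $completed && time() - $completed->getTimestamp() > MYSHOP_REVIEW_LINK_MAX_AGE_DAYS * DAY_IN_SECONDS ) {
		return array();
	}

	return array_values( array_unique( $normalised ) );
}

// Late priority so the normalisation and age check see other callbacks' output.
add_filter( 'woocommerce_review_order_eligible_statuses', 'myshop_review_order_eligible_statuses', 999, 2 );
```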