Automattic\WooCommerce\Api\Queries\Products
GetProduct::authorize
Authorize access to a specific product.
Admins can read any product. Non-admin users can only read products they authored themselves.
Every inaccessible case throws UnauthorizedException('Product not found.') — whether the ID doesn't exist, points at a non-product post type, or points at a product the caller doesn't own. This prevents callers from enumerating product IDs vs non-product post IDs via the response they get back (which would otherwise be "not found" vs "no permission").
Method of the class: GetProduct{}
No Hooks.
Returns
true|false. Whether the current user can read this product.
Usage
$GetProduct = new GetProduct(); $GetProduct->authorize( $id, $_preauthorized ): bool;
- $id(int) (required)
- The product ID.
- $_preauthorized(true|false) (required)
- Whether the declared capability check passed.
GetProduct::authorize() GetProduct::authorize code WC 10.9.1
public function authorize( int $id, bool $_preauthorized ): bool {
// Reject non-positive IDs up front. `get_post( 0 )` inside a
// WordPress loop returns `$GLOBALS['post']` (not null), so a bare
// `get_post( $id )` below would accidentally operate on whatever
// global post was set upstream of this request.
if ( $id <= 0 ) {
throw new UnauthorizedException( 'Product not found.' );
}
$post = get_post( $id );
if ( ! $post || 'product' !== $post->post_type ) {
throw new UnauthorizedException( 'Product not found.' );
}
// Honor the declared #[RequiredCapability] (read_product).
if ( $_preauthorized ) {
return true;
}
// `manage_woocommerce` is the canonical "admin sees everything"
// capability in WooCommerce. The declared #[RequiredCapability]
// pre-authorizes on `read_product` (the read-level post-type cap,
// which is what the schema advertises), but an admin whose cap set
// grants `manage_woocommerce` without `read_product` would
// otherwise fall through to the ownership check and get "Product
// not found" for any product they don't own — contrary to the
// documented admin-can-see-everything contract.
if ( current_user_can( 'manage_woocommerce' ) ) {
return true;
}
// Non-admin users can only read their own products. Throw the same
// "not found" exception rather than returning false — a distinct
// "you don't have permission" error here would tell the caller
// that the ID is a product (just not theirs), leaking the
// product-ID space vs the rest of the post-ID space.
//
// Reject guest users explicitly: get_current_user_id() returns 0
// for unauthenticated callers, and products created via WP-CLI,
// imports, or programmatic inserts without an author can have
// post_author = 0 — a bare `!==` check would mis-grant access to
// anonymous callers for those products.
$current_user_id = get_current_user_id();
if ( 0 === $current_user_id || $current_user_id !== (int) $post->post_author ) {
throw new UnauthorizedException( 'Product not found.' );
}
return true;
}