Merge branch 'master' into fix/productid-parentid-issue

razorpay · Nov 29, 2023 · 8c63c2a · 8c63c2a
2 parents 1fd6b9c + d3c692a
commit 8c63c2a
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 40 deletions.
diff --git a/includes/razorpay-route-actions.php b/includes/razorpay-route-actions.php
@@ -23,10 +23,35 @@ public function redirect($pageUrl)
         wp_redirect($pageUrl);
     }
 
+    public function authorizeAndAuthenticate($nonce, $action)
+    {
+        if(current_user_can('manage_woocommerce') === false)
+        {
+            rzpLogError("Authorization Failed");
+            wp_die('<div class="error notice">
+                <p>RAZORPAY ERROR: User is not Authorized to perform Operation</p>
+             </div>');
+        }
+
+        $verifyReq = wp_verify_nonce($nonce, $action);
+
+        if ($verifyReq === false)
+        {
+            rzpLogError("nonce Authentication failed");
+            wp_die('<div class="error notice">
+                <p>RAZORPAY ERROR: Authentication Failed</p>
+             </div>');
+        }
+    }
+
     function directTransfer()
     {
         $trfAccount = sanitize_text_field($_POST['drct_trf_account']);
         $trfAmount = sanitize_text_field($_POST['drct_trf_amount']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_direct_transfer');
+
         $pageUrl = admin_url('admin.php?page=razorpayRouteWoocommerce');
         try {
             $transferData = array(
@@ -51,9 +76,12 @@ function directTransfer()
 
     function reverseTransfer()
     {
-
         $transferId = sanitize_text_field($_POST['transfer_id']);
         $reversalAmount = sanitize_text_field($_POST['reversal_amount']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_reverse_transfer');
+
         $pageUrl = admin_url('admin.php?page=razorpayTransfers&id=' . $transferId);
         try {
             $reversalData = array(
@@ -75,9 +103,12 @@ function reverseTransfer()
 
     function updateTransferSettlement()
     {
-
         $transferId = sanitize_text_field($_POST['transfer_id']);
         $trfHoldStatus = sanitize_text_field($_POST['on_hold']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_settlement_change');
+
         if ($trfHoldStatus == "on_hold_until") {
             $trfHoldUntil = sanitize_text_field($_POST['hold_until']);
             $unixTime = strtotime($trfHoldUntil);
@@ -110,10 +141,13 @@ function updateTransferSettlement()
 
     function createPaymentTransfer()
     {
-
         $paymentId = sanitize_text_field($_POST['payment_id']);
         $trfAccount = sanitize_text_field($_POST['pay_trf_account']);
         $trfAmount = sanitize_text_field($_POST['pay_trf_amount']);
+        $nonce = sanitize_text_field($_POST['nonce']);
+
+        $this->authorizeAndAuthenticate($nonce, 'rzp_payment_transfer');
+
         $pageUrl = admin_url('admin.php?page=razorpayPaymentsView&id=' . $paymentId);
 
         $trfHoldStatus = sanitize_text_field($_POST['on_hold']);

diff --git a/includes/razorpay-route.php b/includes/razorpay-route.php
@@ -9,14 +9,33 @@
 use Automattic\WooCommerce\Internal\DataStores\Orders\CustomOrdersTableController;
 
 add_action('setup_extra_setting_fields', 'addRouteModuleSettingFields');
-add_action('admin_post_rzp_direct_transfer', 'razorpayDirectTransfer');
-add_action('admin_post_rzp_reverse_transfer', 'razorpayReverseTransfer');
-add_action('admin_post_rzp_settlement_change', 'razorpaySettlementUpdate');
-add_action('admin_post_rzp_payment_transfer', 'razorpayPaymentTransfer');
-
 add_action( 'check_route_enable_status', 'razorpayRouteModule',0 );
 do_action('check_route_enable_status');
 
+add_action('admin_post_rzp_direct_transfer', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->directTransfer();
+});
+
+add_action('admin_post_rzp_reverse_transfer', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->reverseTransfer();
+});
+
+add_action('admin_post_rzp_settlement_change', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->updateTransferSettlement();
+});
+
+add_action('admin_post_rzp_payment_transfer', function(){
+    $routeAction = new RZP_Route_Action();
+
+    $routeAction->createPaymentTransfer();
+});
+
 function addRouteModuleSettingFields(&$defaultFormFields){
     if( get_woocommerce_currency() == "INR") {
 
@@ -166,6 +185,7 @@ function rzpTransfers()
                             <div>
                             <button type="submit" onclick="' . $hide . '" name="trf_create" class="btn btn-primary">Create</button>
                             <input type="hidden" name="action" value="rzp_direct_transfer">
+                            <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_direct_transfer') . '">
                             </div>
                             </form>
                         </div>
@@ -439,7 +459,7 @@ function rzpTransferDetails()
                                 <input type="hidden" name="action" value="rzp_reverse_transfer">
                                 <input type="hidden" name="transfer_id" value="' . $transferDetail['id'] . '">
                                 <input type="hidden" name="transfer_amount" value="' . $transferDetail['amount'] . '">
-
+                                <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_reverse_transfer') . '">
                                 </div>
                                 </form>
                             </div>
@@ -507,6 +527,7 @@ function rzpTransferDetails()
                                 <button type="submit" onclick="' . $hideSetl . '" name="update_setl_status"  class="btn btn-primary">Save</button>
                                 <input type="hidden" name="action" value="rzp_settlement_change">
                                 <input type="hidden" name="transfer_id" value="' . $transferDetail['id'] . '">
+                                <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_settlement_change') . '">
                                 </div>
                                 </form>
                             </div>
@@ -977,6 +998,7 @@ function rzpPaymentDetails()
                                 <button type="submit" onclick="' . $hide . '" name="trf_create" class="btn btn-primary" id="payment_transfer_btn">Create</button>
                                 <input type="hidden" name="payment_id" value="' . $paymentDetail['id'] . '">
                                 <input type="hidden" name="action" value="rzp_payment_transfer">
+                                <input type="hidden" name="nonce" value="' . wp_create_nonce('rzp_payment_transfer') . '">
                                 </div>
                                 </form>
                             </div>
@@ -1270,31 +1292,3 @@ function renderPaymentMetaBox(){
 
 }
 
-function razorpayDirectTransfer()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->directTransfer();
-}
-
-function razorpayReverseTransfer()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->reverseTransfer();
-}
-
-function razorpaySettlementUpdate()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->updateTransferSettlement();
-}
-
-function razorpayPaymentTransfer()
-{
-    $routeAction = new RZP_Route_Action();
-
-    $routeAction->createPaymentTransfer();
-}
-
diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: razorpay
 Tags: razorpay, payments, india, woocommerce, curlec, malaysia, ecommerce, international, cross border
 Requires at least: 3.9.2
 Tested up to: 6.3.1
-Stable tag: 4.5.6
+Stable tag: 4.5.7
 Requires PHP: 7.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -69,6 +69,10 @@ Razorpay is available for Store Owners and Merchants in
 
 == Changelog ==
 
+= 4.5.7 =
+* Added nonce and user capability check for route
+* Blocked currencies KWD, OMR, BHD.
+
 = 4.5.6 =
 * Added productId for advance cod support
 * Updated Razorpay SDK to 2.8.7

diff --git a/woo-razorpay.php b/woo-razorpay.php
@@ -3,8 +3,8 @@
  * Plugin Name: Razorpay for WooCommerce
  * Plugin URI: https://razorpay.com
  * Description: Razorpay Payment Gateway Integration for WooCommerce
- * Version: 4.5.6
- * Stable tag: 4.5.6
+ * Version: 4.5.7
+ * Stable tag: 4.5.7
  * Author: Team Razorpay
  * WC tested up to: 7.9.0
  * Author URI: https://razorpay.com
@@ -1138,6 +1138,13 @@ protected function createRazorpayOrderId($orderId, $sessionKey)
             rzpLogInfo(json_encode($data));
             try
             {
+                if ($data['currency'] === "KWD" or
+                    $data['currency'] === "OMR" or
+                    $data['currency'] === "BHD")
+                {
+                    throw new Exception($data['currency'] . " currency is not supported at the moment.");
+                }
+
                 $razorpayOrder = $api->order->create($data);
             }
             catch (Exception $e)