Fix Vendor Staff Can Access Vendor Payment Settings Page and Modify Manual Order Setting via REST API #3080

Merged: MdAsifHossainNadim merged 8 commits into develop from fix/two-permission-related-issue on Jan 27, 2026
Conversation

akzmoudud (Contributor) commented Jan 19, 2026

All Submissions:

  • My code follows the WordPress coding standards
  • My code satisfies feature requirements
  • My code is tested
  • My code passes the PHPCS tests
  • My code has proper inline documentation
  • I've included related pull request(s) (optional)
  • I've included developer documentation (optional)
  • I've added proper labels to this pull request

Changes proposed in this Pull Request:

Related Pull Request(s)

  • Full PR Link

Closes

How to test the changes in this Pull Request:

  • Steps or issue link

Changelog entry

Fixed vendor staff could view vendor payment settings without proper permission.

Before Changes

Describe the issue before changes with screenshot(s).

After Changes

Describe the issue after changes with screenshot(s).

Feature Video (optional)

Link of detailed video if this PR is for a feature.

PR Self Review Checklist:

  • Code is not following code style guidelines
  • Bad naming: make sure you would understand your code if you read it a few months from now.
  • KISS: Keep it simple, Sweetie (not stupid!).
  • DRY: Don't Repeat Yourself.
  • Code that is not readable: too many nested 'if's are a bad sign.
  • Performance issues
  • Complicated constructions that need refactoring or comments: code should almost always be self-explanatory.
  • Grammar errors.

FOR PR REVIEWER ONLY:

As a reviewer, your feedback should be focused on the idea, not the person. Seek to understand, be respectful, and focus on constructive dialog.

As a contributor, your responsibility is to learn from suggestions and iterate your pull request should it be needed based on feedback. Seek to collaborate and produce the best possible contribution to the greater whole.

  • Correct — Does the change do what it’s supposed to? ie: code 100% fulfilling the requirements?
  • Secure — Would a nefarious party find some way to exploit this change? ie: everything is sanitized/escaped appropriately for any SQL or XSS injection possibilities?
  • Readable — Will your future self be able to understand this change months down the road?
  • Elegant — Does the change fit aesthetically within the overall style and architecture?

Summary by CodeRabbit

  • Bug Fixes
    • Added authorization checks so only permitted users can view payment content.
    • Now verifies active payment methods before showing payment pages; otherwise an informative error is shown.
    • Validation now runs up front and prevents payment content from loading when checks fail.
    • Improved error output for safer display.


@akzmoudud akzmoudud requested a review from mrabbani January 19, 2026 10:06
@akzmoudud akzmoudud self-assigned this Jan 19, 2026
coderabbitai bot (Contributor) commented Jan 19, 2026

Walkthrough

Adds a protected validator method that enforces the dokan_view_store_payment_menu capability and verifies there are active payment methods; load_payment_content() now calls this validator and aborts rendering with a global error template if validation fails.

Changes

  • Cohort / File(s): Payment settings template (includes/Dashboard/Templates/Settings.php)
  • Change summary: Added protected validate_payment_access( $active_methods ) to check the dokan_view_store_payment_menu capability and the presence of active payment methods (returns bool). load_payment_content() now calls the validator and short-circuits to render the global error template (uses esc_html__) on failure; docblock updated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • mrabbani
  • Aunshon

Poem

A rabbit hops where code paths meet, 🐇
I guard the gate and check the seat,
If caps or methods do not show,
I gently close the dashboard flow,
Then nibble logs beneath moon’s glow.

Pre-merge checks: 3 passed, 2 inconclusive

Failed checks (2 inconclusive):
  • Linked Issues check (Inconclusive): Code adds permission validation to the payment settings page but insufficient detail provided to confirm REST API endpoint authorization fix and complete requirement fulfillment. Resolution: Verify that REST API endpoints (/wp-json/settings/v1) include proper capability checks to prevent vendor/vendor_staff from modifying enable_manual_order and other vendor-level settings.
  • Description check (Inconclusive): The PR description follows the required template structure but lacks detailed explanations in key sections such as 'Changes proposed', test steps, and before/after scenarios. Resolution: Provide detailed descriptions of the changes made, specific test steps, and screenshots showing the before/after behavior to clarify how the permission validation fix addresses the security issue.

Passed checks (3 passed):
  • Title check (Passed): The title clearly describes the main security fix: preventing vendor staff from accessing the vendor payment settings page and modifying manual order settings via REST API.
  • Out of Scope Changes check (Passed): The changes are focused solely on adding permission validation to the payment settings page and do not introduce any unrelated modifications outside the scope of the linked issue.
  • Docstring Coverage (Passed): Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

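The gate described in the walkthrough, plus the REST-side check the Linked Issues note asks to verify, as an added PHP illustration that is not Dokan's own code. Method and capability names follow the walkthrough; the error template slug, the REST namespace and route, the settings key and the capability used for the manual-order endpoint are assumptions.

```php
<?php
// Added illustration (not the project's code): the same capability gate applied on
// both surfaces named in this PR, the dashboard render path and a REST endpoint.
// Assumed: error template slug, REST namespace/route, meta key, MANUAL_ORDER_CAP value.

const MANUAL_ORDER_CAP = 'dokan_view_store_payment_menu'; // assumed; use the plugin's real cap

class Settings {
    /**
     * True only when the current user holds the capability AND at least one
     * payment method is active. Both checks run before any output.
     */
    protected function validate_payment_access( array $active_methods ): bool {
        if ( ! current_user_can( 'dokan_view_store_payment_menu' ) ) {
            return false; // vendor staff without the capability stop here
        }
        return ! empty( $active_methods );
    }

    public function load_payment_content( array $active_methods ): void {
        // Validate up front so the page cannot partially render before failing.
        if ( ! $this->validate_payment_access( $active_methods ) ) {
            dokan_get_template_part( 'global/dokan-error', '', [ // template slug assumed
                'deleted' => false,
                'message' => esc_html__( 'You have no permission to view this page', 'dokan-lite' ),
            ] );
            return;
        }
        // ... normal payment settings rendering continues here ...
    }
}

// REST side: enforce the capability in permission_callback, not only in the UI,
// because the endpoint is reachable without ever loading the dashboard page.
add_action( 'rest_api_init', function () {
    register_rest_route( 'settings/v1', '/manual-order', [ // namespace/route assumed
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( MANUAL_ORDER_CAP );
        },
        'args'                => [
            'enable_manual_order' => [ 'type' => 'boolean', 'required' => true ],
        ],
        'callback'            => function ( WP_REST_Request $request ) {
            $enabled = rest_sanitize_boolean( $request->get_param( 'enable_manual_order' ) );
            update_user_meta( get_current_user_id(), 'enable_manual_order', $enabled ); // key assumed
            return rest_ensure_response( [ 'enable_manual_order' => $enabled ] );
        },
    ] );
} );
```

A missing or permissive permission_callback is the condition the pre-merge note flags; WordPress treats an endpoint without one as publicly callable, so the callback is the control to review.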

@akzmoudud akzmoudud added the In Progress The issues is being worked on label Jan 20, 2026
@akzmoudud akzmoudud added Needs: Testing This requires further testing Needs: Dev Review It requires a developer review and approval and removed In Progress The issues is being worked on labels Jan 20, 2026
@dev-shahed dev-shahed added 🎉 QA Approved This PR is approved by the QA team Needs: Dev Review It requires a developer review and approval and removed Needs: Dev Review It requires a developer review and approval QA In Progress Needs: Testing This requires further testing labels Jan 27, 2026
@MdAsifHossainNadim MdAsifHossainNadim added Dev Review Done and removed Needs: Dev Review It requires a developer review and approval labels Jan 27, 2026
@MdAsifHossainNadim MdAsifHossainNadim merged commit d9aadd1 into develop Jan 27, 2026
1 of 6 checks passed
@MdAsifHossainNadim MdAsifHossainNadim deleted the fix/two-permission-related-issue branch January 27, 2026 12:02