Checkout through REST API and permissions

  • Resolved NSPT

    (@nsptfr)


    Hello,

    I’m using the mobile app fluxstore in order to show products to the customers on my mobile app.

    I’ve tried to create a generic account with “Customer” permissions in order to show products on my app. But it seems to require at least “Shop manager” permissions to be able to list the products. Won’t really be a problem, but it is not possible to make an anonymous checkout without read/write permissions.

    Is it possible to make an anonymous checkout through the REST API, and which permission would be the best suited, please?

    Thanks,

    https://codecanyon.net/item/fluxstore-woocommerce-flutter-ecommerce-full-app/24050041

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Job a11n

    (@jobthomas)

    Automattic Happiness Engineer

    Hey @nsptfr – I’m not entirely sure what your code looks like but I’m a bit confused about your set up.

    It’s logical that the permissions to change things would be the same on both the REST API and the WooCommerce site. I’d expect that this app on CodeCanyon allows for a shop manager to configure the app and in doing so allows guest users to check out through that account.

    However, this is a plugin that’s not developed or supported by WooCommerce.com so I’d advise to ask for input from their developers at https://codecanyon.net/item/fluxstore-woocommerce-flutter-ecommerce-full-app/24050041/support

    I hope this helps you.

    Thread Starter NSPT

    (@nsptfr)

    Hello,
    Thanks for your reply,

    It is not really my code, I’m using Postman to connect to the REST API.
    To do so, I’ve created a WOOCOMMERCEAPI user and a key pair to log into the REST API.

    If this user is “Customer”, the REST API returns 403 Forbidden. If I set it to “Shop Manager”, I’m then able to get Products from the REST API.
    So if I want to be able to also pass orders, I have to enable read/write on those keys. But I don’t want to do it on a “Shop Manager” key pair.

    Thanks,

    Plugin Support Job a11n

    (@jobthomas)

    Automattic Happiness Engineer

    If this user is “Customer”, the REST API returns 403 Forbidden. If I set it to “Shop Manager”, I’m then able to get Products from the REST API.
    So if I want to be able to also pass orders, I have to enable read/write on those keys. But I don’t want to do it on a “Shop Manager” key pair.

    This is indeed as expected. A customer does not have the ability to change the details on your WooCommerce store and also should not be able to do so. Changing these settings would open up your store to being hacked or messed around with by people who do not have the proper authorization to do so.

    I would highly advise against changing these rules.

    Thread Starter NSPT

    (@nsptfr)

    My questions are:

    1. Is it normal that I receive 403 Forbidden when trying to get the product catalog with “Customer” READ privilege?

    2. Is it possible to make anonymous purchases with “Customer” READ/WRITE privilege?

    Regards,

    Plugin Support Job a11n

    (@jobthomas)

    Automattic Happiness Engineer

    Hi @nsptfr – If you give READ/WRITE access to customers, this will cause a massive security gap on your site because you give customers the key to your site. With that type of access they would be able to review everything in your database if they know a bit of coding.

    The same goes for READ access. Even though they wouldn’t be able to make changes to your website they’d be able to review confidential information.

    As I’ve indicated above, you shouldn’t give READ/WRITE privileges to customers. Any app you create should be connected to someone who has an admin account rather than working on a per-customer basis.

    Since no new information is added to this thread, I’m going to mark it as resolved.
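The 403 and the read/write discussion in this thread come from two separate layers that WooCommerce checks before answering a keyed REST request: the permission level stamped on the API key itself (read or read/write) and the WordPress capabilities of the user the key belongs to. The following Python model is an added illustration, not code from the thread or from WooCommerce; the role capability sets and the endpoint-to-capability mapping are simplified assumptions based on the reply above and the plugin's general read-private/publish pattern, and the status codes are assumed for the example.

```python
"""Toy model of WooCommerce REST API key authorization (added illustration,
not plugin code).  Two layers are checked: the key's own permission level,
then the capabilities of the WordPress user that owns the key."""

from dataclasses import dataclass

# ASSUMED, simplified capability sets.  A Customer can only read its own data;
# a Shop manager carries the store-wide product and order capabilities.
ROLE_CAPS = {
    "customer": {"read"},
    "shop_manager": {
        "read",
        "read_private_products", "publish_products",
        "read_private_shop_orders", "publish_shop_orders",
    },
}

# ASSUMED mapping from (method, route) to the capability the REST controller
# requires.  Listing uses a read_private_* capability, creating uses publish_*.
ENDPOINT_CAPS = {
    ("GET", "/wc/v3/products"): "read_private_products",
    ("GET", "/wc/v3/orders"): "read_private_shop_orders",
    ("POST", "/wc/v3/orders"): "publish_shop_orders",
}


@dataclass(frozen=True)
class ApiKey:
    user_role: str   # role of the WordPress user the key was generated for
    permission: str  # "read" or "read_write", chosen when the key is created


def authorize(key: ApiKey, method: str, route: str) -> int:
    """Return the HTTP status this request would get (assumed codes)."""
    # Layer 1: key permission.  A read-only key is rejected for any write
    # before the user's role is even consulted.
    if method != "GET" and key.permission != "read_write":
        return 401
    # Layer 2: the owning user's capabilities decide per endpoint.
    needed = ENDPOINT_CAPS.get((method, route))
    if needed is None:
        return 404
    return 200 if needed in ROLE_CAPS[key.user_role] else 403


def permission_matrix() -> dict:
    """Evaluate the combinations discussed in the thread."""
    cases = {
        "customer/read GET products": (ApiKey("customer", "read"), "GET", "/wc/v3/products"),
        "customer/read_write POST orders": (ApiKey("customer", "read_write"), "POST", "/wc/v3/orders"),
        "shop_manager/read GET products": (ApiKey("shop_manager", "read"), "GET", "/wc/v3/products"),
        "shop_manager/read POST orders": (ApiKey("shop_manager", "read"), "POST", "/wc/v3/orders"),
        "shop_manager/read_write POST orders": (ApiKey("shop_manager", "read_write"), "POST", "/wc/v3/orders"),
    }
    return {name: authorize(key, method, route) for name, (key, method, route) in cases.items()}


if __name__ == "__main__":
    for name, status in permission_matrix().items():
        print(f"{name:40s} -> {status}")
```

The matrix reproduces the thread: a Customer-role key is refused on the catalog regardless of its permission level, a Shop manager key with read permission can list products but is still stopped at the key layer for order creation, and only a Shop manager read/write key clears both layers. That is also why the reply recommends keeping a single server-held key rather than handing customer-facing code a write-capable key: the key layer bounds what a leaked read key can do to disclosure, while a leaked read/write key inherits everything its owner's role can change.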

  • The topic ‘Checkout through REST API and permissions’ is closed to new replies.