Support » Plugin: Ultimate Reviews » The plugin breaks other REST endpoints in admin

  • Having this plugin installed breaks other Gutenberg Blocks plugins like
    https://github.com/woocommerce/woocommerce-gutenberg-products-block for example.

    It somehow hijacks the response, adding nonce input fields and referer fields before the valid JSON data, causing the response to be corrupt.

    Tried with latest version and with WC 3.5 -> 3.6 and with gutenberg product blocks 1.4 -> 2.0.

    Am going to have to deactivate this plugin for the client where I found this until it’s fixed 🙂

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor EtoileWebDesign

    (@etoilewebdesign)

    Could you provide us with the errors that you are seeing, so we can have some more specific info about where the code is breaking down?

    Jeff

    (@divergeinfinity)

    Not sure about Jonathan, but our plugin registers a WordPress endpoint:

    
    // Registers POST <namespace>/<add-to-cart route>/<productid> on the REST API.
    // Note: no 'permission_callback' is given, so the route is reachable by anyone;
    // the nonce check inside the callback is the only gate.
    add_action( 'rest_api_init', function() {
    	register_rest_route( self::$g3d_namespace, self::$ec3d_add_to_cart . '/(?P<productid>[\d]+)', array(
    		'methods'  => WP_REST_Server::CREATABLE, /* post */
    		'callback' => array( $this, 'ec3d_add_to_cart' ),
    		'args'     => array(
    			'productid' => array(
    				// The route regex already limits productid to digits; this rejects anything else.
    				'validate_callback' => function( $param, $request, $key ) {
    					return is_numeric( $param );
    				}
    			),
    		),
    	));
    });
    

    And on the Woo single product page we present an iframe to the user which has an embedded callback URL to our site to add a product to the Cart. This link contains a nonce created with wp_create_nonce which does so for the current user. (non-authenticated is the issue)

    As of Woo 3.6 this is broken, yes 3.5.x is fine. When the REST endpoint is hit, Woo now seems to have altered the expected User ID for its SESSION, and now the nonce generated by WordPress is failing as that is from a different User ID.

    Adding a filter and forcing the user ID can fix this for us, but unsure of the ramifications:

    
    // Only hook the override for anonymous visitors; logged-in users keep their real ID.
    if ( ! is_user_logged_in() ) {
    	add_filter( 'nonce_user_logged_out', [ $this, 'nonce_user_logged_out' ], 9999 );
    }
    

    The _low_ priority is used to hopefully fire our filter last, so we can force the ID back to zero and in doing so, we can again add products to the Cart as the nonce is valid for the ID they were generated under:

    
    // Filter callback for 'nonce_user_logged_out': ignores the ID WordPress/Woo passes in
    // and returns the current user's ID, which is 0 for a logged-out visitor.
    public function nonce_user_logged_out( $uid )
    {
    	$user  = wp_get_current_user();
    	$uid   = (int) $user->ID;
    	return $uid;
    }
    

    Which when hit can show the Woo ID as the input to the filter, and our overridden FINAL one that we return:

    
    USERID=68ac4c033bc906dbd936f366540949f4
    FINAL USERID=0
    

    Perhaps we need to do something differently, just documenting how it works as of now.

    Any thoughts would be appreciated.
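The filter above is installed globally at priority 9999, so it rewrites the logged-out user ID for every nonce check on the site, not just this endpoint's. As an added example (not Jeff's code and not from either plugin), the same override scoped to the one REST callback that needs it; the class, action and route names are placeholders.

```php
<?php
// Added example: scope the nonce_user_logged_out override to a single REST
// callback instead of installing it site-wide. All names are placeholders.
class Example_Cart_Endpoint {

    // Force the logged-out nonce UID back to what wp_create_nonce() used when the
    // iframe link was built (0 for an anonymous visitor), but only for our action.
    public function nonce_user_logged_out( $uid, $action ) {
        if ( 'example_add_to_cart' === $action ) {
            return (int) wp_get_current_user()->ID; // 0 when nobody is logged in
        }
        return $uid; // leave every other nonce (e.g. WooCommerce's own) untouched
    }

    // REST callback for POST .../add-to-cart/<productid>?_wpnonce=...
    public function add_to_cart( WP_REST_Request $request ) {
        $nonce = (string) $request->get_param( '_wpnonce' );

        // Hook the override only for the duration of this one verification.
        add_filter( 'nonce_user_logged_out', array( $this, 'nonce_user_logged_out' ), 9999, 2 );
        $valid = wp_verify_nonce( $nonce, 'example_add_to_cart' );
        remove_filter( 'nonce_user_logged_out', array( $this, 'nonce_user_logged_out' ), 9999 );

        if ( ! $valid ) {
            return new WP_Error( 'rest_forbidden', 'Invalid or expired nonce.', array( 'status' => 403 ) );
        }

        $product_id = (int) $request['productid']; // already digits-only via the route regex
        // ... add $product_id to the cart here (placeholder for the real cart logic) ...
        return rest_ensure_response( array( 'added' => $product_id ) );
    }
}
```

Because wp_create_nonce() runs the same filter, the nonce in the iframe link must be generated under the same UID rule or verification still fails.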

    Jeff

    (@divergeinfinity)

    Sorry, wrong plugin ticket, ignore this.

    @etoilewebdesign
    Actually no, don’t ignore this.
    Because this is still an issue and I do not see any fix in your changelog.

    To reproduce yourselves:
    1. Install WooCommerce, WooCommerce Blocks and this plugin in a WordPress 5.n installation.
    2. Try to add any of the Product Blocks to a Gutenberg page. They’ll all turn up as “no products found” because this plugin breaks the endpoints.

    To be honest I tried to look for the culprit in your code but the codebase is _massive_.. All I can tell you is that I’m 100% sure this plugin is causing the issue.

    @etoilewebdesign you can take a look at the request response happening when adding a product block in admin.
    This HTML block of nonce inputs is added before the actual proper JSON output:

    
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="20166ab6e7" />
    <input type="hidden" name="_wp_http_referer" value="/wp-json/wc-blocks/v1/products?status=publish&per_page=3&catalog_visibility=visible&orderby=popularity&_locale=user" />
    <input type="hidden" name="_wp_http_referer" value="/wp-json/wc-blocks/v1/products?status=publish&per_page=3&catalog_visibility=visible&orderby=popularity&_locale=user" />
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="20166ab6e7" />
    <input type="hidden" name="_wp_http_referer" value="/wp-json/wc-blocks/v1/products?status=publish&per_page=3&catalog_visibility=visible&orderby=popularity&_locale=user" />
    <input type="hidden" name="_wp_http_referer" value="/wp-json/wc-blocks/v1/products?status=publish&per_page=3&catalog_visibility=visible&orderby=popularity&_locale=user" />
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="20166ab6e7" />
    <input type="hidden" name="_wp_http_referer" value="/wp-json/wc-blocks/v1/products?status=publish&per_page=3&catalog_visibility=visible&orderby=popularity&_locale=user" />
    <input type="hidden" name="_wp_http_referer" value="/wp-json/wc-blocks/v1/products?status=publish&per_page=3&catalog_visibility=visible&orderby=popularity&_locale=user" />
    

    If I had to guess I’d say it’s likely something you do in the Oauth.php file.
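The corrupted body quoted above is the shape you get when a plugin echoes wp_nonce_field() from a hook that also runs while WordPress serves /wp-json. As an added example (not Ultimate Reviews' code, and no claim about where its bug actually lives), the pattern that produces the symptom, a hardened form, and a small check for a captured response body; hook, action and function names are placeholders.

```php
<?php
// Added example with placeholder names; not the plugin's own code.

// The pattern to avoid: wp_nonce_field() echoes by default, and 'init' fires for
// REST requests as well, so the <input> markup is sent ahead of the JSON body.
function example_bad_init_hook() {
    wp_nonce_field( 'example_save_settings' );
}
// add_action( 'init', 'example_bad_init_hook' );   // shown for contrast only

// Hardened form: return the markup instead of echoing it (4th arg false) and
// refuse to produce it for JSON/AJAX/cron requests. REST_REQUEST is only defined
// once parse_request has run, so an 'init' hook cannot rely on it alone;
// wp_is_json_request() (WP 5.0+) covers the block editor's Accept header.
function example_nonce_field_markup() {
    if ( ( defined( 'REST_REQUEST' ) && REST_REQUEST ) || wp_is_json_request()
         || wp_doing_ajax() || wp_doing_cron() ) {
        return '';
    }
    return wp_nonce_field( 'example_save_settings', '_wpnonce', true, false );
}

// The only place the field is printed: the settings screen's own render callback.
function example_render_settings_page() {
    echo '<form method="post">' . example_nonce_field_markup() . '</form>';
}

// Diagnostic for a captured response body: how many bytes precede the JSON and
// whether what follows still parses. Handy when blocks report "no products found"
// although the endpoint answers correctly when called directly.
function example_check_rest_body( $body ) {
    $start  = strcspn( $body, '{[' );              // offset of the first '{' or '['
    $prefix = substr( $body, 0, $start );
    json_decode( substr( $body, $start ) );
    return array(
        'prefix_bytes' => strlen( $prefix ),
        'prefix'       => $prefix,
        'valid_json'   => JSON_ERROR_NONE === json_last_error(),
    );
}

// Constructed sample body, modelled on the corrupted response quoted in this thread.
$sample = '<input type="hidden" id="_wpnonce" name="_wpnonce" value="20166ab6e7" />'
        . '{"products":[]}';
print_r( example_check_rest_body( $sample ) );
```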
