我目前正在开发一个表单,它允许用户更新特定的订单详细信息,包括费用和费用原因。表单在成功更新订单时显示JavaScript警报,更新后的数据反映在订单的元数据中。但是,我遇到了一个用户所有权验证的问题。
我面临的问题是:
所有权验证:我希望确保用户只能更新与其用户ID相关联的订单,而不能更新属于其他用户的订单。目前,当用户输入与其帐户不关联的订单ID时,订单元数据不会更新,但仍会触发成功更新的JavaScript警报。
我在下面列出了我的代码以供参考:
<form id="expense_form" class="expense_form" action="" method="post">
<label for="order-id">Order ID:</label>
<input class="exp_order_no" id="exp_order_no" type="text" pattern="[0-9]*" placeholder="Enter the Order Number" required>
<label for="expense">Expense:</label>
<input class="expense_amt" id="expense_amt" type="text" pattern="[0-9]*" placeholder="Enter the expense amount" required>
<label for="reason">Reason for Expense:</label>
<textarea class="expense_reason" id="expense_reason" id="reason" name="reason" rows="4" placeholder="Enter Message" required></textarea>
<input type="submit" class="exp_but" id="exp_but" value="Submit">
</form>
<script>
jQuery(document).ready(function($) {
$('#expense_form').on('submit', function(e) {
e.preventDefault();
var orderid = $('#exp_order_no').val();
var expense = $('#expense_amt').val();
var expense_reason = $('#expense_reason').val();
// console.log (orderid);
// console.log (expense);
// console.log (expense_reason);
$.ajax({
url: '<?php echo admin_url('admin-ajax.php'); ?>',
type: 'POST',
data: {
action:'update_custom_field_order_expense_php',
orderid: orderid,
expense: expense,
expense_reason:expense_reason
},
success: function( response ) {
console.log( 'Custom field updated successfully.' );
alert('Expense Submitted Successfully !!');
location.reload();
},
error: function( response ) {
console.log( 'Failed to Submit Expense.' );
alert('Expense Not Submitted !! Please enter correct order id.');
location.reload();
}
});
});
});
</script>
<?php
add_action( 'wp_ajax_update_custom_field_order_expense_php', 'update_custom_field_order_expense_php' );
add_action('wp_ajax_nopriv_update_custom_field_order_expense_php', 'update_custom_field_order_expense_php');
function update_custom_field_order_expense_php() {
$order_id = $_POST['orderid'];
$order_expense = $_POST['expense'];
$order_expense_reason = $_POST['expense_reason'];
$order = wc_get_order( $order_id );
if ( is_user_logged_in()) {
$current_user = wp_get_current_user();
$current_user_id = $current_user->ID;
$driver_id = get_post_meta($order_id, 'lddfw_driverid', true);
//$current_date = date_i18n( 'j F, Y', strtotime( $current_date_time ) );
if($current_user_id == $driver_id ){
$order->update_meta_data( 'Driver Expense', $order_expense );
$order->update_meta_data( 'Driver Expense Reason',$order_expense_reason);
$order->save();
wp_send_json_success();
exit;
}else{
wp_send_json_error();
exit;
}
}
}
?>
1条答案
按热度按时间8ljdwjyq1#
尝试以下重新访问和增强的代码版本,检查当前用户ID是否与所请求订单ID的注册驱动程序ID订单元数据匹配。
我为用户ID添加了一个隐藏的输入字段,并在其中显示处理消息的隐藏消息框。
形式:
jQuery代码
PHP:
测试和作品。