When using Toolset WooCommerce Views v 2.8.1.1 (but it occurs also with previous versions), when visiting the URL hidden link an archive of WooCommerce orders is publicly displayed with exposure of some relatively sensitive information data, like the number of orders, and the date/time of each order.
The same occurs on several websites with different configurations, and I have tracked down the issue to the Toolset WooCommerce Views plugin.
This behavior seems made by design, as there's an explicit method named wcviews_make_shop_order_views_queryable which causes the orders to be publicly visible, but in my opinion, this is a very bad approach.
At the moment I have fixed this behavior with a tiny custom plugin that disables that filter and makes the orders not public as they should be. I am not sure why you need that orders are publicly queryable, but I am confident you could find an alternative solution that doesn't involve making the CPT shop_order public.
For anyone interested, below is the code of the aforementioned custom plugin.
add_action( 'plugins_loaded', 'bsfix_remove_wcviews_make_shop_order_views_queryable' );
function bsfix_remove_wcviews_make_shop_order_views_queryable( ) {
global $Class_WooCommerce_Views;
if ( ! empty( $Class_WooCommerce_Views ) ) {
remove_filter( 'woocommerce_register_post_type_shop_order', array(
$Class_WooCommerce_Views,
'wcviews_make_shop_order_views_queryable'
), 10, 1 );
}
}
register_activation_hook( __FILE__, 'bsfix_activation' );
function bsfix_activation() {
if ( ! get_option( 'bsfix_flush_rewrite_rules_flag' ) ) {
add_option( 'bsfix_flush_rewrite_rules_flag', true );
}
}
register_deactivation_hook( __FILE__, 'bsfix_deactivation' );
function bsfix_deactivation() {
flush_rewrite_rules();
}
add_action( 'init', 'bsfix_flush_rewrite_rules_maybe', 20 );
function bsfix_flush_rewrite_rules_maybe() {
if ( get_option( 'bsfix_flush_rewrite_rules_flag' ) ) {
flush_rewrite_rules();
delete_option( 'bsfix_flush_rewrite_rules_flag' );
}
}
Our 2nd Tier confirms that this has been done on purpose after several feature requests to make orders visible on the frontend and be displayed with Views.
You can control the visibility of Orders on the front-end using Access, including disabling it.
Finally, this was decided to be escalated as a feature request, and an option in Toolset WooCommerce view will be added to make orders visible on the front-end or not, especially when Toolset Access is used.
I hope this answers your questions. I remain at your disposal.
A quick note about the code provided in the initial message. It should be used as a custom plugin, and it's also necessary to activate the plugin itself. It will not work if you put the code in the theme's functions.php or in an existing activated custom plugin. That's because, in order to work, the fix requires a flush of the permalinks, which is done upon plugin activation (it would be too resource-consuming doing it on every page load).
That said, I believe it would be a bit overwhelming to install Toolset Access for the sole purpose of hiding the orders on the frontend as they are supposed to be protected data (according to WooCommerce data architecture). If someone needs the orders to be public, it should work the other way round: use Toolset Access to let the orders be publicly queryable.
I believe having an option for that directly in Toolset WooCommerce Views would still be preferable, but it should be disabled by default.
I am pretty sure the majority of store owners don't like the fact that part of their orders data is publicly exposed without notice.
I would consider this a security issue and not just simple misbehavior.
Looking forward to having updates from you.
In the meantime, I will be keeping using my fix.
Thank you for your feedback. I understand your point of view, so I got back to our 2nd Tier with your feedback and we confirm that we will add the visibility of orders as an option in the WooCommerce Views plugin itself and that it will be off by default so that Access won't be required.
