12

I'm trying to add another PayPal email address into WooCommerce if the customer is within a certain role, in this case a Wholesale Customer. WooCommerce by default only allows you to set up one PayPal account, but I have been able to find the woocommerce_paypal_args function to change the arguments which are sent to PayPal. I can see the business field is responsible for holding the email address the payments are sent to.

I've got the code below which should intercept this and change it if the user is a wholesale_customer.

The question is: how secure is this? Is there a better method of doing what I want?

add_filter( 'woocommerce_paypal_args', 'woocommerce_paypal_args', 10, 2 );
function woocommerce_paypal_args( $paypal_args, $order ) {

    // Get the customer ID (0 for guest orders)
    $user_id = $order->get_user_id();

    // Get the user data; get_userdata() returns false when no such user exists
    $user_data = get_userdata( $user_id );

    // Use a different recipient account for a custom user role
    if ( $user_data && in_array( 'wholesale_customer', (array) $user_data->roles, true ) )
         $paypal_args['business'] = 'email@email.com';

    return $paypal_args;
}
Shaun
  • 2
    You're only changing the paypal email so there should be no additional security concerns. If you do a search for woocommerce_paypal_args you'll see many people doing similar things, even changing accounts based on products purchased, so I'd feel comfortable that's the best way to proceed. Any concerns and you can use paypal sandbox mode to check. – Buster Dec 14 '17 at 19:02
  • As @Buster has mentioned this should not affect the security. However make sure that you do some test transactions using sandbox to cover different order types, shipping, tax, order holds, cancellations, refunds etc. – Dhaval Shah Dec 16 '17 at 06:51
  • 1
    Hi both, thanks for getting back to me. I tested this in sandbox mode and the payment successfully went into the account when checking out as a wholesale customer. However, in the orders section of WooCommerce the status of the order is 'on hold' and has an error message 'Validation error: PayPal IPN response from a different email address'. Is this because I have sandbox enabled? – Shaun Dec 18 '17 at 10:22
  • 1
    Also, my concern with the security was that if someone gained access to the website's functions.php code, it'd be very easy for them to change the business email address to theirs, wouldn't it? – Shaun Dec 18 '17 at 10:24
  • 1
    I think the only way for someone to gain access to your functions.php is to have your ftp or hosting credentials. If someone can access your functions.php they can access your wp-config.php too which has login for your wp databases and all sorts of other private info would be available. – Buster Dec 18 '17 at 19:55
  • 1
    @Buster Very good point! – Shaun Dec 19 '17 at 09:28
  • As far as I'm concerned, you can change the PayPal email on the fly using a filter, but for IPN verification I believe there is one more request made to verify that the mail ID is valid and authentic; also, the IPN check still uses the old email which is saved in the settings page. Try to find any filter associated with the IPN verification process/payment token process; you may get some idea. – Vignesh Pichamani Dec 19 '17 at 09:40
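
The 'on hold' result described in the comments can be modelled outside WordPress. The PHP below is an added example, not code from the question, the comments or WooCommerce; it assumes the receiver check compares the receiver_email reported in the IPN with a single saved address, as the last comment suggests, and every function name, constant and address in it is constructed for illustration.

```php
<?php
// Added example: a standalone model of the receiver check, not WooCommerce code.
// All addresses, constants and function names are constructed for illustration.

const DEFAULT_RECEIVER = 'retail@example.com';   // the one address saved in settings
const ROLE_RECEIVERS   = [ 'wholesale_customer' => 'wholesale@example.com' ];

/** Pick the PayPal receiver for a customer's roles; guests have no roles. */
function expected_receiver( array $roles ): string {
    foreach ( ROLE_RECEIVERS as $role => $email ) {
        if ( in_array( $role, $roles, true ) ) {
            return $email;
        }
    }
    return DEFAULT_RECEIVER;
}

/** Case-insensitive, whitespace-tolerant comparison of two addresses. */
function receiver_matches( string $reported, string $expected ): bool {
    return strcasecmp( trim( $reported ), trim( $expected ) ) === 0;
}

/** Order status after an IPN that reports the given receiver_email. */
function ipn_order_status( array $order_roles, string $ipn_receiver, bool $role_aware ): string {
    // Settings-only: always compare against the saved address.
    // Role-aware: compare against the address this order should have paid.
    $expected = $role_aware ? expected_receiver( $order_roles ) : DEFAULT_RECEIVER;
    return receiver_matches( $ipn_receiver, $expected ) ? 'processing' : 'on-hold';
}

// Constructed cases: [ roles of the order's customer, receiver_email in the IPN ]
$cases = [
    'retail order'        => [ [ 'customer' ], 'retail@example.com' ],
    'wholesale order'     => [ [ 'wholesale_customer' ], 'Wholesale@Example.com ' ],
    'guest order'         => [ [], 'retail@example.com' ],
    'unexpected receiver' => [ [ 'wholesale_customer' ], 'someone-else@example.net' ],
];

foreach ( $cases as $label => [ $roles, $receiver ] ) {
    printf( "%-20s settings-only: %-11s role-aware: %s\n", $label,
        ipn_order_status( $roles, $receiver, false ),
        ipn_order_status( $roles, $receiver, true ) );
}
```

With the settings-only comparison the legitimate wholesale payment is held, while the role-aware comparison accepts it and still holds a payment reported for an address the order should never have paid.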

1 Answer

2

I can tell you from experience building and modding WooCommerce gateways that this is both a perfectly secure and reasonable way of achieving this using your current plugin. That said... use some brackets when writing an if statement... this isn't Python.

Nicholas Koskowski