Access denied after update

Hi! That’s very strange, I haven’t had any reports about this and nothing has been changed in this area either… Is this with a regular WooCommerce setup or do you also use a marketplace plugin like WC Vendors or Dokan?
Can you post a URL of a page that give you this error? You can leave out the order ID and/or domain name, as long as all the other parameters are visible. It’s possible that something is causing the URL to have missing or corrupted parameters.

The URL is the following:

https://example.com/wp-admin/admin-ajax.php?action=generate_wpo_wcpdf&document_type=invoice&order_ids=14953&_wpnonce=b913843509

Plugins:
Abandoned Cart Pro for WooCommerce
Admin Columns Pro
Admin Columns Pro – Advanced Custom Fields (ACF)
Admin Columns Pro – WooCommerce
Advanced Custom Fields PRO
AJAX Thumbnail Rebuild
Archived Post Status
Breadcrumb NavXT
Category Wise Search Widget
Custom Post Type UI
Custom Taxonomy Order NE
Email Notifications for WP Security Audit Log
Enable Media Replace
Enhanced E-commerce for Woocommerce store
Enhanced Media Library
Flip Book
GetResponse Integration Plugin
Gravity Forms
Icegram – Popups, Optins, CTAs & lot more…
MCE Table Buttons
Post Types Order
Posts Date Ranges
PW Advanced Woo Reporting
Redirection
Reports for WP Security Audit Log
Reset User Passwords
SB Welcome Email Editor
Search for WP Security Audit Log
User Role Editor
User Role Editor
Users Sessions Management for WP Security Audit Log
wBounce
Woo Checkout Field Editor Pro
WooCommerce
WooCommerce Create Customer on Order
WooCommerce Customer History
WooCommerce Customer/Order CSV Export
WooCommerce Extended Coupon Features PRO
WooCommerce Helper
WooCommerce Order Export and More
WooCommerce PayPal Pro (Classic and PayFlow Editions) Gateway
WooCommerce PDF Invoices & Packing Slips
WooCommerce Sales Report Email
WooCommerce Shop as Customer
WooCommerce Smart Reminder Emails
WooCommerce Store Credit
WooCommerce Zapier Integration
WP Security Audit Log
WP Smush
Yoast SEO

All the plugins are up to date.

• This reply was modified 7 years, 2 months ago by zhakal. Reason: Removal of junk from Copy-Paste

If I disable all the plugins except:
Advanced Custom Fields PRO
WooCommerce
WooCommerce Customer/Order CSV Export

The issue still occurs. Have even tried to change back to the “simple” template.

Hello zhakal,
Seeing you have the “User Role Editor” plugin, I think it may be related to that. I have no other reports from people with issues like these. To be allowed to view the invoice, one of the following conditions should be met:

• User is logged in, has capability ‘edit_shop_orders’ or ‘manage_woocommerce_orders’
• User is logged in, accesses via “My account”, an is either owner of the order or has capability ‘edit_shop_orders’ or ‘manage_woocommerce_orders’

There’s also a filter wpo_wcpdf_check_privs, but I assume you haven’t applied that in your theme functions because you would probably know…

Ewout

One more thing: Which version of WooCommerce do you use?

It seems the creator of the theme has added the following line:
add_filter( ‘wpo_wcpdf_check_privs’, function() { return false; });

By removing this, everything seem to be working.

What does this line do? Is it needed for security?

Hi! Which theme is that?
This line will basically disable invoice creation for everyone, regardless of anything…
It’s certainly not required for security, as the plugin has multiple layers of security built in already.

Are you sure it wasn’t inserted in functions.php by anyone working on your site?

It’s a custom theme developed by an American Company.
It’s added in a file called filters.php, and seem to have been there for a long while (Pre 2017) and hasn’t given any issue until now.

At least it was solved by removing it.