@leonardola
Contributor

Fraud Protection: Do Not Track Admin Users

Summary

Modifies the fraud protection system to exclude admin users from tracking. Previously, all users were tracked when fraud protection was enabled. Now, only non-admin users (those without the manage_woocommerce capability) are tracked.

Why This Change?

Admin users performing testing, debugging, or routine store management should not be tracked as potential fraud risks. This reduces noise in fraud detection data and focuses tracking on actual customer behavior.

Test Plan

Manual Testing Instructions

Prerequisites

  1. Enable fraud protection feature:
    • Navigate to WooCommerce → Settings → Advanced → Features
    • Enable Fraud Protection
    • Save changes

Test Scenario 1: Admin User Not Tracked

  1. Log in as an admin user (or shop manager)
  2. Add products to cart
  3. Update cart quantities
  4. Remove items from cart
  5. Complete checkout
  6. Expected: No fraud protection events should be dispatched (check logs or monitoring)

Test Scenario 2: Regular User Tracked

  1. Create a test customer account with Customer or Subscriber role
  2. Log in as that user
  3. Add products to cart
  4. Update cart quantities
  5. Complete checkout
  6. Expected: Fraud protection events should be tracked normally

Test Scenario 3: Guest User Tracked

  1. Log out (browse as guest)
  2. Add products to cart
  3. Update cart quantities
  4. Complete checkout as guest
  5. Expected: Fraud protection events should be tracked normally

Test Scenario 4: Feature Disabled

  1. Disable fraud protection feature in settings
  2. Perform cart/checkout operations as any user type
  3. Expected: No fraud protection events tracked for any user

Verification Points

For scenarios where tracking is expected, verify events are dispatched at these points:

  • Cart item added
  • Cart item removed
  • Cart item quantity updated
  • Cart item restored
  • Order placed
  • Payment method added

For admin users, verify these events are not dispatched even when fraud protection is enabled.

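The gate described in the summary and exercised by the four test scenarios above, as an added stand-alone example (this is not WooCommerce's own code). It models should_track() outside WordPress: the controller's feature_is_enabled() and WordPress' current_user_can() are replaced by injected callables, and the user fixtures (admin, shop_manager, customer, guest) are constructed capability sets. The script runs with plain `php` and fails with a non-zero exit if the tracking matrix differs from what the test plan expects.

```php
<?php
// Added example, not WooCommerce code: a stand-alone model of the
// should_track() gate from this PR. Both dependencies are injected so the
// script runs outside WordPress (run with: php should_track_example.php).

declare(strict_types=1);

final class FraudProtectionGate {
	/** @var callable(): bool stand-in for FraudProtectionController::feature_is_enabled() */
	private $feature_is_enabled;
	/** @var callable(string): bool stand-in for WordPress' current_user_can() */
	private $current_user_can;

	public function __construct( callable $feature_is_enabled, callable $current_user_can ) {
		$this->feature_is_enabled = $feature_is_enabled;
		$this->current_user_can   = $current_user_can;
	}

	// Same rule as the PR: track only when the feature is on AND the current
	// user does NOT hold manage_woocommerce (a capability check, not a role check).
	public function should_track(): bool {
		return ( $this->feature_is_enabled )()
			&& ! ( $this->current_user_can )( 'manage_woocommerce' );
	}
}

// Constructed fixtures: capability sets standing in for WordPress roles.
// A logged-out visitor has no user object, so every capability check is false.
$users = array(
	'admin'        => array( 'manage_woocommerce', 'manage_options' ),
	'shop_manager' => array( 'manage_woocommerce' ),
	'customer'     => array( 'read' ),
	'guest'        => array(),
);

// Evaluate the gate for every (feature state, user) pair, as the test plan does.
$results = array();
foreach ( array( true, false ) as $enabled ) {
	foreach ( $users as $label => $caps ) {
		$gate = new FraudProtectionGate(
			static fn(): bool => $enabled,
			static fn( string $cap ): bool => in_array( $cap, $caps, true )
		);
		$results[ $enabled ? 'enabled' : 'disabled' ][ $label ] = $gate->should_track();
	}
}

// Scenarios 1-4 from the test plan: only customer and guest are tracked, and
// only while the feature is enabled.
$expected = array(
	'enabled'  => array( 'admin' => false, 'shop_manager' => false, 'customer' => true, 'guest' => true ),
	'disabled' => array( 'admin' => false, 'shop_manager' => false, 'customer' => false, 'guest' => false ),
);

if ( $results !== $expected ) {
	fwrite( STDERR, "unexpected gating result:\n" . var_export( $results, true ) . "\n" );
	exit( 1 );
}

foreach ( $results as $state => $row ) {
	foreach ( $row as $label => $tracked ) {
		printf( "feature %-8s %-13s tracked=%s\n", $state, $label, $tracked ? 'yes' : 'no' );
	}
}
```

Two properties of the real gate are worth keeping in mind when reading the matrix. First, manage_woocommerce is a capability, so any custom role that is granted it is excluded from tracking exactly like an administrator or shop manager. Second, current_user_can() is false whenever there is no authenticated user, so cron jobs, WP-CLI runs and unauthenticated Store API requests are treated like the guest row and are tracked.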

@github-actions github-actions bot added the plugin: woocommerce Issues related to the WooCommerce Core plugin. label Jan 14, 2026
@leonardola leonardola changed the title from "Now we only track non-admin users" to "[Fraud Protection] Do not track admin users" Jan 14, 2026
@leonardola leonardola force-pushed the add/do-not-track-admin-users branch from 25c1551 to c234da0 Compare January 14, 2026 19:59
@leonardola leonardola force-pushed the add/do-not-track-admin-users branch from c234da0 to 4dd42e4 Compare January 15, 2026 16:15
@leonardola leonardola added this to the 10.6.0 milestone Jan 15, 2026
@leonardola leonardola marked this pull request as ready for review January 15, 2026 16:35
@leonardola leonardola requested a review from a team as a code owner January 15, 2026 16:35
@leonardola leonardola requested review from opr and removed request for a team January 15, 2026 16:35

github-actions bot commented Jan 15, 2026

Testing Guidelines

Hi @luizreis ,

Apart from reviewing the code changes, please make sure to review the testing instructions (Guide) and verify that relevant tests (E2E, Unit, Integration, etc.) have been added or updated as needed.

Reminder: PR reviewers are required to document testing performed. This includes:

  • 🖼️ Screenshots or screen recordings.
  • 📝 List of functionality tested / steps followed.
  • 🌐 Site details (environment attributes such as hosting type, plugins, theme, store size, store age, and relevant settings).
  • 🔍 Any analysis performed, such as assessing potential impacts on environment attributes and other plugins, conducting performance profiling, or using LLM/AI-based analysis.

⚠️ Within the testing details you provide, please ensure that no sensitive information (such as API keys, passwords, user data, etc.) is included in this public issue.

@leonardola leonardola requested review from luizreis and removed request for opr January 15, 2026 16:35
@claude claude bot left a comment

🤖 Backwards Compatibility Review - Found 1 potential issue

Generated by Claude via this workflow run


coderabbitai bot commented Jan 15, 2026

Walkthrough

This pull request refactors fraud-protection event tracking across WooCommerce by introducing a new should_track() method on FraudProtectionController that gates tracking based on both feature enablement and user permissions (excluding users with manage_woocommerce capability). All existing calls to feature_is_enabled() are systematically replaced with this new method throughout cart, checkout, payment, block, and API components.

Changes

Cohort: FraudProtectionController - New Method
  • File(s): plugins/woocommerce/src/Internal/FraudProtection/FraudProtectionController.php
  • Summary: Added new public method should_track() that returns true when fraud protection is enabled AND the user lacks the manage_woocommerce capability.

Cohort: Core WooCommerce Classes - Feature Check Updates
  • File(s): plugins/woocommerce/includes/class-wc-ajax.php, class-wc-cart.php, class-wc-checkout.php, class-wc-payment-gateways.php, data-stores/class-wc-payment-token-data-store.php
  • Summary: Replaced feature_is_enabled() with should_track() in order review, cart operations (add/remove/restore/quantity), payment processing, and payment token tracking.

Cohort: Shortcode Classes - Feature Check Updates
  • File(s): plugins/woocommerce/includes/shortcodes/class-wc-shortcode-*.php (3 files)
  • Summary: Replaced feature_is_enabled() with should_track() in cart page, checkout page, and account page tracking conditions.

Cohort: Block Components - Feature Check Updates
  • File(s): plugins/woocommerce/src/Blocks/BlockTypes/Cart.php, Checkout.php
  • Summary: Replaced feature_is_enabled() with should_track() for cart and checkout page load tracking.

Cohort: Internal Utilities and Store API - Feature Check Updates
  • File(s): plugins/woocommerce/src/Internal/FraudProtection/FraudProtectionDispatcher.php, src/StoreApi/Routes/V1/CartUpdateCustomer.php, Checkout.php, Utilities/CartController.php
  • Summary: Replaced feature_is_enabled() with should_track() in dispatcher, cart updates, checkout flow, and cart controller.

Cohort: Test Suite Updates
  • File(s): plugins/woocommerce/tests/php/src/Blocks/StoreApi/Utilities/CartControllerTests.php, Internal/FraudProtection/FraudProtectionControllerTest.php, FraudProtectionDispatcherTest.php, PaymentMethodEventTrackerTest.php
  • Summary: Added four new tests for should_track() covering admin/regular user/guest scenarios with the feature enabled and disabled; updated existing test mocks and user context setup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks: 3 passed

  • Title check: Passed. The PR title clearly and concisely describes the main change: excluding admin users from fraud protection tracking.
  • Description check: Passed. The PR description comprehensively explains the motivation and implementation approach, and includes detailed manual testing instructions aligned with the changeset.
  • Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (4)
plugins/woocommerce/src/Internal/FraudProtection/FraudProtectionController.php (1)

163-170: Add missing @since annotation and return type hint.

Per coding guidelines, the @since annotation should be included with the current WooCommerce version. Additionally, for consistency with feature_is_enabled(), consider adding the bool return type hint.

♻️ Suggested improvement
 	/**
 	 * Check if the fraud protection is enabled and should track events for the current user.
 	 *
+	 * `@since` 10.5.0
+	 *
 	 * `@return` bool True if fraud protection should track events for the current user, false otherwise.
 	 */
-	public function should_track() {
+	public function should_track(): bool {
 		return $this->feature_is_enabled() && ! current_user_can( 'manage_woocommerce' );
 	}
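Review bot: the `@since 10.5.0` proposed for the docblock conflicts with the 10.6.0 milestone this PR was assigned to on Jan 15; the annotation should carry the release the method actually ships in. The `: bool` return type is a good addition and matches feature_is_enabled(). While touching the docblock, state that `current_user_can( 'manage_woocommerce' )` is a capability check rather than a role check: shop managers (which the test plan already lists alongside admins) and any custom role granted that capability are excluded from tracking as well, and nothing in the method name makes that visible to callers.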
plugins/woocommerce/src/Internal/FraudProtection/FraudProtectionDispatcher.php (1)

94-105: Log message could be more accurate.

The debug log message says "feature disabled" but should_track() now returns false for two reasons: (1) feature is disabled, or (2) user is an admin. Consider updating the message for better debugging clarity.

♻️ Suggested improvement
 			// Check if feature is enabled - fail-open if not.
 			if ( ! $this->fraud_protection_controller->should_track() ) {
 				FraudProtectionController::log(
 					'debug',
 					sprintf(
-						'Fraud protection event not dispatched (feature disabled): %s',
+						'Fraud protection event not dispatched (tracking disabled or admin user): %s',
 						$event_type
 					),
 					array( 'event_type' => $event_type )
 				);
 				return;
 			}
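Review bot: the code comment `// Check if feature is enabled - fail-open if not.` above the `should_track()` call is stale for the same reason as the log string: the gate now also returns false for users holding manage_woocommerce. Update the comment together with the message, and consider logging which of the two conditions failed (for example by calling `feature_is_enabled()` separately inside this branch) so an operator reading the debug log can tell a disabled feature from an excluded admin session.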
plugins/woocommerce/includes/class-wc-ajax.php (1)

380-384: Avoid double container lookups in the tracking block (minor perf/readability).

Cache FraudProtectionController/CheckoutEventTracker locally to avoid multiple wc_get_container()->get(...) calls in the same hot path.

Proposed diff
 		// Track checkout field update for fraud protection.
-		if ( wc_get_container()->get( FraudProtectionController::class )->should_track() ) {
-			wc_get_container()->get( CheckoutEventTracker::class )
-				->track_shortcode_checkout_field_update( isset( $_POST['post_data'] ) ? wp_unslash( $_POST['post_data'] ) : '' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		}
+		$fraud_protection = wc_get_container()->get( FraudProtectionController::class );
+		if ( $fraud_protection->should_track() ) {
+			$checkout_event_tracker = wc_get_container()->get( CheckoutEventTracker::class );
+			$checkout_event_tracker->track_shortcode_checkout_field_update( isset( $_POST['post_data'] ) ? wp_unslash( $_POST['post_data'] ) : '' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		}
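Review bot: caching the container lookups is fine, but the line that deserves attention in this block is `wp_unslash( $_POST['post_data'] )` being passed straight to `track_shortcode_checkout_field_update()` under a `phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized` suppression. That is raw client-controlled input; before merging, confirm that the tracker parses and sanitizes `post_data` itself and never writes it verbatim to logs or storage, or sanitize it here and drop the suppression.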
plugins/woocommerce/src/StoreApi/Utilities/CartController.php (1)

228-232: LGTM: correct gating for “don’t track admins”; consider caching container resolves.

Proposed diff
 		// Track cart event for fraud protection.
-		if ( $product instanceof \WC_Product && wc_get_container()->get( FraudProtectionController::class )->should_track() ) {
-			wc_get_container()->get( CartEventTracker::class )
-				->track_cart_item_added( $cart_id, $this->get_product_id( $product ), (int) $request_quantity, $this->get_variation_id( $product ) );
-		}
+		if ( $product instanceof \WC_Product ) {
+			$fraud_protection = wc_get_container()->get( FraudProtectionController::class );
+			if ( $fraud_protection->should_track() ) {
+				$cart_event_tracker = wc_get_container()->get( CartEventTracker::class );
+				$cart_event_tracker->track_cart_item_added( $cart_id, $this->get_product_id( $product ), (int) $request_quantity, $this->get_variation_id( $product ) );
+			}
+		}

@github-actions

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.
WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Test this pull request with WordPress Playground.

Note that this URL is valid for 30 days from when this comment was last updated. You can update it by closing/reopening the PR or pushing a new commit.

@luizreis luizreis left a comment

Maybe worth checking with @vbelolapotkov as well, but given Tautvidas' comment:

OK for alpha, for later i'd maybe suggest to track but explicitly allow list admins in the session/transaction list for visibility

Would it make sense to stop tracking admin users for now, just to re-track them later? I'm looking at an angle that perhaps this PR could be simplified and already implement Tautvidas' post-alpha suggestion of only whitelisting admins from being blocked, as (based on that comment) it'd be valuable to have that data.

I haven't fully looked at the code yet, but let me know if our MVP/GA plan is to never track admin users and I'll do a proper review.
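The alternative raised in this comment and in the quoted suggestion, as an added stand-alone example (not WooCommerce's code and not a proposal from either reviewer): every user is still tracked, so admin and shop-manager sessions remain visible in the session/transaction list, but sessions holding manage_woocommerce are allow-listed from enforcement and tagged as such in the recorded event. All class, method and field names (FraudPolicy, is_allow_listed, should_block, the allow_listed flag, the risk score and threshold) are hypothetical, the capability callable stands in for WordPress' current_user_can(), and the two sessions are constructed fixtures.

```php
<?php
// Added example, not WooCommerce code: "track everyone, allow-list admins
// from enforcement" as an alternative to "do not track admins". Names are
// hypothetical. Run with: php allow_list_example.php

declare(strict_types=1);

final class FraudPolicy {
	/** @var callable(): bool stand-in for the feature flag check */
	private $feature_is_enabled;
	/** @var callable(string): bool stand-in for WordPress' current_user_can() */
	private $current_user_can;
	/** @var array<int, array<string, mixed>> in-memory stand-in for the session store */
	private array $events = array();

	public function __construct( callable $feature_is_enabled, callable $current_user_can ) {
		$this->feature_is_enabled = $feature_is_enabled;
		$this->current_user_can   = $current_user_can;
	}

	// Tracking depends on the feature flag only: admins are recorded like everyone else.
	public function should_track(): bool {
		return ( $this->feature_is_enabled )();
	}

	// The capability decides enforcement, not visibility.
	public function is_allow_listed(): bool {
		return ( $this->current_user_can )( 'manage_woocommerce' );
	}

	// Record an event, tagging it so a reviewer can see why it was never blocked.
	public function record( string $event_type, array $data ): ?array {
		if ( ! $this->should_track() ) {
			return null;
		}
		$event = array(
			'type'         => $event_type,
			'data'         => $data,
			'allow_listed' => $this->is_allow_listed(),
		);
		$this->events[] = $event;
		return $event;
	}

	// Block only sessions that are not allow-listed and meet the risk threshold.
	public function should_block( array $event, int $risk_score, int $threshold = 80 ): bool {
		return ! $event['allow_listed'] && $risk_score >= $threshold;
	}

	/** @return array<int, array<string, mixed>> */
	public function events(): array {
		return $this->events;
	}
}

// Constructed fixtures: two sessions with identical behaviour and the same
// high risk score, differing only in the manage_woocommerce capability.
$sessions   = array(
	'shop_manager' => array( 'manage_woocommerce' ),
	'customer'     => array( 'read' ),
);
$risk_score = 95;

foreach ( $sessions as $label => $caps ) {
	$policy = new FraudPolicy(
		static fn(): bool => true,
		static fn( string $cap ): bool => in_array( $cap, $caps, true )
	);
	$event = $policy->record( 'order_placed', array( 'order_total' => 1299.00 ) );
	if ( null === $event || count( $policy->events() ) !== 1 ) {
		fwrite( STDERR, "expected the $label session to be recorded\n" );
		exit( 1 );
	}
	printf(
		"%-13s recorded=yes allow_listed=%-3s blocked=%s\n",
		$label,
		$event['allow_listed'] ? 'yes' : 'no',
		$policy->should_block( $event, $risk_score ) ? 'yes' : 'no'
	);
}
```

The difference from the PR's gate is where the capability check sits: here it only suppresses blocking, so a compromised or misused shop-manager account still leaves a trail in the fraud data, and the allow_listed flag on each event records why no action was taken.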
