JWT on Woocommerce cannot work with "Customer" role user

[suhardiyan]

I developed mobile apps, that connect directly to woocommerce rest api directly. I used this plugin for authenticating, like registering and login, make an order , etc.

So the issue come, when I register new user (with default role is Customer) then, I try to access an endpoint like : http://123.456.789.910/lili_shop/wp-json/wc/v3/orders , it says :

{
    "code": "woocommerce_rest_cannot_view",
    "message": "Sorry, you cannot list resources.",
    "data": {
        "status": 403
    }
}

Then I change user role of registered user to "Administrator", it works.

But, what I want is, a new registered user (with default role is Customer) can access woocommerce API with JWT too, how can I achieve this? Anyhelp will appreciate. Thanks.

[mostafaebrahimi]

@suhardiyan may you provide more information? for example request headers,body and user roles

[suhardiyan]

http://my-link.com/lili_shop/wp-json/wc/v3/orders [POST]

Content-Type: application/json
Authorization: Bearer TOKEN_FROM_JWT

{
  "payment_method": "bacs",
  "payment_method_title": "Direct Bank Transfer",
  "set_paid": true,
  "billing": {
    "first_name": "John",
    "last_name": "Doe",
    "address_1": "969 Market",
    "address_2": "",
    "city": "San Francisco",
    "state": "CA",
    "postcode": "94103",
    "country": "US",
    "email": "john.doe@example.com",
    "phone": "(555) 555-5555"
  },
  "shipping": {
    "first_name": "John",
    "last_name": "Doe",
    "address_1": "969 Market",
    "address_2": "",
    "city": "San Francisco",
    "state": "CA",
    "postcode": "94103",
    "country": "US"
  },
  "line_items": [
    {
      "product_id": 9,
      "quantity": 2
    }
  ],
  "shipping_lines": [
    {
      "method_id": "woongkir"
    }
  ]
}

POST, GET also same if role is not administrator, the registered customer cant create an order, this plugin will work if user roles is Administrator

[Bobeta]

@suhardiyan I am experiencing the same thing, did you ever find a solution for this?

[suhardiyan]

@suhardiyan I am experiencing the same thing, did you ever find a solution for this?

I just created a dummy user as Administrator role, whenever customer order, I pass the orders with that dummy user in backend.

[mostafaebrahimi]

I changed the plugin and commented these three lines

  public function rest_pre_dispatch($request)
    {
   //  if (is_wp_error($this->jwt_error)) {
   //      return $this->jwt_error;
   // }
        return $request;
   }

[marioshtika]

Instead of changing the plugin, maybe something like this could help https://github.com/Tmeister/wp-api-jwt-auth/issues/48#issuecomment-503291246

[nilsnolde]

Note, that's expected WooCommerce behavior. It can be annoying but no customer role is able to see any WC REST endpoint, even for reading. It's a design decision. I also wanted to change that, so that a customer can at least see his own profile, i.e. query his /costumer/<id> entity with his own JWT with this filter:

add_filter( 'woocommerce_rest_check_permissions', array( $this, 'changeWooPermissions') , 10, 4 );

function changeWooPermissions( $permission, $context, $object_id, $type ) {
 // Only allow the logged-in user to see his own profile
    if ($type === 'user') {
        $current_user_id = get_current_user_id();
        return $current_user_id === $object_id;
     }
     return $permission;
}

Be aware that using administrator credentials in any client-side code is highly dangerous.. Integrating the JWT flow with WC is a few lines extra but definitely worth it.