Robustness: guard process_checkout() against missing cart and invalid gateway #1377

Open
vuckro wants to merge 3 commits into Ultimate-Multisite:main from vuckro:security/checkout-finalization-robustness

@vuckro vuckro commented Jun 10, 2026

Summary

Two reachable fatals on the synchronous final-checkout path in
Checkout::process_checkout():

  1. $payment->get_meta('wu_original_cart') returns its false default for any
    payment not created by the normal checkout flow (webhook / admin /
    register-API payments). The next line called $this->order->set_membership()
    on that boolean → Error: Call to a member function … on bool. Sibling
    consumers (Discount_Code_Manager, Base_Stripe_Gateway) already validate
    this meta with is_a(..., Cart::class); this path did not.
  2. The elseif ($gateway->get_id() === 'free') branch dereferenced $gateway,
    which is false when an unknown gateway request value is supplied.

Changes

  • Bail with a clean WP_Error when the stored cart isn't a Cart.
  • Guard the gateway dereference so a false gateway falls through to the
    existing "gateway not registered" error.

Both are robustness/DoS fixes; valid checkouts are unaffected.

Note: this PR intentionally does not add the CSRF nonce / payment-ownership
check on this same path — those are real but carry caching/UX trade-offs and
are described in the private advisory for maintainer review.

Summary by CodeRabbit

  • Bug Fixes
    • Checkout now validates stored cart data and halts with a clear error when cart information is missing or invalid, preventing downstream failures.
    • Payment gateway selection is more robust against missing/null gateways, avoiding runtime errors in edge-case payment flows.

…lid gateway

Two reachable fatals in Checkout::process_checkout() on the synchronous
finalize path:

- `$payment->get_meta('wu_original_cart')` returns its `false` default for any
  payment not created by the normal checkout flow (webhook/admin/register-API
  payments), after which `$this->order->set_membership(...)` calls a method on a
  bool. Sibling consumers (Discount_Code_Manager, Base_Stripe_Gateway) already
  validate this meta with `is_a(..., Cart::class)`; process_checkout did not.
  Now bails with a clean WP_Error.
- The `elseif ($gateway->get_id() === 'free')` branch dereferenced `$gateway`
  which is `false` when an unknown `gateway` request value is supplied; guarded
  so it falls through to the existing "gateway not registered" error.

Both are robustness/DoS fixes; no behavior change for valid checkouts.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
coderabbitai Bot commented Jun 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bb0cf4f0-b30a-411b-b601-7ed5000d6072

📥 Commits

Reviewing files that changed from the base of the PR and between fad78da and 3038c16.

📒 Files selected for processing (1)
  • inc/checkout/class-checkout.php
🚧 Files skipped from review as they are similar to previous changes (1)
  • inc/checkout/class-checkout.php

Walkthrough

process_checkout() now assigns payment meta 'wu_original_cart' to the order and aborts with WP_Error('no-cart') if it's not a Cart instance. The free-gateway branch now verifies $gateway is truthy before calling get_id().

Changes

Checkout Process Validation

| Layer / File(s) | Summary |
|---|---|
| Cart instance validation (inc/checkout/class-checkout.php) | process_checkout() assigns wu_original_cart from payment meta to the order and verifies it is a Cart instance; missing/invalid cart sets WP_Error('no-cart', ...) and returns false. |
| Gateway selection null guard (inc/checkout/class-checkout.php) | Free-gateway condition now checks $gateway is truthy before evaluating $gateway->get_id() === 'free', preventing method calls on null/false. |

Suggested Labels

review-feedback-scanned, status:available

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 I peeked the meta under moonlit chart,
Ensured the value truly is a Cart,
If it's not quite right, I stamp my paw — no go,
And guard the gateway so the code won't blow.
Hop safe, small fixes make checkouts glow.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the two main robustness improvements: guarding against missing cart and invalid gateway in process_checkout(). |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
inc/checkout/class-checkout.php (1)

3050-3056: Negated instanceof check is already correct in PHP 7.4; no precedence bug
In PHP 7.4, ! $this->order instanceof \WP_Ultimo\Checkout\Cart is parsed as !($this->order instanceof \WP_Ultimo\Checkout\Cart), so the guard should fire and prevent the later $this->order->set_membership($membership) call when $this->order isn’t a Cart. Adding parentheses is optional for readability.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@inc/checkout/class-checkout.php` around lines 3050 - 3056, The instanceof
guard is functionally correct in PHP 7.4 but ambiguous to readers; make the
intent explicit by adding parentheses around the instanceof check so the guard
reads as if (! ($this->order instanceof \WP_Ultimo\Checkout\Cart)) to ensure the
early return fires before calling $this->order->set_membership($membership) and
avoid any accidental dereference of a non-Cart $this->order.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4ff819ef-f9be-4b3d-814b-5bbb8b8a32f4

📥 Commits

Reviewing files that changed from the base of the PR and between 1310078 and 2d0cabe.

📒 Files selected for processing (1)
  • inc/checkout/class-checkout.php
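
The two guards discussed in this thread, as an added example that is not code from the PR or the plugin: Cart, Payment, Free_Gateway and both process_checkout_* functions are simplified stand-ins, and the string results stand in for the WP_Error values. It runs the unguarded and guarded paths over constructed inputs (a payment with no stored cart, and a gateway lookup that returned false).

```php
<?php
// Added illustration. Every class and function here is a hypothetical stand-in;
// only the shape of the two guards follows the PR description.
final class Cart {
    public $membership = null;
    public function set_membership($m): void { $this->membership = $m; }
}
final class Payment {
    private array $meta;
    public function __construct(array $meta = []) { $this->meta = $meta; }
    // As described in the PR: the lookup yields false when the meta key is absent.
    public function get_meta(string $key, $default = false) {
        return $this->meta[$key] ?? $default;
    }
}
final class Free_Gateway { public function get_id(): string { return 'free'; } }

// "Before": dereferences whatever the cart and gateway lookups returned.
function process_checkout_unguarded(Payment $payment, $gateway): string {
    $order = $payment->get_meta('wu_original_cart');
    $order->set_membership('membership-1');   // throws Error when $order is false
    return $gateway->get_id() === 'free' ? 'free' : 'paid'; // throws on false gateway
}

// "After": type-check the stored cart, and test $gateway before calling it.
function process_checkout_guarded(Payment $payment, $gateway): string {
    $order = $payment->get_meta('wu_original_cart');
    if (! ($order instanceof Cart)) {   // parses the same as `! $order instanceof Cart`
        return 'error:no-cart';
    }
    $order->set_membership('membership-1');
    if ($gateway && $gateway->get_id() === 'free') {
        return 'free';
    }
    return $gateway ? 'paid' : 'error:gateway-not-registered';
}

// Constructed inputs covering both failure modes and one valid checkout.
$cases = [
    'no cart'     => [new Payment(), new Free_Gateway()],
    'bad gateway' => [new Payment(['wu_original_cart' => new Cart()]), false],
    'valid'       => [new Payment(['wu_original_cart' => new Cart()]), new Free_Gateway()],
];
foreach ($cases as $label => [$payment, $gateway]) {
    try { $before = process_checkout_unguarded($payment, $gateway); }
    catch (Error $e) { $before = 'fatal: ' . $e->getMessage(); }
    $after = process_checkout_guarded($payment, $gateway);
    printf("%-11s before=%s | after=%s\n", $label, $before, $after);
}
```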
