Commit 6002cabab5e for woocommerce
commit 6002cabab5ecdd06cdc6331b0f986cefdadfb9ba
Author: Michael Pretty <prettyboymp@users.noreply.github.com>
Date: Thu Jun 18 09:40:11 2026 -0400
Reject non-WC_Order objects in Store API order authorization (#64568)
diff --git a/plugins/woocommerce/changelog/fix-storeapi-order-auth-refund-guard b/plugins/woocommerce/changelog/fix-storeapi-order-auth-refund-guard
new file mode 100644
index 00000000000..c0319457744
--- /dev/null
+++ b/plugins/woocommerce/changelog/fix-storeapi-order-auth-refund-guard
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Reject refund IDs in Store API order authorization to prevent a fatal when wc_get_order() returns a WC_Order_Refund.
diff --git a/plugins/woocommerce/phpstan-baseline.neon b/plugins/woocommerce/phpstan-baseline.neon
index 9470f1528e9..742d0897472 100644
--- a/plugins/woocommerce/phpstan-baseline.neon
+++ b/plugins/woocommerce/phpstan-baseline.neon
@@ -70651,12 +70651,6 @@ parameters:
count: 1
path: src/StoreApi/Routes/V1/CheckoutOrder.php
- -
- message: '#^Call to an undefined method WC_Order\|WC_Order_Refund\:\:get_customer_id\(\)\.$#'
- identifier: method.notFound
- count: 1
- path: src/StoreApi/Routes/V1/CheckoutOrder.php
-
-
message: '#^Call to an undefined method WC_Order\|WC_Order_Refund\:\:needs_payment\(\)\.$#'
identifier: method.notFound
@@ -70867,12 +70861,6 @@ parameters:
count: 1
path: src/StoreApi/Routes/V1/Order.php
- -
- message: '#^Call to an undefined method WC_Order\|WC_Order_Refund\:\:get_customer_id\(\)\.$#'
- identifier: method.notFound
- count: 1
- path: src/StoreApi/Routes/V1/Order.php
-
-
message: '#^Method Automattic\\WooCommerce\\StoreApi\\Routes\\V1\\Order\:\:get_route_response\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
identifier: missingType.generics
diff --git a/plugins/woocommerce/src/StoreApi/Utilities/OrderAuthorizationTrait.php b/plugins/woocommerce/src/StoreApi/Utilities/OrderAuthorizationTrait.php
index 4237af4e4b1..2ef27e2a083 100644
--- a/plugins/woocommerce/src/StoreApi/Utilities/OrderAuthorizationTrait.php
+++ b/plugins/woocommerce/src/StoreApi/Utilities/OrderAuthorizationTrait.php
@@ -25,7 +25,7 @@ trait OrderAuthorizationTrait {
try {
$order = wc_get_order( $order_id );
- if ( ! $order ) {
+ if ( ! $order instanceof \WC_Order ) {
throw new RouteException( 'woocommerce_rest_invalid_order', esc_html__( 'Invalid order ID.', 'woocommerce' ), 404 );
}
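Review bot: The new `instanceof \WC_Order` guard carries no comment explaining why a plain truthiness check is not enough, so a later cleanup could simplify it back to `! $order` and bring back the fatal on refund IDs; I would add `// wc_get_order() returns a WC_Order_Refund for refund IDs; only a WC_Order may pass authorization.` directly above the `if`. Reusing the existing 404 'Invalid order ID.' response is a sound choice, since the caller cannot tell a refund ID from an unknown ID. The baseline hunk in this commit still shows a `WC_Order|WC_Order_Refund::needs_payment()` entry as context (its path line is not visible), which suggests another call site still receives the unnarrowed wc_get_order() result; it is worth confirming whether that call runs only after this guard or needs the same check. The `try` block and the enclosing method begin and end outside the hunk.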