Skip to content

t741: fix(checkout): add form_has_auto_generate_password() and strip JS password rules #742

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
superdav42 merged 1 commit into from
Apr 3, 2026
Merged

t741: fix(checkout): add form_has_auto_generate_password() and strip JS password rules #742

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 32 additions & 29 deletions inc/checkout/class-checkout.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2123,6 +2123,33 @@ public function get_checkout_variables() {
return apply_filters('wu_get_checkout_variables', $variables, $this);
}

/**
* Returns true when the current checkout form has a password field
* configured with auto_generate_password enabled.
*
* Used to suppress client-side password validation rules when no
* password input is rendered.
*
* @since 2.0.20
* @return bool
*/
protected function form_has_auto_generate_password(): bool {

if ( ! $this->checkout_form) {
return false;
}

foreach ($this->checkout_form->get_settings() as $step) {
foreach (wu_get_isset($step, 'fields', []) as $field) {
if ('password' === wu_get_isset($field, 'type') && ! empty($field['auto_generate_password'])) {
return true;
}
}
}

return false;
}

/**
* Converts the PHP validation rules into a JS-friendly structure.
*
Expand All @@ -2140,39 +2167,15 @@ public function get_checkout_variables() {
*/
public function get_js_validation_rules(): array {

/*
* When the checkout form has a password field with auto_generate_password
* enabled, the hidden flag is submitted with the form but is not present
* in the GET request at render time. We detect this from the form settings
* so the JS validator knows to skip password rules without needing the
* flag to be in the request.
*/
$form_auto_generates_password = false;

if ($this->checkout_form) {
$password_fields = $this->checkout_form->get_all_fields_by_type('password');

foreach ($password_fields as $field) {
if (! empty($field['auto_generate_password'])) {
$form_auto_generates_password = true;
break;
}
}
}

$raw_rules = $this->validation_rules();

/*
* When the form auto-generates the password, clear the password rules
* so the JS validator does not require a password field that is not
* rendered. The server-side validation_rules() already handles this via
* request_or_session(), but at render time the flag is not in the request
* so we must detect it from the form settings instead.
* When the checkout form uses auto-generated passwords, strip the
* password-related rules from the JS ruleset so the client-side
* validator does not block submission on a field that is never shown.
*/
if ($form_auto_generates_password) {
$raw_rules['password'] = '';
$raw_rules['password_conf'] = '';
$raw_rules['valid_password'] = '';
if ($this->form_has_auto_generate_password()) {
unset($raw_rules['password'], $raw_rules['password_conf'], $raw_rules['valid_password']);
}

/*
Expand Down
Loading