Payment cancellation incorrectly revokes enrollment after successful retry

[indigetal]

There is a bug in classes/WooCommerce.php, function enrolled_courses_status_change() (lines 524-567) that triggers on the woocommerce_order_status_changed hook (registered at line 73) to get enrollment IDs by order ID and changes enrollment status based on new order status, but it doesn't check if the student has another successful payment for the same course. When Stripe auto-cancels an incomplete payment ~24 hours later, WooCommerce fires woocommerce_order_status_changed with status_to = 'cancelled'. The function then cancels the enrollment without verifying if a subsequent successful payment exists.

Importantly, the WooCommerce "order isolation" is incomplete. While it uses get_course_enrolled_ids_by_order_id() (classes/Utils.php, lines 2691-2732) to find enrollments linked to a specific order via the _tutor_order_for_course_id_{course_id} meta stored on the order, this meta is not cleaned up when multiple orders reference the same enrollment. When do_enroll() (classes/Utils.php, lines 2478-2550) is called for a retry payment and finds an existing completed enrollment, it returns that enrollment ID and sets the new order's meta to point to it (line 2533)—but does not remove the failed order's stale reference. As a result, both the failed Order A and successful Order B can have _tutor_order_for_course_id_{course_id} pointing to the same enrollment. When Order A is cancelled, get_course_enrolled_ids_by_order_id(Order A) still finds and cancels the shared enrollment, even though Order B (successful) also references it.

Tutor LMS's Native Ecommerce has the same bug, but worse. In ecommerce/HooksHandler.php, function manage_earnings_and_enrollments() (lines 323-435), when a payment fails or is cancelled, the system finds the enrollment using is_enrolled($course_id, $student_id, false) (line 361). This lookup returns ANY enrollment for that course+student combination—it doesn't filter by order at all. The enrollment status is then updated to 'cancel' via update_enrollments() (line 364, calling classes/Utils.php line 10030) without checking whether this enrollment was created by the failing order, or whether another successful order exists for the same course/student. Unlike the WooCommerce integration, which at least attempts order-level lookup, Native Ecommerce can cancel an enrollment created by a completely different successful order.

The WooCommerce integration has better order isolation than Native Ecommerce, but both lack the critical safeguard: checking for other successful orders before cancelling an enrollment.

The _tutor_enrolled_by_order_id meta key exists (stored on the enrollment post) and tracks which order created or last updated an enrollment, but in Native Ecommerce it is set AFTER the enrollment status change (ecommerce/HooksHandler.php, line 378), not used as validation BEFORE. It is never checked when processing a cancellation to verify order ownership and is not used to prevent cancelling enrollments linked to different orders.

NOTE: While the EDD integration does not have the same bug, I could not locate a handler for refunds or cancellations.

[indigetal]

Bug Location 1: WooCommerce Integration

File: classes/WooCommerce.php
Function: enrolled_courses_status_change()
Lines: 524-567
Hook: woocommerce_order_status_changed (registered at line 73)

The Problem:

When a WooCommerce order status changes to "cancelled," this function retrieves enrollments linked to that order and cancels them without verifying whether another successful order exists for the same course/student.

// Line 551 - Current vulnerable code
} else {
    tutor_utils()->course_enrol_status_change( $enrolled_id, $status_to );
}

Why this causes the bug:

The _tutor_order_for_course_id_{course_id} meta is stored on the ORDER, not the enrollment. When a student retries payment:

• Order A (failed) has meta pointing to enrollment_456
• Order B (successful) also gets meta pointing to the same enrollment_456

When Order A is cancelled, get_course_enrolled_ids_by_order_id(Order A) still finds enrollment_456, and the code cancels it—even though Order B (successful) also references it.

Missing Check: Before line 551, the code should verify:

// Does this user have ANY other successful order for this course?
if ( 'cancelled' === $status_to || 'failed' === $status_to ) {
    if ( $this->has_other_successful_order( $order_id, $course_id, $user_id ) ) {
        continue; // Skip - student has valid access via another order
    }
}

---

Bug Location 2: Native Ecommerce (MORE SEVERE)

File: ecommerce/HooksHandler.php
Function: manage_earnings_and_enrollments()
Lines: 323-435
Hook: tutor_order_payment_status_changed

The Problem:

This implementation has a worse variant of the bug. When finding the enrollment to cancel, it uses:

// Line 361
$has_enrollment = tutor_utils()->is_enrolled( $object_id, $student_id, false );

This lookup finds ANY enrollment for the course+student combination—not specifically the enrollment created by the failing order. This means:

• Order A (failed) can cancel an enrollment that was created by Order B (successful)
• There's no order-level isolation at all

Cancellation happens at line 364:

tutor_utils()->update_enrollments( $enrollment_status, array( $has_enrollment->ID ) );

The _tutor_enrolled_by_order_id meta exists (line 378) but is never used for validation before cancellation.

---

Why Two Functions Need Fixing

The WooCommerce and Native Ecommerce paths call different underlying functions:

Path	Enrollment Status Function	Location
WooCommerce	course_enrol_status_change()	Utils.php:2562
Native Ecommerce	update_enrollments()	Utils.php:10030

These functions:

• Do NOT call each other
• Do NOT share a common downstream function
• Both directly execute $wpdb->update() on the enrollment post status
• Neither has a safeguard check before cancellation

Recommended fix: Add safeguard checks inside BOTH Utils.php functions:

• course_enrol_status_change() at line ~2565
• update_enrollments() at line ~10032

---

Proposed Safeguard Function

A new helper function is needed in Utils.php:

/**
 * Check if user has a successful order for the course linked to this enrollment
 *
 * @param int $enrollment_id Enrollment post ID
 * @return bool True if a successful order exists
 */
public function has_successful_order_for_course_by_enrollment( $enrollment_id ) {
    $course_id = get_post_field( 'post_parent', $enrollment_id );
    $user_id   = get_post_field( 'post_author', $enrollment_id );
    
    if ( ! $course_id || ! $user_id ) {
        return false;
    }
    
    $monetize_by = $this->get_option( 'monetize_by' );
    
    if ( 'wc' === $monetize_by ) {
        // Check WooCommerce orders
        $product_id = $this->get_course_product_id( $course_id );
        if ( ! $product_id ) {
            return false;
        }
        
        $orders = wc_get_orders( array(
            'customer_id' => $user_id,
            'status'      => array( 'completed', 'processing' ),
            'limit'       => -1,
            'return'      => 'ids',
        ) );
        
        foreach ( $orders as $order_id ) {
            $order = wc_get_order( $order_id );
            foreach ( $order->get_items() as $item ) {
                if ( $item->get_product_id() == $product_id ) {
                    return true;
                }
            }
        }
    } elseif ( 'tutor' === $monetize_by ) {
        // Check native Tutor orders
        global $wpdb;
        $result = $wpdb->get_var(
            $wpdb->prepare(
                "SELECT o.id 
                 FROM {$wpdb->prefix}tutor_orders o
                 INNER JOIN {$wpdb->prefix}tutor_order_items i ON o.id = i.order_id
                 WHERE o.user_id = %d 
                   AND i.item_id = %d 
                   AND o.order_status = 'completed'
                 LIMIT 1",
                $user_id,
                $course_id
            )
        );
        return ! empty( $result );
    }
    
    return false;
}

---

The core issue is straightforward—just add a check for other successful orders before allowing enrollment cancellation.