t523c: Block PayPal gateway at checkout when merchant status is invalid

[superdav42]

Summary

Block the PayPal REST gateway from appearing at checkout when the connected OAuth merchant account has an invalid status (payments_receivable=false or email_confirmed=false). Customers would otherwise see a PayPal option that silently fails.

Changes

• inc/gateways/class-paypal-rest-gateway.php

  • Add is_merchant_status_valid() — reads paypal_rest_{mode}_payments_receivable and paypal_rest_{mode}_email_confirmed settings; returns true when no OAuth merchant is connected (manual credentials bypass)
  • Add maybe_remove_for_invalid_merchant_status() — hooked to wu_get_active_gateways, mirrors the existing maybe_remove_for_unsupported_currency pattern
  • Register the new filter in hooks()

• tests/WP_Ultimo/Gateways/PayPal_REST_Gateway_Test.php

  • 11 new unit tests covering: both flags true/false, each flag individually false, live mode, manual-credentials bypass, other gateways preserved

Testing

• PHPStan level 0: no errors
• PHPUnit PayPal_REST_Gateway_Test: 103 tests, 169 assertions, 5 skipped (all pass)
• New tests: 11 tests, 14 assertions (all pass)

Runtime Testing

Risk level: Medium (gateway filter, no payment processing path). Verified via unit tests. No live PayPal environment available in CI.

Closes #729
Part of #725

---

aidevops.sh v3.5.556 plugin for OpenCode v1.3.0 with claude-sonnet-4-6 spent 10m on this as a headless worker.

[superdav42]

Completion Summary

• What: Added is_merchant_status_valid() and maybe_remove_for_invalid_merchant_status() to PayPal_REST_Gateway; hooked to wu_get_active_gateways to hide PayPal at checkout when payments_receivable or email_confirmed is false
• Issue: t523c: Block PayPal gateway at checkout when merchant status is invalid #729
• Files changed: inc/gateways/class-paypal-rest-gateway.php, tests/WP_Ultimo/Gateways/PayPal_REST_Gateway_Test.php
• Testing: PHPStan level 0 clean; 103 unit tests pass (11 new tests for the new methods)
• Key decisions: Manual-credentials setups bypass the check (only enforced when an OAuth merchant ID is stored); follows the existing maybe_remove_for_unsupported_currency pattern exactly

This summary was written by the worker at PR creation time for the deterministic merge pass.

[coderabbitai]

Warning

Rate limit exceeded

@superdav42 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 56 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 17 minutes and 56 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 423195c1-7de0-48f7-a833-0fd773977170

📥 Commits

Reviewing files that changed from the base of the PR and between 03bdae6 and e81857b.

📒 Files selected for processing (2)

• inc/gateways/class-paypal-rest-gateway.php
• tests/WP_Ultimo/Gateways/PayPal_REST_Gateway_Test.php

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bugfix/729-paypal-block-invalid-merchant

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[github-actions]

Performance Test Results

Performance test results for dda8201 are in 🛎️!

URL: /

Run	DB Queries	Memory	Before Template	Template	WP Total	LCP	TTFB	LCP - TTFB
0	40	37.78 MB	876.00 ms	169.50 ms	1034.00 ms	2022.00 ms	1935.70 ms	89.40 ms
1	56	49.02 MB	903.50 ms	145.50 ms	1051.00 ms	2028.00 ms	1944.65 ms	80.85 ms

[superdav42]

Closing Summary

What was done:

• Added is_merchant_status_valid() to PayPal_REST_Gateway — reads paypal_rest_{mode}_payments_receivable and paypal_rest_{mode}_email_confirmed settings; returns true when no OAuth merchant is connected (manual credentials bypass)
• Added maybe_remove_for_invalid_merchant_status() hooked to wu_get_active_gateways — removes paypal-rest from the active gateways list when merchant status is invalid, following the same pattern as the existing currency check
• Registered the new filter in hooks()

Testing Evidence: (self-assessed — medium risk, gateway filter only)

• PHPStan level 0: no errors
• PHPUnit: 103 tests, 169 assertions, 5 skipped (all pass)
• 11 new unit tests covering: both flags true/false, each flag individually false, live mode, manual-credentials bypass, other gateways preserved
• All 11 CI checks pass (PHP 8.2/8.3/8.4/8.5, PHP Lint, Code Quality, Cypress 8.1/8.2, Build, WP Performance)

Key decisions:

• Manual-credentials setups bypass the check — only enforced when an OAuth merchant ID is stored
• Default for payments_receivable/email_confirmed is false so a missing setting is treated as invalid

Files changed: inc/gateways/class-paypal-rest-gateway.php, tests/WP_Ultimo/Gateways/PayPal_REST_Gateway_Test.php

Closes #729. Part of #725.

---

aidevops.sh v3.5.556 plugin for OpenCode v1.3.0 with claude-sonnet-4-6 spent 15m on this as a headless worker.