Harden booking, offering exposure, payments, and invites

Security fixes from a pen-test review (issues #31–#37): - #31 Booking no longer trusts a client-supplied offering_id: a slot-tied offering is authoritative and any offering used must belong to the slot's instructor, closing a free/misrouted-payment bypass. - #34 Availability slot creation rejects an offering the instructor does not own (AvailabilityEndpoint now takes OfferingRepository). - #32 Offering/question/policy listing endpoints now require book_lesson instead of being public (no anonymous consumer exists); Offering::toArray also omits etransfer_email from listings as defense-in-depth. - #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a lesson is inserted, preventing a double-booking race. - #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only creates lessons for slots it actually claimed. - #36 Stripe secret/webhook keys are write-only in the settings UI and a blank submit keeps the stored value; secrets are never echoed back into HTML. - #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at registration and surfaced on the admin invites list. Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200), lint, and cs all green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 17:00:54 -03:00
parent fe43f91fb1
commit 061d09e034
18 changed files with 437 additions and 43 deletions
@@ -4,10 +4,14 @@ declare(strict_types=1);
 namespace Unsupervised\Schedular\Availability;

 use Unsupervised\Schedular\Auth\RoleManager;
+use Unsupervised\Schedular\Offering\OfferingRepository;

 class AvailabilityEndpoint {

-	public function __construct( private AvailabilityRepository $repository ) {}
+	public function __construct(
+		private AvailabilityRepository $repository,
+		private OfferingRepository $offerings,
+	) {}

 	public function registerRoutes( string $route_namespace ): void {
 		register_rest_route(
@@ -102,12 +106,22 @@ class AvailabilityEndpoint {
 		return new \WP_REST_Response( array_map( fn( AvailabilitySlot $s ) => $s->toArray(), $slots ), 200 );
 	}

-	public function create( \WP_REST_Request $request ): \WP_REST_Response {
-		$offeringId = absint( $request->get_param( 'offering_id' ) );
-		$duration   = absint( $request->get_param( 'duration_minutes' ) );
+	public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
+		$instructorId = get_current_user_id();
+		$offeringId   = absint( $request->get_param( 'offering_id' ) );
+		$duration     = absint( $request->get_param( 'duration_minutes' ) );
+
+		// A slot may only be tied to an offering the instructor owns, so it can
+		// never inherit another instructor's price or payment routing at booking.
+		if ( $offeringId > 0 ) {
+			$offering = $this->offerings->findById( $offeringId );
+			if ( null === $offering || $offering->instructorId !== $instructorId ) {
+				return new \WP_Error( 'invalid_offering', __( 'That offering is not available.', 'unsupervised-schedular' ), [ 'status' => 400 ] );
+			}
+		}

 		$slot = new AvailabilitySlot(
-			instructorId:    get_current_user_id(),
+			instructorId:    $instructorId,
 			startDt:         (string) $request->get_param( 'start_dt' ),
 			endDt:           (string) $request->get_param( 'end_dt' ),
 			durationMinutes: $duration > 0 ? $duration : 60,