Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden booking, offering exposure, payments, and invites
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
Details
CI / Coding Standards (pull_request) Successful in 55s
Details
CI / PHPStan (pull_request) Successful in 1m7s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details

Browse Source 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
James Griffin-Allwood
2026-06-09 17:00:54 -03:00
parent fe43f91fb1
commit 061d09e034
18 changed files with 437 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Unit/Availability/AvailabilityRepositoryTest.php
+13 -4
View File
@@ -116,16 +116,25 @@ class AvailabilityRepositoryTest extends TestCase
self::assertSame(5, $slot->instructorId);
}
public function testMarkBookedUpdatesRecord(): void
public function testClaimReturnsTrueWhenSlotWasUnbooked(): void
{
$this->db->shouldReceive('update')
->once()
->with('wp_us_availability', ['is_booked' => 1], ['id' => 7], ['%d'], ['%d'])
->with('wp_us_availability', ['is_booked' => 1], ['id' => 7, 'is_booked' => 0], ['%d'], ['%d', '%d'])
->andReturn(1);
$result = $this->repo->markBooked(7);
self::assertTrue($this->repo->claim(7));
}
self::assertTrue($result);
public function testClaimReturnsFalseWhenSlotAlreadyBooked(): void
{
// The is_booked = 0 guard matches no row once the slot is taken.
$this->db->shouldReceive('update')
->once()
->with('wp_us_availability', ['is_booked' => 1], ['id' => 7, 'is_booked' => 0], ['%d'], ['%d', '%d'])
->andReturn(0);
self::assertFalse($this->repo->claim(7));
}
public function testDeleteReturnsFalseWhenRowNotDeleted(): void