Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden booking, offering exposure, payments, and invites
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
Details
CI / Coding Standards (pull_request) Successful in 55s
Details
CI / PHPStan (pull_request) Successful in 1m7s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details

Browse Source 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
James Griffin-Allwood
2026-06-09 17:00:54 -03:00
parent fe43f91fb1
commit 061d09e034
18 changed files with 437 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Unit/Offering/OfferingTest.php
+15
View File
@@ -84,6 +84,21 @@ class OfferingTest extends TestCase
}
}
public function testToArrayIncludesEtransferEmailByDefault(): void
{
$offering = new Offering(1, Offering::KIND_PRIVATE_LESSON, 'Lesson', etransferEmail: 'studio@example.com', id: 10);
self::assertArrayHasKey('etransfer_email', $offering->toArray());
self::assertSame('studio@example.com', $offering->toArray()['etransfer_email']);
}
public function testToArrayOmitsEtransferEmailWhenExcluded(): void
{
$offering = new Offering(1, Offering::KIND_PRIVATE_LESSON, 'Lesson', etransferEmail: 'studio@example.com', id: 10);
self::assertArrayNotHasKey('etransfer_email', $offering->toArray(includeEtransferEmail: false));
}
public function testValidKindAndBillingConstants(): void
{
self::assertContains(Offering::KIND_PRIVATE_LESSON, Offering::VALID_KINDS);