Harden booking, offering exposure, payments, and invites
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
CI / Coding Standards (pull_request) Successful in 55s
CI / PHPStan (pull_request) Successful in 1m7s
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
CI / Build Plugin Zip (pull_request) Has been skipped
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
CI / Coding Standards (pull_request) Successful in 55s
CI / PHPStan (pull_request) Successful in 1m7s
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
CI / Build Plugin Zip (pull_request) Has been skipped
Security fixes from a pen-test review (issues #31–#37): - #31 Booking no longer trusts a client-supplied offering_id: a slot-tied offering is authoritative and any offering used must belong to the slot's instructor, closing a free/misrouted-payment bypass. - #34 Availability slot creation rejects an offering the instructor does not own (AvailabilityEndpoint now takes OfferingRepository). - #32 Offering/question/policy listing endpoints now require book_lesson instead of being public (no anonymous consumer exists); Offering::toArray also omits etransfer_email from listings as defense-in-depth. - #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a lesson is inserted, preventing a double-booking race. - #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only creates lessons for slots it actually claimed. - #36 Stripe secret/webhook keys are write-only in the settings UI and a blank submit keeps the stored value; secrets are never echoed back into HTML. - #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at registration and surfaced on the admin invites list. Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200), lint, and cs all green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -14,6 +14,57 @@ define('USC_PLUGIN_FILE', dirname(__DIR__) . '/unsupervised-schedular.php');
|
||||
define('USC_PLUGIN_DIR', dirname(__DIR__) . '/');
|
||||
define('USC_PLUGIN_URL', 'http://example.com/wp-content/plugins/unsupervised-schedular/');
|
||||
|
||||
// Minimal WP_REST_Request stub: a simple parameter bag.
|
||||
if (! class_exists('WP_REST_Request')) {
|
||||
class WP_REST_Request
|
||||
{
|
||||
/** @param array<string, mixed> $params */
|
||||
public function __construct(private array $params = [])
|
||||
{
|
||||
}
|
||||
|
||||
public function get_param(string $key): mixed
|
||||
{
|
||||
return $this->params[$key] ?? null;
|
||||
}
|
||||
|
||||
public function set_param(string $key, mixed $value): void
|
||||
{
|
||||
$this->params[$key] = $value;
|
||||
}
|
||||
|
||||
public function get_body(): string
|
||||
{
|
||||
return (string) ($this->params['__body'] ?? '');
|
||||
}
|
||||
|
||||
public function get_header(string $key): string
|
||||
{
|
||||
return (string) ($this->params[$key] ?? '');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Minimal WP_REST_Response stub exposing the data and status.
|
||||
if (! class_exists('WP_REST_Response')) {
|
||||
class WP_REST_Response
|
||||
{
|
||||
public function __construct(public mixed $data = null, public int $status = 200)
|
||||
{
|
||||
}
|
||||
|
||||
public function get_data(): mixed
|
||||
{
|
||||
return $this->data;
|
||||
}
|
||||
|
||||
public function get_status(): int
|
||||
{
|
||||
return $this->status;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Minimal WP_Error stub for code under test that returns error objects.
|
||||
if (! class_exists('WP_Error')) {
|
||||
class WP_Error
|
||||
|
||||
Reference in New Issue
Block a user