Upgrade PHPStan to 2.x and raise analysis level from 6 to 10
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.2) (pull_request) Successful in 48s
CI / Tests (PHP 8.3) (pull_request) Successful in 52s
CI / Coding Standards (pull_request) Successful in 57s
CI / Tests (PHP 8.1) (pull_request) Successful in 1m1s
CI / PHPStan (pull_request) Successful in 1m11s
CI / Build Plugin Zip (pull_request) Has been skipped
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.2) (pull_request) Successful in 48s
CI / Tests (PHP 8.3) (pull_request) Successful in 52s
CI / Coding Standards (pull_request) Successful in 57s
CI / Tests (PHP 8.1) (pull_request) Successful in 1m1s
CI / PHPStan (pull_request) Successful in 1m11s
CI / Build Plugin Zip (pull_request) Has been skipped
- Bump phpstan/phpstan ^2.0 and szepeviktor/phpstan-wordpress ^2.0 - Move the analysis level into phpstan.neon (single source) and raise it to 10 - Add Val, a runtime coercion helper that narrows untyped WordPress boundary values (wpdb rows, REST params, superglobals, options) with explicit checks instead of blind casts, plus unit tests - Type value-object fromRow() params as stdClass (what wpdb returns) and map columns through Val so unexpected shapes degrade safely - Use %i identifier placeholders for table names in all wpdb::prepare() calls so every query string is a literal and identifiers are escaped by WordPress; raises the minimum WordPress version to 6.2 where %i was introduced - Guard wpdb::prepare() null result before wpdb::query() in updateTax() - Fix nullable get_permalink()/strtotime() handling, list types at REST and capability call sites, dead null-coalescing on checked superglobals, and narrow get_users() results before mapping - Register Val method names with the ValidatedSanitizedInput sniff so it validates the real sanitizer around each superglobal read - Update repository unit tests for the %i placeholder arguments Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,7 @@ namespace Unsupervised\Schedular\Availability;
|
||||
|
||||
use Unsupervised\Schedular\Auth\RoleManager;
|
||||
use Unsupervised\Schedular\Offering\OfferingRepository;
|
||||
use Unsupervised\Schedular\Val;
|
||||
|
||||
class AvailabilityEndpoint {
|
||||
|
||||
@@ -13,6 +14,11 @@ class AvailabilityEndpoint {
|
||||
private OfferingRepository $offerings,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* Registers this endpoint's REST routes.
|
||||
*
|
||||
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
|
||||
*/
|
||||
public function registerRoutes( string $route_namespace ): void {
|
||||
register_rest_route(
|
||||
$route_namespace,
|
||||
@@ -96,11 +102,11 @@ class AvailabilityEndpoint {
|
||||
|
||||
public function index( \WP_REST_Request $request ): \WP_REST_Response {
|
||||
$slots = $this->repository->findAvailable(
|
||||
(int) $request->get_param( 'instructor_id' ),
|
||||
(int) $request->get_param( 'offering_id' ),
|
||||
(int) $request->get_param( 'duration_minutes' ),
|
||||
(string) $request->get_param( 'from' ),
|
||||
(string) $request->get_param( 'to' ),
|
||||
Val::int( $request->get_param( 'instructor_id' ) ),
|
||||
Val::int( $request->get_param( 'offering_id' ) ),
|
||||
Val::int( $request->get_param( 'duration_minutes' ) ),
|
||||
Val::string( $request->get_param( 'from' ) ),
|
||||
Val::string( $request->get_param( 'to' ) ),
|
||||
);
|
||||
|
||||
return new \WP_REST_Response( array_map( fn( AvailabilitySlot $s ) => $s->toArray(), $slots ), 200 );
|
||||
@@ -108,8 +114,8 @@ class AvailabilityEndpoint {
|
||||
|
||||
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
|
||||
$instructorId = get_current_user_id();
|
||||
$offeringId = absint( $request->get_param( 'offering_id' ) );
|
||||
$duration = absint( $request->get_param( 'duration_minutes' ) );
|
||||
$offeringId = absint( Val::int( $request->get_param( 'offering_id' ) ) );
|
||||
$duration = absint( Val::int( $request->get_param( 'duration_minutes' ) ) );
|
||||
|
||||
// A slot may only be tied to an offering the instructor owns, so it can
|
||||
// never inherit another instructor's price or payment routing at booking.
|
||||
@@ -120,8 +126,8 @@ class AvailabilityEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
$startDt = AvailabilitySlot::normalizeDateTime( (string) $request->get_param( 'start_dt' ) );
|
||||
$endDt = AvailabilitySlot::normalizeDateTime( (string) $request->get_param( 'end_dt' ) );
|
||||
$startDt = AvailabilitySlot::normalizeDateTime( Val::string( $request->get_param( 'start_dt' ) ) );
|
||||
$endDt = AvailabilitySlot::normalizeDateTime( Val::string( $request->get_param( 'end_dt' ) ) );
|
||||
|
||||
if ( null === $startDt || null === $endDt || $endDt <= $startDt ) {
|
||||
return new \WP_Error( 'invalid_datetime', __( 'Provide a valid start and end, with the end after the start.', 'unsupervised-schedular' ), [ 'status' => 400 ] );
|
||||
@@ -136,7 +142,7 @@ class AvailabilityEndpoint {
|
||||
);
|
||||
|
||||
if ( 'weekly' === $request->get_param( 'recurrence' ) ) {
|
||||
$ids = $this->repository->createWeeklySeries( $slot, absint( $request->get_param( 'weeks' ) ) );
|
||||
$ids = $this->repository->createWeeklySeries( $slot, absint( Val::int( $request->get_param( 'weeks' ) ) ) );
|
||||
|
||||
return new \WP_REST_Response( [ 'ids' => $ids ], 201 );
|
||||
}
|
||||
@@ -147,7 +153,7 @@ class AvailabilityEndpoint {
|
||||
}
|
||||
|
||||
public function delete( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
|
||||
$id = absint( $request->get_param( 'id' ) );
|
||||
$id = absint( Val::int( $request->get_param( 'id' ) ) );
|
||||
$slot = $this->repository->findById( $id );
|
||||
|
||||
if ( null === $slot ) {
|
||||
|
||||
Reference in New Issue
Block a user