Upgrade PHPStan to 2.x and raise analysis level from 6 to 10
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.2) (pull_request) Successful in 48s
CI / Tests (PHP 8.3) (pull_request) Successful in 52s
CI / Coding Standards (pull_request) Successful in 57s
CI / Tests (PHP 8.1) (pull_request) Successful in 1m1s
CI / PHPStan (pull_request) Successful in 1m11s
CI / Build Plugin Zip (pull_request) Has been skipped
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.2) (pull_request) Successful in 48s
CI / Tests (PHP 8.3) (pull_request) Successful in 52s
CI / Coding Standards (pull_request) Successful in 57s
CI / Tests (PHP 8.1) (pull_request) Successful in 1m1s
CI / PHPStan (pull_request) Successful in 1m11s
CI / Build Plugin Zip (pull_request) Has been skipped
- Bump phpstan/phpstan ^2.0 and szepeviktor/phpstan-wordpress ^2.0 - Move the analysis level into phpstan.neon (single source) and raise it to 10 - Add Val, a runtime coercion helper that narrows untyped WordPress boundary values (wpdb rows, REST params, superglobals, options) with explicit checks instead of blind casts, plus unit tests - Type value-object fromRow() params as stdClass (what wpdb returns) and map columns through Val so unexpected shapes degrade safely - Use %i identifier placeholders for table names in all wpdb::prepare() calls so every query string is a literal and identifiers are escaped by WordPress; raises the minimum WordPress version to 6.2 where %i was introduced - Guard wpdb::prepare() null result before wpdb::query() in updateTax() - Fix nullable get_permalink()/strtotime() handling, list types at REST and capability call sites, dead null-coalescing on checked superglobals, and narrow get_users() results before mapping - Register Val method names with the ValidatedSanitizedInput sniff so it validates the real sanitizer around each superglobal read - Update repository unit tests for the %i placeholder arguments Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -46,7 +46,8 @@ class AcceptanceRepository {
|
||||
public function findByRegistration( string $registrationType, int $registrationId ): array {
|
||||
$rows = $this->db->get_results(
|
||||
$this->db->prepare(
|
||||
"SELECT * FROM {$this->table} WHERE registration_type = %s AND registration_id = %d ORDER BY id ASC",
|
||||
'SELECT * FROM %i WHERE registration_type = %s AND registration_id = %d ORDER BY id ASC',
|
||||
$this->table,
|
||||
$registrationType,
|
||||
$registrationId
|
||||
)
|
||||
|
||||
@@ -3,6 +3,8 @@ declare(strict_types=1);
|
||||
|
||||
namespace Unsupervised\Schedular\Policy;
|
||||
|
||||
use Unsupervised\Schedular\Val;
|
||||
|
||||
class Policy {
|
||||
|
||||
public const SCOPE_SIGNUP = 'signup';
|
||||
@@ -24,13 +26,13 @@ class Policy {
|
||||
public readonly ?int $id = null,
|
||||
) {}
|
||||
|
||||
public static function fromRow( object $row ): self {
|
||||
public static function fromRow( \stdClass $row ): self {
|
||||
return new self(
|
||||
title: $row->title,
|
||||
slug: $row->slug,
|
||||
currentVersionId: null !== $row->current_version_id ? (int) $row->current_version_id : null,
|
||||
acceptanceScope: $row->acceptance_scope,
|
||||
id: (int) $row->id,
|
||||
title: Val::string( $row->title ),
|
||||
slug: Val::string( $row->slug ),
|
||||
currentVersionId: Val::intOrNull( $row->current_version_id ),
|
||||
acceptanceScope: Val::string( $row->acceptance_scope ),
|
||||
id: Val::int( $row->id ),
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -3,6 +3,8 @@ declare(strict_types=1);
|
||||
|
||||
namespace Unsupervised\Schedular\Policy;
|
||||
|
||||
use Unsupervised\Schedular\Val;
|
||||
|
||||
class PolicyAcceptance {
|
||||
|
||||
public const REG_ACCOUNT = 'account';
|
||||
@@ -27,15 +29,15 @@ class PolicyAcceptance {
|
||||
public readonly ?int $id = null,
|
||||
) {}
|
||||
|
||||
public static function fromRow( object $row ): self {
|
||||
public static function fromRow( \stdClass $row ): self {
|
||||
return new self(
|
||||
policyVersionId: (int) $row->policy_version_id,
|
||||
studentId: (int) $row->student_id,
|
||||
registrationType: $row->registration_type,
|
||||
registrationId: (int) $row->registration_id,
|
||||
ipAddress: $row->ip_address,
|
||||
acceptedAt: $row->accepted_at,
|
||||
id: (int) $row->id,
|
||||
policyVersionId: Val::int( $row->policy_version_id ),
|
||||
studentId: Val::int( $row->student_id ),
|
||||
registrationType: Val::string( $row->registration_type ),
|
||||
registrationId: Val::int( $row->registration_id ),
|
||||
ipAddress: Val::stringOrNull( $row->ip_address ),
|
||||
acceptedAt: Val::stringOrNull( $row->accepted_at ),
|
||||
id: Val::int( $row->id ),
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ declare(strict_types=1);
|
||||
namespace Unsupervised\Schedular\Policy;
|
||||
|
||||
use Unsupervised\Schedular\Auth\RoleManager;
|
||||
use Unsupervised\Schedular\Val;
|
||||
|
||||
class PolicyController {
|
||||
|
||||
@@ -23,7 +24,7 @@ class PolicyController {
|
||||
}
|
||||
|
||||
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only policy selector.
|
||||
$policyId = absint( $_GET['policy_id'] ?? 0 );
|
||||
$policyId = absint( Val::int( $_GET['policy_id'] ?? 0 ) );
|
||||
$policyList = $this->policies->findAll();
|
||||
$selectedPolicy = $policyId > 0 ? $this->policies->findById( $policyId ) : null;
|
||||
$policyVersions = null !== $selectedPolicy ? $this->versions->findByPolicy( (int) $selectedPolicy->id ) : null;
|
||||
@@ -34,13 +35,13 @@ class PolicyController {
|
||||
private function handleFormAction(): void {
|
||||
// Nonce is verified by the caller (renderPage) before this method runs.
|
||||
// phpcs:disable WordPress.Security.NonceVerification.Missing
|
||||
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
|
||||
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ?? '' ) ) );
|
||||
|
||||
if ( 'create_policy' === $action ) {
|
||||
$title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
|
||||
$slugRaw = sanitize_text_field( wp_unslash( $_POST['slug'] ?? '' ) );
|
||||
$title = sanitize_text_field( Val::string( wp_unslash( $_POST['title'] ?? '' ) ) );
|
||||
$slugRaw = sanitize_text_field( Val::string( wp_unslash( $_POST['slug'] ?? '' ) ) );
|
||||
$slug = sanitize_title( '' !== $slugRaw ? $slugRaw : $title );
|
||||
$scope = sanitize_key( wp_unslash( $_POST['acceptance_scope'] ?? Policy::SCOPE_BOOKING ) );
|
||||
$scope = sanitize_key( Val::string( wp_unslash( $_POST['acceptance_scope'] ?? Policy::SCOPE_BOOKING ) ) );
|
||||
|
||||
if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
|
||||
$scope = Policy::SCOPE_BOOKING;
|
||||
@@ -53,18 +54,18 @@ class PolicyController {
|
||||
return;
|
||||
}
|
||||
|
||||
$policyId = absint( $_POST['policy_id'] ?? 0 );
|
||||
$policyId = absint( Val::int( $_POST['policy_id'] ?? 0 ) );
|
||||
if ( $policyId <= 0 || null === $this->policies->findById( $policyId ) ) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ( 'add_version' === $action ) {
|
||||
$body = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
|
||||
$body = wp_kses_post( Val::string( wp_unslash( $_POST['body'] ?? '' ) ) );
|
||||
$this->service->addDraftVersion( $policyId, $body );
|
||||
}
|
||||
|
||||
if ( 'publish_version' === $action ) {
|
||||
$versionId = absint( $_POST['version_id'] ?? 0 );
|
||||
$versionId = absint( Val::int( $_POST['version_id'] ?? 0 ) );
|
||||
if ( $versionId > 0 ) {
|
||||
$this->service->publishVersion( $policyId, $versionId );
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@ declare(strict_types=1);
|
||||
namespace Unsupervised\Schedular\Policy;
|
||||
|
||||
use Unsupervised\Schedular\Auth\RoleManager;
|
||||
use Unsupervised\Schedular\Val;
|
||||
|
||||
class PolicyEndpoint {
|
||||
|
||||
@@ -13,6 +14,11 @@ class PolicyEndpoint {
|
||||
private PolicyService $service,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* Registers this endpoint's REST routes.
|
||||
*
|
||||
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
|
||||
*/
|
||||
public function registerRoutes( string $route_namespace ): void {
|
||||
register_rest_route(
|
||||
$route_namespace,
|
||||
@@ -74,7 +80,7 @@ class PolicyEndpoint {
|
||||
* `both`-scoped policies).
|
||||
*/
|
||||
public function index( \WP_REST_Request $request ): \WP_REST_Response {
|
||||
$scope = (string) $request->get_param( 'scope' );
|
||||
$scope = Val::string( $request->get_param( 'scope' ) );
|
||||
$policies = in_array( $scope, [ Policy::SCOPE_SIGNUP, Policy::SCOPE_BOOKING ], true )
|
||||
? $this->policies->findForScope( $scope )
|
||||
: $this->policies->findAll();
|
||||
@@ -108,12 +114,12 @@ class PolicyEndpoint {
|
||||
}
|
||||
|
||||
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
|
||||
$title = sanitize_text_field( (string) $request->get_param( 'title' ) );
|
||||
$title = sanitize_text_field( Val::string( $request->get_param( 'title' ) ) );
|
||||
if ( '' === $title ) {
|
||||
return $this->invalid( __( 'A policy title is required.', 'unsupervised-schedular' ) );
|
||||
}
|
||||
|
||||
$slugParam = sanitize_text_field( (string) $request->get_param( 'slug' ) );
|
||||
$slugParam = sanitize_text_field( Val::string( $request->get_param( 'slug' ) ) );
|
||||
$slug = sanitize_title( '' !== $slugParam ? $slugParam : $title );
|
||||
if ( '' === $slug ) {
|
||||
return $this->invalid( __( 'A valid policy slug is required.', 'unsupervised-schedular' ) );
|
||||
@@ -123,7 +129,7 @@ class PolicyEndpoint {
|
||||
return new \WP_Error( 'duplicate_slug', __( 'A policy with that slug already exists.', 'unsupervised-schedular' ), [ 'status' => 409 ] );
|
||||
}
|
||||
|
||||
$scope = (string) ( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
|
||||
$scope = Val::string( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
|
||||
if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
|
||||
return $this->invalid( __( 'Invalid acceptance scope.', 'unsupervised-schedular' ) );
|
||||
}
|
||||
@@ -134,12 +140,12 @@ class PolicyEndpoint {
|
||||
}
|
||||
|
||||
public function addVersion( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
|
||||
$policy = $this->policies->findById( absint( $request->get_param( 'id' ) ) );
|
||||
$policy = $this->policies->findById( absint( Val::int( $request->get_param( 'id' ) ) ) );
|
||||
if ( null === $policy ) {
|
||||
return $this->notFound();
|
||||
}
|
||||
|
||||
$body = wp_kses_post( (string) $request->get_param( 'body' ) );
|
||||
$body = wp_kses_post( Val::string( $request->get_param( 'body' ) ) );
|
||||
$id = $this->service->addDraftVersion( (int) $policy->id, $body );
|
||||
|
||||
return new \WP_REST_Response( [ 'id' => $id ], 201 );
|
||||
@@ -155,7 +161,7 @@ class PolicyEndpoint {
|
||||
return $this->invalid( __( 'Only draft versions can be edited.', 'unsupervised-schedular' ) );
|
||||
}
|
||||
|
||||
$body = wp_kses_post( (string) $request->get_param( 'body' ) );
|
||||
$body = wp_kses_post( Val::string( $request->get_param( 'body' ) ) );
|
||||
$this->versions->updateBody( (int) $version->id, $body );
|
||||
|
||||
return new \WP_REST_Response(
|
||||
@@ -173,7 +179,7 @@ class PolicyEndpoint {
|
||||
return $version;
|
||||
}
|
||||
|
||||
$this->service->publishVersion( (int) $request->get_param( 'id' ), (int) $version->id );
|
||||
$this->service->publishVersion( Val::int( $request->get_param( 'id' ) ), (int) $version->id );
|
||||
|
||||
return new \WP_REST_Response(
|
||||
[
|
||||
@@ -202,8 +208,8 @@ class PolicyEndpoint {
|
||||
* Load the version named in the route and confirm it belongs to the policy.
|
||||
*/
|
||||
private function loadVersionForPolicy( \WP_REST_Request $request ): PolicyVersion|\WP_Error {
|
||||
$policyId = absint( $request->get_param( 'id' ) );
|
||||
$version = $this->versions->findById( absint( $request->get_param( 'vid' ) ) );
|
||||
$policyId = absint( Val::int( $request->get_param( 'id' ) ) );
|
||||
$version = $this->versions->findById( absint( Val::int( $request->get_param( 'vid' ) ) ) );
|
||||
|
||||
if ( null === $version || $version->policyId !== $policyId ) {
|
||||
return $this->notFound();
|
||||
|
||||
@@ -36,7 +36,8 @@ class PolicyRepository {
|
||||
public function findForScope( string $scope ): array {
|
||||
$rows = $this->db->get_results(
|
||||
$this->db->prepare(
|
||||
"SELECT * FROM {$this->table} WHERE acceptance_scope = %s OR acceptance_scope = %s ORDER BY title ASC",
|
||||
'SELECT * FROM %i WHERE acceptance_scope = %s OR acceptance_scope = %s ORDER BY title ASC',
|
||||
$this->table,
|
||||
$scope,
|
||||
Policy::SCOPE_BOTH
|
||||
)
|
||||
@@ -68,7 +69,7 @@ class PolicyRepository {
|
||||
|
||||
public function findById( int $id ): ?Policy {
|
||||
$row = $this->db->get_row(
|
||||
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
|
||||
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
|
||||
);
|
||||
|
||||
return $row ? Policy::fromRow( $row ) : null;
|
||||
@@ -76,7 +77,7 @@ class PolicyRepository {
|
||||
|
||||
public function findBySlug( string $slug ): ?Policy {
|
||||
$row = $this->db->get_row(
|
||||
$this->db->prepare( "SELECT * FROM {$this->table} WHERE slug = %s", $slug )
|
||||
$this->db->prepare( 'SELECT * FROM %i WHERE slug = %s', $this->table, $slug )
|
||||
);
|
||||
|
||||
return $row ? Policy::fromRow( $row ) : null;
|
||||
|
||||
@@ -3,6 +3,8 @@ declare(strict_types=1);
|
||||
|
||||
namespace Unsupervised\Schedular\Policy;
|
||||
|
||||
use Unsupervised\Schedular\Val;
|
||||
|
||||
class PolicyVersion {
|
||||
|
||||
public const STATUS_DRAFT = 'draft';
|
||||
@@ -25,14 +27,14 @@ class PolicyVersion {
|
||||
public readonly ?int $id = null,
|
||||
) {}
|
||||
|
||||
public static function fromRow( object $row ): self {
|
||||
public static function fromRow( \stdClass $row ): self {
|
||||
return new self(
|
||||
policyId: (int) $row->policy_id,
|
||||
versionNumber: (int) $row->version_number,
|
||||
body: $row->body,
|
||||
status: $row->status,
|
||||
publishedAt: $row->published_at,
|
||||
id: (int) $row->id,
|
||||
policyId: Val::int( $row->policy_id ),
|
||||
versionNumber: Val::int( $row->version_number ),
|
||||
body: Val::stringOrNull( $row->body ),
|
||||
status: Val::string( $row->status ),
|
||||
publishedAt: Val::stringOrNull( $row->published_at ),
|
||||
id: Val::int( $row->id ),
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -59,7 +59,8 @@ class PolicyVersionRepository {
|
||||
public function findByPolicy( int $policyId ): array {
|
||||
$rows = $this->db->get_results(
|
||||
$this->db->prepare(
|
||||
"SELECT * FROM {$this->table} WHERE policy_id = %d ORDER BY version_number DESC",
|
||||
'SELECT * FROM %i WHERE policy_id = %d ORDER BY version_number DESC',
|
||||
$this->table,
|
||||
$policyId
|
||||
)
|
||||
);
|
||||
@@ -69,7 +70,7 @@ class PolicyVersionRepository {
|
||||
|
||||
public function findById( int $id ): ?PolicyVersion {
|
||||
$row = $this->db->get_row(
|
||||
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
|
||||
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
|
||||
);
|
||||
|
||||
return $row ? PolicyVersion::fromRow( $row ) : null;
|
||||
@@ -80,7 +81,7 @@ class PolicyVersionRepository {
|
||||
*/
|
||||
public function maxVersionNumber( int $policyId ): int {
|
||||
$max = $this->db->get_var(
|
||||
$this->db->prepare( "SELECT MAX(version_number) FROM {$this->table} WHERE policy_id = %d", $policyId )
|
||||
$this->db->prepare( 'SELECT MAX(version_number) FROM %i WHERE policy_id = %d', $this->table, $policyId )
|
||||
);
|
||||
|
||||
return null === $max ? 0 : (int) $max;
|
||||
|
||||
Reference in New Issue
Block a user