Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden booking, offering exposure, payments, and invites
CI / No Debug Code (pull_request) Successful in 11s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 1m42s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 2m17s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 2m17s
Details
CI / Coding Standards (pull_request) Successful in 2m26s
Details
CI / PHPStan (pull_request) Successful in 2m38s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details

Browse Source 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
James Griffin-Allwood
2026-06-09 17:00:54 -03:00
parent b5c076c3d6
commit 5140e76347
18 changed files with 437 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Unit/Auth/InviteTest.php
+35
View File
@@ -60,6 +60,41 @@ class InviteTest extends TestCase
self::assertTrue($invite->isPending());
}
public function testIsExpiredWhenOlderThanExpiryWindow(): void
{
$created = gmdate('Y-m-d H:i:s', strtotime('2026-06-01 09:00:00'));
$now = '2026-06-20 09:00:00'; // 19 days later, beyond the 14-day window.
$invite = new Invite('a@b.test', 'tok', createdAt: $created);
self::assertTrue($invite->isExpired($now));
self::assertFalse($invite->isAcceptable($now));
}
public function testIsNotExpiredWithinExpiryWindow(): void
{
$invite = new Invite('a@b.test', 'tok', createdAt: '2026-06-01 09:00:00');
$now = '2026-06-10 09:00:00'; // 9 days later, inside the window.
self::assertFalse($invite->isExpired($now));
self::assertTrue($invite->isAcceptable($now));
}
public function testIsNotExpiredWhenCreatedAtUnknown(): void
{
$invite = new Invite('a@b.test', 'tok');
self::assertFalse($invite->isExpired('2030-01-01 00:00:00'));
self::assertTrue($invite->isAcceptable('2030-01-01 00:00:00'));
}
public function testAcceptedInviteIsNotAcceptableEvenWhenFresh(): void
{
$invite = new Invite('a@b.test', 'tok', status: Invite::STATUS_ACCEPTED, createdAt: '2026-06-01 09:00:00');
self::assertFalse($invite->isAcceptable('2026-06-02 09:00:00'));
}
public function testToArrayContainsExpectedKeys(): void
{
$arr = (new Invite('a@b.test', 'tok', id: 1))->toArray();