Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'Add account registration with signup policy acceptance' (#18) from feature/account-registration into main
CI / Coding Standards (push) Successful in 47s
Details
CI / PHPStan (push) Successful in 1m3s
Details
CI / Tests (PHP 8.1) (push) Successful in 48s
Details
CI / Tests (PHP 8.2) (push) Successful in 47s
Details
CI / Tests (PHP 8.3) (push) Successful in 46s
Details
CI / No Debug Code (push) Successful in 3s
Details
CI / Build Plugin Zip (push) Successful in 41s
Details

Browse Source 
Reviewed-on: #18
This commit was merged in pull request #18.
This commit is contained in:
James Griffin-Allwood
2026-06-05 19:52:57 +00:00
parent 5eb096c5cf 9c900d6553
commit 9b8fa5d698
25 changed files with 957 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/features/account-registration.md
+63
View File
@@ -0,0 +1,63 @@
# Feature: Account Registration
## Overview
People register for a student account through a front-end page, accepting any
signup-scoped policies at that time. Registration is **invite-only** by default: a
studio admin sends an invite, and the invitee completes signup via a tokenised
link. A settings seam (`us_registration_mode`) allows switching to open
self-registration with approval later.
## Registration Modes
Stored in the `us_registration_mode` option (default `invite`):
- `invite` — only a valid, pending invite token grants access to the registration form. *(implemented)*
- `self_approval` — anyone may register; the account is created in a pending state until a studio admin approves it. *(reserved for a later iteration)*
## Data Model — `{prefix}us_invites`
| Column | Type | Notes |
|--------------------|------------------|--------------------------------------------------------|
| `id` | BIGINT UNSIGNED | Primary key |
| `email` | VARCHAR(191) | Invited email address |
| `token` | VARCHAR(64) | Opaque token embedded in the registration link |
| `role` | VARCHAR(32) | Role granted on acceptance (default `us_student`) |
| `status` | VARCHAR(20) | `pending` / `accepted` / `revoked` |
| `invited_by` | BIGINT UNSIGNED | WordPress user ID of the studio admin who invited |
| `accepted_user_id` | BIGINT UNSIGNED | The created user's ID once accepted; NULL while pending |
| `created_at` | DATETIME | Insertion time |
| `accepted_at` | DATETIME | When accepted; NULL while pending |
## Policy Acceptance Scope
Policies declare **when** they must be accepted via `us_policies.acceptance_scope`:
`signup`, `booking`, or `both` (see `policies.md`). The registration form requires
acceptance of every published policy scoped `signup` or `both`. Acceptances are
recorded in `us_policy_acceptances` with `registration_type = account` and
`registration_id = <new user ID>`.
## Flow (invite mode)
1. Studio admin opens **Invites** (`manage_students`) and invites an email; an invite row is created with a token and a registration link.
2. The invitee opens `[us_student_register]` with the token (`?us_invite=<token>`).
3. The form pre-fills the email and collects a display name and password, and renders the signup-scoped published policies, each with a required acceptance checkbox.
4. On submit, the token is re-validated; a `us_student` user is created, the policy acceptances are recorded (`account` type), the invite is marked `accepted`, and the user is logged in.
## Admin Interface
**Invites** in wp-admin (`manage_students`, studio admin only):
- Invite an email (creates a pending invite + link)
- List pending invites; revoke an invite
## Frontend Shortcode
- `[us_student_register]` — the registration page. Shows the form for a valid pending invite; otherwise shows an "by invitation only" message (in `invite` mode).
## Capabilities
- `manage_students` — manage invites (studio admin; administrators inherit it via the `user_has_cap` filter). Added to `RoleManager::STUDIO_ADMIN_CAPS`.
## Implementation
- Models: `Unsupervised\Schedular\Auth\Invite`
- Repository: `Unsupervised\Schedular\Auth\InviteRepository`
- Admin controller: `Unsupervised\Schedular\Auth\RegistrationController`
- Frontend: `Unsupervised\Schedular\Auth\RegistrationPage`
- Reuses `Policy\PolicyRepository`, `Policy\PolicyVersionRepository`, `Policy\AcceptanceRepository`
- Schema: `us_invites`; `us_policies.acceptance_scope`
## Tests
- `tests/Unit/Auth/InviteTest.php`
- `tests/Unit/Auth/InviteRepositoryTest.php`
docs/features/policies.md
+1
View File
@@ -11,6 +11,7 @@ The studio admin drafts, versions, and publishes policies (e.g. cancellation, pa
| `title` | VARCHAR(191) | Display name |
| `slug` | VARCHAR(191) | Unique key, e.g. `cancellation` |
| `current_version_id` | BIGINT UNSIGNED | Nullable FK → `us_policy_versions.id` (published) |
| `acceptance_scope` | VARCHAR(20) | `signup` / `booking` / `both` — when it must be accepted |
| `created_at` | DATETIME | Insertion time |
## Data Model — `{prefix}us_policy_versions`
src/AdminMenu.php
+16 -1
View File
@@ -5,6 +5,8 @@ namespace Unsupervised\Schedular;
use Unsupervised\Schedular\Availability\AvailabilityController;
use Unsupervised\Schedular\Availability\AvailabilityRepository;
use Unsupervised\Schedular\Auth\InviteRepository;
use Unsupervised\Schedular\Auth\RegistrationController;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Booking\BookingRepository;
use Unsupervised\Schedular\Booking\LessonController;
@@ -24,13 +26,15 @@ class AdminMenu {
private OfferingController $offeringController;
private QuestionController $questionController;
private PolicyController $policyController;
private RegistrationController $registrationController;
public function __construct( AvailabilityRepository $availability, BookingRepository $bookings, OfferingRepository $offerings, QuestionRepository $questions, PolicyRepository $policies, PolicyVersionRepository $policyVersions, PolicyService $policyService ) {
public function __construct( AvailabilityRepository $availability, BookingRepository $bookings, OfferingRepository $offerings, QuestionRepository $questions, PolicyRepository $policies, PolicyVersionRepository $policyVersions, PolicyService $policyService, InviteRepository $invites ) {
$this->availabilityController = new AvailabilityController( $availability, $offerings );
$this->lessonController = new LessonController( $bookings );
$this->offeringController = new OfferingController( $offerings );
$this->questionController = new QuestionController( $questions, $offerings );
$this->policyController = new PolicyController( $policies, $policyVersions, $policyService );
$this->registrationController = new RegistrationController( $invites );
}
public function register(): void {
@@ -92,6 +96,17 @@ class AdminMenu {
34
);
// Studio admin: invite students to register.
add_menu_page(
__( 'Invites', 'unsupervised-schedular' ),
__( 'Invites', 'unsupervised-schedular' ),
RoleManager::CAP_MANAGE_STUDENTS,
'us-invites',
[ $this->registrationController, 'renderPage' ],
'dashicons-email',
35
);
// Instructor: view their upcoming lessons.
add_menu_page(
__( 'My Lessons', 'unsupervised-schedular' ),
src/Auth/Invite.php
+64
View File
@@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
class Invite {
public const STATUS_PENDING = 'pending';
public const STATUS_ACCEPTED = 'accepted';
public const STATUS_REVOKED = 'revoked';
/**
* All valid invite statuses.
*
* @var list<string>
*/
public const VALID_STATUSES = [ self::STATUS_PENDING, self::STATUS_ACCEPTED, self::STATUS_REVOKED ];
public function __construct(
public readonly string $email,
public readonly string $token,
public readonly string $role = RoleManager::STUDENT,
public readonly string $status = self::STATUS_PENDING,
public readonly ?int $invitedBy = null,
public readonly ?int $acceptedUserId = null,
public readonly ?string $acceptedAt = null,
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
return new self(
email: $row->email,
token: $row->token,
role: $row->role,
status: $row->status,
invitedBy: null !== $row->invited_by ? (int) $row->invited_by : null,
acceptedUserId: null !== $row->accepted_user_id ? (int) $row->accepted_user_id : null,
acceptedAt: $row->accepted_at,
id: (int) $row->id,
);
}
public function isPending(): bool {
return self::STATUS_PENDING === $this->status;
}
/**
* Returns a plain array representation of the invite.
*
* @return array<string, mixed>
*/
public function toArray(): array {
return [
'id' => $this->id,
'email' => $this->email,
'token' => $this->token,
'role' => $this->role,
'status' => $this->status,
'invited_by' => $this->invitedBy,
'accepted_user_id' => $this->acceptedUserId,
'accepted_at' => $this->acceptedAt,
];
}
}
src/Auth/InviteRepository.php
+103
View File
@@ -0,0 +1,103 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
class InviteRepository {
private string $table;
public function __construct( private \wpdb $db ) {
$this->table = $db->prefix . 'us_invites';
}
public function insert( Invite $invite ): int {
$this->db->insert(
$this->table,
[
'email' => $invite->email,
'token' => $invite->token,
'role' => $invite->role,
'status' => $invite->status,
'invited_by' => $invite->invitedBy,
'accepted_user_id' => $invite->acceptedUserId,
'created_at' => current_time( 'mysql' ),
'accepted_at' => $invite->acceptedAt,
],
[ '%s', '%s', '%s', '%s', '%d', '%d', '%s', '%s' ]
);
return $this->db->insert_id;
}
public function findByToken( string $token ): ?Invite {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE token = %s", $token )
);
return $row ? Invite::fromRow( $row ) : null;
}
public function findById( int $id ): ?Invite {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
);
return $row ? Invite::fromRow( $row ) : null;
}
/**
* The most recent pending invite for an email, if any.
*/
public function findPendingByEmail( string $email ): ?Invite {
$row = $this->db->get_row(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE email = %s AND status = %s ORDER BY id DESC LIMIT 1",
$email,
Invite::STATUS_PENDING
)
);
return $row ? Invite::fromRow( $row ) : null;
}
/**
* All invites awaiting acceptance, newest first.
*
* @return list<Invite>
*/
public function findPending(): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE status = %s ORDER BY created_at DESC",
Invite::STATUS_PENDING
)
);
return array_map( Invite::fromRow( ... ), $rows ?? [] );
}
public function markAccepted( int $id, int $userId ): bool {
return false !== $this->db->update(
$this->table,
[
'status' => Invite::STATUS_ACCEPTED,
'accepted_user_id' => $userId,
'accepted_at' => current_time( 'mysql' ),
],
[ 'id' => $id ],
[ '%s', '%d', '%s' ],
[ '%d' ]
);
}
public function revoke( int $id ): bool {
return false !== $this->db->update(
$this->table,
[ 'status' => Invite::STATUS_REVOKED ],
[ 'id' => $id ],
[ '%s' ],
[ '%d' ]
);
}
}
src/Auth/RegistrationController.php
+55
View File
@@ -0,0 +1,55 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
class RegistrationController {
public function __construct( private InviteRepository $invites ) {}
public function renderPage(): void {
if ( ! current_user_can( RoleManager::CAP_MANAGE_STUDENTS ) ) {
wp_die( esc_html__( 'You do not have permission to manage invites.', 'unsupervised-schedular' ) );
}
if ( isset( $_POST['usc_action'] ) && check_admin_referer( 'usc_invite_action' ) ) {
$this->handleFormAction();
}
$pendingInvites = $this->invites->findPending();
include USC_PLUGIN_DIR . 'templates/admin/invites.php';
}
private function handleFormAction(): void {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
if ( 'invite' === $action ) {
$email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
if (
is_email( $email )
&& false === email_exists( $email )
&& null === $this->invites->findPendingByEmail( $email )
) {
$this->invites->insert(
new Invite(
email: $email,
token: wp_generate_password( 32, false ),
invitedBy: get_current_user_id(),
)
);
}
}
if ( 'revoke' === $action ) {
$inviteId = absint( $_POST['invite_id'] ?? 0 );
if ( $inviteId > 0 ) {
$this->invites->revoke( $inviteId );
}
}
// phpcs:enable WordPress.Security.NonceVerification.Missing
}
}
src/Auth/RegistrationPage.php
+159
View File
@@ -0,0 +1,159 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
use Unsupervised\Schedular\Policy\AcceptanceRepository;
use Unsupervised\Schedular\Policy\Policy;
use Unsupervised\Schedular\Policy\PolicyAcceptance;
use Unsupervised\Schedular\Policy\PolicyRepository;
use Unsupervised\Schedular\Policy\PolicyVersionRepository;
class RegistrationPage {
public function __construct(
private InviteRepository $invites,
private PolicyRepository $policies,
private PolicyVersionRepository $versions,
private AcceptanceRepository $acceptances,
) {}
/**
* Renders the student registration shortcode output.
*
* @param array<string, string> $atts Shortcode attributes (unused — reserved for future options).
*/
public function render( array $atts ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
if ( is_user_logged_in() ) {
return '<p>' . esc_html__( 'You already have an account and are logged in.', 'unsupervised-schedular' ) . '</p>';
}
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- token identifies the invite; the form submit is nonce-checked below.
$token = sanitize_text_field( wp_unslash( $_REQUEST['us_invite'] ?? '' ) );
$invite = '' !== $token ? $this->invites->findByToken( $token ) : null;
$error = '';
$success = false;
if ( isset( $_POST['us_register'] ) && check_admin_referer( 'us_student_register' ) ) {
$result = $this->handleSubmit( $invite );
if ( true === $result ) {
$success = true;
} else {
$error = $result;
}
}
$policyForms = $this->signupPolicies();
$canRegister = null !== $invite && $invite->isPending();
ob_start();
include USC_PLUGIN_DIR . 'templates/frontend/register-page.php';
return (string) ob_get_clean();
}
/**
* Process the submitted registration. Returns true on success or an error
* message string on failure.
*/
private function handleSubmit( ?Invite $invite ): string|bool {
if ( null === $invite || ! $invite->isPending() ) {
return esc_html__( 'This invitation is invalid or has already been used.', 'unsupervised-schedular' );
}
// The submit nonce is verified by the caller (render) before this runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- passwords must not be sanitized.
$password = (string) wp_unslash( $_POST['password'] ?? '' );
$displayName = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );
if ( strlen( $password ) < 8 ) {
return esc_html__( 'Please choose a password of at least 8 characters.', 'unsupervised-schedular' );
}
$policyForms = $this->signupPolicies();
$accepted = array_map( 'absint', (array) ( $_POST['accept'] ?? [] ) );
// phpcs:enable WordPress.Security.NonceVerification.Missing
foreach ( $policyForms as $form ) {
if ( ! in_array( (int) $form['version']->id, $accepted, true ) ) {
return esc_html__( 'You must accept all required policies to register.', 'unsupervised-schedular' );
}
}
if ( email_exists( $invite->email ) ) {
return esc_html__( 'An account already exists for this email.', 'unsupervised-schedular' );
}
$userId = wp_insert_user(
[
'user_login' => $invite->email,
'user_email' => $invite->email,
'user_pass' => $password,
'display_name' => '' !== $displayName ? $displayName : $invite->email,
'role' => $invite->role,
]
);
if ( is_wp_error( $userId ) ) {
return esc_html__( 'Could not create the account. Please contact the studio.', 'unsupervised-schedular' );
}
$this->recordAcceptances( $policyForms, (int) $userId );
$this->invites->markAccepted( (int) $invite->id, (int) $userId );
wp_set_current_user( (int) $userId );
wp_set_auth_cookie( (int) $userId );
return true;
}
/**
* Record account-time acceptances for each signup policy version.
*
* @param list<array{policy: Policy, version: \Unsupervised\Schedular\Policy\PolicyVersion}> $policyForms
*/
private function recordAcceptances( array $policyForms, int $userId ): void {
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- IP is stored verbatim for audit.
$ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) );
foreach ( $policyForms as $form ) {
$this->acceptances->insert(
new PolicyAcceptance(
policyVersionId: (int) $form['version']->id,
studentId: $userId,
registrationType: PolicyAcceptance::REG_ACCOUNT,
registrationId: $userId,
ipAddress: '' !== $ip ? $ip : null,
)
);
}
}
/**
* Signup-scoped policies that have a current published version.
*
* @return list<array{policy: Policy, version: \Unsupervised\Schedular\Policy\PolicyVersion}>
*/
private function signupPolicies(): array {
$out = [];
foreach ( $this->policies->findForScope( Policy::SCOPE_SIGNUP ) as $policy ) {
if ( null === $policy->currentVersionId ) {
continue;
}
$version = $this->versions->findById( $policy->currentVersionId );
if ( null === $version || ! $version->isPublished() ) {
continue;
}
$out[] = [
'policy' => $policy,
'version' => $version,
];
}
return $out;
}
}
src/Auth/RoleManager.php
+2
View File
@@ -14,6 +14,7 @@ class RoleManager {
public const CAP_BOOK_LESSON = 'book_lesson';
public const CAP_MANAGE_INSTRUCTORS = 'manage_instructors';
public const CAP_MANAGE_STUDENTS = 'manage_students';
public const CAP_MANAGE_OFFERINGS = 'manage_offerings';
public const CAP_MANAGE_QUESTIONS = 'manage_questions';
public const CAP_MANAGE_POLICIES = 'manage_policies';
@@ -31,6 +32,7 @@ class RoleManager {
*/
public const STUDIO_ADMIN_CAPS = [
self::CAP_MANAGE_INSTRUCTORS,
self::CAP_MANAGE_STUDENTS,
self::CAP_MANAGE_OFFERINGS,
self::CAP_MANAGE_QUESTIONS,
self::CAP_MANAGE_POLICIES,
src/Plugin.php
+6 -2
View File
@@ -3,10 +3,12 @@ declare(strict_types=1);
namespace Unsupervised\Schedular;
use Unsupervised\Schedular\Auth\InviteRepository;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Availability\AvailabilityRepository;
use Unsupervised\Schedular\Booking\BookingRepository;
use Unsupervised\Schedular\Offering\OfferingRepository;
use Unsupervised\Schedular\Policy\AcceptanceRepository;
use Unsupervised\Schedular\Policy\PolicyRepository;
use Unsupervised\Schedular\Policy\PolicyService;
use Unsupervised\Schedular\Policy\PolicyVersionRepository;
@@ -25,10 +27,12 @@ class Plugin {
$policies = new PolicyRepository( $wpdb );
$policyVersions = new PolicyVersionRepository( $wpdb );
$policyService = new PolicyService( $policies, $policyVersions );
$acceptances = new AcceptanceRepository( $wpdb );
$invites = new InviteRepository( $wpdb );
( new RoleManager() )->register();
( new AdminMenu( $availability, $bookings, $offerings, $questions, $policies, $policyVersions, $policyService ) )->register();
( new AdminMenu( $availability, $bookings, $offerings, $questions, $policies, $policyVersions, $policyService, $invites ) )->register();
( new RestRegistrar( $availability, $bookings, $offerings, $questions, $policies, $policyVersions, $policyService ) )->register();
( new ShortcodeRegistrar() )->register();
( new ShortcodeRegistrar( $invites, $policies, $policyVersions, $acceptances ) )->register();
}
}
src/Policy/Policy.php
+21
View File
@@ -5,10 +5,22 @@ namespace Unsupervised\Schedular\Policy;
class Policy {
public const SCOPE_SIGNUP = 'signup';
public const SCOPE_BOOKING = 'booking';
public const SCOPE_BOTH = 'both';
/**
* All valid acceptance scopes — when a policy must be accepted.
*
* @var list<string>
*/
public const VALID_SCOPES = [ self::SCOPE_SIGNUP, self::SCOPE_BOOKING, self::SCOPE_BOTH ];
public function __construct(
public readonly string $title,
public readonly string $slug,
public readonly ?int $currentVersionId = null,
public readonly string $acceptanceScope = self::SCOPE_BOOKING,
public readonly ?int $id = null,
) {}
@@ -17,10 +29,18 @@ class Policy {
title: $row->title,
slug: $row->slug,
currentVersionId: null !== $row->current_version_id ? (int) $row->current_version_id : null,
acceptanceScope: $row->acceptance_scope,
id: (int) $row->id,
);
}
/**
* Whether this policy must be accepted in the given gate (`signup` or `booking`).
*/
public function appliesTo( string $scope ): bool {
return $this->acceptanceScope === $scope || self::SCOPE_BOTH === $this->acceptanceScope;
}
/**
* Returns a plain array representation of the policy.
*
@@ -32,6 +52,7 @@ class Policy {
'title' => $this->title,
'slug' => $this->slug,
'current_version_id' => $this->currentVersionId,
'acceptance_scope' => $this->acceptanceScope,
];
}
}
src/Policy/PolicyAcceptance.php
+4 -2
View File
@@ -5,15 +5,17 @@ namespace Unsupervised\Schedular\Policy;
class PolicyAcceptance {
public const REG_ACCOUNT = 'account';
public const REG_LESSON = 'lesson';
public const REG_ENROLLMENT = 'enrollment';
/**
* Polymorphic registration targets an acceptance can attach to.
* Polymorphic registration targets an acceptance can attach to. For `account`
* the registration id is the WordPress user ID.
*
* @var list<string>
*/
public const VALID_REGISTRATION_TYPES = [ self::REG_LESSON, self::REG_ENROLLMENT ];
public const VALID_REGISTRATION_TYPES = [ self::REG_ACCOUNT, self::REG_LESSON, self::REG_ENROLLMENT ];
public function __construct(
public readonly int $policyVersionId,
src/Policy/PolicyController.php
+6 -1
View File
@@ -40,9 +40,14 @@ class PolicyController {
$title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
$slugRaw = sanitize_text_field( wp_unslash( $_POST['slug'] ?? '' ) );
$slug = sanitize_title( '' !== $slugRaw ? $slugRaw : $title );
$scope = sanitize_key( wp_unslash( $_POST['acceptance_scope'] ?? Policy::SCOPE_BOOKING ) );
if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
$scope = Policy::SCOPE_BOOKING;
}
if ( '' !== $title && '' !== $slug && null === $this->policies->findBySlug( $slug ) ) {
$this->service->createPolicy( $title, $slug );
$this->service->createPolicy( $title, $slug, $scope );
}
return;
src/Policy/PolicyEndpoint.php
+6 -1
View File
@@ -113,7 +113,12 @@ class PolicyEndpoint {
return new \WP_Error( 'duplicate_slug', __( 'A policy with that slug already exists.', 'unsupervised-schedular' ), [ 'status' => 409 ] );
}
$id = $this->service->createPolicy( $title, $slug );
$scope = (string) ( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
return $this->invalid( __( 'Invalid acceptance scope.', 'unsupervised-schedular' ) );
}
$id = $this->service->createPolicy( $title, $slug, $scope );
return new \WP_REST_Response( [ 'id' => $id ], 201 );
}
src/Policy/PolicyRepository.php
+20 -1
View File
@@ -18,14 +18,33 @@ class PolicyRepository {
'title' => $policy->title,
'slug' => $policy->slug,
'current_version_id' => $policy->currentVersionId,
'acceptance_scope' => $policy->acceptanceScope,
'created_at' => current_time( 'mysql' ),
],
[ '%s', '%s', '%d', '%s' ]
[ '%s', '%s', '%d', '%s', '%s' ]
);
return $this->db->insert_id;
}
/**
* Policies that must be accepted in the given gate — those scoped to it or to
* `both`. Pass `Policy::SCOPE_SIGNUP` or `Policy::SCOPE_BOOKING`.
*
* @return list<Policy>
*/
public function findForScope( string $scope ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE acceptance_scope = %s OR acceptance_scope = %s ORDER BY title ASC",
$scope,
Policy::SCOPE_BOTH
)
);
return array_map( Policy::fromRow( ... ), $rows ?? [] );
}
public function updateCurrentVersion( int $policyId, int $versionId ): bool {
return false !== $this->db->update(
$this->table,
src/Policy/PolicyService.php
+2 -2
View File
@@ -13,8 +13,8 @@ class PolicyService {
private PolicyVersionRepository $versions,
) {}
public function createPolicy( string $title, string $slug ): int {
return $this->policies->insert( new Policy( $title, $slug ) );
public function createPolicy( string $title, string $slug, string $scope = Policy::SCOPE_BOOKING ): int {
return $this->policies->insert( new Policy( $title, $slug, acceptanceScope: $scope ) );
}
/**
src/Schema.php
+19 -1
View File
@@ -100,9 +100,11 @@ class Schema {
title VARCHAR(191) NOT NULL,
slug VARCHAR(191) NOT NULL,
current_version_id BIGINT UNSIGNED DEFAULT NULL,
acceptance_scope VARCHAR(20) NOT NULL DEFAULT 'booking',
created_at DATETIME NOT NULL,
PRIMARY KEY (id),
UNIQUE KEY slug (slug)
UNIQUE KEY slug (slug),
KEY acceptance_scope (acceptance_scope)
) {$charset};",
"CREATE TABLE {$prefix}us_policy_versions (
@@ -131,6 +133,22 @@ class Schema {
KEY student_id (student_id),
KEY registration (registration_type, registration_id)
) {$charset};",
"CREATE TABLE {$prefix}us_invites (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
email VARCHAR(191) NOT NULL,
token VARCHAR(64) NOT NULL,
role VARCHAR(32) NOT NULL DEFAULT 'us_student',
status VARCHAR(20) NOT NULL DEFAULT 'pending',
invited_by BIGINT UNSIGNED DEFAULT NULL,
accepted_user_id BIGINT UNSIGNED DEFAULT NULL,
created_at DATETIME NOT NULL,
accepted_at DATETIME DEFAULT NULL,
PRIMARY KEY (id),
UNIQUE KEY token (token),
KEY email (email),
KEY status (status)
) {$charset};",
];
}
}
src/ShortcodeRegistrar.php
+16 -3
View File
@@ -3,22 +3,35 @@ declare(strict_types=1);
namespace Unsupervised\Schedular;
use Unsupervised\Schedular\Auth\InviteRepository;
use Unsupervised\Schedular\Auth\LoginPage;
use Unsupervised\Schedular\Auth\RegistrationPage;
use Unsupervised\Schedular\Booking\BookingPage;
use Unsupervised\Schedular\Policy\AcceptanceRepository;
use Unsupervised\Schedular\Policy\PolicyRepository;
use Unsupervised\Schedular\Policy\PolicyVersionRepository;
class ShortcodeRegistrar {
private BookingPage $bookingPage;
private LoginPage $loginPage;
private RegistrationPage $registrationPage;
public function __construct() {
$this->bookingPage = new BookingPage();
$this->loginPage = new LoginPage();
public function __construct(
InviteRepository $invites,
PolicyRepository $policies,
PolicyVersionRepository $policyVersions,
AcceptanceRepository $acceptances,
) {
$this->bookingPage = new BookingPage();
$this->loginPage = new LoginPage();
$this->registrationPage = new RegistrationPage( $invites, $policies, $policyVersions, $acceptances );
}
public function register(): void {
add_shortcode( 'us_booking', [ $this->bookingPage, 'render' ] );
add_shortcode( 'us_student_login', [ $this->loginPage, 'render' ] );
add_shortcode( 'us_student_register', [ $this->registrationPage, 'render' ] );
add_action( 'wp_enqueue_scripts', [ $this, 'enqueueAssets' ] );
}
templates/admin/invites.php
+64
View File
@@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
if (! defined('ABSPATH')) {
exit;
}
/** @var list<\Unsupervised\Schedular\Auth\Invite> $pendingInvites */
?>
<div class="wrap">
<h1><?php esc_html_e('Invites', 'unsupervised-schedular'); ?></h1>
<p class="description"><?php esc_html_e('Invite a student by email, then send them the registration link below. They complete signup and accept any required policies through the [us_student_register] page.', 'unsupervised-schedular'); ?></p>
<h2><?php esc_html_e('Invite a Student', 'unsupervised-schedular'); ?></h2>
<form method="post">
<?php wp_nonce_field('usc_invite_action'); ?>
<input type="hidden" name="usc_action" value="invite">
<table class="form-table">
<tr>
<th><label for="email"><?php esc_html_e('Email', 'unsupervised-schedular'); ?></label></th>
<td><input type="email" name="email" id="email" class="regular-text" required></td>
</tr>
</table>
<?php submit_button(esc_html__('Send Invite', 'unsupervised-schedular')); ?>
</form>
<h2><?php esc_html_e('Pending Invites', 'unsupervised-schedular'); ?></h2>
<?php if (empty($pendingInvites)) : ?>
<p><?php esc_html_e('No pending invites.', 'unsupervised-schedular'); ?></p>
<?php else : ?>
<table class="wp-list-table widefat fixed striped">
<thead>
<tr>
<th><?php esc_html_e('Email', 'unsupervised-schedular'); ?></th>
<th><?php esc_html_e('Registration link', 'unsupervised-schedular'); ?></th>
<th><?php esc_html_e('Actions', 'unsupervised-schedular'); ?></th>
</tr>
</thead>
<tbody>
<?php foreach ($pendingInvites as $invite) : ?>
<?php $link = esc_url(add_query_arg('us_invite', $invite->token, home_url('/'))); ?>
<tr>
<td><?php echo esc_html($invite->email); ?></td>
<td>
<input type="text" class="large-text code" readonly value="<?php echo esc_attr($link); ?>" onclick="this.select()">
<span class="description"><?php esc_html_e('Point this token (?us_invite=…) at the page containing the registration shortcode.', 'unsupervised-schedular'); ?></span>
</td>
<td>
<form method="post" style="display:inline;">
<?php wp_nonce_field('usc_invite_action'); ?>
<input type="hidden" name="usc_action" value="revoke">
<input type="hidden" name="invite_id" value="<?php echo esc_attr((string) $invite->id); ?>">
<button type="submit" class="button button-small button-link-delete">
<?php esc_html_e('Revoke', 'unsupervised-schedular'); ?>
</button>
</form>
</td>
</tr>
<?php endforeach; ?>
</tbody>
</table>
<?php endif; ?>
</div>
templates/admin/policies.php
+11
View File
@@ -1,6 +1,7 @@
<?php
declare(strict_types=1);
use Unsupervised\Schedular\Policy\Policy;
use Unsupervised\Schedular\Policy\PolicyVersion;
if (! defined('ABSPATH')) {
@@ -31,6 +32,16 @@ if (! defined('ABSPATH')) {
<input type="text" name="slug" id="slug" class="regular-text" placeholder="<?php esc_attr_e('e.g. cancellation (defaults from title)', 'unsupervised-schedular'); ?>">
</td>
</tr>
<tr>
<th><label for="acceptance_scope"><?php esc_html_e('Accept at', 'unsupervised-schedular'); ?></label></th>
<td>
<select name="acceptance_scope" id="acceptance_scope">
<option value="<?php echo esc_attr(Policy::SCOPE_BOOKING); ?>" selected><?php esc_html_e('Booking', 'unsupervised-schedular'); ?></option>
<option value="<?php echo esc_attr(Policy::SCOPE_SIGNUP); ?>"><?php esc_html_e('Account signup', 'unsupervised-schedular'); ?></option>
<option value="<?php echo esc_attr(Policy::SCOPE_BOTH); ?>"><?php esc_html_e('Both', 'unsupervised-schedular'); ?></option>
</select>
</td>
</tr>
</table>
<?php submit_button(esc_html__('Add Policy', 'unsupervised-schedular')); ?>
</form>
templates/frontend/register-page.php
+67
View File
@@ -0,0 +1,67 @@
<?php
declare(strict_types=1);
if (! defined('ABSPATH')) {
exit;
}
/**
* @var \Unsupervised\Schedular\Auth\Invite|null $invite
* @var bool $canRegister
* @var bool $success
* @var string $error
* @var list<array{policy: \Unsupervised\Schedular\Policy\Policy, version: \Unsupervised\Schedular\Policy\PolicyVersion}> $policyForms
*/
?>
<div class="us-register-form">
<?php if ($success) : ?>
<p class="us-success"><?php esc_html_e('Your account has been created and you are now logged in.', 'unsupervised-schedular'); ?></p>
<?php elseif (! $canRegister) : ?>
<p><?php esc_html_e('Registration is by invitation only. Please use the link from your invitation email, or contact the studio.', 'unsupervised-schedular'); ?></p>
<?php else : ?>
<?php if ($error !== '') : ?>
<p class="us-error" role="alert"><?php echo esc_html($error); ?></p>
<?php endif; ?>
<form method="post" action="">
<?php wp_nonce_field('us_student_register'); ?>
<input type="hidden" name="us_invite" value="<?php echo esc_attr($invite->token); ?>">
<p>
<label for="us-reg-email"><?php esc_html_e('Email', 'unsupervised-schedular'); ?></label>
<input type="email" id="us-reg-email" value="<?php echo esc_attr($invite->email); ?>" readonly>
</p>
<p>
<label for="us-reg-name"><?php esc_html_e('Your name', 'unsupervised-schedular'); ?></label>
<input type="text" name="display_name" id="us-reg-name" autocomplete="name" required>
</p>
<p>
<label for="us-reg-pass"><?php esc_html_e('Password', 'unsupervised-schedular'); ?></label>
<input type="password" name="password" id="us-reg-pass" autocomplete="new-password" minlength="8" required>
</p>
<?php if (! empty($policyForms)) : ?>
<fieldset class="us-policies">
<legend><?php esc_html_e('Policies', 'unsupervised-schedular'); ?></legend>
<?php foreach ($policyForms as $form) : ?>
<div class="us-policy">
<h4><?php echo esc_html($form['policy']->title); ?></h4>
<div class="us-policy-body"><?php echo wp_kses_post((string) $form['version']->body); ?></div>
<label>
<input type="checkbox" name="accept[]" value="<?php echo esc_attr((string) $form['version']->id); ?>" required>
<?php
/* translators: %s: policy title */
echo esc_html(sprintf(__('I have read and agree to the %s.', 'unsupervised-schedular'), $form['policy']->title));
?>
</label>
</div>
<?php endforeach; ?>
</fieldset>
<?php endif; ?>
<p>
<input type="submit" name="us_register" value="<?php esc_attr_e('Create Account', 'unsupervised-schedular'); ?>">
</p>
</form>
<?php endif; ?>
</div>
tests/Unit/Auth/InviteRepositoryTest.php
+138
View File
@@ -0,0 +1,138 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit\Auth;
use Brain\Monkey\Functions;
use Mockery;
use Unsupervised\Schedular\Auth\Invite;
use Unsupervised\Schedular\Auth\InviteRepository;
use Unsupervised\Schedular\Tests\Unit\TestCase;
class InviteRepositoryTest extends TestCase
{
private \wpdb $db;
private InviteRepository $repo;
protected function setUp(): void
{
parent::setUp();
$this->db = Mockery::mock(\wpdb::class);
$this->db->prefix = 'wp_';
$this->repo = new InviteRepository($this->db);
}
public function testInsertReturnsId(): void
{
Functions\expect('current_time')->with('mysql')->andReturn('2026-06-02 09:00:00');
$this->db->shouldReceive('insert')
->once()
->with(
'wp_us_invites',
Mockery::on(static function (array $d): bool {
return $d['email'] === 'a@b.test'
&& $d['token'] === 'tok123'
&& $d['status'] === Invite::STATUS_PENDING
&& $d['invited_by'] === 2;
}),
['%s', '%s', '%s', '%s', '%d', '%d', '%s', '%s']
);
$this->db->insert_id = 5;
self::assertSame(5, $this->repo->insert(new Invite('a@b.test', 'tok123', invitedBy: 2)));
}
public function testFindByTokenReturnsInvite(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/token = %s/'), 'tok123')
->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn($this->row());
$invite = $this->repo->findByToken('tok123');
self::assertInstanceOf(Invite::class, $invite);
self::assertSame('a@b.test', $invite->email);
}
public function testFindByTokenReturnsNullWhenMissing(): void
{
$this->db->shouldReceive('prepare')->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn(null);
self::assertNull($this->repo->findByToken('nope'));
}
public function testFindPendingByEmailFiltersStatus(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/email = %s AND status = %s/'), 'a@b.test', Invite::STATUS_PENDING)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn($this->row());
self::assertInstanceOf(Invite::class, $this->repo->findPendingByEmail('a@b.test'));
}
public function testFindPendingMapsRows(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/status = %s/'), Invite::STATUS_PENDING)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([$this->row()]);
$pending = $this->repo->findPending();
self::assertCount(1, $pending);
self::assertInstanceOf(Invite::class, $pending[0]);
}
public function testMarkAcceptedUpdatesRow(): void
{
Functions\expect('current_time')->with('mysql')->andReturn('2026-06-02 10:00:00');
$this->db->shouldReceive('update')
->once()
->with(
'wp_us_invites',
Mockery::on(static fn (array $d): bool => $d['status'] === Invite::STATUS_ACCEPTED && $d['accepted_user_id'] === 9),
['id' => 5],
['%s', '%d', '%s'],
['%d']
)
->andReturn(1);
self::assertTrue($this->repo->markAccepted(5, 9));
}
public function testRevokeUpdatesStatus(): void
{
$this->db->shouldReceive('update')
->once()
->with('wp_us_invites', ['status' => Invite::STATUS_REVOKED], ['id' => 5], ['%s'], ['%d'])
->andReturn(1);
self::assertTrue($this->repo->revoke(5));
}
private function row(): object
{
return (object) [
'id' => '5',
'email' => 'a@b.test',
'token' => 'tok123',
'role' => 'us_student',
'status' => Invite::STATUS_PENDING,
'invited_by' => '2',
'accepted_user_id' => null,
'accepted_at' => null,
];
}
}
tests/Unit/Auth/InviteTest.php
+71
View File
@@ -0,0 +1,71 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit\Auth;
use Unsupervised\Schedular\Auth\Invite;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Tests\Unit\TestCase;
class InviteTest extends TestCase
{
public function testDefaults(): void
{
$invite = new Invite('a@b.test', 'tok123');
self::assertSame('a@b.test', $invite->email);
self::assertSame('tok123', $invite->token);
self::assertSame(RoleManager::STUDENT, $invite->role);
self::assertSame(Invite::STATUS_PENDING, $invite->status);
self::assertTrue($invite->isPending());
self::assertNull($invite->invitedBy);
self::assertNull($invite->acceptedUserId);
self::assertNull($invite->id);
}
public function testFromRowMapsCorrectly(): void
{
$invite = Invite::fromRow((object) [
'id' => '5',
'email' => 'a@b.test',
'token' => 'tok123',
'role' => RoleManager::STUDENT,
'status' => Invite::STATUS_ACCEPTED,
'invited_by' => '2',
'accepted_user_id' => '9',
'accepted_at' => '2026-06-02 09:00:00',
]);
self::assertSame(5, $invite->id);
self::assertSame(2, $invite->invitedBy);
self::assertSame(9, $invite->acceptedUserId);
self::assertFalse($invite->isPending());
}
public function testFromRowHandlesNullableIds(): void
{
$invite = Invite::fromRow((object) [
'id' => '5',
'email' => 'a@b.test',
'token' => 'tok123',
'role' => RoleManager::STUDENT,
'status' => Invite::STATUS_PENDING,
'invited_by' => null,
'accepted_user_id' => null,
'accepted_at' => null,
]);
self::assertNull($invite->invitedBy);
self::assertNull($invite->acceptedUserId);
self::assertTrue($invite->isPending());
}
public function testToArrayContainsExpectedKeys(): void
{
$arr = (new Invite('a@b.test', 'tok', id: 1))->toArray();
foreach (['id', 'email', 'token', 'role', 'status', 'invited_by', 'accepted_user_id', 'accepted_at'] as $key) {
self::assertArrayHasKey($key, $arr);
}
}
}
tests/Unit/Policy/PolicyRepositoryTest.php
+25 -3
View File
@@ -31,14 +31,35 @@ class PolicyRepositoryTest extends TestCase
->once()
->with(
'wp_us_policies',
Mockery::on(static fn (array $d): bool => $d['title'] === 'Cancellation' && $d['slug'] === 'cancellation' && $d['current_version_id'] === null),
['%s', '%s', '%d', '%s']
Mockery::on(static fn (array $d): bool => $d['title'] === 'Cancellation' && $d['slug'] === 'cancellation' && $d['current_version_id'] === null && $d['acceptance_scope'] === Policy::SCOPE_BOOKING),
['%s', '%s', '%d', '%s', '%s']
);
$this->db->insert_id = 7;
self::assertSame(7, $this->repo->insert(new Policy('Cancellation', 'cancellation')));
}
public function testFindForScopeMatchesScopeOrBoth(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(
Mockery::pattern('/acceptance_scope = %s OR acceptance_scope = %s/'),
Policy::SCOPE_SIGNUP,
Policy::SCOPE_BOTH
)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([
(object) ['id' => '1', 'title' => 'Terms', 'slug' => 'terms', 'current_version_id' => '5', 'acceptance_scope' => Policy::SCOPE_SIGNUP],
]);
$found = $this->repo->findForScope(Policy::SCOPE_SIGNUP);
self::assertCount(1, $found);
self::assertSame(Policy::SCOPE_SIGNUP, $found[0]->acceptanceScope);
}
public function testUpdateCurrentVersion(): void
{
$this->db->shouldReceive('update')
@@ -57,6 +78,7 @@ class PolicyRepositoryTest extends TestCase
'title' => 'Cancellation',
'slug' => 'cancellation',
'current_version_id' => null,
'acceptance_scope' => Policy::SCOPE_BOOKING,
]);
$policy = $this->repo->findBySlug('cancellation');
@@ -76,7 +98,7 @@ class PolicyRepositoryTest extends TestCase
public function testFindAllMapsRows(): void
{
$this->db->shouldReceive('get_results')->andReturn([
(object) ['id' => '1', 'title' => 'A', 'slug' => 'a', 'current_version_id' => null],
(object) ['id' => '1', 'title' => 'A', 'slug' => 'a', 'current_version_id' => null, 'acceptance_scope' => Policy::SCOPE_BOOKING],
]);
$all = $this->repo->findAll();
tests/Unit/Policy/PolicyServiceTest.php
+3 -3
View File
@@ -56,7 +56,7 @@ class PolicyServiceTest extends TestCase
{
Functions\expect('current_time')->with('mysql')->andReturn('2026-06-01 12:00:00');
$this->policies->shouldReceive('findById')->once()->with(4)->andReturn(new Policy('T', 't', 8, 4));
$this->policies->shouldReceive('findById')->once()->with(4)->andReturn(new Policy('T', 't', 8, id: 4));
$this->versions->shouldReceive('findById')->once()->with(9)->andReturn(new PolicyVersion(4, 2, '<p>x</p>', PolicyVersion::STATUS_DRAFT, null, 9));
$this->versions->shouldReceive('updateStatus')->once()->with(8, PolicyVersion::STATUS_ARCHIVED);
@@ -70,7 +70,7 @@ class PolicyServiceTest extends TestCase
{
Functions\expect('current_time')->andReturn('2026-06-01 12:00:00');
$this->policies->shouldReceive('findById')->once()->with(4)->andReturn(new Policy('T', 't', null, 4));
$this->policies->shouldReceive('findById')->once()->with(4)->andReturn(new Policy('T', 't', null, id: 4));
$this->versions->shouldReceive('findById')->once()->with(9)->andReturn(new PolicyVersion(4, 1, null, PolicyVersion::STATUS_DRAFT, null, 9));
// No archive call expected (no prior current version).
@@ -82,7 +82,7 @@ class PolicyServiceTest extends TestCase
public function testPublishRejectsVersionFromAnotherPolicy(): void
{
$this->policies->shouldReceive('findById')->once()->with(4)->andReturn(new Policy('T', 't', null, 4));
$this->policies->shouldReceive('findById')->once()->with(4)->andReturn(new Policy('T', 't', null, id: 4));
$this->versions->shouldReceive('findById')->once()->with(9)->andReturn(new PolicyVersion(99, 1, null, PolicyVersion::STATUS_DRAFT, null, 9));
// No status/current-version writes when the version belongs elsewhere.
tests/Unit/Policy/PolicyValueObjectsTest.php
+15 -1
View File
@@ -17,12 +17,14 @@ class PolicyValueObjectsTest extends TestCase
'title' => 'Cancellation',
'slug' => 'cancellation',
'current_version_id' => '9',
'acceptance_scope' => Policy::SCOPE_BOTH,
]);
self::assertSame(4, $policy->id);
self::assertSame('cancellation', $policy->slug);
self::assertSame(9, $policy->currentVersionId);
self::assertArrayHasKey('current_version_id', $policy->toArray());
self::assertSame(Policy::SCOPE_BOTH, $policy->acceptanceScope);
self::assertArrayHasKey('acceptance_scope', $policy->toArray());
}
public function testPolicyHandlesNullCurrentVersion(): void
@@ -32,11 +34,23 @@ class PolicyValueObjectsTest extends TestCase
'title' => 'Cancellation',
'slug' => 'cancellation',
'current_version_id' => null,
'acceptance_scope' => Policy::SCOPE_BOOKING,
]);
self::assertNull($policy->currentVersionId);
}
public function testPolicyAppliesToScopeAndBoth(): void
{
$signup = new Policy('Terms', 'terms', acceptanceScope: Policy::SCOPE_SIGNUP);
self::assertTrue($signup->appliesTo(Policy::SCOPE_SIGNUP));
self::assertFalse($signup->appliesTo(Policy::SCOPE_BOOKING));
$both = new Policy('Both', 'both', acceptanceScope: Policy::SCOPE_BOTH);
self::assertTrue($both->appliesTo(Policy::SCOPE_SIGNUP));
self::assertTrue($both->appliesTo(Policy::SCOPE_BOOKING));
}
public function testPolicyVersionFromRowAndStatusHelper(): void
{
$version = PolicyVersion::fromRow((object) [