Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
061d09e034f1f59a083e90df2fe7ee37334f40b9
unsupervised-scheduler/src/Offering/OfferingEndpoint.php
T
thatguygriff 061d09e034
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
Details
CI / Coding Standards (pull_request) Successful in 55s
Details
CI / PHPStan (pull_request) Successful in 1m7s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Harden booking, offering exposure, payments, and invites 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 17:08:22 -03:00

219 lines
8.6 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Offering;
use Unsupervised\Schedular\Auth\RoleManager;
class OfferingEndpoint {
public function __construct( private OfferingRepository $repository ) {}
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
'/offerings',
[
[
'methods' => \WP_REST_Server::READABLE,
'callback' => [ $this, 'index' ],
'permission_callback' => [ $this, 'canBook' ],
'args' => [
'instructor_id' => [
'type' => 'integer',
'default' => 0,
],
'kind' => [
'type' => 'string',
'default' => '',
],
],
],
[
'methods' => \WP_REST_Server::CREATABLE,
'callback' => [ $this, 'create' ],
'permission_callback' => [ $this, 'canManage' ],
],
]
);
register_rest_route(
$route_namespace,
'/offerings/(?P<id>\d+)',
[
[
'methods' => \WP_REST_Server::EDITABLE,
'callback' => [ $this, 'update' ],
'permission_callback' => [ $this, 'canManage' ],
],
[
'methods' => \WP_REST_Server::DELETABLE,
'callback' => [ $this, 'delete' ],
'permission_callback' => [ $this, 'canManage' ],
],
]
);
}
public function index( \WP_REST_Request $request ): \WP_REST_Response {
$offerings = $this->repository->findAll(
(int) $request->get_param( 'instructor_id' ),
(string) $request->get_param( 'kind' ),
activeOnly: true,
);
// Public listing: omit the private e-transfer destination email.
return new \WP_REST_Response( array_map( fn( Offering $o ) => $o->toArray( includeEtransferEmail: false ), $offerings ), 200 );
}
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$title = sanitize_text_field( (string) $request->get_param( 'title' ) );
if ( '' === $title ) {
return $this->invalid( __( 'A title is required.', 'unsupervised-schedular' ) );
}
$kind = (string) $request->get_param( 'kind' );
if ( ! in_array( $kind, Offering::VALID_KINDS, true ) ) {
return $this->invalid( __( 'Invalid offering kind.', 'unsupervised-schedular' ) );
}
$billingMode = (string) ( $request->get_param( 'billing_mode' ) ?? Offering::BILLING_ONE_TIME );
if ( ! in_array( $billingMode, Offering::VALID_BILLING_MODES, true ) ) {
return $this->invalid( __( 'Invalid billing mode.', 'unsupervised-schedular' ) );
}
$offering = new Offering(
instructorId: get_current_user_id(),
kind: $kind,
title: $title,
price: $this->price( $request->get_param( 'price' ) ),
currency: sanitize_text_field( (string) ( $request->get_param( 'currency' ) ?? 'CAD' ) ),
billingMode: $billingMode,
description: $this->nullableText( $request->get_param( 'description' ) ),
durationMinutes: $this->nullableInt( $request->get_param( 'duration_minutes' ) ),
allowWeekly: (bool) $request->get_param( 'allow_weekly' ),
capacity: $this->nullableInt( $request->get_param( 'capacity' ) ),
termStart: $this->nullableText( $request->get_param( 'term_start' ) ),
termEnd: $this->nullableText( $request->get_param( 'term_end' ) ),
scheduleNote: $this->nullableText( $request->get_param( 'schedule_note' ) ),
etransferEmail: $this->nullableEmail( $request->get_param( 'etransfer_email' ) ),
isActive: null === $request->get_param( 'is_active' ) ? true : (bool) $request->get_param( 'is_active' ),
);
$id = $this->repository->insert( $offering );
return new \WP_REST_Response( [ 'id' => $id ], 201 );
}
public function update( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$existing = $this->repository->findById( $id );
if ( null === $existing ) {
return new \WP_Error( 'not_found', __( 'Offering not found.', 'unsupervised-schedular' ), [ 'status' => 404 ] );
}
if ( ! $this->ownsOrManagesAll( $existing ) ) {
return new \WP_Error( 'forbidden', __( 'You cannot edit this offering.', 'unsupervised-schedular' ), [ 'status' => 403 ] );
}
$kind = $request->has_param( 'kind' ) ? (string) $request->get_param( 'kind' ) : $existing->kind;
if ( ! in_array( $kind, Offering::VALID_KINDS, true ) ) {
return $this->invalid( __( 'Invalid offering kind.', 'unsupervised-schedular' ) );
}
$billingMode = $request->has_param( 'billing_mode' ) ? (string) $request->get_param( 'billing_mode' ) : $existing->billingMode;
if ( ! in_array( $billingMode, Offering::VALID_BILLING_MODES, true ) ) {
return $this->invalid( __( 'Invalid billing mode.', 'unsupervised-schedular' ) );
}
$offering = new Offering(
instructorId: $existing->instructorId,
kind: $kind,
title: $request->has_param( 'title' ) ? sanitize_text_field( (string) $request->get_param( 'title' ) ) : $existing->title,
price: $request->has_param( 'price' ) ? $this->price( $request->get_param( 'price' ) ) : $existing->price,
currency: $request->has_param( 'currency' ) ? sanitize_text_field( (string) $request->get_param( 'currency' ) ) : $existing->currency,
billingMode: $billingMode,
description: $request->has_param( 'description' ) ? $this->nullableText( $request->get_param( 'description' ) ) : $existing->description,
durationMinutes: $request->has_param( 'duration_minutes' ) ? $this->nullableInt( $request->get_param( 'duration_minutes' ) ) : $existing->durationMinutes,
allowWeekly: $request->has_param( 'allow_weekly' ) ? (bool) $request->get_param( 'allow_weekly' ) : $existing->allowWeekly,
capacity: $request->has_param( 'capacity' ) ? $this->nullableInt( $request->get_param( 'capacity' ) ) : $existing->capacity,
termStart: $request->has_param( 'term_start' ) ? $this->nullableText( $request->get_param( 'term_start' ) ) : $existing->termStart,
termEnd: $request->has_param( 'term_end' ) ? $this->nullableText( $request->get_param( 'term_end' ) ) : $existing->termEnd,
scheduleNote: $request->has_param( 'schedule_note' ) ? $this->nullableText( $request->get_param( 'schedule_note' ) ) : $existing->scheduleNote,
etransferEmail: $request->has_param( 'etransfer_email' ) ? $this->nullableEmail( $request->get_param( 'etransfer_email' ) ) : $existing->etransferEmail,
isActive: $request->has_param( 'is_active' ) ? (bool) $request->get_param( 'is_active' ) : $existing->isActive,
id: $id,
);
$this->repository->update( $id, $offering );
return new \WP_REST_Response( $offering->toArray(), 200 );
}
public function delete( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$id = absint( $request->get_param( 'id' ) );
$existing = $this->repository->findById( $id );
if ( null === $existing ) {
return new \WP_Error( 'not_found', __( 'Offering not found.', 'unsupervised-schedular' ), [ 'status' => 404 ] );
}
if ( ! $this->ownsOrManagesAll( $existing ) ) {
return new \WP_Error( 'forbidden', __( 'You cannot delete this offering.', 'unsupervised-schedular' ), [ 'status' => 403 ] );
}
$this->repository->delete( $id );
return new \WP_REST_Response( null, 204 );
}
public function canManage(): bool {
return is_user_logged_in() && current_user_can( RoleManager::CAP_MANAGE_OFFERINGS );
}
/**
* Reading the offerings catalogue is only needed by the logged-in student
* booking flow, so it requires the same capability as booking — there is no
* anonymous consumer.
*/
public function canBook(): bool {
return is_user_logged_in() && current_user_can( RoleManager::CAP_BOOK_LESSON );
}
/**
* An offering may be changed by its owning instructor or by a studio admin
* (identified by the studio-only manage_instructors capability).
*/
private function ownsOrManagesAll( Offering $offering ): bool {
return get_current_user_id() === $offering->instructorId
|| current_user_can( RoleManager::CAP_MANAGE_INSTRUCTORS );
}
private function invalid( string $message ): \WP_Error {
return new \WP_Error( 'invalid_offering', $message, [ 'status' => 400 ] );
}
private function price( mixed $value ): float {
return max( 0.0, (float) $value );
}
private function nullableEmail( mixed $value ): ?string {
$email = sanitize_email( (string) $value );
return '' !== $email ? $email : null;
}
private function nullableInt( mixed $value ): ?int {
return ( null === $value || '' === $value ) ? null : (int) $value;
}
private function nullableText( mixed $value ): ?string {
if ( null === $value || '' === $value ) {
return null;
}
return sanitize_text_field( (string) $value );
}
}
Reference in New Issue View Git Blame Copy Permalink