Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5140e76347b4aa861ee6bfca2692ffd2ec4e3143
unsupervised-scheduler/tests/bootstrap.php
T
thatguygriff 5140e76347
CI / No Debug Code (pull_request) Successful in 11s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 1m42s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 2m17s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 2m17s
Details
CI / Coding Standards (pull_request) Successful in 2m26s
Details
CI / PHPStan (pull_request) Successful in 2m38s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Harden booking, offering exposure, payments, and invites 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 17:00:54 -03:00

100 lines
2.7 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
require_once dirname(__DIR__) . '/vendor/autoload.php';
// Minimal WordPress constants required by plugin code under test.
if (! defined('ABSPATH')) {
define('ABSPATH', sys_get_temp_dir() . '/wordpress/');
}
define('WPINC', 'wp-includes');
define('USC_VERSION', '1.0.0');
define('USC_PLUGIN_FILE', dirname(__DIR__) . '/unsupervised-schedular.php');
define('USC_PLUGIN_DIR', dirname(__DIR__) . '/');
define('USC_PLUGIN_URL', 'http://example.com/wp-content/plugins/unsupervised-schedular/');
// Minimal WP_REST_Request stub: a simple parameter bag.
if (! class_exists('WP_REST_Request')) {
class WP_REST_Request
{
/** @param array<string, mixed> $params */
public function __construct(private array $params = [])
{
}
public function get_param(string $key): mixed
{
return $this->params[$key] ?? null;
}
public function set_param(string $key, mixed $value): void
{
$this->params[$key] = $value;
}
public function get_body(): string
{
return (string) ($this->params['__body'] ?? '');
}
public function get_header(string $key): string
{
return (string) ($this->params[$key] ?? '');
}
}
}
// Minimal WP_REST_Response stub exposing the data and status.
if (! class_exists('WP_REST_Response')) {
class WP_REST_Response
{
public function __construct(public mixed $data = null, public int $status = 200)
{
}
public function get_data(): mixed
{
return $this->data;
}
public function get_status(): int
{
return $this->status;
}
}
}
// Minimal WP_Error stub for code under test that returns error objects.
if (! class_exists('WP_Error')) {
class WP_Error
{
/** @var array<string, list<string>> */
public array $errors = [];
/** @var array<string, mixed> */
public array $error_data = [];
public function __construct(string $code = '', string $message = '', mixed $data = '')
{
if ('' !== $code) {
$this->errors[$code][] = $message;
if ('' !== $data) {
$this->error_data[$code] = $data;
}
}
}
public function get_error_code(): string
{
return (string) (array_key_first($this->errors) ?? '');
}
public function get_error_message(): string
{
$code = $this->get_error_code();
return '' !== $code ? ($this->errors[$code][0] ?? '') : '';
}
}
}
Reference in New Issue View Git Blame Copy Permalink