Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63e2fbcc5baf4d1dcd31d3a80875ba1f5c778535
unsupervised-scheduler/src/Policy/PolicyEndpoint.php
T
thatguygriff f3f5c7801f
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
Details
CI / Coding Standards (pull_request) Successful in 1m11s
Details
CI / PHPStan (pull_request) Successful in 1m20s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Security fixes: CSV injection, policy body output, invite hashing, slot datetimes 
Four fixes from a security review pass:

- Neutralise CSV formula injection in the payments export: fields with a
  leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are
  apostrophe-prefixed in PaymentReport::csvLine() so they open as text in
  Excel/Google Sheets. Fixes #39.
- Sanitise policy bodies with wp_kses_post at output in
  PolicyEndpoint::index() (the booking JS renders that HTML raw), so a
  future write path that forgets kses can never become stored XSS.
  Fixes #40.
- Store invite tokens hashed (SHA-256) at rest: a database leak can no
  longer redeem pending invites. The registration link is shown once, at
  creation; the pending list shows email/invited date; lookups hash the
  submitted token. Existing plaintext pending invites must be re-issued.
  Fixes #41.
- Validate availability slot datetimes on both creation paths (REST and
  admin form) via AvailabilitySlot::normalizeDateTime(): canonical and
  datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start
  are rejected (REST 400) instead of reaching the DATETIME column or
  throwing inside the weekly-series date arithmetic. Fixes #42.

composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 16:36:26 -03:00

223 lines
6.7 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Policy;
use Unsupervised\Schedular\Auth\RoleManager;
class PolicyEndpoint {
public function __construct(
private PolicyRepository $policies,
private PolicyVersionRepository $versions,
private PolicyService $service,
) {}
public function registerRoutes( string $route_namespace ): void {
register_rest_route(
$route_namespace,
'/policies',
[
[
'methods' => \WP_REST_Server::READABLE,
'callback' => [ $this, 'index' ],
'permission_callback' => [ $this, 'canBook' ],
],
[
'methods' => \WP_REST_Server::CREATABLE,
'callback' => [ $this, 'create' ],
'permission_callback' => [ $this, 'canManage' ],
],
]
);
register_rest_route(
$route_namespace,
'/policies/(?P<id>\d+)/versions',
[
[
'methods' => \WP_REST_Server::CREATABLE,
'callback' => [ $this, 'addVersion' ],
'permission_callback' => [ $this, 'canManage' ],
],
]
);
register_rest_route(
$route_namespace,
'/policies/(?P<id>\d+)/versions/(?P<vid>\d+)',
[
[
'methods' => \WP_REST_Server::EDITABLE,
'callback' => [ $this, 'updateVersion' ],
'permission_callback' => [ $this, 'canManage' ],
],
]
);
register_rest_route(
$route_namespace,
'/policies/(?P<id>\d+)/versions/(?P<vid>\d+)/publish',
[
[
'methods' => \WP_REST_Server::CREATABLE,
'callback' => [ $this, 'publish' ],
'permission_callback' => [ $this, 'canManage' ],
],
]
);
}
/**
* Public: the current published version of every policy (the registration
* gate). Pass `?scope=signup|booking` to limit to that gate (includes
* `both`-scoped policies).
*/
public function index( \WP_REST_Request $request ): \WP_REST_Response {
$scope = (string) $request->get_param( 'scope' );
$policies = in_array( $scope, [ Policy::SCOPE_SIGNUP, Policy::SCOPE_BOOKING ], true )
? $this->policies->findForScope( $scope )
: $this->policies->findAll();
$out = [];
foreach ( $policies as $policy ) {
if ( null === $policy->currentVersionId ) {
continue;
}
$version = $this->versions->findById( $policy->currentVersionId );
if ( null === $version || ! $version->isPublished() ) {
continue;
}
$out[] = [
'id' => $policy->id,
'title' => $policy->title,
'slug' => $policy->slug,
'policy_version_id' => $version->id,
'version_number' => $version->versionNumber,
// Bodies are kses'd on every write path, but the booking JS renders
// this HTML raw — sanitise at output too so a missed write path can
// never become stored XSS.
'body' => wp_kses_post( (string) $version->body ),
];
}
return new \WP_REST_Response( $out, 200 );
}
public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$title = sanitize_text_field( (string) $request->get_param( 'title' ) );
if ( '' === $title ) {
return $this->invalid( __( 'A policy title is required.', 'unsupervised-schedular' ) );
}
$slugParam = sanitize_text_field( (string) $request->get_param( 'slug' ) );
$slug = sanitize_title( '' !== $slugParam ? $slugParam : $title );
if ( '' === $slug ) {
return $this->invalid( __( 'A valid policy slug is required.', 'unsupervised-schedular' ) );
}
if ( null !== $this->policies->findBySlug( $slug ) ) {
return new \WP_Error( 'duplicate_slug', __( 'A policy with that slug already exists.', 'unsupervised-schedular' ), [ 'status' => 409 ] );
}
$scope = (string) ( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
return $this->invalid( __( 'Invalid acceptance scope.', 'unsupervised-schedular' ) );
}
$id = $this->service->createPolicy( $title, $slug, $scope );
return new \WP_REST_Response( [ 'id' => $id ], 201 );
}
public function addVersion( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$policy = $this->policies->findById( absint( $request->get_param( 'id' ) ) );
if ( null === $policy ) {
return $this->notFound();
}
$body = wp_kses_post( (string) $request->get_param( 'body' ) );
$id = $this->service->addDraftVersion( (int) $policy->id, $body );
return new \WP_REST_Response( [ 'id' => $id ], 201 );
}
public function updateVersion( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$version = $this->loadVersionForPolicy( $request );
if ( $version instanceof \WP_Error ) {
return $version;
}
if ( PolicyVersion::STATUS_DRAFT !== $version->status ) {
return $this->invalid( __( 'Only draft versions can be edited.', 'unsupervised-schedular' ) );
}
$body = wp_kses_post( (string) $request->get_param( 'body' ) );
$this->versions->updateBody( (int) $version->id, $body );
return new \WP_REST_Response(
[
'id' => $version->id,
'body' => $body,
],
200
);
}
public function publish( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
$version = $this->loadVersionForPolicy( $request );
if ( $version instanceof \WP_Error ) {
return $version;
}
$this->service->publishVersion( (int) $request->get_param( 'id' ), (int) $version->id );
return new \WP_REST_Response(
[
'id' => $version->id,
'status' => PolicyVersion::STATUS_PUBLISHED,
],
200
);
}
public function canManage(): bool {
return is_user_logged_in() && current_user_can( RoleManager::CAP_MANAGE_POLICIES );
}
/**
* The published-policy listing is only read by the logged-in student
* booking/enrolment flow (the signup gate renders its policies server-side, not
* via this endpoint), so reading it requires the booking capability — there is
* no anonymous consumer.
*/
public function canBook(): bool {
return is_user_logged_in() && current_user_can( RoleManager::CAP_BOOK_LESSON );
}
/**
* Load the version named in the route and confirm it belongs to the policy.
*/
private function loadVersionForPolicy( \WP_REST_Request $request ): PolicyVersion|\WP_Error {
$policyId = absint( $request->get_param( 'id' ) );
$version = $this->versions->findById( absint( $request->get_param( 'vid' ) ) );
if ( null === $version || $version->policyId !== $policyId ) {
return $this->notFound();
}
return $version;
}
private function notFound(): \WP_Error {
return new \WP_Error( 'not_found', __( 'Policy or version not found.', 'unsupervised-schedular' ), [ 'status' => 404 ] );
}
private function invalid( string $message ): \WP_Error {
return new \WP_Error( 'invalid_policy', $message, [ 'status' => 400 ] );
}
}
Reference in New Issue View Git Blame Copy Permalink