Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
693246c1c10d6f3b61a67b48621c1eb07d2d2155
unsupervised-scheduler/templates/admin/invites.php
T
thatguygriff 061d09e034
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
Details
CI / Coding Standards (pull_request) Successful in 55s
Details
CI / PHPStan (pull_request) Successful in 1m7s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Harden booking, offering exposure, payments, and invites 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 17:08:22 -03:00

105 lines
5.2 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
if (! defined('ABSPATH')) {
exit;
}
/**
* @var list<\Unsupervised\Schedular\Auth\Invite> $pendingInvites
* @var int $registrationPageId
* @var string $registrationPageUrl
*/
?>
<div class="wrap">
<h1><?php esc_html_e('Invites', 'unsupervised-schedular'); ?></h1>
<p class="description"><?php esc_html_e('Invite a student by email, then send them the registration link below. They complete signup and accept any required policies through the [us_student_register] page.', 'unsupervised-schedular'); ?></p>
<h2><?php esc_html_e('Registration Page', 'unsupervised-schedular'); ?></h2>
<form method="post">
<?php wp_nonce_field('usc_invite_action'); ?>
<input type="hidden" name="usc_action" value="set_page">
<table class="form-table">
<tr>
<th><label for="registration_page_id"><?php esc_html_e('Page with the registration form', 'unsupervised-schedular'); ?></label></th>
<td>
<?php
wp_dropdown_pages(
[
'name' => 'registration_page_id',
'id' => 'registration_page_id',
'selected' => $registrationPageId,
'show_option_none' => esc_html__('— Select a page —', 'unsupervised-schedular'),
'option_none_value' => '0',
]
);
?>
<p class="description"><?php esc_html_e('Choose the page that contains the [us_student_register] shortcode. Invitation links point here.', 'unsupervised-schedular'); ?></p>
</td>
</tr>
</table>
<?php submit_button(esc_html__('Save Page', 'unsupervised-schedular'), 'secondary'); ?>
</form>
<?php if ($registrationPageUrl === '') : ?>
<div class="notice notice-warning inline"><p><?php esc_html_e('No registration page is set yet — invitation links will fall back to the site home page. Select a page above.', 'unsupervised-schedular'); ?></p></div>
<?php endif; ?>
<h2><?php esc_html_e('Invite a Student', 'unsupervised-schedular'); ?></h2>
<form method="post">
<?php wp_nonce_field('usc_invite_action'); ?>
<input type="hidden" name="usc_action" value="invite">
<table class="form-table">
<tr>
<th><label for="email"><?php esc_html_e('Email', 'unsupervised-schedular'); ?></label></th>
<td><input type="email" name="email" id="email" class="regular-text" required></td>
</tr>
</table>
<?php submit_button(esc_html__('Generate Invitation Link', 'unsupervised-schedular')); ?>
</form>
<h2><?php esc_html_e('Pending Invites', 'unsupervised-schedular'); ?></h2>
<?php if (empty($pendingInvites)) : ?>
<p><?php esc_html_e('No pending invites.', 'unsupervised-schedular'); ?></p>
<?php else : ?>
<table class="wp-list-table widefat fixed striped">
<thead>
<tr>
<th><?php esc_html_e('Email', 'unsupervised-schedular'); ?></th>
<th><?php esc_html_e('Registration link', 'unsupervised-schedular'); ?></th>
<th><?php esc_html_e('Actions', 'unsupervised-schedular'); ?></th>
</tr>
</thead>
<tbody>
<?php $linkBase = $registrationPageUrl !== '' ? $registrationPageUrl : home_url('/'); ?>
<?php $now = current_time('mysql'); ?>
<?php foreach ($pendingInvites as $invite) : ?>
<?php $link = esc_url(add_query_arg('us_invite', $invite->token, $linkBase)); ?>
<tr>
<td>
<?php echo esc_html($invite->email); ?>
<?php if ($invite->isExpired($now)) : ?>
<span class="us-invite-expired" style="color:#b32d2e;">— <?php esc_html_e('expired', 'unsupervised-schedular'); ?></span>
<?php endif; ?>
</td>
<td>
<input type="text" class="large-text code" readonly value="<?php echo esc_attr($link); ?>" onclick="this.select()">
</td>
<td>
<form method="post" style="display:inline;">
<?php wp_nonce_field('usc_invite_action'); ?>
<input type="hidden" name="usc_action" value="revoke">
<input type="hidden" name="invite_id" value="<?php echo esc_attr((string) $invite->id); ?>">
<button type="submit" class="button button-small button-link-delete">
<?php esc_html_e('Revoke', 'unsupervised-schedular'); ?>
</button>
</form>
</td>
</tr>
<?php endforeach; ?>
</tbody>
</table>
<?php endif; ?>
</div>
Reference in New Issue View Git Blame Copy Permalink