WooNooW/.agent/reports/newsletter-module-audit-2026-02-01.md

Newsletter Module Audit Report

Date: 2026-02-01
Auditor: Antigravity AI
Scope: Full trace of Newsletter module including broadcast, subscribers, templates, events, and multi-channel support


1. Module Architecture Overview

```mermaid
flowchart TD
    subgraph Frontend
        NF[NewsletterForm.tsx]
    end

    subgraph API
        NC[NewsletterController.php]
        CC[CampaignsController - via CampaignManager]
    end

    subgraph Core
        CM[CampaignManager.php]
        NS[NewsletterSettings.php]
    end

    subgraph Notifications
        ER[EventRegistry.php]
        NM[NotificationManager.php]
        ER --> NM
    end

    subgraph AdminSPA[Admin SPA]
        SUB[Subscribers.tsx]
        CAMP[Campaigns.tsx]
    end

    NF -->|POST /subscribe| NC
    NC -->|triggers| ER
    CM -->|uses| NM
    SUB -->|GET /subscribers| NC
    CAMP -->|CRUD| CM
```

2. Components Traced

| Component | File | Status |
|---|---|---|
| Subscriber API | NewsletterController.php | Working |
| Subscriber UI | Subscribers.tsx | Working |
| Campaign Manager | CampaignManager.php | Built (CPT-based) |
| Campaign UI | Campaigns.tsx | Working |
| Settings Schema | NewsletterSettings.php | Complete |
| Frontend Form | NewsletterForm.tsx | ⚠️ Missing GDPR consent checkbox |
| Unsubscribe | Token-based URL | Secure |
| Email Events | EventRegistry.php | 3 events registered |

3. Defects Found

🔴 Critical

3.1 Double Opt-in NOT Implemented

Location: NewsletterController.php (Line 130-189)
Issue: NewsletterSettings.php defines a double_opt_in toggle (Line 46-51), but the subscribe function ignores it completely: every submitted address is marked active immediately, whatever the setting says.
Impact: Consent cannot be evidenced for GDPR purposes, and because no confirmation is required anyone can subscribe a third party's address (and trigger the welcome email to it).
Expected: When enabled, a new subscriber should be stored as pending and only become active after following a signed confirmation link sent to that address.
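The flow the report expects, written out as an added example (not WooNooW code). It assumes the settings are read from an option named `woonoow_newsletter_settings` and that two hypothetical storage helpers, `woonoow_get_subscriber()` and `woonoow_save_subscriber()`, wrap whatever store the plugin uses; the token construction mirrors the HMAC-SHA256-with-auth-salt scheme the report credits the unsubscribe link with.

```php
<?php
// Added example, not WooNooW code: a subscribe flow that honours the
// double_opt_in toggle. Assumptions: settings live in the option
// 'woonoow_newsletter_settings'; woonoow_get_subscriber( $email ) and
// woonoow_save_subscriber( $email, $fields ) are hypothetical storage helpers.

define( 'WOONOOW_CONFIRM_TTL', 48 * HOUR_IN_SECONDS );

/**
 * Signed confirmation token: base64( email \n expires \n HMAC-SHA256( email \n expires ) ).
 * The expiry is inside the signed payload, so a client cannot extend it.
 * "\n" is used as separator because it can never appear in a valid address.
 */
function woonoow_confirm_token( string $email, int $expires ): string {
    $payload = strtolower( $email ) . "\n" . $expires;
    return base64_encode( $payload . "\n" . hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) ) );
}

/** Returns the email the token was issued for, or null if it is forged or expired. */
function woonoow_verify_confirm_token( string $token ): ?string {
    $decoded = base64_decode( $token, true );
    $parts   = false === $decoded ? [] : explode( "\n", $decoded );
    if ( 3 !== count( $parts ) ) {
        return null;
    }
    list( $email, $expires, $sig ) = $parts;
    $expected = hash_hmac( 'sha256', $email . "\n" . $expires, wp_salt( 'auth' ) );
    // hash_equals() is constant-time; verify the signature before trusting any other field.
    if ( ! hash_equals( $expected, $sig ) || (int) $expires < time() || ! is_email( $email ) ) {
        return null;
    }
    return $email;
}

/** Handles POST /subscribe. Returns an array for the REST layer to serialise. */
function woonoow_subscribe( string $email ): array {
    $email = strtolower( sanitize_email( $email ) );
    if ( ! is_email( $email ) ) {
        return [ 'ok' => false, 'reason' => 'invalid_email' ];
    }
    $settings = get_option( 'woonoow_newsletter_settings', [] );
    $double   = ! empty( $settings['double_opt_in'] );

    $existing = woonoow_get_subscriber( $email );
    if ( $existing && 'active' === $existing['status'] ) {
        return [ 'ok' => true, 'status' => 'active' ]; // idempotent: do not re-mail an active address
    }

    // With double opt-in the row starts as 'pending' and only woonoow_confirm()
    // may flip it to 'active', so nobody can activate an address they do not control.
    woonoow_save_subscriber( $email, [
        'status'        => $double ? 'pending' : 'active',
        'subscribed_at' => current_time( 'mysql', true ),
    ] );

    if ( $double ) {
        $token = woonoow_confirm_token( $email, time() + WOONOOW_CONFIRM_TTL );
        $url   = add_query_arg( 'woonoow_confirm', rawurlencode( $token ), home_url( '/' ) );
        wp_mail(
            $email,
            __( 'Please confirm your newsletter subscription', 'woonoow' ),
            sprintf( __( "Confirm your subscription (link valid for 48 hours):\n%s", 'woonoow' ), $url )
        );
    }
    return [ 'ok' => true, 'status' => $double ? 'pending' : 'active' ];
}

/** Handles the confirmation link. Only a pending row is activated. */
function woonoow_confirm( string $token ): bool {
    $email = woonoow_verify_confirm_token( $token );
    $sub   = null === $email ? null : woonoow_get_subscriber( $email );
    if ( ! $sub || 'pending' !== $sub['status'] ) {
        return false; // forged/expired token, or already active/unsubscribed: never resurrect a row
    }
    woonoow_save_subscriber( $email, [
        'status'       => 'active',
        'confirmed_at' => current_time( 'mysql', true ),
    ] );
    return true;
}
```

Two details matter for the audit finding: the confirm handler refuses to activate anything that is not in `pending`, so a replayed link cannot re-activate an address that has since unsubscribed, and the expiry is part of the signed payload rather than a separate query parameter.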

3.2 Dead Code: send_welcome_email()

Location: NewsletterController.php (Lines 192-203)
Issue: This method is never called. Welcome emails are now sent via the notification system (woonoow/notification/event).
Impact: Code bloat, potential confusion
Recommendation: Delete this dead method


🟠 High Priority

3.3 No Multi-Channel Support (WhatsApp/Telegram/SMS)

Issue: Only email and push channels exist in NotificationManager.php
Impact: Users cannot broadcast newsletters via WhatsApp, Telegram, or SMS
Current State:

  • allowed_platforms in NotificationsController.php (Line 832) lists telegram, whatsapp for social links (not messaging)
  • No actual message delivery integration exists

Recommendation: Implement channel bridge pattern for:

  1. WhatsApp Business API (or Twilio WhatsApp)
  2. Telegram Bot API
  3. SMS Gateway (Twilio, Vonage, etc.)

3.4 Subscriber Storage Not Scalable

Location: NewsletterController.php (Line 141)
Issue: Subscribers stored in wp_options as serialized array
Impact: The whole list is unserialized on every read and rewritten on every change, so performance degrades with 1000+ subscribers (the options table is not designed for large arrays), and two concurrent subscribe requests can overwrite each other's write (read-modify-write on a single option row).
Note: NEWSLETTER_CAMPAIGN_PLAN.md mentions custom table but wp_woonoow_subscribers table is not created

Recommendation:

```sql
-- Create migration for custom table. In the migration build the name from
-- $wpdb->prefix and run it through dbDelta(); the literal wp_ prefix here is
-- illustrative only. The separate idx_email from the draft is dropped because
-- the UNIQUE constraint on email already creates an index.
CREATE TABLE wp_woonoow_subscribers (
  id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  email VARCHAR(255) NOT NULL UNIQUE,
  user_id BIGINT UNSIGNED NULL,
  status ENUM('pending', 'active', 'unsubscribed') NOT NULL DEFAULT 'pending',
  consent TINYINT(1) NOT NULL DEFAULT 0,
  subscribed_at DATETIME,
  unsubscribed_at DATETIME NULL,
  ip_address VARCHAR(45),
  INDEX idx_status (status)
);
```

🟡 Medium Priority

3.5 GDPR Consent Checkbox Not Rendered

Location: NewsletterForm.tsx
Issue: Settings schema has gdpr_consent and consent_text fields, but the frontend form doesn't render this checkbox
Impact: GDPR non-compliance (consent is never captured, so it cannot be evidenced later)

Recommendation: Add the consent checkbox, and have the subscribe endpoint reject requests without it while gdpr_consent is enabled (client-side `required` alone can be bypassed with a direct POST):

```tsx
{settings.gdpr_consent && (
  <label className="flex items-start gap-2">
    {/* `required` blocks submission until ticked; the named value is also
        posted so the server can record consent alongside the subscriber */}
    <input type="checkbox" name="consent" value="1" required />
    <span className="text-xs">{settings.consent_text}</span>
  </label>
)}
```

3.6 No Audience Segmentation

Issue: All campaigns go to ALL active subscribers
File: CampaignManager.php (Line 393-410)
Impact: Cannot target specific user groups (e.g., "Subscribed in last 30 days", "WP Users only")

Recommendation: Add filter options to get_subscribers():

  • By date range
  • By user_id (registered vs guest)
  • By custom tags (future feature)
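Combining 3.4 and 3.6, the query below is an added example (not WooNooW code) of a `get_subscribers()` that supports the date-range and registered/guest filters against the proposed `wp_woonoow_subscribers` table. The table name is built from `$wpdb->prefix`; every user-supplied value goes through `$wpdb->prepare()`, and the only SQL fragments chosen at runtime are literals picked by our own code, so no caller-controlled identifier is ever interpolated.

```php
<?php
// Added example, not WooNooW code: filtered subscriber lookup against the
// proposed custom table. Assumes the schema from section 3.4.

/**
 * @param array $filters Optional keys:
 *   'since'      Y-m-d, include rows subscribed on/after this UTC date
 *   'until'      Y-m-d, include rows subscribed before the end of this UTC date
 *   'registered' bool, true = has a user_id, false = guests only
 * @return array<int, array<string, mixed>> rows with id, email, user_id, subscribed_at
 */
function woonoow_get_subscribers( array $filters = [], int $limit = 500, int $offset = 0 ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'woonoow_subscribers';

    $where  = [ 'status = %s' ];
    $params = [ 'active' ]; // campaigns never go to pending or unsubscribed rows

    if ( ! empty( $filters['since'] ) ) {
        $ts = strtotime( $filters['since'] );
        if ( false === $ts ) {
            return []; // unparseable date: fail closed rather than send to everyone
        }
        $where[]  = 'subscribed_at >= %s';
        $params[] = gmdate( 'Y-m-d 00:00:00', $ts );
    }
    if ( ! empty( $filters['until'] ) ) {
        $ts = strtotime( $filters['until'] );
        if ( false === $ts ) {
            return [];
        }
        $where[]  = 'subscribed_at < %s';
        $params[] = gmdate( 'Y-m-d 00:00:00', $ts + DAY_IN_SECONDS );
    }
    if ( array_key_exists( 'registered', $filters ) ) {
        // No placeholder needed: both alternatives are literals chosen here, not caller input.
        $where[] = $filters['registered'] ? 'user_id IS NOT NULL' : 'user_id IS NULL';
    }

    // Bound the page size so a broadcast can be batched instead of loading every row at once.
    $params[] = max( 1, min( $limit, 1000 ) );
    $params[] = max( 0, $offset );

    $sql = $wpdb->prepare(
        "SELECT id, email, user_id, subscribed_at FROM {$table} WHERE "
            . implode( ' AND ', $where )
            . ' ORDER BY id ASC LIMIT %d OFFSET %d',
        $params
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    return is_array( $rows ) ? $rows : [];
}

// Usage: registered users who subscribed in the last 30 days, first batch of 500.
// $batch = woonoow_get_subscribers( [
//     'since'      => gmdate( 'Y-m-d', time() - 30 * DAY_IN_SECONDS ),
//     'registered' => true,
// ] );
```

Tags (the "future feature" above) would slot in as an additional join or a `tags` column, but the same rule applies: the tag value is a `%s` placeholder, never part of the query string.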

3.7 No Open/Click Tracking

Issue: No analytics for campaign performance
Impact: Cannot measure engagement or ROI

Recommendation (Phase 3):

  • Add tracking pixel for opens
  • Wrap links for click tracking
  • Store in wp_woonoow_campaign_events table

4. Gaps Between Plan and Implementation

| Feature | Plan Status | Implementation Status |
|---|---|---|
| Subscribers Table | "Create migration" | Not created |
| Double Opt-in | Schema defined | Not enforced |
| Campaign Scheduling | Cron registered | Working |
| GDPR Consent | Settings exist | UI not integrated |
| Multi-channel | Not planned | Not implemented |
| A/B Testing | Phase 3 | Not started |
| Analytics | Phase 3 | Not started |

5. Recommendations Summary

Immediate Actions (Bug Fixes)

  1. Delete or implement send_welcome_email() dead code
  2. Connect double_opt_in setting to subscribe flow
  3. Add GDPR checkbox to NewsletterForm.tsx

Short-term (1-2 weeks)

  1. Create wp_woonoow_subscribers table for scalability
  2. Add audience segmentation to campaign targeting

Medium-term (Future Phases)

  1. Implement WhatsApp/Telegram channel bridges
  2. Add open/click tracking for analytics

6. Security Audit

| Area | Status | Notes |
|---|---|---|
| Unsubscribe Token | Secure | HMAC-SHA256 with auth salt |
| Email Validation | Validated | is_email() + custom validation |
| CSRF Protection | Via REST nonce | API uses WP nonces. Note: WordPress only checks the REST nonce on cookie-authenticated requests, so the public subscribe route is reachable without one; rate limiting and double opt-in are the controls that matter there |
| IP Logging | Stored | Available for GDPR data export if needed; the IP is itself personal data, so a retention period should be defined |
| Rate Limiting | ⚠️ None | Could be abused for spam subscriptions and, while double opt-in is not enforced, to trigger welcome emails to arbitrary third-party addresses |

Recommendation: Add rate limiting to the /newsletter/subscribe endpoint (e.g., 5 requests per IP per hour), keyed on the client address as the server sees it (trust X-Forwarded-For only when the request comes from a known proxy), and answer over-limit requests with HTTP 429.
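One way to implement that recommendation, as an added example rather than WooNooW code: a transient-backed counter per client IP, applied from the route's permission_callback so the handler never runs for an over-limit client. The route namespace `woonoow/v1` and the handler name `woonoow_rest_subscribe()` are assumptions; the real route is only identified in this report as /newsletter/subscribe.

```php
<?php
// Added example, not WooNooW code: 5 subscribe requests per client IP per
// hour, enforced before the handler runs. Assumptions: hypothetical REST
// namespace 'woonoow/v1'; woonoow_rest_subscribe() is defined elsewhere.

define( 'WOONOOW_SUBSCRIBE_LIMIT', 5 );
define( 'WOONOOW_SUBSCRIBE_WINDOW', HOUR_IN_SECONDS );

/**
 * Client address. X-Forwarded-For is honoured only when REMOTE_ADDR is one of
 * our own proxies; otherwise any client could set the header and present a
 * fresh "IP" on every request, defeating the limit entirely.
 */
function woonoow_client_ip( array $trusted_proxies = [] ): string {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // Proxies append to the right; the left-most entry is the original client.
        $first = trim( explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] )[0] );
        if ( filter_var( $first, FILTER_VALIDATE_IP ) ) {
            return $first;
        }
    }
    return $remote;
}

/**
 * Records one hit for $ip and reports whether it was within the limit.
 * The key is an HMAC of the address so the raw IP is not written to wp_options.
 */
function woonoow_subscribe_allowed( string $ip ): bool {
    $key   = 'woonoow_sub_rl_' . substr( hash_hmac( 'sha256', $ip, wp_salt( 'nonce' ) ), 0, 32 );
    $count = (int) get_transient( $key );
    if ( $count >= WOONOOW_SUBSCRIBE_LIMIT ) {
        return false; // limit reached; leave the expiry alone so the block ends on schedule
    }
    // set_transient() refreshes the expiry, so the window closes one hour after
    // the last counted request. get/set is not atomic: a burst may overshoot by a
    // request or two, which is acceptable for anti-spam but not for hard quotas.
    set_transient( $key, $count + 1, WOONOOW_SUBSCRIBE_WINDOW );
    return true;
}

/** permission_callback: a WP_Error carrying status 429 is returned to the client as-is. */
function woonoow_subscribe_permission( WP_REST_Request $request ) {
    if ( ! woonoow_subscribe_allowed( woonoow_client_ip() ) ) {
        return new WP_Error(
            'woonoow_rate_limited',
            __( 'Too many subscription attempts. Please try again later.', 'woonoow' ),
            [ 'status' => 429 ]
        );
    }
    return true; // public endpoint: no login or nonce required
}

add_action( 'rest_api_init', static function () {
    register_rest_route( 'woonoow/v1', '/newsletter/subscribe', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'woonoow_rest_subscribe',
        'permission_callback' => 'woonoow_subscribe_permission',
        'args'                => [
            'email' => [
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => static function ( $value ) {
                    return (bool) is_email( $value );
                },
            ],
        ],
    ] );
} );
```

If the site runs behind a CDN or load balancer, pass its egress addresses to `woonoow_client_ip()`; with an empty list every request is attributed to the proxy and the whole site shares one bucket, which is safe but will block legitimate users quickly.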


7. Conclusion

The Newsletter module is functionally complete for basic use cases. The campaign system is well-architected using WordPress Custom Post Types, and the integration with the notification system is clean.

Critical gaps exist around GDPR compliance (double opt-in, consent checkbox) and scalability (options-based storage). Multi-channel support (WhatsApp/Telegram) is not implemented and would require significant new development.

Priority Order:

  1. GDPR fixes (double opt-in + consent checkbox)
  2. Custom subscribers table
  3. Audience segmentation
  4. Multi-channel bridges (optional, significant scope)