fix: resolve all Week 2 performance & security issues (F1.10–F1.19)
Security:
- Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix)
- Add PayPal webhook signature verification
- Add current_user_can('manage_options') to all 18 admin-ajax handlers
Performance:
- Remove flush_rewrite_rules() from init hooks (Thankyou + Payment)
- Add activation/deactivation hooks for flush_rewrite_rules
- Cache currency, country, flags JSON reads in static variables
- Add server-side pagination to Customer::formipay_tabledata_customers()
- Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY
Cleanup:
- Delete Paypal.phpbak backup file
- Fix timezone hardcode Asia/Jakarta → wp_timezone_string()
- Create uninstall.php for proper cleanup on uninstall
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
dwindown
@@ -453,6 +453,10 @@ class Coupon {
|
||||
|
||||
check_ajax_referer( 'formipay-frontend-nonce', 'security' );
|
||||
|
||||
if ( ! current_user_can( 'manage_options' ) ) {
|
||||
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
|
||||
}
|
||||
|
||||
$code = isset($_REQUEST['code']) ? sanitize_text_field( wp_unslash($_REQUEST['code']) ) : '';
|
||||
$form_id = isset($_REQUEST['form']) ? intval( $_REQUEST['form'] ) : 0;
|
||||
|
||||
@@ -566,6 +570,10 @@ class Coupon {
|
||||
|
||||
check_ajax_referer( 'formipay-admin-coupon-page', '_wpnonce' );
|
||||
|
||||
if ( ! current_user_can( 'manage_options' ) ) {
|
||||
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
|
||||
}
|
||||
|
||||
$args = [
|
||||
'post_type' => 'formipay-coupon',
|
||||
'posts_per_page' => -1,
|
||||
@@ -670,6 +678,10 @@ class Coupon {
|
||||
|
||||
check_ajax_referer( 'formipay-admin-coupon-page', '_wpnonce' );
|
||||
|
||||
if ( ! current_user_can( 'manage_options' ) ) {
|
||||
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
|
||||
}
|
||||
|
||||
if (!isset($_POST['search']) || empty($_POST['search'])) {
|
||||
wp_send_json_error( __('No search term provided.', 'formipay') );
|
||||
}
|
||||
@@ -700,6 +712,10 @@ class Coupon {
|
||||
|
||||
check_ajax_referer( 'formipay-admin-coupon-page', '_wpnonce' );
|
||||
|
||||
if ( ! current_user_can( 'manage_options' ) ) {
|
||||
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
|
||||
}
|
||||
|
||||
$code = isset($_REQUEST['title']) ? sanitize_text_field( wp_unslash($_REQUEST['title']) ) : '';
|
||||
|
||||
if( !empty($code) && '' !== $code ){
|
||||
@@ -731,6 +747,10 @@ class Coupon {
|
||||
|
||||
check_ajax_referer( 'formipay-admin-coupon-page', '_wpnonce' );
|
||||
|
||||
if ( ! current_user_can( 'manage_options' ) ) {
|
||||
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
|
||||
}
|
||||
|
||||
$post_id = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : 0;
|
||||
|
||||
$delete = wp_delete_post($post_id, true);
|
||||
@@ -755,6 +775,10 @@ class Coupon {
|
||||
|
||||
check_ajax_referer( 'formipay-admin-coupon-page', '_wpnonce' );
|
||||
|
||||
if ( ! current_user_can( 'manage_options' ) ) {
|
||||
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
|
||||
}
|
||||
|
||||
if( empty($_REQUEST['ids']) ){
|
||||
wp_send_json_error( [
|
||||
'title' => esc_html__( 'Failed', 'formipay' ),
|
||||
@@ -798,6 +822,10 @@ class Coupon {
|
||||
|
||||
check_ajax_referer( 'formipay-admin-coupon-page', '_wpnonce' );
|
||||
|
||||
if ( ! current_user_can( 'manage_options' ) ) {
|
||||
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
|
||||
}
|
||||
|
||||
$post_id = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : 0;
|
||||
$post = get_post($post_id);
|
||||
if (!$post) {
|
||||
|
||||
Reference in New Issue
Block a user