dwindown/formipay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve all Week 2 performance & security issues (F1.10–F1.19)

Browse Source 
Security:
- Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix)
- Add PayPal webhook signature verification
- Add current_user_can('manage_options') to all 18 admin-ajax handlers

Performance:
- Remove flush_rewrite_rules() from init hooks (Thankyou + Payment)
- Add activation/deactivation hooks for flush_rewrite_rules
- Cache currency, country, flags JSON reads in static variables
- Add server-side pagination to Customer::formipay_tabledata_customers()
- Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY

Cleanup:
- Delete Paypal.phpbak backup file
- Fix timezone hardcode Asia/Jakarta → wp_timezone_string()
- Create uninstall.php for proper cleanup on uninstall

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
dwindown
2026-04-17 19:52:01 +07:00
parent be9a1a0a86
commit 66e7b37f92
15 changed files with 341 additions and 868 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
includes/License.php
View File

@@ -123,6 +123,10 @@ class License {
public function tabledata() {
check_ajax_referer('formipay-admin-licenses', '_wpnonce');
if ( ! current_user_can( 'manage_options' ) ) {
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
}
global $wpdb;
$table = $wpdb->prefix . 'formipay_licenses';
@@ -200,6 +204,10 @@ class License {
public function delete() {
check_ajax_referer('formipay-admin-licenses', '_wpnonce');
if ( ! current_user_can( 'manage_options' ) ) {
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
}
if (empty($_REQUEST['id'])) {
wp_send_json_error([
'title' => esc_html__('Failed', 'formipay'),
@@ -232,6 +240,10 @@ class License {
public function bulk_delete() {
check_ajax_referer('formipay-admin-licenses', '_wpnonce');
if ( ! current_user_can( 'manage_options' ) ) {
wp_send_json_error( [ 'message' => 'Unauthorized' ] );
}
$ids = isset($_REQUEST['ids']) ? (array) $_REQUEST['ids'] : [];
if (empty($ids)) {
wp_send_json_error([