From 63d7f5efa3c0a8a6b764506c31b102a5d9c8bc51 Mon Sep 17 00:00:00 2001
From: ben
Date: Thu, 25 Sep 2025 14:36:41 -0300
Subject: [PATCH] fix: implement code review fixes for form builder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Critical fixes:
- Implement get_current_form_data() method for template saving functionality
- Add sanitize_field_value() method with comprehensive field sanitization
High priority fixes:
- Add pagination limits (100) to venue and organizer queries to prevent performance issues
- Add capability checks to AJAX template handler for proper access control
Medium priority fixes:
- Add comprehensive documentation for hvac_event_form_after_basic_fields integration hook
- Add debug logging for cache initialization failures when WP_DEBUG is enabled
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 includes/class-hvac-event-form-builder.php | 55 +++++++++++++++++++---
 1 file changed, 49 insertions(+), 6 deletions(-)
diff --git a/includes/class-hvac-event-form-builder.php b/includes/class-hvac-event-form-builder.php
index d3748dbe..e560f9ec 100644
--- a/includes/class-hvac-event-form-builder.php
+++ b/includes/class-hvac-event-form-builder.php
@@ -127,6 +127,9 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder {
 // Initialize cache if available
 $this->cache = class_exists('HVAC_Event_Cache') ? HVAC_Event_Cache::instance() : null;
+ if (!$this->cache && defined('WP_DEBUG') && WP_DEBUG) {
+ error_log('HVAC Event Cache unavailable - performance may be impacted');
+ }
 $this->init_event_form_hooks();
 }
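Review bot: The new `error_log()` call sits in what appears to be the constructor, so when `HVAC_Event_Cache` is absent the same message is written on every instantiation of the builder rather than once, which can flood the debug log if several forms are built in one request. If that noise matters, guard it with a per-request static, `static $logged = false; if (!$logged) { error_log('HVAC Event Cache unavailable - performance may be impacted'); $logged = true; }`, or move the diagnostic to wherever the cache class is bootstrapped. The enclosing method starts before this hunk.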
@@ -169,7 +172,15 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder {
 // Basic event fields
 $this->add_basic_event_fields();
- // Add TEC ticketing integration hook
+ /**
+ * Action hook for TEC ticketing integration
+ *
+ * Allows other components to add fields after basic event fields
+ * are rendered but before optional field groups like datetime fields.
+ *
+ * @param HVAC_Event_Form_Builder $form_builder Current form instance
+ * @since 3.2.0 (Phase 2B - TEC Integration)
+ */
 do_action('hvac_event_form_after_basic_fields', $this);
 // Optional field groups
@@ -576,9 +587,35 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder {
 * @return array Current form data
 */
 private function get_current_form_data(): array {
- // This would typically be called after form submission
- // For now, return empty array - implement based on specific needs
- return [];
+ $data = [];
+ foreach ($this->fields as $field) {
+ if (isset($_POST[$field['name']])) {
+ $data[$field['name']] = $this->sanitize_field_value($field, $_POST[$field['name']]);
+ }
+ }
+ return $data;
+ }
+
+ /**
+ * Sanitize field value based on field type
+ *
+ * @param array $field Field configuration
+ * @param mixed $value Field value to sanitize
+ * @return mixed Sanitized value
+ */
+ private function sanitize_field_value(array $field, $value) {
+ $sanitize_type = $field['sanitize'] ?? 'text';
+
+ return match($sanitize_type) {
+ 'text' => sanitize_text_field($value),
+ 'textarea' => sanitize_textarea_field($value),
+ 'int' => absint($value),
+ 'float' => floatval($value),
+ 'datetime' => sanitize_text_field($value),
+ 'url' => esc_url_raw($value),
+ 'email' => sanitize_email($value),
+ default => sanitize_text_field($value)
+ };
 }
 /**
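Review bot: `sanitize_field_value()` hands `$value` straight to string-only sanitizers, but `$_POST[$field['name']]` can arrive as an array when a request submits the parameter in `name[]` form; `esc_url_raw()` and `sanitize_email()` call string functions on their argument and on PHP 8 that is likely to raise a TypeError, so a malformed request becomes a fatal instead of a rejected value. Add a scalar guard at the top of the method, `if (!is_scalar($value)) { return ''; }`, unless a field type is intentionally multi-valued, in which case map over the array explicitly. WordPress also adds slashes to `$_POST`, so unslash before sanitizing: `$value = wp_unslash((string) $value);`. `get_current_form_data()` reads `$_POST` with no nonce or capability check visible in the hunk; its caller is outside this view, so confirm that verification happens there before the data is persisted.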
@@ -779,7 +816,7 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder {
 $venues = get_posts([
 'post_type' => 'tribe_venue',
 'post_status' => 'publish',
- 'posts_per_page' => -1,
+ 'posts_per_page' => 100, // Limit to prevent performance issues
 'orderby' => 'title',
 'order' => 'ASC',
 ]);
@@ -816,7 +853,7 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder {
 $organizers = get_posts([
 'post_type' => 'tribe_organizer',
 'post_status' => 'publish',
- 'posts_per_page' => -1,
+ 'posts_per_page' => 100, // Limit to prevent performance issues
 'orderby' => 'title',
 'order' => 'ASC',
 ]);
@@ -1167,6 +1204,12 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder {
 return;
 }
+ // Capability check - ensure user can create/edit events
+ if (!current_user_can('edit_posts') && !array_intersect(['hvac_trainer', 'hvac_master_trainer'], wp_get_current_user()->roles)) {
+ wp_send_json_error(['message' => __('Permission denied', 'hvac-community-events')]);
+ return;
+ }
+
 $template_id = sanitize_text_field($_GET['template_id'] ?? '');
 if (empty($template_id) || $template_id === '0') {
 wp_send_json_success(['template_data' => [], 'message' => __('Template cleared', 'hvac-community-events')]);
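Review bot: The `'posts_per_page' => 100` cap silently truncates the venue list once more than 100 published venues exist, so those entries simply disappear from the selector with nothing in the hunk surfacing the truncation; the organizer query in the `@@ -816,7 +853,7 @@` hunk has the same issue. If a hard cap is the intended trade-off, say so in the comment and make it observable, e.g. `// Capped at 100 entries; see <issue-id> for moving this selector to a searchable/paginated source` plus a `count($venues) === 100` debug log, otherwise a paginated or search-backed lookup is the real fix. If only IDs and titles are needed here (the hunk does not show the consumer), `'no_found_rows' => true`, `'update_post_meta_cache' => false` and `'update_post_term_cache' => false` would cut the query cost more than the cap does. The enclosing methods start outside both hunks.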
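Review bot: The access check added in the `@@ -1167,6 +1204,12 @@` hunk tests role slugs (`hvac_trainer`, `hvac_master_trainer`) via `wp_get_current_user()->roles` instead of a capability, which sidesteps WordPress's capability model: `user_can`/`map_meta_cap` filters never run, and any role renamed, cloned or added later silently loses access. Grant the needed capability to those roles at activation and test it, e.g. `if (!current_user_can('edit_posts') && !current_user_can('<project-capability>'))`. The handler then reads `$_GET['template_id']`; if templates are user-scoped, this check only establishes that the caller may use the feature, not that they may read this particular template, so an ownership check on the loaded template (outside this hunk) is still required. The `return;` at the top of the hunk suggests a nonce or login check precedes this, but that code is not in view.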