fix: implement code review fixes for form builder
Critical fixes: - Implement get_current_form_data() method for template saving functionality - Add sanitize_field_value() method with comprehensive field sanitization High priority fixes: - Add pagination limits (100) to venue and organizer queries to prevent performance issues - Add capability checks to AJAX template handler for proper access control Medium priority fixes: - Add comprehensive documentation for hvac_event_form_after_basic_fields integration hook - Add debug logging for cache initialization failures when WP_DEBUG is enabled 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
							parent
							
								
									9cc5624d0d
								
							
						
					
					
						commit
						63d7f5efa3
					
				
					 1 changed files with 49 additions and 6 deletions
				
			
		|  | @ -127,6 +127,9 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder { | ||||||
| 
 | 
 | ||||||
|         // Initialize cache if available
 |         // Initialize cache if available
 | ||||||
|         $this->cache = class_exists('HVAC_Event_Cache') ? HVAC_Event_Cache::instance() : null; |         $this->cache = class_exists('HVAC_Event_Cache') ? HVAC_Event_Cache::instance() : null; | ||||||
|  |         if (!$this->cache && defined('WP_DEBUG') && WP_DEBUG) { | ||||||
|  |             error_log('HVAC Event Cache unavailable - performance may be impacted'); | ||||||
|  |         } | ||||||
| 
 | 
 | ||||||
|         $this->init_event_form_hooks(); |         $this->init_event_form_hooks(); | ||||||
|     } |     } | ||||||
|  | @ -169,7 +172,15 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder { | ||||||
|         // Basic event fields
 |         // Basic event fields
 | ||||||
|         $this->add_basic_event_fields(); |         $this->add_basic_event_fields(); | ||||||
| 
 | 
 | ||||||
|         // Add TEC ticketing integration hook
 |         /** | ||||||
|  |          * Action hook for TEC ticketing integration | ||||||
|  |          * | ||||||
|  |          * Allows other components to add fields after basic event fields | ||||||
|  |          * are rendered but before optional field groups like datetime fields. | ||||||
|  |          * | ||||||
|  |          * @param HVAC_Event_Form_Builder $form_builder Current form instance | ||||||
|  |          * @since 3.2.0 (Phase 2B - TEC Integration) | ||||||
|  |          */ | ||||||
|         do_action('hvac_event_form_after_basic_fields', $this); |         do_action('hvac_event_form_after_basic_fields', $this); | ||||||
| 
 | 
 | ||||||
|         // Optional field groups
 |         // Optional field groups
 | ||||||
|  | @ -576,9 +587,35 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder { | ||||||
|      * @return array Current form data |      * @return array Current form data | ||||||
|      */ |      */ | ||||||
|     private function get_current_form_data(): array { |     private function get_current_form_data(): array { | ||||||
|         // This would typically be called after form submission
 |         $data = []; | ||||||
|         // For now, return empty array - implement based on specific needs
 |         foreach ($this->fields as $field) { | ||||||
|         return []; |             if (isset($_POST[$field['name']])) { | ||||||
|  |                 $data[$field['name']] = $this->sanitize_field_value($field, $_POST[$field['name']]); | ||||||
|  |             } | ||||||
|  |         } | ||||||
|  |         return $data; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     /** | ||||||
|  |      * Sanitize field value based on field type | ||||||
|  |      * | ||||||
|  |      * @param array $field Field configuration | ||||||
|  |      * @param mixed $value Field value to sanitize | ||||||
|  |      * @return mixed Sanitized value | ||||||
|  |      */ | ||||||
|  |     private function sanitize_field_value(array $field, $value) { | ||||||
|  |         $sanitize_type = $field['sanitize'] ?? 'text'; | ||||||
|  | 
 | ||||||
|  |         return match($sanitize_type) { | ||||||
|  |             'text' => sanitize_text_field($value), | ||||||
|  |             'textarea' => sanitize_textarea_field($value), | ||||||
|  |             'int' => absint($value), | ||||||
|  |             'float' => floatval($value), | ||||||
|  |             'datetime' => sanitize_text_field($value), | ||||||
|  |             'url' => esc_url_raw($value), | ||||||
|  |             'email' => sanitize_email($value), | ||||||
|  |             default => sanitize_text_field($value) | ||||||
|  |         }; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     /** |     /** | ||||||
|  | @ -779,7 +816,7 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder { | ||||||
|         $venues = get_posts([ |         $venues = get_posts([ | ||||||
|             'post_type' => 'tribe_venue', |             'post_type' => 'tribe_venue', | ||||||
|             'post_status' => 'publish', |             'post_status' => 'publish', | ||||||
|             'posts_per_page' => -1, |             'posts_per_page' => 100, // Limit to prevent performance issues
 | ||||||
|             'orderby' => 'title', |             'orderby' => 'title', | ||||||
|             'order' => 'ASC', |             'order' => 'ASC', | ||||||
|         ]); |         ]); | ||||||
|  | @ -816,7 +853,7 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder { | ||||||
|         $organizers = get_posts([ |         $organizers = get_posts([ | ||||||
|             'post_type' => 'tribe_organizer', |             'post_type' => 'tribe_organizer', | ||||||
|             'post_status' => 'publish', |             'post_status' => 'publish', | ||||||
|             'posts_per_page' => -1, |             'posts_per_page' => 100, // Limit to prevent performance issues
 | ||||||
|             'orderby' => 'title', |             'orderby' => 'title', | ||||||
|             'order' => 'ASC', |             'order' => 'ASC', | ||||||
|         ]); |         ]); | ||||||
|  | @ -1167,6 +1204,12 @@ class HVAC_Event_Form_Builder extends HVAC_Form_Builder { | ||||||
|             return; |             return; | ||||||
|         } |         } | ||||||
| 
 | 
 | ||||||
|  |         // Capability check - ensure user can create/edit events
 | ||||||
|  |         if (!current_user_can('edit_posts') && !array_intersect(['hvac_trainer', 'hvac_master_trainer'], wp_get_current_user()->roles)) { | ||||||
|  |             wp_send_json_error(['message' => __('Permission denied', 'hvac-community-events')]); | ||||||
|  |             return; | ||||||
|  |         } | ||||||
|  | 
 | ||||||
|         $template_id = sanitize_text_field($_GET['template_id'] ?? ''); |         $template_id = sanitize_text_field($_GET['template_id'] ?? ''); | ||||||
|         if (empty($template_id) || $template_id === '0') { |         if (empty($template_id) || $template_id === '0') { | ||||||
|             wp_send_json_success(['template_data' => [], 'message' => __('Template cleared', 'hvac-community-events')]); |             wp_send_json_success(['template_data' => [], 'message' => __('Template cleared', 'hvac-community-events')]); | ||||||
|  |  | ||||||
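Review bot: sanitize_field_value() hands the raw request value straight to sanitize_text_field()/absint()/etc., but multi-value inputs (checkbox groups, `name[]` selects) arrive in `$_POST` as arrays, so such a field would be coerced to the string "Array" or raise a TypeError instead of being sanitized element-wise; a guard at the top of the method, `if (is_array($value)) { return array_map(fn($v) => $this->sanitize_field_value($field, $v), $value); }`, handles that case. In get_current_form_data() the value should also be unslashed first, `$this->sanitize_field_value($field, wp_unslash($_POST[$field['name']]))`, because WordPress adds slashes to request superglobals and the saved template values will otherwise keep literal backslashes. Whether a nonce is verified before get_current_form_data() reads `$_POST` is not visible here, so its callers should be confirmed. In the AJAX handler hunk, `array_intersect(['hvac_trainer', 'hvac_master_trainer'], wp_get_current_user()->roles)` hard-codes role slugs; mapping a capability onto those roles and testing it with current_user_can() keeps the access decision in one place, and the `return;` after wp_send_json_error() is unreachable since that helper terminates the request.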