- Fix Client ID regex to allow lowercase letters
- Update HVAC_Zoho_CRM_Auth to use encrypted storage for all operations
- Update class-zoho-admin.php to use HVAC_Secure_Storage for credential retrieval
- Update OAuth callback to use secure storage for token storage
- Update Status.md with blocking production issue (400 Bad Request)
Note: Issue persists on production - needs further investigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. OAuth CSRF Protection:
- Added state parameter to OAuth authorization URL
- Generate and store state in transient (10 min expiry)
- Validate state on callback with timing-safe comparison
2. Debug Log Sanitization:
- Added sanitize_log_message() to mask credentials in logs
- Patterns mask client_id, client_secret, access_token, refresh_token
- Error handlers only expose file paths in WP_DEBUG mode
3. Move Inline JS to External File:
- Moved ~100 lines of inline JS to assets/js/zoho-admin.js
- Added redirectUri and oauthUrl to wp_localize_script
- Better CSP compliance and caching
4. Updated .gitignore to track includes/admin/ and includes/zoho/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace WooCommerce sync with Event Tickets (Tickets Commerce) support
- Add sync_attendees() for Contacts + Campaign Members
- Add sync_rsvps() for Leads + Campaign Members
- Fix user roles filter (hvac_trainer/hvac_master_trainer)
- Fix event query to include past events
- Update admin UI with new sync buttons
- Correct meta keys for Tickets Commerce (_tec_tickets_commerce_*)
- Correct meta keys for RSVPs (_tribe_rsvp_*)
Dry-run tested on staging:
- Events: 20 records
- Trainers: 53 records
- Attendees: 79 records
- RSVPs: 4 records
- Orders: 52 records
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix production debug exposure in Zoho admin interface (WP_DEBUG conditional)
- Implement secure credential storage with AES-256-CBC encryption
- Add file upload size limits (5MB profiles, 2MB logos) with enhanced validation
- Fix privilege escalation via PHP Reflection bypass with public method alternative
- Add comprehensive input validation and security headers
- Update plugin version to 1.0.7 with security hardening
Security improvements:
✅ Debug information exposure eliminated in production
✅ API credentials now encrypted in database storage
✅ File upload security enhanced with size/type validation
✅ AJAX endpoints secured with proper capability checks
✅ SQL injection protection verified via parameterized queries
✅ CSRF protection maintained with nonce verification
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
- Implement singleton pattern for HVAC_Enhanced_Settings to prevent duplicate initialization
- Fix jQuery selector error by checking for valid hash selectors before using $(href)
- Add default email templates with professional copy for trainer notifications
- Update plugin version to 1.0.1 for cache busting
- Remove duplicate Enhanced Settings initialization from HVAC_Community_Events
- Add force cache refresh suffix to admin scripts
This resolves the duplicate content issue on email templates page and fixes
JavaScript errors in the admin interface.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add trainer status system (pending, approved, active, inactive, disabled)
- Create access control system based on trainer status
- Refactor Master Dashboard with enhanced trainer table
- Add status column and filtering
- Implement search and pagination
- Add bulk status update functionality
- Create status pages for pending and disabled trainers
- Implement approval workflow with email notifications
- Add email template management to settings page
- Include comprehensive test suite (unit, integration, E2E)
This allows Master Trainers to manage trainer accounts, approve new registrations,
and control access based on account status. Trainers must be approved before
accessing dashboard features.
Co-Authored-By: Claude <noreply@anthropic.com>
- Removed all CSS debug error_log statements from hvac-community-events.php
- Removed Request URI and OAuth callback debug messages from class-zoho-admin.php
- Updated gitignore to properly track plugin files
This eliminates the debug noise in production error logs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
