Commit graph

3 commits

Author SHA1 Message Date
ben
9f4667fbb4 fix(security): Multi-model code review - 12 security and architecture fixes
Comprehensive code review using GPT-5, Gemini 3, Kimi K2.5, and Zen MCP tools
across 11 critical files (~9,000 lines). Identified and fixed issues by
consensus prioritization.

CRITICAL fixes:
- Strip passwords from transients in registration error handling
- Rewrite O(3600) token verification loop to O(1) with embedded timestamp

HIGH fixes:
- Replace remove_all_actions() with targeted hook removal (breaks WP isolation)
- Prefer wp-config.php constant for encryption key storage
- Add revocation check before generating certificate download URLs
- Fix security headers condition to apply to AJAX requests
- Add zoho-config.php to .gitignore

MEDIUM fixes:
- IP spoofing: only trust proxy headers when behind configured trusted proxies
- Remove unsafe-eval from CSP (keep unsafe-inline for compatibility)
- Remove duplicate Master Trainer component initialization
- Remove file-scope side-effect initialization in profile manager
- Use WordPress current_time() for consistent timezone in cert numbers

Validated as non-issues:
- Path traversal (token-based system prevents)
- SQL injection (proper $wpdb->prepare throughout)
- OAuth CSRF (correctly implemented with hash_equals)

All 7 modified PHP files pass syntax validation (php -l).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 20:06:43 -04:00
ben
1032fbfe85 feat: complete PHP 8+ modernization with backward compatibility
Some checks failed:
- Security Monitoring & Compliance / Static Code Security Analysis (push): Has been cancelled
- Security Monitoring & Compliance / Security Compliance Validation (push): Has been cancelled
- HVAC Plugin CI/CD Pipeline / Security Analysis (push): Has been cancelled
- HVAC Plugin CI/CD Pipeline / Code Quality & Standards (push): Has been cancelled
- HVAC Plugin CI/CD Pipeline / Unit Tests (push): Has been cancelled
- HVAC Plugin CI/CD Pipeline / Integration Tests (push): Has been cancelled
- Security Monitoring & Compliance / Dependency Vulnerability Scan (push): Has been cancelled
- Security Monitoring & Compliance / Secrets & Credential Scan (push): Has been cancelled
- Security Monitoring & Compliance / WordPress Security Analysis (push): Has been cancelled
- Security Monitoring & Compliance / Security Summary Report (push): Has been cancelled
- HVAC Plugin CI/CD Pipeline / Deploy to Staging (push): Has been cancelled
- HVAC Plugin CI/CD Pipeline / Deploy to Production (push): Has been cancelled
- HVAC Plugin CI/CD Pipeline / Notification (push): Has been cancelled
- Security Monitoring & Compliance / Security Team Notification (push): Has been cancelled
Major modernization of HVAC plugin for PHP 8+ with full backward compatibility:

CORE MODERNIZATION:
- Implement strict type declarations throughout codebase
- Modernize main plugin class with PHP 8+ features
- Convert array syntax to modern PHP format
- Add constructor property promotion where applicable
- Enhance security helpers with modern PHP patterns

COMPATIBILITY FIXES:
- Fix PHP 8.1+ enum compatibility (convert to class constants)
- Fix union type compatibility (true|WP_Error → bool|WP_Error)
- Remove mixed type declarations for PHP 8.0 compatibility
- Add default arms to match expressions preventing UnhandledMatchError
- Fix method naming inconsistency (ensureRegistrationAccess callback)
- Add null coalescing in TEC integration for strict type compliance

DEPLOYMENT STATUS:
- Successfully deployed and tested on staging
- Site functional at https://upskill-staging.measurequick.com
- Expert code review completed with GPT-5 validation
- MCP Playwright testing confirms functionality

Ready for production deployment when requested.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-31 17:44:39 -03:00
bengizmo
2cb37d0285 fix: Ensure trainer registration page is publicly accessible
- Added explicit checks to prevent authentication redirects on registration page
- Added ensure_registration_page_public() method with priority 1 to run before other auth checks
- Included registration-pending and training-login pages in public pages list
- Added fallback function in main plugin file to remove auth hooks on registration page

This ensures that users can access /trainer/registration/ without being logged in, as intended for new trainer signups.
2025-07-28 10:30:54 -03:00