ben/upskill-event-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2
upskill-event-manager/includes/class-hvac-template-security.php
Ben c3e7fe9140 feat: comprehensive HVAC plugin development framework and modernization 
## Major Enhancements

### 🏗️ Architecture & Infrastructure
- Implement comprehensive Docker testing infrastructure with hermetic environment
- Add Forgejo Actions CI/CD pipeline for automated deployments
- Create Page Object Model (POM) testing architecture reducing test duplication by 90%
- Establish security-first development patterns with input validation and output escaping

### 🧪 Testing Framework Modernization
- Migrate 146+ tests from 80 duplicate files to centralized architecture
- Add comprehensive E2E test suites for all user roles and workflows
- Implement WordPress error detection with automatic site health monitoring
- Create robust browser lifecycle management with proper cleanup

### 📚 Documentation & Guides
- Add comprehensive development best practices guide
- Create detailed administrator setup documentation
- Establish user guides for trainers and master trainers
- Document security incident reports and migration guides

### 🔧 Core Plugin Features
- Enhance trainer profile management with certification system
- Improve find trainer functionality with advanced filtering
- Strengthen master trainer area with content management
- Add comprehensive venue and organizer management

### 🛡️ Security & Reliability
- Implement security-first patterns throughout codebase
- Add comprehensive input validation and output escaping
- Create secure credential management system
- Establish proper WordPress role-based access control

### 🎯 WordPress Integration
- Strengthen singleton pattern implementation across all classes
- Enhance template hierarchy with proper WordPress integration
- Improve page manager with hierarchical URL structure
- Add comprehensive shortcode and menu system

### 🔍 Developer Experience
- Add extensive debugging and troubleshooting tools
- Create comprehensive test data seeding scripts
- Implement proper error handling and logging
- Establish consistent code patterns and standards

### 📊 Performance & Optimization
- Optimize database queries and caching strategies
- Improve asset loading and script management
- Enhance template rendering performance
- Streamline user experience across all interfaces

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-29 11:26:10 -03:00

215 lines
No EOL
7.8 KiB
PHP
Raw Blame History

<?php
/**
* HVAC Template Security Handler
*
* Centralized security and access control for template system
*
* @package HVAC_Community_Events
* @since 2.0.0
*/
if (!defined('ABSPATH')) {
exit;
}
class HVAC_Template_Security {
/**
* Check if current user has access to a page
*
* @param array $page_config Page configuration
* @return bool
*/
public static function check_page_access($page_config) {
// Always allow access if no restrictions
if (empty($page_config['required_capability']) && empty($page_config['required_role'])) {
return true;
}
// Must be logged in for restricted pages
if (!is_user_logged_in()) {
return false;
}
$user = wp_get_current_user();
// Check capability if specified
if (!empty($page_config['required_capability'])) {
if (!current_user_can($page_config['required_capability'])) {
return false;
}
}
// Check role if specified
if (!empty($page_config['required_role'])) {
$required_roles = (array) $page_config['required_role'];
$user_roles = $user->roles;
// Check if user has any of the required roles
if (empty(array_intersect($required_roles, $user_roles))) {
return false;
}
}
return true;
}
/**
* Get access requirements for a page based on slug
*
* @param string $page_slug
* @return array
*/
public static function get_page_requirements($page_slug) {
// Define page access requirements
$requirements = [
// Trainer pages
'trainer/dashboard' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/profile' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/profile/edit' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/certificate-reports' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/generate-certificates' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/venue/list' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/venue/manage' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/organizer/list' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/organizer/manage' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/event/create' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/event/edit' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/event/manage' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/event/summary' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/email-attendees' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/communication-templates' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/communication-schedules' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/profile/training-leads' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/announcements' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/resources' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
'trainer/documentation' => ['required_role' => ['hvac_trainer', 'hvac_master_trainer']],
// Master trainer pages
'master-trainer/master-dashboard' => ['required_role' => ['hvac_master_trainer']],
'master-trainer/announcements' => ['required_role' => ['hvac_master_trainer']],
'master-trainer/manage-announcements' => ['required_role' => ['hvac_master_trainer']],
// Public pages (no requirements)
'community-login' => [],
'trainer/registration' => [],
'registration-pending' => [],
'find-a-trainer' => [],
// Status pages (logged in users only)
'trainer/account-pending' => ['logged_in' => true],
'trainer/account-disabled' => ['logged_in' => true]
];
return $requirements[$page_slug] ?? [];
}
/**
* Handle access denied scenarios
*
* @param string $page_slug
* @param array $page_config
*/
public static function handle_access_denied($page_slug, $page_config) {
if (!is_user_logged_in()) {
// Redirect to login
wp_safe_redirect(home_url('/community-login/?redirect_to=' . urlencode($_SERVER['REQUEST_URI'])));
exit;
}
// Check user status for trainer pages
if (strpos($page_slug, 'trainer/') === 0) {
$user_status = get_user_meta(get_current_user_id(), 'hvac_account_status', true);
switch ($user_status) {
case 'pending':
wp_safe_redirect(home_url('/trainer/account-pending/'));
exit;
case 'disabled':
wp_safe_redirect(home_url('/trainer/account-disabled/'));
exit;
default:
// Generic access denied
wp_die(__('You do not have permission to access this page.', 'hvac-community-events'));
break;
}
}
// Generic access denied
wp_die(__('Access denied.', 'hvac-community-events'));
}
/**
* Validate nonce for form submissions
*
* @param string $action
* @param string $nonce_field
* @return bool
*/
public static function validate_nonce($action, $nonce_field = '_wpnonce') {
return wp_verify_nonce($_POST[$nonce_field] ?? $_GET[$nonce_field] ?? '', $action);
}
/**
* Check if current user can edit a specific trainer profile
*
* @param int $trainer_id
* @return bool
*/
public static function can_edit_trainer_profile($trainer_id) {
$current_user_id = get_current_user_id();
// Own profile
if ($current_user_id == $trainer_id) {
return true;
}
// Master trainers can edit other profiles
$user = wp_get_current_user();
if (in_array('hvac_master_trainer', $user->roles)) {
return true;
}
// Administrators can edit all profiles
if (current_user_can('manage_options')) {
return true;
}
return false;
}
/**
* Sanitize and validate user input
*
* @param mixed $input
* @param string $type
* @return mixed
*/
public static function sanitize_input($input, $type = 'text') {
switch ($type) {
case 'email':
return sanitize_email($input);
case 'url':
return esc_url_raw($input);
case 'int':
return intval($input);
case 'float':
return floatval($input);
case 'textarea':
return sanitize_textarea_field($input);
case 'html':
return wp_kses_post($input);
case 'text':
default:
return sanitize_text_field($input);
}
}
}
Reference in a new issue View git blame Copy permalink