
refactor: WordPress.Security.EscapeOutput.OutputNotEscaped, WordPress.Security.EscapeOutput.ExceptionNotEscaped escaping #2270

Status: Open. Wants to merge 55 commits into base: develop.

Conversation

mralaminahamed (Member) commented May 10, 2024

All Submissions:

  • My code follows the WordPress coding standards
  • My code satisfies feature requirements
  • My code is tested
  • My code passes the PHPCS tests
  • My code has proper inline documentation
  • I've included related pull request(s) (optional)
  • I've included developer documentation (optional)
  • I've added proper labels to this pull request

Changes proposed in this Pull Request:

This PR addresses security issues identified in the Dokan plugin for WordPress. It implements necessary fixes and improvements to enhance the plugin's security and protect against potential vulnerabilities.

Related Pull Request(s)

  • N/A

Closes

  • Closes #

How to test the changes in this Pull Request:

  1. Review the changes made to the codebase to address the security issues.
  2. Perform thorough testing, including manual testing and automated testing, to ensure the plugin's functionality is not affected by the security fixes.
  3. Perform security testing or engage with security experts to validate the effectiveness of the implemented security measures.

Changelog entry

improved: WordPress security issues
fix: The parameter "$drop_down_tags" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter.

This update addresses several security issues identified in the Dokan plugin for WordPress. It implements necessary fixes and improvements to enhance the plugin's security and protect against potential vulnerabilities. The changes include sanitizing user inputs, validating data, escaping outputs, and implementing proper access controls and authentication mechanisms.

Before Changes

The Dokan plugin had security vulnerabilities that could potentially lead to security breaches, such as cross-site scripting (XSS), SQL injection, or unauthorized access to sensitive data or functionality.

After Changes

After the changes, the Dokan plugin has enhanced security measures in place, with user inputs sanitized, data validated, outputs escaped, and proper access controls and authentication mechanisms implemented. This significantly reduces the risk of security vulnerabilities and ensures a more secure environment for plugin users.

Feature Video (optional)

N/A

PR Self Review Checklist:

  • Code is following code style guidelines
  • Code has appropriate naming conventions
  • Code follows the KISS principle
  • Code follows the DRY principle
  • Code is readable and self-explanatory
  • Code has no performance issues
  • Code has no grammar errors

FOR PR REVIEWER ONLY:

As a reviewer, your feedback should be focused on the idea, not the person. Seek to understand, be respectful, and focus on constructive dialog.

As a contributor, your responsibility is to learn from suggestions and iterate your pull request should it be needed based on feedback. Seek to collaborate and produce the best possible contribution to the greater whole.

  • Correct — Does the change do what it's supposed to? i.e., is the code 100% fulfilling the requirements?
  • Secure — Would a nefarious party find some way to exploit this change? i.e., is everything sanitized/escaped appropriately for any SQL or XSS injection possibilities?
  • Readable — Will your future self be able to understand this change months down the road?
  • Elegant — Does the change fit aesthetically within the overall style and architecture?

Summary by CodeRabbit

  • Bug Fixes

    • Improved sanitization and security for help tips, vendor search, and withdrawal settings.
    • Enhanced data handling and output escaping across various forms and widgets.
    • Corrected variable assignments and output handling in widgets for better functionality.
  • Security Enhancements

    • Added escaping for error messages and output in multiple components to ensure secure data handling.
    • Updated methods to use proper sanitization functions for user inputs.
  • Refactor

    • Simplified script generation process in the PageViews class.
    • Updated parameter names and function calls for consistency and clarity in widgets.

@mralaminahamed mralaminahamed added the Needs: Testing This requires further testing label May 10, 2024
@mralaminahamed mralaminahamed changed the title from "fix: phpcs security issues" to "refactor: WordPress.Security.EscapeOutput.OutputNotEscaped, WordPress.Security.EscapeOutput.ExceptionNotEscaped escaping" May 10, 2024
coderabbitai bot commented May 23, 2024

Walkthrough

The recent changes focus on enhancing security and data handling within the codebase. Key updates include sanitizing user inputs and outputs using functions like wp_kses, esc_html, sanitize_text_field, and ensuring proper escaping of variables. Additionally, some code refactoring and minor logic adjustments were made to improve readability and maintainability.

Changes

Files / Groups Change Summary
includes/Admin/Hooks.php Modified wc_help_tip to include wp_kses and esc_html__ for sanitization.
includes/Admin/SetupWizard.php Updated printf to include esc_html and reordered assignment operations in dokan_setup_withdraw_save.
includes/Admin/SetupWizardNoWC.php Replaced wc_clean with sanitize_text_field for various form fields.
includes/Admin/SetupWizardWCAdmin.php Escaped output in data attributes for checkboxes and input fields.
includes/Ajax.php Moved increment operators, added wp_kses_post to wpautop calls, and updated dokan_search_product_tags_for_vendor_products filter.
includes/Customizer/HeadingControl.php Used wp_kses to sanitize the description before echoing it.
includes/Customizer/RadioImageControl.php Added comment for escaping output in echo statement for $label['svg'].
includes/Order/Admin/Hooks.php Used wp_kses_post to sanitize output before applying filters in shop_order_custom_columns.
includes/PageViews.php Refactored load_scripts method to use dokan_get_template with updated parameters.
includes/REST/ProductController.php Added esc_html() to escape error messages for image uploads and invalid image IDs.
includes/ReverseWithdrawal/ReverseWithdrawal.php Added comments for escaping output in _doing_it_wrong function calls in __clone() and __wakeup().
includes/Traits/ChainableContainer.php Updated error messages in __clone() and __wakeup() methods with backtrace and forbidden action message.
includes/Widgets/BestSellingProducts.php Added WordPress.Security.EscapeOutput.OutputNotEscaped to echo statements for title rendering.
includes/Widgets/FilterByAttributes.php Corrected variable assignments and added output escaping for security in widget and form functions.
includes/Widgets/ProductCategoryMenu.php Updated parameter names in widget and update functions, and modified get_terms function call.
includes/Widgets/StoreCategoryMenu.php Updated parameter names in widget and update functions.

Poem

In the code, a tale unfolds,
Where safety and clarity take hold.
With wp_kses and esc_html in play,
Data's secure, come what may.
A rabbit hops through lines of code,
Ensuring all's in safe mode.
Cheers to changes, neat and bright,
Making code secure and right! 🐇✨



coderabbitai bot left a comment

Actionable comments posted: 15

Outside diff range and nitpick comments (7)
includes/Admin/Hooks.php (1)

Line range hint 168-168: Remove unused parameter $post from the method override_product_author_by_admin.

- public function override_product_author_by_admin( $product_id, $post ) {
+ public function override_product_author_by_admin( $product_id ) {
includes/Order/Admin/Hooks.php (1)

Line range hint 179-179: Avoid using reserved keywords as parameter names to ensure compatibility with future PHP versions.

- public function admin_shop_order_row_classes( $classes, $class, $post_id ) {
+ public function admin_shop_order_row_classes( $classes, $class_name, $post_id ) {
templates/settings/store-form.php (2)

65-65: Ensure alt text for images is descriptive and accurate.

Consider improving the alt text for the banner image to be more descriptive than just "banner". This can enhance accessibility and SEO.


105-105: Ensure alt text for images is descriptive and accurate.

The alt text for the gravatar image is misspelled as "gravtar". It should be corrected to "gravatar" to improve readability and professionalism.

includes/template-tags.php (1)

Line range hint 299-299: Address unused function parameters.

The parameter $title in the function dokan_store_category_menu is never used. Consider removing it if it's not planned for future use:

- function dokan_store_category_menu( $seller_id, $title = '' ) {
+ function dokan_store_category_menu( $seller_id ) {
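Review bot: `dokan_store_category_menu` lives in includes/template-tags.php, so dropping `$title` changes a public template-tag signature that themes may call with two arguments. Those callers keep working (PHP discards the extra argument), but the safer change is to keep the parameter and mark it deprecated in the docblock, or at least call the removal out in the changelog, rather than silently removing it.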
includes/Ajax.php (1)

Line range hint 877-877: Consider renaming the parameter to avoid using reserved keywords.

- public function create_attachment_object( $cropped, $parent_attachment_id ) {
+ public function create_attachment_object( $cropped, $parent_attachment_id, $attachment_details ) {
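Review bot: the `+` line adds a third parameter `$attachment_details` instead of renaming one, and the `$object` parameter the comment asks to rename does not appear in the quoted `-` signature `create_attachment_object( $cropped, $parent_attachment_id )`. Either the quoted line is stale or the method has already been changed; adding a parameter that no caller passes is a no-op at best. Verify the current signature before applying this suggestion.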

Using "object" as a parameter name can lead to confusion and potential issues in PHP, as it is a reserved keyword. Consider renaming it to something more descriptive like attachment_details.

includes/REST/ProductController.php (1)

Line range hint 1205-1205: Avoid using reserved keywords as parameter names.

The parameter name $object in the method prepare_links is a reserved keyword in some contexts. Consider renaming it to avoid potential issues in future PHP versions.

- protected function prepare_links($object, $request) {
+ protected function prepare_links($product, $request) {
Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits: files that changed from the base of the PR and between 0c90ac8 and f336658.
Files selected for processing (31)
  • includes/Admin/Hooks.php (1 hunks)
  • includes/Admin/SetupWizard.php (2 hunks)
  • includes/Admin/SetupWizardNoWC.php (2 hunks)
  • includes/Admin/SetupWizardWCAdmin.php (2 hunks)
  • includes/Ajax.php (5 hunks)
  • includes/Customizer/HeadingControl.php (1 hunks)
  • includes/Customizer/RadioImageControl.php (1 hunks)
  • includes/Order/Admin/Hooks.php (1 hunks)
  • includes/PageViews.php (2 hunks)
  • includes/REST/ProductController.php (3 hunks)
  • includes/ReverseWithdrawal/ReverseWithdrawal.php (2 hunks)
  • includes/Traits/ChainableContainer.php (2 hunks)
  • includes/Widgets/BestSellingProducts.php (2 hunks)
  • includes/Widgets/FilterByAttributes.php (4 hunks)
  • includes/Widgets/ProductCategoryMenu.php (3 hunks)
  • includes/Widgets/StoreCategoryMenu.php (4 hunks)
  • includes/Widgets/StoreContactForm.php (5 hunks)
  • includes/Widgets/StoreLocation.php (4 hunks)
  • includes/Widgets/StoreOpenClose.php (5 hunks)
  • includes/Widgets/TopratedProducts.php (3 hunks)
  • includes/template-tags.php (3 hunks)
  • phpcs.xml.dist (2 hunks)
  • templates/page-views.php (1 hunks)
  • templates/products/dokan-category-header-ui.php (2 hunks)
  • templates/products/dokan-category-ui.php (1 hunks)
  • templates/products/listing-status-filter.php (1 hunks)
  • templates/products/new-product.php (1 hunks)
  • templates/products/products-listing.php (2 hunks)
  • templates/settings/bank-payment-method-settings.php (8 hunks)
  • templates/settings/payment.php (2 hunks)
  • templates/settings/store-form.php (3 hunks)
Files skipped from review due to trivial changes (12)
  • includes/Admin/SetupWizardWCAdmin.php
  • includes/Customizer/RadioImageControl.php
  • includes/ReverseWithdrawal/ReverseWithdrawal.php
  • includes/Traits/ChainableContainer.php
  • includes/Widgets/StoreCategoryMenu.php
  • includes/Widgets/StoreLocation.php
  • templates/page-views.php
  • templates/products/dokan-category-ui.php
  • templates/products/new-product.php
  • templates/products/products-listing.php
  • templates/settings/bank-payment-method-settings.php
  • templates/settings/payment.php
Additional Context Used
GitHub Check Runs (1)
Run PHPCS inspection success (11)

includes/Admin/Hooks.php: [warning] 168-168:
The method parameter $post is never used


includes/Ajax.php: [warning] 268-268:
Stand-alone post-increment statement found. Use pre-increment instead: ++$loop.


includes/Ajax.php: [warning] 269-269:
Stand-alone post-increment statement found. Use pre-increment instead: ++$file_count.


includes/Ajax.php: [warning] 877-877:
It is recommended not to use reserved keyword "object" as function parameter name. Found: $object


includes/Order/Admin/Hooks.php: [warning] 179-179:
It is recommended not to use reserved keyword "class" as function parameter name. Found: $class


includes/REST/ProductController.php: [warning] 1205-1205:
It is recommended not to use reserved keyword "object" as function parameter name. Found: $object


includes/template-tags.php: [warning] 299-299:
The method parameter $title is never used

Additional comments not posted (8)
includes/Customizer/HeadingControl.php (1)

31-33: Sanitization of the description using wp_kses enhances security by preventing potential XSS vulnerabilities.

includes/PageViews.php (1)

22-28: Refactoring to use dokan_get_template for script loading simplifies the code and potentially enhances security by including a nonce.

Verification successful

Nonce validation for 'dokan_pageview' is correctly implemented using check_ajax_referer in includes/PageViews.php.

  • includes/PageViews.php: check_ajax_referer( 'dokan_pageview' );
Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Description: Verify the usage of the nonce in the 'dokan_pageview' context to ensure it's properly validated.

# Test: Search for nonce verification in AJAX handling. Expect: Proper nonce verification logic.
rg --type php 'check_ajax_referer.*dokan_pageview'

Length of output: 123

templates/products/listing-status-filter.php (1)

23-23: Using esc_html__ and number_format_i18n for the product count enhances security and supports internationalization.

templates/products/dokan-category-header-ui.php (1)

16-16: Setting a default category when none is selected and using Helper::get_ancestors_html for category display improves user experience and code clarity.

Also applies to: 30-32

includes/Admin/SetupWizardNoWC.php (2)

132-132: Properly escaped error message enhances security.


231-239: Sanitization of user inputs is correctly implemented.

includes/Order/Admin/Hooks.php (1)

161-161: Properly sanitized output enhances security.

includes/Admin/SetupWizard.php (1)

518-518: Ensure proper escaping of dynamic data in printf.

- printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), esc_html( dokan_withdraw_get_method_title( $key ) ) );
+ printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), esc_html( dokan_withdraw_get_method_title( esc_html( $key ) ) ) );
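Review bot: the `+` line escapes `$key` before handing it to `dokan_withdraw_get_method_title()`, which takes the method key as its argument, while the `-` line already wraps the returned title in `esc_html()`. HTML-escaping a value that is used as an identifier rather than rendered can alter it (`&` becomes `&amp;`) and make the lookup miss, and the result is double escaping. Escape once, at output, as the existing line does; this suggestion should be dropped.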

Likely invalid or redundant comment.

Review threads (resolved):
  • includes/Ajax.php (outdated)
  • includes/REST/ProductController.php
  • includes/REST/ProductController.php
  • includes/Admin/SetupWizard.php (outdated)
  • templates/settings/store-form.php (outdated)
  • includes/Widgets/StoreContactForm.php (outdated)
  • includes/Widgets/BestSellingProducts.php (outdated)
  • includes/Admin/Hooks.php
  • includes/Widgets/FilterByAttributes.php (outdated)
  • phpcs.xml.dist (outdated)
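The review above is about escaping at output with the function that matches the HTML context (esc_html, esc_attr, esc_url, wp_kses_post) and about not escaping twice. The following is an added example, not Dokan's code and not from this PR. It assumes it runs inside WordPress, where those escaping functions and esc_html__() are core; the function names, the `example-textdomain` text domain and the sample data are hypothetical.

```php
<?php
/**
 * Added example (not Dokan's code): escape once, at output, with the escaper
 * that matches the HTML context. Assumes WordPress core is loaded. Function
 * names, text domain and sample data are hypothetical.
 */

/**
 * Render one withdraw-method checkbox row.
 *
 * $key is untrusted in two roles: array lookup key and attribute value.
 * Look it up raw, then escape each value that reaches the markup exactly once.
 */
function example_render_method_row( string $key, array $titles, array $enabled ): string {
	// Escaping the key before the lookup would alter it ("a&b" -> "a&amp;b")
	// and make the lookup silently miss, so the raw key is used here.
	$title   = $titles[ $key ] ?? $key;
	$checked = in_array( $key, $enabled, true ) ? ' checked="checked"' : '';

	// Translatable template: esc_html__() escapes the template itself,
	// esc_html() escapes the interpolated title.
	/* translators: %s: withdraw method title */
	$label = sprintf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'example-textdomain' ), esc_html( $title ) );

	return sprintf(
		'<label><input type="checkbox" name="withdraw_methods[]" value="%1$s"%2$s /> %3$s</label>',
		esc_attr( $key ), // attribute context
		$checked,         // constant built above, never user input
		$label            // already-escaped text node
	);
}

/**
 * Render a description that may legitimately carry limited HTML, plus a link.
 */
function example_render_help_tip( string $description, string $docs_url ): string {
	return sprintf(
		'<p class="description">%1$s <a href="%2$s">%3$s</a></p>',
		wp_kses_post( $description ), // keeps post-safe tags, strips scripts and event handlers
		esc_url( $docs_url ),         // drops disallowed schemes such as javascript:
		esc_html__( 'Learn more', 'example-textdomain' )
	);
}

// Constructed sample data. The helpers return already-escaped markup, so the
// echo must not escape again; tell the sniff from this PR's title why.
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- escaped inside the helper
echo example_render_method_row( 'paypal', array( 'paypal' => 'PayPal' ), array( 'paypal' ) );
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- escaped inside the helper
echo example_render_help_tip( 'Vendors <strong>must</strong> add a payout email.', 'https://example.invalid/docs' );
```

The design point is the split of responsibilities: functions that build markup escape every untrusted value in the context it lands in, and the caller echoes the result untouched. Escaping earlier (before a lookup or inside a data-access helper) is what produces the double escaping flagged in the SetupWizard suggestion above.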
coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (5)
includes/functions.php (5)

Line range hint 303-303: Avoid directly inserting variables into SQL queries. Use $wpdb->prepare() for safe SQL queries.

- AND terms.slug NOT IN ({$exclude_product_types_text})
+ AND terms.slug NOT IN (%s)", $exclude_product_types_text)
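Review bot: `NOT IN (%s)` with a single placeholder does not produce a list: `$wpdb->prepare()` quotes the whole value, so a comma-joined `$exclude_product_types_text` becomes `NOT IN ('simple,grouped')`, one string compared against every slug, and nothing is excluded. Generate one `%s` per excluded slug (`implode( ', ', array_fill( 0, count( $slugs ), '%s' ) )`) and pass the array of slugs to `prepare()`. The `+` line is also a fragment (`", $exclude_product_types_text)`), so the whole query, not just this clause, has to move inside the `prepare()` call.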

Line range hint 867-867: The parameters $key and $array are declared but never used in the function dokan_posted_input. Consider removing or using these parameters.


Line range hint 1103-1103: The shorthand array syntax "[]" is not supported in PHP versions earlier than 5.4. Use array() instead for backward compatibility.

- $all_days = [
+ $all_days = array(
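Review bot: the rationale given (PHP versions earlier than 5.4) does not match the PHPCS finding quoted under "GitHub Check Runs" for line 1103, which is about the shorthand list syntax `[]` used to destructure arrays in PHP 7.0 or earlier; `$all_days = [` is an array literal, not destructuring, so rewriting it as `array(` does not address that finding. Confirm the plugin's declared minimum PHP version before converting short array syntax, otherwise this is style churn rather than a fix.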

Line range hint 1202-1202: Ensure the $_SERVER['QUERY_STRING'] index is defined before using it and sanitize it properly to prevent security issues.

- return add_query_arg( $_SERVER['QUERY_STRING'], '', home_url( $wp->request ) );
+ $query_string = isset($_SERVER['QUERY_STRING']) ? sanitize_text_field(wp_unslash($_SERVER['QUERY_STRING'])) : '';
+ return add_query_arg( $query_string, '', home_url( $wp->request ) );
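Review bot: `sanitize_text_field()` is the wrong sanitizer for a raw query string: it removes percent-encoded sequences (`%20`, `%2F`, and so on) and collapses whitespace, so encoded parameter values are silently corrupted before `add_query_arg()` re-encodes them. Passing the whole query string as the first argument of `add_query_arg()` (kept from the `-` line) also treats it as a single key with an empty value. Prefer `wp_parse_str()` on the unslashed string, sanitize the decoded values (for example `map_deep( $params, 'sanitize_text_field' )`), pass the array to `add_query_arg()`, and run the result through `esc_url_raw()`.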

Line range hint 3989-3989: The shorthand array syntax "[]" is not supported in PHP versions earlier than 5.4. Use array() instead for backward compatibility.

- $map = [
+ $map = array(
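Review bot: the `array()` rewrite of `$map = [` is justified by PHP < 5.4 compatibility, but the quoted PHPCS finding for line 3989 is about the shorthand list syntax for destructuring in PHP 7.0 or earlier; an array literal is not destructuring, so this change does not clear the finding. Check the plugin's minimum PHP version before converting short arrays.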
Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits: files that changed from the base of the PR and between f336658 and ca9c085.
Files selected for processing (2)
  • includes/PageViews.php (2 hunks)
  • includes/functions.php (1 hunks)
Files skipped from review as they are similar to previous changes (1)
  • includes/PageViews.php
Additional Context Used
GitHub Check Runs (1)
Run PHPCS inspection failure (21)

includes/functions.php: [warning] 49-49:
Found unknown capability "vendor_staff" in function call to current_user_can(). Please check the spelling of the capability. If this is a custom capability, please verify the capability is registered with WordPress via a call to WP_Role(s)->add_cap().
Custom capabilities can be made known to this sniff by setting the "custom_capabilities" property in the PHPCS ruleset.


includes/functions.php: [failure] 303-303:
Use placeholders and $wpdb->prepare(); found interpolated variable {$exclude_product_types_text} at WHERE tt.taxonomy = 'product_type' AND t.slug NOT IN ({$exclude_product_types_text})


includes/functions.php: [warning] 867-867:
The method parameter $key is never used


includes/functions.php: [warning] 867-867:
The method parameter $array is never used


includes/functions.php: [failure] 1103-1103:
The shorthand list syntax "[]" to destructure arrays is not available in PHP 7.0 or earlier.


includes/functions.php: [failure] 1202-1202:
Detected usage of a possibly undefined superglobal array index: $_SERVER['QUERY_STRING']. Use isset() or empty() to check the index exists before using it


includes/functions.php: [failure] 1202-1202:
$_SERVER['QUERY_STRING'] not unslashed before sanitization. Use wp_unslash() or similar


includes/functions.php: [failure] 1202-1202:
Detected usage of a non-sanitized input variable: $_SERVER['QUERY_STRING']


includes/functions.php: [failure] 3989-3989:
The shorthand list syntax "[]" to destructure arrays is not available in PHP 7.0 or earlier.

Additional comments not posted (1)
includes/functions.php (1)

Line range hint 49-49: Consider verifying the custom capability 'vendor_staff' used in current_user_can(). If it's a custom capability, ensure it's registered properly with WordPress.

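The two suggestions in the comment above, the `NOT IN` clause built from `$exclude_product_types_text` and the `$_SERVER['QUERY_STRING']` handling, share one pattern: keep untrusted values out of the string and let the WordPress API quote or encode them. The following is an added example, not Dokan's code and not from this PR. It assumes it runs inside WordPress (`$wpdb`, `wp_unslash()`, `wp_parse_str()`, `map_deep()`, `sanitize_text_field()`, `add_query_arg()`, `home_url()` and `esc_url_raw()` are core); the function names are hypothetical.

```php
<?php
/**
 * Added example (not Dokan's code): a prepared NOT IN (...) list and a
 * query-string rebuild that preserves percent-encoding. Assumes WordPress
 * core is loaded; function names are hypothetical.
 */

/**
 * term_id values of product_type terms, excluding the given slugs, using one
 * placeholder per slug so prepare() quotes each element separately.
 */
function example_product_type_ids( array $exclude_slugs ): array {
	global $wpdb;

	$sql = "SELECT t.term_id FROM {$wpdb->terms} AS t"
		. " INNER JOIN {$wpdb->term_taxonomy} AS tt ON tt.term_id = t.term_id"
		. " WHERE tt.taxonomy = 'product_type'";

	if ( empty( $exclude_slugs ) ) {
		// Nothing to exclude: no user-controlled value reaches the query.
		return array_map( 'intval', (array) $wpdb->get_col( $sql ) );
	}

	// One %s per element. A single %s would be quoted as one string,
	// giving NOT IN ('simple,grouped') and excluding nothing.
	$placeholders = implode( ', ', array_fill( 0, count( $exclude_slugs ), '%s' ) );

	// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- only %s placeholders are interpolated
	$sql .= " AND t.slug NOT IN ( {$placeholders} )";

	// prepare() accepts the values as one array and quotes/escapes each of them.
	return array_map( 'intval', (array) $wpdb->get_col( $wpdb->prepare( $sql, $exclude_slugs ) ) );
}

/**
 * Current request URL rebuilt from $_SERVER['QUERY_STRING'] without corrupting
 * percent-encoded values: decode first, sanitize the decoded values, re-encode.
 */
function example_current_url( string $request_path ): string {
	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized after parsing below
	$raw = isset( $_SERVER['QUERY_STRING'] ) ? wp_unslash( $_SERVER['QUERY_STRING'] ) : '';

	// wp_parse_str() percent-decodes into an array. Running sanitize_text_field()
	// on the raw string instead would strip every %XX sequence.
	wp_parse_str( $raw, $params );
	$params = map_deep( $params, 'sanitize_text_field' ); // also covers nested a[b]=c

	// add_query_arg() re-encodes keys and values; esc_url_raw() is the escaper
	// for a URL that is stored or redirected to rather than echoed into HTML.
	return esc_url_raw( add_query_arg( $params, home_url( $request_path ) ) );
}
```

For a request like `?s=a%20b&paged=2`, `example_current_url( 'products' )` yields `home_url( 'products' )` with `s=a%20b&paged=2` re-attached, whereas sanitizing the raw string first would have turned `a%20b` into `ab`. The `NOT IN` helper takes the slugs as an array rather than a pre-joined string precisely so that the number of placeholders can be derived from the data.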
mralaminahamed and others added 3 commits May 27, 2024 08:25 (Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>)
coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (1)
includes/Ajax.php (1)

Line range hint 877-877: Avoid using reserved keywords as function parameter names.

- final public function create_attachment_object( $cropped, $parent_attachment_id ) {
+ final public function create_attachment_object( $cropped, $parent_attachment_id ) {
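Review bot: the `-` and `+` lines are identical, so this suggestion changes nothing, and the `$object` parameter the comment asks to rename is not in the quoted signature `create_attachment_object( $cropped, $parent_attachment_id )`. Either drop the suggestion or quote the line that actually declares `$object` and show the rename.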

Consider renaming the $object parameter to avoid potential issues with PHP reserved keywords.

Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits: files that changed from the base of the PR and between ca9c085 and 941271a.
Files selected for processing (2)
  • includes/Ajax.php (5 hunks)
  • templates/settings/store-form.php (3 hunks)
Files skipped from review as they are similar to previous changes (1)
  • templates/settings/store-form.php
Additional Context Used
GitHub Check Runs (1)
Run PHPCS inspection failure (21)

includes/Ajax.php: [warning] 877-877:
It is recommended not to use reserved keyword "object" as function parameter name. Found: $object

Additional comments not posted (2)
includes/Ajax.php (2)

268-269: Optimize increment operations for clarity and performance.

This change uses pre-increment operators which are generally more performant in PHP, especially within loops.


Line range hint 695-705: Ensure correct usage of get_terms function.

Verification successful

The output from the shell scripts shows the usage of the get_terms function in various files. Let's analyze each instance to ensure the correct usage of the function.

  1. includes/functions.php:

    • The get_terms function is not directly used here. The context provided is related to a different function, dokan_get_terms_condition_url.
  2. includes/Ajax.php:

    • The get_terms function is used with the variable $drop_down_tags as its parameter. This appears to be correctly formatted.
  3. includes/Widgets/ProductCategoryMenu.php:

    • The get_terms function is used with the variable $term_args as its parameter. This appears to be correctly formatted.
  4. includes/Upgrade/Upgrades/V_2_6_9.php:

    • The get_terms function is used as $the_query->get_terms(). This is a method call on a WP_Term_Query object, which is correct.
  5. includes/Product/ProductAttribute.php:

    • The get_terms function is used with two parameters: $taxonomy and an array of arguments. This appears to be correctly formatted.
  6. templates/account/vendor-registration.php:

    • The get_terms function is not directly used here. The context provided is related to a different function, dokan_get_terms_condition_url.
  7. templates/global/seller-registration-form.php:

    • The get_terms function is not directly used here. The context provided is related to a different function, dokan_get_terms_condition_url.

Based on the analysis, the usage of the get_terms function in the relevant files appears to be correct. Therefore, the review comment regarding the correct usage of the get_terms function can be verified as accurate.

Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Description: Verify the correct usage of `get_terms` function across the codebase.

# Test: Search for the function usage. Expect: Only occurrences with correct parameters.
rg --type php $'get_terms'

Length of output: 818



Script:

#!/bin/bash
# Extract lines where `get_terms` is used in each relevant file.

# Extract usage in includes/functions.php
rg --type php --context 5 'get_terms' includes/functions.php

# Extract usage in includes/Ajax.php
rg --type php --context 5 'get_terms' includes/Ajax.php

# Extract usage in includes/Widgets/ProductCategoryMenu.php
rg --type php --context 5 'get_terms' includes/Widgets/ProductCategoryMenu.php

# Extract usage in includes/Upgrade/Upgrades/V_2_6_9.php
rg --type php --context 5 'get_terms' includes/Upgrade/Upgrades/V_2_6_9.php

# Extract usage in includes/Product/ProductAttribute.php
rg --type php --context 5 'get_terms' includes/Product/ProductAttribute.php

# Extract usage in templates/account/vendor-registration.php
rg --type php --context 5 'get_terms' templates/account/vendor-registration.php

# Extract usage in templates/global/seller-registration-form.php
rg --type php --context 5 'get_terms' templates/global/seller-registration-form.php

Length of output: 3783

coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (9)
includes/functions.php (9)

Line range hint 303-303: Consider using placeholders and $wpdb->prepare() for SQL queries to prevent SQL injection vulnerabilities. Found interpolated variable {$exclude_product_types_text} in the SQL query.

- AND t.slug NOT IN ({$exclude_product_types_text})
+ AND t.slug NOT IN (%s)", $exclude_product_types_text)
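Review bot: a single `%s` cannot stand in for a list: `$wpdb->prepare()` wraps the comma-joined `$exclude_product_types_text` in one pair of quotes, yielding `NOT IN ('simple,grouped')`, which matches no slug. Build one placeholder per excluded slug and pass the slugs as an array to `prepare()`; the `+` line as written also leaves a dangling `", $exclude_product_types_text)` that only parses once the full query string is the first argument of `prepare()`.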

Line range hint 867-867: The method parameter $key is never used in the function dokan_posted_input. Consider removing it if it's not necessary.


Line range hint 867-867: The method parameter $array is never used in the function dokan_posted_input. Consider removing it if it's not necessary.


Line range hint 867-867: It is recommended not to use reserved keyword "array" as a function parameter name. Found: $array in the function dokan_posted_input.


Line range hint 880-880: The method parameter $key is never used in the function dokan_posted_textarea. Consider removing it if it's not necessary.


Line range hint 977-977: The method parameter $pro is never used in the function dokan_locate_template. Consider removing it if it's not necessary.


Line range hint 2009-2009: The method parameter $args is never used in the function dokan_product_listing_filter. Consider removing it if it's not necessary.


Line range hint 2734-2734: The method parameter $seller_id is never used in the function dokan_get_seller_address. Consider removing it if it's not necessary.


Line range hint 3344-3344: It is recommended not to use reserved keyword "return" as a function parameter name. Found: $return in the function dokan_privacy_policy_text.

Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits: files that changed from the base of the PR and between 941271a and 1a3496b.
Files selected for processing (14)
  • includes/Admin/SetupWizard.php (2 hunks)
  • includes/Order/Admin/Hooks.php (2 hunks)
  • includes/REST/ProductController.php (6 hunks)
  • includes/Widgets/BestSellingProducts.php (2 hunks)
  • includes/Widgets/FilterByAttributes.php (4 hunks)
  • includes/Widgets/ProductCategoryMenu.php (3 hunks)
  • includes/Widgets/StoreCategoryMenu.php (4 hunks)
  • includes/Widgets/StoreContactForm.php (5 hunks)
  • includes/Widgets/StoreLocation.php (4 hunks)
  • includes/Widgets/StoreOpenClose.php (5 hunks)
  • includes/Widgets/TopratedProducts.php (3 hunks)
  • includes/functions.php (6 hunks)
  • includes/template-tags.php (4 hunks)
  • phpcs.xml.dist (2 hunks)
Files skipped from review as they are similar to previous changes (12)
  • includes/Admin/SetupWizard.php
  • includes/Order/Admin/Hooks.php
  • includes/REST/ProductController.php
  • includes/Widgets/BestSellingProducts.php
  • includes/Widgets/FilterByAttributes.php
  • includes/Widgets/ProductCategoryMenu.php
  • includes/Widgets/StoreCategoryMenu.php
  • includes/Widgets/StoreContactForm.php
  • includes/Widgets/StoreLocation.php
  • includes/Widgets/StoreOpenClose.php
  • includes/Widgets/TopratedProducts.php
  • includes/template-tags.php
Additional Context Used
GitHub Check Runs (1)
Run PHPCS inspection failure (12)

includes/functions.php: [failure] 303-303:
Use placeholders and $wpdb->prepare(); found interpolated variable {$exclude_product_types_text} at WHERE tt.taxonomy = 'product_type' AND t.slug NOT IN ({$exclude_product_types_text})


includes/functions.php: [warning] 867-867:
The method parameter $key is never used


includes/functions.php: [warning] 867-867:
The method parameter $array is never used


includes/functions.php: [warning] 867-867:
It is recommended not to use reserved keyword "array" as function parameter name. Found: $array


includes/functions.php: [warning] 880-880:
The method parameter $key is never used


includes/functions.php: [warning] 977-977:
The method parameter $pro is never used


includes/functions.php: [warning] 2009-2009:
The method parameter $args is never used


includes/functions.php: [warning] 2734-2734:
The method parameter $seller_id is never used


includes/functions.php: [warning] 3344-3344:
It is recommended not to use reserved keyword "return" as function parameter name. Found: $return

Additional comments not posted (2)
phpcs.xml.dist (2)

131-131: The addition of wc_esc_json and dokan_sanitize_phone_number to custom sanitizing functions is a good enhancement for security.


205-205: Addition of the vendor_staff capability is noted. Please ensure that this new capability is integrated and tested across the plugin to verify that it functions as intended.

Verification successful

The vendor_staff capability is integrated across the plugin in various contexts, including user roles, permissions, and access control. This confirms that the capability is properly integrated and utilized within the plugin.

  • uninstall.php: The role is removed during uninstallation.
  • includes/functions.php: The capability is checked for current user permissions and role assignments.
  • includes/Rewrites.php: The capability is checked for user permissions.
  • includes/Core.php: The capability is checked for user role validation.
  • includes/Dashboard/Templates/Orders.php: The capability is checked for order export permissions.
Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Description: Verify integration of the `vendor_staff` capability across the plugin.

# Test: Search for usage of the `vendor_staff` capability. Expect: Integration points across the plugin.
rg --type php $'vendor_staff'

Length of output: 709

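The PHPCS failure above flags a `NOT IN ({$exclude_product_types_text})` clause assembled by string interpolation, which is the pattern `$wpdb->prepare()` exists to prevent. As an added example, not code from the Dokan plugin or this PR, the block below shows the usual fix: emit one `%s` placeholder per value and pass the values as arguments so WordPress quotes and escapes each one. `example_exclude_product_types_sql()` and the `Example_Stub_Wpdb` stand-in are assumptions made so the snippet runs outside WordPress; `$wpdb->prepare()`, `$wpdb->terms` and `$wpdb->term_taxonomy` are the real WordPress API.

```php
<?php
// Added example (not Dokan's code): replace an interpolated NOT IN (...) list
// with one %s placeholder per value so $wpdb->prepare() quotes every slug.
// Names prefixed example_ / Example_ are assumptions made for this snippet.

/**
 * Return prepared SQL selecting product_type slugs not in $exclude_product_types.
 * $wpdb is WordPress's wpdb, or any object with prepare() and table-name properties.
 */
function example_exclude_product_types_sql( $wpdb, array $exclude_product_types ) {
    if ( empty( $exclude_product_types ) ) {
        return null; // nothing to exclude; the caller can drop the clause
    }
    // Build "%s, %s, ..." so each slug is bound as an argument, never concatenated.
    $placeholders = implode( ', ', array_fill( 0, count( $exclude_product_types ), '%s' ) );

    return $wpdb->prepare(
        "SELECT t.slug FROM {$wpdb->terms} AS t"
        . " INNER JOIN {$wpdb->term_taxonomy} AS tt ON t.term_id = tt.term_id"
        . " WHERE tt.taxonomy = 'product_type' AND t.slug NOT IN ({$placeholders})",
        $exclude_product_types
    );
}

// Constructed stand-in for wpdb so the function can run outside WordPress.
// It imitates only prepare()'s %s handling: escape quotes, wrap in single quotes.
class Example_Stub_Wpdb {
    public $terms         = 'wp_terms';
    public $term_taxonomy = 'wp_term_taxonomy';

    public function prepare( $query, $args ) {
        $args   = is_array( $args ) ? $args : array_slice( func_get_args(), 1 );
        $quoted = array_map(
            function ( $value ) { return "'" . addslashes( (string) $value ) . "'"; },
            $args
        );
        return vsprintf( $query, $quoted );
    }
}

if ( ! function_exists( 'add_action' ) ) { // not loaded inside WordPress: use the stub
    $wpdb = new Example_Stub_Wpdb();
    // Constructed input; the second slug carries a quote that plain interpolation
    // would have spliced raw into the SQL, whereas prepare() escapes it.
    $types = [ 'external', "grouped'type" ];
    echo example_exclude_product_types_sql( $wpdb, $types ), PHP_EOL;
}
```

Inside WordPress the same function is called with the global `$wpdb`, and the returned string goes to `$wpdb->get_col()` or similar without further interpolation.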
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Outside diff range and nitpick comments (8)
includes/functions.php (8)

Line range hint 861-861: Consider removing or using the unused parameter $key in the function dokan_array_after.


Line range hint 861-861: Avoid using reserved keywords like array as parameter names to prevent potential conflicts in PHP. Consider renaming the parameter $array.

- function dokan_array_after( $array, $position, $new_array ) {
+ function dokan_array_after( $data_array, $position, $new_array ) {
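Review bot: Renaming `$array` only in the signature leaves any `$array` reference inside dokan_array_after() as an undefined variable, so the body must be updated in the same change; and since the PHPCS output on this page reports `$array` as never used in this function, dropping the parameter may be the cleaner fix than renaming it. Either way dokan_array_after() is a global plugin function, so a parameter rename is visible to callers that pass arguments by name under PHP 8 and should be recorded as an API change.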

Line range hint 874-874: The parameter $key is declared but not used within the function dokan_array_insert_after. Consider removing it if it's not necessary.


Line range hint 971-971: The parameter $pro is declared but not used within the function dokan_locate_template. Consider removing it if it's not necessary.


Line range hint 2003-2003: The parameter $args is declared but not used within the function dokan_product_listing_filter. Consider removing it if it's not necessary.


Line range hint 2728-2728: The parameter $seller_id is declared but not used within the function dokan_get_seller_status_count. Consider removing it if it's not necessary.


Line range hint 3338-3338: Avoid using reserved keywords like return as parameter names to prevent potential conflicts in PHP. Consider renaming the parameter $return.

- function dokan_privacy_policy_text( $return = false ) {
+ function dokan_privacy_policy_text( $should_return = false ) {
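Review bot: The hunk changes only the signature of dokan_privacy_policy_text(); every `$return` reference in the body needs the same rename or the flag silently stops working. `$return` is a legal variable name in PHP (the PHPCS finding is a recommendation, not an error), so the style gain should be weighed against breaking callers that pass the argument by name under PHP 8 named arguments.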

Line range hint 3382-3382: Avoid using reserved keywords like echo as parameter names to prevent potential conflicts in PHP. Consider renaming the parameter $echo.

- function dokan_login_form( $args = [], $echo = false ) {
+ function dokan_login_form( $args = [], $should_echo = false ) {
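Review bot: Same caveat for dokan_login_form(): `$echo` must be renamed throughout the function body, not just in the signature, and because this is a template function that themes may call with a named argument under PHP 8, the rename is an API change worth a changelog entry.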
Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits: files that changed from the base of the PR and between 1a3496b and 4c3f4b6.
Files selected for processing (3)
  • includes/Admin/Hooks.php (2 hunks)
  • includes/Admin/SetupWizardNoWC.php (1 hunks)
  • includes/functions.php (12 hunks)
Files skipped from review as they are similar to previous changes (2)
  • includes/Admin/Hooks.php
  • includes/Admin/SetupWizardNoWC.php
Additional Context Used
GitHub Check Runs (1)
Run PHPCS inspection success (10)

includes/functions.php: [warning] 861-861:
The method parameter $key is never used


includes/functions.php: [warning] 861-861:
The method parameter $array is never used


includes/functions.php: [warning] 861-861:
It is recommended not to use reserved keyword "array" as function parameter name. Found: $array


includes/functions.php: [warning] 874-874:
The method parameter $key is never used


includes/functions.php: [warning] 971-971:
The method parameter $pro is never used


includes/functions.php: [warning] 2003-2003:
The method parameter $args is never used


includes/functions.php: [warning] 2728-2728:
The method parameter $seller_id is never used


includes/functions.php: [warning] 3338-3338:
It is recommended not to use reserved keyword "return" as function parameter name. Found: $return


includes/functions.php: [warning] 3382-3382:
It is recommended not to use reserved keyword "echo" as function parameter name. Found: $echo

Labels: Needs: Dev Review (it requires a developer review and approval); Needs: Testing (this requires further testing)