Fix PHPStan errors and phpunit CVE on main

classes/admin/class-page-settings.php

@@ -14,42 +14,6 @@
  */
 class Page_Settings {
 
-	/**
-	 * Constructor.
-	 */
-	public function __construct() {
-		// Add the admin menu page.
-		\add_action( 'admin_menu', [ $this, 'add_admin_menu_page' ] );
-
-		// Add AJAX hooks to save options.
-		\add_action( 'wp_ajax_prpl_settings_form', [ $this, 'store_settings_form_options' ] );
-	}
-
-	/**
-	 * Add admin-menu page, as a submenu in the progress-planner menu.
-	 *
-	 * @return void
-	 */
-	public function add_admin_menu_page() {
-		\add_submenu_page(
-			'progress-planner',
-			\esc_html__( 'Settings', 'progress-planner' ),
-			\esc_html__( 'Settings', 'progress-planner' ),
-			'manage_options',
-			'progress-planner-settings',
-			[ $this, 'add_admin_page_content' ]
-		);
-	}
-
-	/**
-	 * Add content to the admin page of the free plugin.
-	 *
-	 * @return void
-	 */
-	public function add_admin_page_content() {
-		require_once PROGRESS_PLANNER_DIR . '/views/admin-page-settings.php';
-	}
-
 	/**
 	 * Get an array of settings.
 	 *
@@ -58,27 +22,28 @@ public function add_admin_page_content() {
 	public function get_settings() {
 		$settings = [];
 		foreach ( \progress_planner()->get_page_types()->get_page_types() as $page_type ) {
-			if ( ! $this->should_show_setting( $page_type['slug'] ) ) {
+			$slug = (string) $page_type['slug']; // @phpstan-ignore offsetAccess.invalidOffset
+			if ( ! $this->should_show_setting( $slug ) ) {
 				continue;
 			}
 
-			$settings[ $page_type['slug'] ] = [
-				'id'          => $page_type['slug'],
+			$settings[ $slug ] = [
+				'id'          => $slug,
 				'value'       => '_no_page_needed',
 				'isset'       => 'no',
-				'title'       => $page_type['title'],
-				'description' => $page_type['description'] ?? '',
+				'title'       => $page_type['title'], // @phpstan-ignore offsetAccess.invalidOffset
+				'description' => $page_type['description'] ?? '', // @phpstan-ignore offsetAccess.invalidOffset
 				'type'        => 'page-select',
-				'page'        => $page_type['slug'],
+				'page'        => $slug,
 			];
 
-			if ( \progress_planner()->get_page_types()->is_page_needed( $page_type['slug'] ) ) {
-				$type_pages = \progress_planner()->get_page_types()->get_posts_by_type( 'any', $page_type['slug'] );
+			if ( \progress_planner()->get_page_types()->is_page_needed( $slug ) ) {
+				$type_pages = \progress_planner()->get_page_types()->get_posts_by_type( 'any', $slug );
 				if ( empty( $type_pages ) ) {
-					$settings[ $page_type['slug'] ]['value'] = \progress_planner()->get_page_types()->get_default_page_id_by_type( $page_type['slug'] );
+					$settings[ $slug ]['value'] = \progress_planner()->get_page_types()->get_default_page_id_by_type( $slug );
 				} else {
-					$settings[ $page_type['slug'] ]['value'] = $type_pages[0]->ID;
-					$settings[ $page_type['slug'] ]['isset'] = 'yes';
+					$settings[ $slug ]['value'] = $type_pages[0]->ID;
+					$settings[ $slug ]['isset'] = 'yes';
 
 					// If there is more than one page, we need to check if the page has a parent with the same page-type assigned.
 					if ( 1 < \count( $type_pages ) ) {
@@ -89,7 +54,7 @@ public function get_settings() {
 						foreach ( $type_pages as $type_page ) {
 							$parent = \get_post_field( 'post_parent', $type_page->ID );
 							if ( $parent && \in_array( (int) $parent, $type_pages_ids, true ) ) {
-								$settings[ $page_type['slug'] ]['value'] = $parent;
+								$settings[ $slug ]['value'] = $parent;
 								break;
 							}
 						}
@@ -123,95 +88,76 @@ public function should_show_setting( $page_type ) {
 	}
 
 	/**
-	 * Store the settings form options.
+	 * Set the page value.
+	 *
+	 * @param array $pages The pages.
 	 *
 	 * @return void
 	 */
-	public function store_settings_form_options() {
+	public function set_page_values( $pages ) {
 
-		if ( ! \current_user_can( 'manage_options' ) ) {
-			\wp_send_json_error( [ 'message' => \esc_html__( 'You do not have permission to update settings.', 'progress-planner' ) ] );
+		if ( empty( $pages ) ) {
+			return;
 		}
 
-		// Use check_ajax_referer instead of check_admin_referer for AJAX handlers.
-		// check_admin_referer is designed for form submissions, not AJAX requests.
-		if ( ! \check_ajax_referer( 'progress_planner', 'nonce', false ) ) {
-			\wp_send_json_error( [ 'message' => \esc_html__( 'Invalid nonce.', 'progress-planner' ) ] );
-		}
-
-		if ( isset( $_POST['pages'] ) ) {
-			// Sanitize the pages array at point of reception.
-			$pages = \map_deep( \wp_unslash( $_POST['pages'] ), 'sanitize_text_field' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-
-			foreach ( $pages as $type => $page_args ) {
-				$need_page = isset( $page_args['have_page'] ) ? $page_args['have_page'] : '';
+		foreach ( $pages as $type => $page_args ) {
+			$need_page = isset( $page_args['have_page'] ) ? $page_args['have_page'] : '';
 
-				\progress_planner()->get_page_types()->set_no_page_needed(
-					$type,
-					'not-applicable' === $need_page
-				);
-
-				// Remove the post-meta from the existing posts.
-				$existing_posts = \progress_planner()->get_page_types()->get_posts_by_type( 'any', $type );
-				foreach ( $existing_posts as $post ) {
-					if ( $post->ID === (int) $page_args['id'] && 'no' !== $page_args['have_page'] ) {
-						continue;
-					}
+			\progress_planner()->get_page_types()->set_no_page_needed(
+				$type,
+				'not-applicable' === $need_page
+			);
 
-					// Get the term-ID for the type.
-					$term = \get_term_by( 'slug', $type, Page_Types::TAXONOMY_NAME );
-					if ( ! $term instanceof \WP_Term ) {
-						continue;
-					}
-
-					// Remove the assigned terms from the `progress_planner_page_types` taxonomy.
-					\wp_remove_object_terms( $post->ID, $term->term_id, Page_Types::TAXONOMY_NAME );
+			// Remove the post-meta from the existing posts.
+			$existing_posts = \progress_planner()->get_page_types()->get_posts_by_type( 'any', $type );
+			foreach ( $existing_posts as $post ) {
+				if ( $post->ID === (int) $page_args['id'] && 'no' !== $page_args['have_page'] ) {
+					continue;
 				}
 
-				// Skip if the ID is not set.
-				if ( ! isset( $page_args['id'] ) || 1 > (int) $page_args['id'] ) {
+				// Get the term-ID for the type.
+				$term = \get_term_by( 'slug', $type, Page_Types::TAXONOMY_NAME );
+				if ( ! $term instanceof \WP_Term ) {
 					continue;
 				}
 
-				if ( 'no' !== $page_args['have_page'] ) {
-					// Add the term to the `progress_planner_page_types` taxonomy.
-					\progress_planner()->get_page_types()->set_page_type_by_id( (int) $page_args['id'], $type );
-				}
+				// Remove the assigned terms from the `progress_planner_page_types` taxonomy.
+				\wp_remove_object_terms( $post->ID, $term->term_id, Page_Types::TAXONOMY_NAME );
 			}
-		}
-
-		$this->save_settings();
-		$this->save_post_types();
 
-		\do_action( 'progress_planner_settings_form_options_stored' );
+			// Skip if the ID is not set.
+			if ( ! isset( $page_args['id'] ) || 1 > (int) $page_args['id'] ) {
+				continue;
+			}
 
-		\wp_send_json_success( \esc_html__( 'Options stored successfully', 'progress-planner' ) );
+			if ( 'no' !== $page_args['have_page'] ) {
+				// Add the term to the `progress_planner_page_types` taxonomy.
+				\progress_planner()->get_page_types()->set_page_type_by_id( (int) $page_args['id'], $type );
+			}
+		}
 	}
 
 	/**
-	 * Save the settings.
+	 * Save the redirect on login setting.
+	 *
+	 * @param bool $redirect_on_login Whether to redirect on login.
 	 *
 	 * @return void
 	 */
-	public function save_settings() {
-		// Nonce is already checked in store_settings_form_options() which calls this method.
-		$redirect_on_login = isset( $_POST['prpl-redirect-on-login'] ) // phpcs:ignore WordPress.Security.NonceVerification.Missing
-			? \sanitize_text_field( \wp_unslash( $_POST['prpl-redirect-on-login'] ) ) // phpcs:ignore WordPress.Security.NonceVerification.Missing
-			: false;
-
-		\update_user_meta( \get_current_user_id(), 'prpl_redirect_on_login', (bool) $redirect_on_login );
+	public function save_redirect_on_login( $redirect_on_login = false ) {
+		\update_user_meta( \get_current_user_id(), 'prpl_redirect_on_login', $redirect_on_login );
 	}
 
 	/**
 	 * Save the post types.
 	 *
+	 * @param array $post_types The post types.
+	 *
 	 * @return void
 	 */
-	public function save_post_types() {
-		// Nonce is already checked in store_settings_form_options() which calls this method.
-		$include_post_types = isset( $_POST['prpl-post-types-include'] ) // phpcs:ignore WordPress.Security.NonceVerification.Missing
-			? \array_map( 'sanitize_text_field', \wp_unslash( $_POST['prpl-post-types-include'] ) ) // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing
-			// If no post types are selected, use the default post types (post and page can be deregistered).
+	public function save_post_types( $post_types = [] ) {
+		$include_post_types = ! empty( $post_types )
+			? $post_types
 			: \array_intersect( [ 'post', 'page' ], \progress_planner()->get_settings()->get_public_post_types() );
 
 		\progress_planner()->get_settings()->set( 'include_post_types', $include_post_types );

classes/admin/widgets/class-activity-scores.php

@@ -98,7 +98,8 @@ public function get_checklist_results() {
 		$items   = $this->get_checklist();
 		$results = [];
 		foreach ( $items as $item ) {
-			$results[ $item['label'] ] = $item['callback']();
+			$label             = (string) $item['label']; // @phpstan-ignore offsetAccess.invalidOffset
+			$results[ $label ] = $item['callback'](); // @phpstan-ignore offsetAccess.invalidOffset
 		}
 		return $results;
 	}

classes/class-base.php

@@ -86,10 +86,12 @@ class Base {
 	 */
 	public function init() {
 		if ( ! \function_exists( 'current_user_can' ) ) {
-			require_once ABSPATH . 'wp-includes/capabilities.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-includes/capabilities.php';
 		}
 		if ( ! \function_exists( 'wp_get_current_user' ) ) {
-			require_once ABSPATH . 'wp-includes/pluggable.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-includes/pluggable.php';
 		}
 
 		if ( \defined( '\IS_PLAYGROUND_PREVIEW' ) && \constant( '\IS_PLAYGROUND_PREVIEW' ) === true ) {
@@ -380,7 +382,8 @@ public function get_file_version( $file ) {
 
 		// Otherwise, use the plugin header.
 		if ( ! \function_exists( 'get_file_data' ) ) {
-			require_once ABSPATH . 'wp-includes/functions.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-includes/functions.php';
 		}
 
 		if ( ! self::$plugin_version ) {

classes/class-suggested-tasks.php

@@ -479,6 +479,7 @@ public function rest_api_tax_query( $args, $request ) {
 
 		// Handle sorting parameters.
 		if ( isset( $request['filter']['orderby'] ) ) {
+			// @phpstan-ignore-next-line argument.templateType
 			$args['orderby'] = \sanitize_sql_orderby( $request['filter']['orderby'] );
 		}
 		if ( isset( $request['filter']['order'] ) ) {

classes/suggested-tasks/class-task.php

@@ -183,12 +183,14 @@ public function get_rest_formatted_data( $post_id = null ): array {
 
 		// Make sure WP_REST_Posts_Controller is loaded.
 		if ( ! \class_exists( 'WP_REST_Posts_Controller' ) ) {
-			require_once ABSPATH . 'wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php';
 		}
 
 		// Make sure WP_REST_Request is loaded.
 		if ( ! \class_exists( 'WP_REST_Request' ) ) {
-			require_once ABSPATH . 'wp-includes/rest-api/class-wp-rest-request.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-includes/rest-api/class-wp-rest-request.php';
 		}
 
 		// Use the appropriate controller for the post type.

classes/suggested-tasks/data-collector/class-inactive-plugins.php

@@ -47,7 +47,8 @@ public function update_inactive_plugins_cache() {
 	 */
 	protected function calculate_data() {
 		if ( ! \function_exists( 'get_plugins' ) ) {
-			require_once ABSPATH . 'wp-admin/includes/plugin.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-admin/includes/plugin.php';
 		}
 
 		// Clear the plugins cache, so get_plugins() returns the latest plugins.

classes/suggested-tasks/providers/class-core-update.php

@@ -107,7 +107,8 @@ public function add_core_update_link( $update_actions ) {
 	public function should_add_task() {
 		// Without this \wp_get_update_data() might not return correct data for the core updates (depending on the timing).
 		if ( ! \function_exists( 'get_core_updates' ) ) {
-			require_once ABSPATH . 'wp-admin/includes/update.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-admin/includes/update.php';
 		}
 
 		// For wp_get_update_data() to return correct data it needs to be called after the 'admin_init' action (with priority 10).

classes/suggested-tasks/providers/class-fewer-tags.php

@@ -154,7 +154,8 @@ public function is_task_completed( $task_id = '' ) {
 	protected function is_plugin_active() {
 		if ( null === $this->is_plugin_active ) {
 			if ( ! \function_exists( 'get_plugins' ) ) {
-				require_once ABSPATH . 'wp-admin/includes/plugin.php'; // @phpstan-ignore requireOnce.fileNotFound
+				// @phpstan-ignore-next-line requireOnce.fileNotFound
+				require_once ABSPATH . 'wp-admin/includes/plugin.php';
 			}
 
 			$plugins                = \get_plugins();

classes/suggested-tasks/providers/class-select-locale.php

@@ -205,7 +205,8 @@ public function print_popover_instructions() {
 	public function print_popover_form_contents() {
 
 		if ( ! \function_exists( 'wp_get_available_translations' ) ) {
-			require_once ABSPATH . 'wp-admin/includes/translation-install.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-admin/includes/translation-install.php';
 		}
 
 		$languages    = \get_available_languages();
@@ -277,7 +278,8 @@ public function handle_interactive_task_specific_submit() {
 
 		// Handle translation installation.
 		if ( \current_user_can( 'install_languages' ) ) {
-			require_once ABSPATH . 'wp-admin/includes/translation-install.php'; // @phpstan-ignore requireOnce.fileNotFound
+			// @phpstan-ignore-next-line requireOnce.fileNotFound
+			require_once ABSPATH . 'wp-admin/includes/translation-install.php';
 
 			if ( \wp_can_install_language_pack() ) {
 				$language = \wp_download_language_pack( $language_for_update );