Security audit and bug fixes (v0.12.0)

- Complete security audit for WordPress best practices, OWASP Top 10
- Fix Calculator static method calls in API controllers
- Fix EmailNotifier method names in BookingsController
- Fix guest_id type casting in EmailNotifier

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 09:44:23 +01:00
parent a8e0df99d1
commit dbd0f3f788
8 changed files with 117 additions and 24 deletions


@@ -338,9 +338,9 @@ final class BookingsController extends AbstractController {
$guest_id = $this->find_or_create_guest( $guest );
// Calculate price.
$price = Calculator::calculate( $room_id, $check_in, $check_out );
$services = $request->get_param( 'services' ) ?? array();
$room_price = $price['price'] ?? 0;
$calculator = new Calculator( $room_id, $check_in, $check_out );
$room_price = $calculator->calculate();
$services = $request->get_param( 'services' ) ?? array();
// Calculate services total.
$services_total = 0;
@@ -410,7 +410,7 @@ final class BookingsController extends AbstractController {
// Send notification email.
if ( class_exists( EmailNotifier::class ) ) {
EmailNotifier::send_admin_notification( $post_id );
EmailNotifier::send_admin_new_booking( $post_id );
}
// Prepare response.
@@ -532,7 +532,7 @@ final class BookingsController extends AbstractController {
// Send cancellation email.
if ( class_exists( EmailNotifier::class ) ) {
EmailNotifier::send_cancellation_email( $id );
EmailNotifier::send_cancellation( $id );
}
return $this->formatter->no_content();
@@ -607,7 +607,7 @@ final class BookingsController extends AbstractController {
if ( 'confirmed' === $new_status ) {
update_post_meta( $id, '_bnb_booking_confirmed_at', current_time( 'mysql' ) );
if ( class_exists( EmailNotifier::class ) ) {
EmailNotifier::send_confirmation_email( $id );
EmailNotifier::send_guest_confirmation( $id );
}
}
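Review bot: `$room_price = $calculator->calculate();` on the new side drops the `?? 0` fallback that the old `$price['price'] ?? 0` lookup provided, so whatever `calculate()` yields for a room it cannot price (null, false, or an exception — its signature is not in this hunk) now flows straight into the services total below instead of being coerced to 0. If `calculate()` can return null for a room without a rate, `$room_price = $calculator->calculate() ?? 0;` keeps the old behaviour; if it throws on an unusable `$check_in`/`$check_out`, the exception should be caught here and mapped to a 4xx error response rather than surfacing as a 500. The enclosing method starts and ends outside the hunk, so I cannot see whether either case is handled further down.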


@@ -136,9 +136,9 @@ final class PricingController extends AbstractController {
$nights = (int) $check_in_date->diff( $check_out_date )->days;
// Calculate room price.
$price = Calculator::calculate( $room_id, $check_in, $check_out );
$room_total = $price['price'] ?? 0;
$breakdown = $price['breakdown'] ?? array();
$calculator = new Calculator( $room_id, $check_in, $check_out );
$room_total = $calculator->calculate();
$breakdown = $calculator->getBreakdown();
$currency = get_option( 'wp_bnb_currency', 'CHF' );
// Build night-by-night breakdown.
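Review bot: `$breakdown = $calculator->getBreakdown();` on the new side only makes sense if `calculate()` has already run on the same instance, which the line order here and in the matching pair in RoomsController (`$price = $calculator->calculate(); $breakdown = $calculator->getBreakdown();`) suggests but nothing documents. A one-line comment above the two calls, `// getBreakdown() reflects the preceding calculate() call; keep the order.`, would stop a future reorder from silently returning an empty breakdown, assuming that is how Calculator populates it — worth confirming against the class. The enclosing method continues outside the hunk.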


@@ -400,14 +400,16 @@ final class RoomsController extends AbstractController {
if ( $is_available ) {
// Calculate pricing.
$price = Calculator::calculate( $room_id, $check_in, $check_out );
$calculator = new Calculator( $room_id, $check_in, $check_out );
$price = $calculator->calculate();
$breakdown = $calculator->getBreakdown();
$data['pricing'] = array(
'tier' => $price['breakdown']['tier']->value ?? 'short_term',
'base_rate' => $price['breakdown']['base_price_per_night'] ?? 0,
'total' => $price['price'] ?? 0,
'formatted' => $price['price_formatted'] ?? '',
'tier' => $breakdown['tier']->value ?? 'short_term',
'base_rate' => $breakdown['base_price_per_night'] ?? 0,
'total' => $price,
'formatted' => Calculator::formatPrice( $price ),
'currency' => get_option( 'wp_bnb_currency', 'CHF' ),
'breakdown' => $price['breakdown'] ?? array(),
'breakdown' => $breakdown,
);
} else {
// Get conflicts.