PurpleTurtleCreative / completionist

Asana integration plugin for WordPress.
https://purpleturtlecreative.com/completionist/
GNU General Public License v3.0

Release v4.0.0 – WordPress.org Plugins official listing and hosting #201

Closed MichelleBlanchette closed 8 months ago

MichelleBlanchette commented 9 months ago

Issue: Database tables are being queried before installation

This is because Automations tries to register events, but this happens before the plugin has installed the database tables:

WordPress database error: [Table 'wordpress.$automations_table' doesn't exist]
SELECT COUNT(actions.ID) FROM `wp_ptc_completionist_automation_actions` actions JOIN $automations_table automations ON automations.ID = actions.automation_id AND automations.hook_name = 'user_register'

WordPress database error: [Table 'wordpress.$automations_table' doesn't exist]
SELECT COUNT(actions.ID) FROM `wp_ptc_completionist_automation_actions` actions JOIN $automations_table automations ON automations.ID = actions.automation_id AND automations.hook_name = 'profile_update'

WordPress database error: [Table 'wordpress.$automations_table' doesn't exist]
SELECT COUNT(actions.ID) FROM `wp_ptc_completionist_automation_actions` actions JOIN $automations_table automations ON automations.ID = actions.automation_id AND automations.hook_name = 'delete_user'

WordPress database error: [Table 'wordpress.$automations_table' doesn't exist]
SELECT COUNT(actions.ID) FROM `wp_ptc_completionist_automation_actions` actions JOIN $automations_table automations ON automations.ID = actions.automation_id AND automations.hook_name = 'wp_insert_post'

WordPress database error: [Table 'wordpress.$automations_table' doesn't exist]
SELECT COUNT(actions.ID) FROM `wp_ptc_completionist_automation_actions` actions JOIN $automations_table automations ON automations.ID = actions.automation_id AND automations.hook_name = 'post_updated'

WordPress database error: [Table 'wordpress.$automations_table' doesn't exist]
SELECT COUNT(actions.ID) FROM `wp_ptc_completionist_automation_actions` actions JOIN $automations_table automations ON automations.ID = actions.automation_id AND automations.hook_name = 'trash_post'
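
The logged SQL contains the literal text `$automations_table` in the JOIN clause, so two things are visible in this output: the count query runs before the activation routine has created the tables, and the automations table name was never interpolated into the query string. The following is an added example, not the Completionist plugin's own code, showing one way to structure this: the installer records a schema version after creating the tables, event registration is skipped until that version is present, and the count query is built from `$wpdb->prefix` plus fixed suffixes with the hook name passed through `$wpdb->prepare()`. The automations table suffix `ptc_completionist_automations`, the option name `ptc_completionist_db_version` and the constant `PTC_EXAMPLE_DB_VERSION` are assumptions; only `wp_ptc_completionist_automation_actions` and the six hook names appear in the issue.

```php
<?php
// Added example (not the plugin's code): defer automation event registration
// until the plugin's database tables exist.

define( 'PTC_EXAMPLE_DB_VERSION', '4.0.0' ); // assumed schema version marker

// Runs on activation: creates the tables, then records the schema version.
function ptc_example_install(): void {
	global $wpdb;
	require_once ABSPATH . 'wp-admin/includes/upgrade.php'; // provides dbDelta()

	$automations_table = $wpdb->prefix . 'ptc_completionist_automations';          // assumed suffix
	$actions_table     = $wpdb->prefix . 'ptc_completionist_automation_actions';   // from the issue log
	$charset_collate   = $wpdb->get_charset_collate();

	dbDelta(
		"CREATE TABLE {$automations_table} (
			ID bigint(20) unsigned NOT NULL AUTO_INCREMENT,
			hook_name varchar(255) NOT NULL,
			PRIMARY KEY  (ID),
			KEY hook_name (hook_name)
		) {$charset_collate};
		CREATE TABLE {$actions_table} (
			ID bigint(20) unsigned NOT NULL AUTO_INCREMENT,
			automation_id bigint(20) unsigned NOT NULL,
			PRIMARY KEY  (ID),
			KEY automation_id (automation_id)
		) {$charset_collate};"
	);

	// Only set the marker once the tables are in place; everything else keys off it.
	update_option( 'ptc_completionist_db_version', PTC_EXAMPLE_DB_VERSION ); // assumed option name
}
register_activation_hook( __FILE__, 'ptc_example_install' );

// Cheap guard: no query is issued until the installer has recorded the schema version.
function ptc_example_tables_installed(): bool {
	return get_option( 'ptc_completionist_db_version' ) === PTC_EXAMPLE_DB_VERSION;
}

// Counts the actions attached to automations for one hook. Table names cannot be
// prepare() placeholders, so they are assembled from $wpdb->prefix and fixed
// suffixes inside a double-quoted string; the hook name goes through prepare().
function ptc_example_count_actions_for_hook( string $hook_name ): int {
	global $wpdb;
	$automations_table = $wpdb->prefix . 'ptc_completionist_automations';
	$actions_table     = $wpdb->prefix . 'ptc_completionist_automation_actions';

	$sql = $wpdb->prepare(
		"SELECT COUNT(actions.ID)
		 FROM `{$actions_table}` actions
		 JOIN `{$automations_table}` automations
		   ON automations.ID = actions.automation_id
		  AND automations.hook_name = %s",
		$hook_name
	);

	return (int) $wpdb->get_var( $sql );
}

// Registers listeners only for hooks that actually have automations, and only
// once the tables exist. Before activation this returns without touching the DB,
// which is exactly the window in which the "Table ... doesn't exist" errors fired.
function ptc_example_register_automation_events(): void {
	if ( ! ptc_example_tables_installed() ) {
		return;
	}

	$hooks = array( 'user_register', 'profile_update', 'delete_user', 'wp_insert_post', 'post_updated', 'trash_post' );
	foreach ( $hooks as $hook_name ) {
		if ( ptc_example_count_actions_for_hook( $hook_name ) > 0 ) {
			add_action(
				$hook_name,
				function ( ...$args ) use ( $hook_name ) {
					// Hand off to whatever runs the automations; assumed hook name.
					do_action( 'ptc_example_automation_triggered', $hook_name, $args );
				},
				10,
				3
			);
		}
	}
}
add_action( 'plugins_loaded', 'ptc_example_register_automation_events' );
```

The version-option check is preferred over `SHOW TABLES LIKE` on every request because it is a single cached `get_option()` read; the same marker also lets an upgrade routine rerun `dbDelta()` when the constant changes.
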

MichelleBlanchette commented 9 months ago

RC.3 has been sent to the Plugin Review Team for second review. 🎉

MichelleBlanchette commented 9 months ago

Ah! I missed one of the review items from last time about properly sanitizing nonces before validation:

Note: When checking a nonce using wp_verify_nonce you will need to sanitize the input using wp_unslash AND sanitize_text_field, [this is because this function is pluggable, and extenders should not trust its input values](https://developer.wordpress.org/news/2023/08/understand-and-use-wordpress-nonces-properly/#verifying-the-nonce).

Example:

if ( ! isset( $_POST['prefix_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['prefix_nonce'] ) ), 'prefix_nonce' ) )

Example(s) from your plugin:

completionist/src/admin/class-admin-pages.php:849 && wp_verify_nonce( $_POST['asana_connect_nonce'], 'connect_asana' ) !== false
completionist/src/admin/class-admin-pages.php:885 && wp_verify_nonce( $_POST['asana_disconnect_nonce'], 'disconnect_asana' ) !== false
completionist/src/admin/class-admin-pages.php:911 && wp_verify_nonce( $_POST['asana_frontend_user_save_nonce'], 'asana_frontend_user_save' ) !== false
completionist/src/admin/class-admin-pages.php:992 && wp_verify_nonce( $_POST['asana_workspace_save_nonce'], 'asana_workspace_save' ) !== false//phpcs:ignore WordPress.Security.ValidatedSanitizedInput
completionist/src/admin/class-admin-pages.php:940 && wp_verify_nonce( $_POST['asana_cache_ttl_save_nonce'], 'asana_cache_ttl_save' ) !== false

... out of a total of 6 coincidences.

Also, I asked for more clarification on the other two notes they had and they confirmed those were false positives. This means sanitizing the nonces should be the last bit to fix before we can get this approved. Woohoo! 🙌
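
As an added example (not the plugin's own code), the flagged pattern beside a hardened form that follows the review team's note. The nonce field and action names `asana_connect_nonce` / `connect_asana` come from the first flagged line; the handler function, the `manage_options` capability, the `asana_pat` field and the `completionist` text domain are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): sanitize a nonce before verification,
// and keep nonce checks separate from authorization.

// Before (as flagged in review): raw $_POST value handed straight to the
// pluggable wp_verify_nonce(), and no isset() guard:
//   && wp_verify_nonce( $_POST['asana_connect_nonce'], 'connect_asana' ) !== false

// After: one helper used by every POST handler.
function ptc_example_verify_post_nonce( string $field, string $action ): bool {
	if ( ! isset( $_POST[ $field ] ) ) {
		return false;
	}
	// wp_verify_nonce() is pluggable, so a replacement may not expect slashed or
	// non-string input. Normalise here; the result is always a plain string.
	$nonce = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );

	// wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise.
	return false !== wp_verify_nonce( $nonce, $action );
}

// Assumed handler for the "connect Asana" form.
function ptc_example_handle_connect_asana(): void {
	if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
		return;
	}

	if ( ! ptc_example_verify_post_nonce( 'asana_connect_nonce', 'connect_asana' ) ) {
		wp_die(
			esc_html__( 'Security check failed.', 'completionist' ), // assumed text domain
			'',
			array( 'response' => 403 )
		);
	}

	// A nonce proves the request came from the plugin's own form; it says nothing
	// about who submitted it. Authorization is a separate check.
	if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
		wp_die(
			esc_html__( 'You are not allowed to do this.', 'completionist' ),
			'',
			array( 'response' => 403 )
		);
	}

	// Remaining inputs get the same unslash + sanitize treatment.
	$pat = sanitize_text_field( wp_unslash( $_POST['asana_pat'] ?? '' ) ); // assumed field
	if ( '' === $pat ) {
		return;
	}

	// ... connect to Asana using $pat (storage and API call omitted) ...
}
add_action( 'admin_init', 'ptc_example_handle_connect_asana' );
```

With the sanitization done inside the helper, the `//phpcs:ignore WordPress.Security.ValidatedSanitizedInput` suppression seen on the `asana_workspace_save` line is no longer needed, and the remaining five call sites reduce to one-line calls to the helper.
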

MichelleBlanchette commented 9 months ago

I've sent v4.0.0-rc.4 for final review. 🙂