Write: gate launch on email verification in the post-publish overlay#50207
Conversation
|
Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.
Interested in more tips and information?
|
|
Thank you for your PR! When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:
This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖 Follow this PR Review Process:
If you have questions about anything, reach out in #jetpack-developers for guidance! |
Code Coverage SummaryCoverage changed in 3 files.
Full summary · PHP report · JS report Coverage check overridden by
I don't care about code coverage for this PR
|
When a Write On author with an unverified email tries to launch from the post-publish overlay, the "confirm your email to launch" step now offers a working Resend verification email button and re-checks verification status before proceeding — so a verified user isn't trapped and an unverified one can't slip past to the launch flow. Both are backed by admin-ajax handlers wrapping the wpcom Email_Verification class (a Simple site serves no REST at its own host). The wpcom back-end gate remains the authoritative enforcement. READ-580 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011fL6i4rHnciXKFR5bPmYAV
Phan flagged the new resend_verification_email() call as an undeclared static method (the wpcom stub only carried is_email_unverified) and the throwing wp_die handler in the test as a never-returning closure. Add the method to the wpcom stub to match the real class, and suppress the closure check since a `never` return type would break PHP 7.2 lint. READ-580 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011fL6i4rHnciXKFR5bPmYAV
…ll site The wpcom stub is auto-generated and must not be hand-edited (flagged by the monorepo bot). Revert that change and instead suppress the PhanUndeclaredStaticMethod at the resend_verification_email() call site with a class_exists-guarded note, matching the package's existing convention for wpcom-only symbols. READ-580 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011fL6i4rHnciXKFR5bPmYAV
3c2fb36 to
ac1eb0a
Compare
Fixes READ-580
Proposed changes
Follow-up to #49935. That PR added the post-publish overlay and a placeholder "confirm your email to launch" step whose Resend and re-check were deferred (they needed a transport that works on a Simple site's front end). This PR builds them.
admin-ajaxhandlers in the Write feature, each a thin wrapper around the wpcomEmail_Verificationclass, guarded byclass_existsso they fail safe off-wpcom:wpcom_write_resend_verification_email→Email_Verification::resend_verification_email()wpcom_write_check_email_verification→{ verified: ! Email_Verification::is_email_unverified() }ajaxUrl+ nonce and the new step strings.showVerifyStep()gains a Resend verification email button, and its confirm button now re-checks verification before proceeding: a verified author is sent to the launch flow, while a still-unverified one gets an inline "not confirmed yet" message and can't slip past. The wpcom back-end 403 gate remains the authoritative enforcement (defense-in-depth).admin-ajaxis the transport because a wpcom Simple site serves no REST API at its own hostname; the blocked state stays computed server-side and rendered into the page.All complexity stays in Write On-owned code — the shared Calypso
/start/launch-siteflow is untouched (the reason the Calypso approach in Automattic/wp-calypso#112239 was closed).Related product discussion/links
Does this pull request change what data or activity we track or use?
Adds front-end Tracks events for the verify step:
wpcom_write_post_publish_checklist_resend_click,_verify_recheck,_verify_confirmed, and_verify_still_blocked. These are UI-interaction events only; no new personal data is collected.Testing instructions
This gating only engages on a wpcom Simple site created via the Write On flow (
site_creation_flow = 'write-on') whose owner has an unverified email, since it depends on the wpcom-onlyEmail_Verificationclass. On such a site:Local verification (plain Jetpack dev env, where
Email_Verificationis absent) confirmed: the overlay renders with the new localized config (ajaxUrl, nonce, all step strings); bothadmin-ajaxactions are registered and reachable (valid nonce → theclass_existsguard'sunavailableresponse; bad nonce →-1/403); and all fourshowVerifyStep()branches behave correctly whenfetchis stubbed to simulate the wpcom responses (resend-sent message, still-unverified message with buttons re-enabled, and navigate-to-launch on verified). New PHPUnit coverage exercises both handlers via a mockedEmail_Verification.