Skip to content

[5 / 7] - Unstuck / Scroll of Resurrection / RAF#202

Merged
Nyeriah merged 5 commits into
azerothcore:masterfrom
TheSCREWEDSoftware:5_user_miscmenus
Jul 5, 2026
Merged

[5 / 7] - Unstuck / Scroll of Resurrection / RAF#202
Nyeriah merged 5 commits into
azerothcore:masterfrom
TheSCREWEDSoftware:5_user_miscmenus

Conversation

@TheSCREWEDSoftware

@TheSCREWEDSoftware TheSCREWEDSoftware commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Split from the main PR: #197

Split by Claude

Unstuck restyled to the new rows; Scroll of Resurrection gets green/red/yellow status colours; RAF (recruit-a-friend) gets a CSRF nonce + validation. Minor shared-service tidy.

image image

Not testde the RAF page, as the changes were made by Rabbit's review.

Summary by CodeRabbit

  • New Features

    • Dark mode toggle in WordPress admin bar
    • Character order reset functionality in character management
    • Item quality indicators in mail and restoration displays
  • Improvements

    • Redesigned character management UI with card-based layout, icons, and metadata
    • Revamped mail return interface with character sidebar navigation
    • Reimagined item restoration page with card grid and improved organization
    • Enhanced security with nonce validation and permission checks across endpoints
    • Improved visual styling with expanded theme and dark mode CSS
  • Bug Fixes

    • Module availability validation for Resurrection Scroll feature

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds a new AcoreCharColors utility class and uses it to unify character row rendering across Characters, Unstuck, Mail Return, and Item Restoration menus. It hardens item-restore REST endpoints with ownership validation, adds nonce checks to CharactersController and RafProgressPage, introduces a toggleable admin dark mode feature with dedicated CSS, and delivers a major overhaul of main.css, plus new dark-mode.css and theme.css stylesheets.

Changes

Character UI Overhaul and Security Hardening

Layer / File(s) Summary
AcoreCharColors utility and bootstrap wiring
src/.../Utils/AcoreCharColors.php, src/.../boot.php
New AcoreCharColors class provides class/race/faction constants, rowStyle, and expansion helpers. boot.php adds require_once for both AcoreCharColors and DarkMode.
Item restore security: ownership validation and route guards
src/.../Manager/ACoreServices.php, src/.../Components/Tools/ToolsApi.php
ACoreServices.getRestorableItemsByCharacter adds numeric/account/ownership validation and extends the recovery_item query with Count/DeleteDate. New currentAccountOwnsCharacterName method added. ToolsApi.ItemRestore adds filter_var integer check and character ownership guard returning WP_Error 400/403. Both REST routes gain is_user_logged_in permission callbacks.
Character order controller: nonce and reset order
src/.../CharactersMenu/CharactersController.php, src/.../CharactersMenu/CharactersView.php
loadHome adds check_admin_referer and branches on acore_reset_order. New resetCharacterOrder sets characters.order = NULL. View rewrites per-character rows using AcoreCharColors and adds a Reset Order button. Sortable JS handler refreshes position badges after drag.
Mail Return: sidebar UI, cod/quality fields, JS refactor
src/.../MailReturnMenu/MailReturnController.php, src/.../MailReturnMenu/MailReturnView.php, src/.../web/assets/mail-return/mail-return.js
Controller adds cod and item_quality to SQL projections. View switches to wp_localize_script and replaces <select> with a sidebar card list. JS changes trigger to delegated card click, adds client-side color helpers, rewrites mail entry DOM with quality icon grid and CoD label, and upgrades WoWhead icon URLs after render.
Item Restoration page UI rewrite
src/.../UserPanel/Pages/ItemRestorationPage.php
Replaces table-based UI with a sidebar character selector and card/grid layout. JS IIFE uses REST endpoints with wp_rest nonce, renders item cards with Wowhead links and deletion dates, posts JSON to restore, removes restored cards, and renumbers remaining cards.
Unstuck, RAF, ResurrectionScroll updates
src/.../UnstuckMenu/UnstuckView.php, src/.../UserPanel/Pages/RafProgressPage.php, src/.../ResurrectionScrollMenu/ResurrectionScrollMenu.php, src/.../ResurrectionScrollMenu/ResurrectionScrollView.php, src/.../Manager/Soap/SmartstoneService.php
UnstuckView adopts AcoreCharColors rows and wp_localize_script. RafProgressPage adds wp_nonce_field. ResurrectionScrollMenu adds isAvailable() checking acore_modules_csv. ResurrectionScrollView bumps CSS version and changes badge classes to bg-success/bg-danger.
main.css: character rows, mail/item-restore layouts
src/.../web/assets/css/main.css
Replaces old per-feature character styles with a unified acore-char-list/acore-char-row system. Adds grid-based mail-return layout with card border-left and icon quantity strip. Adds responsive profile sub-page layouts for Security, RAF, and Item Restoration including sidebar+content grid and WowHead icon overlay.

Dark Mode Feature

Layer / File(s) Summary
DarkMode.php: admin-bar toggle, AJAX endpoint, WP2FA wizard integration
src/.../Hooks/Various/DarkMode.php
Registers admin-bar node with sun/moon icon from acore_dark_mode user meta and appends acore-dark-mode body class. Enqueues dark-mode.css and theme.css. Injects late-priority inline styles for WP2FA modal sizing and conditional dark-mode overrides. AJAX toggle flips user meta with nonce guard. Inline JS generator updates body class/icon/tooltip on click. Conditionally injects theme.css into the WP2FA setup wizard head.
dark-mode.css: full dark-mode overrides
src/.../web/assets/css/dark-mode.css
New stylesheet adds dark-mode rules for item restoration tables, character rows, expansion selector UI, admin bar toggle, Bootstrap variable overrides, postboxes, cards, form inputs, mail entries, WP tables, buttons, notices, myCred widgets, Scroll of Resurrection, expansion level badges, and Mail Return page.
theme.css: central light/dark palette and component theming
src/.../web/assets/css/theme.css
New stylesheet defines CSS custom property palettes for light/dark modes. Covers item quality color tokens, item restore card borders, danger buttons, security page readability, mail return surfaces, WP 2FA modal/wizard, myCRED admin/history, connection table theming, admin bar toggle, card form controls, and primary/secondary button theming.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(30, 100, 200, 0.5)
    Note over Browser,WP_REST: Item Restoration Flow
  end
  participant Browser
  participant ItemRestorationPage
  participant WP_REST
  participant ToolsApi
  participant ACoreServices
  participant DB

  Browser->>ItemRestorationPage: click character row
  ItemRestorationPage->>WP_REST: GET /v1/item-restore/list/{guid} (nonce header)
  WP_REST->>ToolsApi: ItemRestoreList (is_user_logged_in check)
  ToolsApi->>ACoreServices: getRestorableItemsByCharacter(guid)
  ACoreServices->>DB: verify ownership + query recovery_item
  DB-->>ACoreServices: items with Count, DeleteDate
  ACoreServices-->>ToolsApi: item rows
  ToolsApi-->>Browser: JSON items
  ItemRestorationPage->>Browser: render item cards with Wowhead icons

  Browser->>WP_REST: POST /v1/item-restore {item, cname} (nonce header)
  WP_REST->>ToolsApi: ItemRestore (is_user_logged_in check)
  ToolsApi->>ToolsApi: filter_var validate item >= 1
  ToolsApi->>ACoreServices: currentAccountOwnsCharacterName(cname)
  ACoreServices->>DB: SELECT characters WHERE name+account+deleteDate IS NULL
  DB-->>ACoreServices: owned?
  ToolsApi->>ToolsApi: SOAP restore command
  ToolsApi-->>Browser: success
  ItemRestorationPage->>Browser: remove restored card, renumber remaining
Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Poem

🐰 Hoppity-hop through the code I go,
Dark mode blooms where bright pixels glow,
Characters sorted, mail returns agleam,
Nonces guard every restorer's dream.
AcoreCharColors paints the race and class —
A rainbow of factions, a fast new pass! 🌙

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title "[5 / 7] - Unstuck / Scroll of Resurrection / RAF" lists three specific features being modified, which aligns with the actual changes across UnstuckView, ResurrectionScrollMenu/View, and RafProgressPage, making it clear and specific.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/acore-wp-plugin/src/Components/CharactersMenu/CharactersController.php`:
- Line 26: There is a typo in the success notice message within the div with
class "updated" in the CharactersController.php file. The word "succesfully" is
misspelled and should be corrected to "successfully". Locate the success message
text "Character settings succesfully saved." and fix the spelling of the word to
display the correct message to users.

In `@src/acore-wp-plugin/src/Components/MailReturnMenu/MailReturnView.php`:
- Around line 58-59: The src attributes of the race-icon and class-icon img
elements are outputting dynamically constructed URLs without proper escaping.
While the alt and title attributes are correctly using esc_attr() for escaping,
the src attributes need to be wrapped with esc_url() to properly escape the
generated file paths. Apply esc_url() around the concatenated path expressions
in both the race icon src (constructed with ACORE_URL_PLG,
intval($char['race']), gender condition, and '.webp') and the class icon src
(constructed with ACORE_URL_PLG, intval($char['class']), and '.webp') to harden
the URL output.

In `@src/acore-wp-plugin/src/Components/Tools/ToolsApi.php`:
- Around line 19-22: The ItemRestore method in ToolsApi.php only validates that
the character name belongs to the current user, but does not verify that the
recovery_item itself is associated with that character and account. To fix this,
create a new service method in ACoreServices (similar to the example provided in
the comment) that validates both the recovery_item and character together by
querying the recovery_item table joined with the characters table, ensuring the
item ID matches a valid recovery for the given account and character name. Then
update the ItemRestore method to call this new validation method before
executing the SOAP command. Additionally, update the WooCommerce fulfillment
caller that invokes ItemRestore to pass the purchaser's account ID explicitly
instead of relying on the current WordPress session context.

In `@src/acore-wp-plugin/src/Components/UserPanel/Pages/ItemRestorationPage.php`:
- Around line 217-235: The success condition in the ItemRestorationPage.php file
incorrectly gates on checking if the response data contains the substring
'mail'. Since parseJsonResponse() already guarantees HTTP-success for responses
that reach this point, remove the data.toLowerCase().includes('mail') check from
the if statement. The entire block containing
cardEl.parentElement.removeChild(), successBox updates, card renumbering logic,
and the remaining.length check should execute unconditionally for all successful
HTTP responses, not just those with 'mail' in the payload.

In `@src/acore-wp-plugin/src/Components/UserPanel/Pages/RafProgressPage.php`:
- Line 35: The UserController::showRafProgress() method is missing server-side
nonce verification for the CSRF protection token generated by wp_nonce_field().
Add a nonce verification call using wp_verify_nonce() immediately after checking
if the request method is POST and before processing any data from the
$_POST["recruited"] variable. The nonce verification should use the action
'acore_raf_recruit' and the nonce field name 'acore_raf_nonce' that match the
wp_nonce_field() call on line 35. If verification fails, the request should be
rejected to prevent CSRF attacks.

In `@src/acore-wp-plugin/web/assets/css/main.css`:
- Around line 555-557: The selector body.profile-php `#wpbody-content` > .wrap
applies the max-width: 900px rule too broadly, and its higher specificity
overrides the later full-width rules for `#acore-mail-return-page` and
`#acore-item-restoration-page`. Scope the max-width rule more specifically by
adding an additional selector constraint that excludes or targets only the pages
that should have the 900px constraint, while allowing `#acore-mail-return-page`
and `#acore-item-restoration-page` to maintain their full-width behavior. This may
involve using a more specific child or descendant selector, or creating a
separate rule that explicitly targets only non-full-width profile pages.

In `@src/acore-wp-plugin/web/assets/css/theme.css`:
- Around line 600-616: The CSS selectors for dark mode styling of `.subsubsub`
links, checkboxes, and `.btn` elements are scoped too broadly under `#wpcontent
`#wpbody-content``, causing these styles to apply across all admin pages when dark
mode is active. Scope these selectors to only apply within myCRED pages by
adding `#myCRED-wrap` (or `.mycred-log-page`) as a parent selector in the chain
for all the rules between lines 600-616. This ensures the color overrides for
subsubsub links, input checkboxes, and button styling only affect the myCRED
plugin pages and do not bleed into unrelated admin screens.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6b0d0c4f-157d-420d-8a34-b862b03ab056

📥 Commits

Reviewing files that changed from the base of the PR and between 94af292 and 3fb9994.

📒 Files selected for processing (19)
  • src/acore-wp-plugin/src/Components/CharactersMenu/CharactersController.php
  • src/acore-wp-plugin/src/Components/CharactersMenu/CharactersView.php
  • src/acore-wp-plugin/src/Components/MailReturnMenu/MailReturnController.php
  • src/acore-wp-plugin/src/Components/MailReturnMenu/MailReturnView.php
  • src/acore-wp-plugin/src/Components/ResurrectionScrollMenu/ResurrectionScrollMenu.php
  • src/acore-wp-plugin/src/Components/ResurrectionScrollMenu/ResurrectionScrollView.php
  • src/acore-wp-plugin/src/Components/Tools/ToolsApi.php
  • src/acore-wp-plugin/src/Components/UnstuckMenu/UnstuckView.php
  • src/acore-wp-plugin/src/Components/UserPanel/Pages/ItemRestorationPage.php
  • src/acore-wp-plugin/src/Components/UserPanel/Pages/RafProgressPage.php
  • src/acore-wp-plugin/src/Hooks/Various/DarkMode.php
  • src/acore-wp-plugin/src/Manager/ACoreServices.php
  • src/acore-wp-plugin/src/Manager/Soap/SmartstoneService.php
  • src/acore-wp-plugin/src/Utils/AcoreCharColors.php
  • src/acore-wp-plugin/src/boot.php
  • src/acore-wp-plugin/web/assets/css/dark-mode.css
  • src/acore-wp-plugin/web/assets/css/main.css
  • src/acore-wp-plugin/web/assets/css/theme.css
  • src/acore-wp-plugin/web/assets/mail-return/mail-return.js

Comment thread src/acore-wp-plugin/src/Components/Tools/ToolsApi.php
Comment thread src/acore-wp-plugin/web/assets/css/main.css
Comment thread src/acore-wp-plugin/web/assets/css/theme.css
TheSCREWEDSoftware added a commit to TheSCREWEDSoftware/acore-cms that referenced this pull request Jun 24, 2026
(Resume generated by Claude)

**PR azerothcore#199 — Characters Menu**
- Fixed typo: "succesfully" → "successfully" in save confirmation
- Fixed broken sentence in the Order Character Screen description
- Extended `user-select: none` to cover all `.acore-char-row` elements, not just `button`

**PR azerothcore#200 — Mail Return**
- *(issues covered by later PRs — no unique fixes)*

**PR azerothcore#201 — Item Restoration**
- Added `alt=` attributes to race/class icons in `CharactersView.php`
- `ToolsApi`: `ItemRestoreList` now catches exceptions and returns a 403 instead of a 500
- `ToolsApi` + `ACoreServices`: **Security fix** — `ItemRestore` now verifies the recovery item belongs to the character, not just that the user owns the character name (IDOR vulnerability)

**PR azerothcore#202 — Unstuck / Scroll / RAF**
- `ItemRestorationPage`: removed brittle `data.includes('mail')` success check — any HTTP success now triggers the success path

**PR azerothcore#203 — Security Tab**
- `CharactersController`: `resetCharacterOrder()` now guards against invalid/null account ID before running UPDATE
- `Tools.php`: added `esc_attr()` on banned-names table input (XSS fix)
- `Tools.php`: added `is_array()` guard on thresholds `foreach`
- `Tools.php` + `SettingsController`: added sentinel input so deleting all thresholds actually clears them in the DB
- `Tools.php`: GeoIP hidden fallback `value="0"` is now always rendered, not conditionally

**PR azerothcore#204 — Admin Settings / CSRF**
- `AcoreCharColors`: removed unused `$fDark`, unknown race IDs now get a neutral color instead of Horde red
- `MailReturnView`: added `esc_url()` on race/class icon `src` attributes
- `DarkMode`: added `dmToggleInFlight` flag to prevent overlapping AJAX requests on rapid dark mode clicks
@TheSCREWEDSoftware

Copy link
Copy Markdown
Contributor Author

The reviews are valid for this, but the are fixed in the on the way to latest PR and including he last PR #205

PR #202 — Unstuck / Scroll / RAF

  • ItemRestorationPage: removed brittle data.includes('mail') success check — any HTTP success now triggers the success path

@Nyeriah Nyeriah merged commit 45c4ee6 into azerothcore:master Jul 5, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants