Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions core/WP/Menu.php
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,12 @@ public static function admin_menu() {
$home = add_menu_page( __( 'Project Manager', 'wedevs-project-manager' ), __( 'Project Manager', 'wedevs-project-manager' ), self::$capability, $slug, array( new Output, 'home_page' ), self::pm_svg(), 3 );

// phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited -- Intentionally adding custom submenu items to WordPress admin menu
// 1. Projects
$submenu[$slug][] = [ __( 'Projects', 'wedevs-project-manager' ), self::$capability, "admin.php?page={$slug}#/" ];
// 1. Dashboard (landing page)
$submenu[$slug][] = [ __( 'Dashboard', 'wedevs-project-manager' ), self::$capability, "admin.php?page={$slug}#/dashboard" ];

// phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited -- Intentionally adding custom submenu items to WordPress admin menu
// 2. Projects
$submenu[$slug][] = [ __( 'Projects', 'wedevs-project-manager' ), self::$capability, "admin.php?page={$slug}#/projects" ];

// 2. My Tasks
$active_task = self::my_task_count();
Expand Down
1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@
"lucide-react": "^0.400.0",
"react": "^18.3.0",
"react-chartjs-2": "^5.2.0",
"react-day-picker": "9",
"react-dom": "^18.3.0",
"react-redux": "^9.1.0",
"react-router-dom": "^6.23.0",
Expand Down
38 changes: 38 additions & 0 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 13 additions & 0 deletions routes/dashboard.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<?php

use WeDevs\PM\Core\Router\Router;

$wedevs_pm_router = Router::singleton();

// GET /wp-json/pm/v2/dashboard — aggregated, role-scoped dashboard data.
$wedevs_pm_router->get( 'dashboard', 'WeDevs/PM/Dashboard/Controllers/Dashboard_Controller@index' )
->permission( ['WeDevs\PM\Core\Permissions\Authentic'] );

// GET /wp-json/pm/v2/dashboard/heatmap?year=YYYY — productivity heatmap (self-fetched by the card).
$wedevs_pm_router->get( 'dashboard/heatmap', 'WeDevs/PM/Dashboard/Controllers/Dashboard_Controller@heatmap_data' )
->permission( ['WeDevs\PM\Core\Permissions\Authentic'] );
Comment on lines +8 to +13

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add validator and sanitizer to both dashboard endpoints.

Both routes are missing ->validator() and ->sanitizer(), which are mandatory for all REST endpoints in this codebase.

🔧 Proposed fix
 $wedevs_pm_router->get( 'dashboard', 'WeDevs/PM/Dashboard/Controllers/Dashboard_Controller@index' )
-    ->permission( ['WeDevs\PM\Core\Permissions\Authentic'] );
+    ->permission( ['WeDevs\PM\Core\Permissions\Authentic'] )
+    ->validator( ['WeDevs\PM\Dashboard\Validators\Dashboard_Validator'] )
+    ->sanitizer( ['WeDevs\PM\Dashboard\Sanitizers\Dashboard_Sanitizer'] );

 $wedevs_pm_router->get( 'dashboard/heatmap', 'WeDevs/PM/Dashboard/Controllers/Dashboard_Controller@heatmap_data' )
-    ->permission( ['WeDevs\PM\Core\Permissions\Authentic'] );
+    ->permission( ['WeDevs\PM\Core\Permissions\Authentic'] )
+    ->validator( ['WeDevs\PM\Dashboard\Validators\Dashboard_Heatmap_Validator'] )
+    ->sanitizer( ['WeDevs\PM\Dashboard\Sanitizers\Dashboard_Heatmap_Sanitizer'] );

As per coding guidelines, “Every REST endpoint must have a validator via ->validator() and sanitizer via ->sanitizer() methods.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@routes/dashboard.php` around lines 8 - 13, Both the 'dashboard' and
'dashboard/heatmap' routes in the router configuration are missing the required
validator and sanitizer method chains. Add ->validator() and ->sanitizer()
method calls to each route definition, chaining them after the existing
->permission() method. These methods are mandatory for all REST endpoints in the
codebase to ensure proper input validation and sanitization of request data.

Source: Coding guidelines

Loading