fix: remove the exclusion of NonceVerification in phpcs and fix the i…

…ssues (#67)

admin/class-openedx-commerce-admin.php

@@ -16,6 +16,7 @@
 use OpenedXCommerce\admin\views\Openedx_Commerce_Enrollment_Info_Form;
 use OpenedXCommerce\utils;
 
+
 /**
  * The admin-specific functionality of the plugin.
  *
@@ -231,6 +232,11 @@ public function add_openedx_course_product_type( $type_options ) {
 	 * @return void
 	 */
 	public function save_openedx_option( $post_id ) {
+		if ( ! isset( $_POST['openedx_commerce_custom_product_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_custom_product_nonce'] ) ), 'openedx_commerce_custom_product_nonce' )
+		) {
+			return;
+		}
 		$openedx_course = isset( $_POST['is_openedx_course'] ) ? 'yes' : 'no';
 		update_post_meta( $post_id, 'is_openedx_course', $openedx_course );
 	}
@@ -244,8 +250,12 @@ public function add_custom_product_fields() {
 
 		global $post;
 
+		$nonce = wp_create_nonce( 'openedx_commerce_custom_product_nonce' );
+
 		echo '<div class="custom_options_group">';
 
+		echo '<input type="hidden" name="openedx_commerce_custom_product_nonce" value="' . esc_attr( $nonce ) . '">';
+
 		woocommerce_wp_text_input(
 			array(
 				'id'          => '_course_id',
@@ -303,6 +313,7 @@ public function add_admin_order_item_values( $product, $item, $item_id = null )
 
 		// Check if the product has a non-empty "_course_id" metadata.
 		$course_id = '';
+		$nonce     = wp_create_nonce( 'openedx_commerce_order_item_nonce' );
 
 		if ( $product ) {
 			$course_id    = get_post_meta( $product->get_id(), '_course_id', true );
@@ -316,6 +327,7 @@ public function add_admin_order_item_values( $product, $item, $item_id = null )
 			$order_url   = esc_url( admin_url( 'post.php?post=' . intval( $input_value ) . '&action=edit' ) );
 
 			$html_output  = '<td>';
+			$html_output .= '<input type="hidden" name="openedx_commerce_order_item_nonce"  value="' . esc_attr( $nonce ) . '">';
 			$html_output .= '<input style="height:30px;" type="text" name="openedx_order_id_input' . esc_attr( $item_id ) . '" value="' . esc_attr( $input_value ) . '" pattern="\d*" />';
 			$html_output .= '<a href="' . $order_url . '" class="button" style="margin-left: 5px; vertical-align: bottom;' . ( $input_value ? '' : 'pointer-events: none; opacity: 0.6;' ) . '">View Request</a>';
 			$html_output .= '</td>';
@@ -364,6 +376,12 @@ public function save_order_meta_data( $order_id ) {
 
 		$items = wc_get_order( $order_id )->get_items();
 
+		if ( ! isset( $_POST['openedx_commerce_order_item_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_order_item_nonce'] ) ), 'openedx_commerce_order_item_nonce' )
+		) {
+			return;
+		}
+
 		foreach ( $items as $item_id => $item ) {
 			if ( isset( $_POST[ 'openedx_order_id_input' . $item_id ] ) ) {
 				$input_value = sanitize_text_field( wp_unslash( $_POST[ 'openedx_order_id_input' . $item_id ] ) );
@@ -380,6 +398,11 @@ public function save_order_meta_data( $order_id ) {
 	 * @since    1.1.1
 	 */
 	public function save_custom_product_fields( $post_id ) {
+		if ( ! isset( $_POST['openedx_commerce_custom_product_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_custom_product_nonce'] ) ), 'openedx_commerce_custom_product_nonce' )
+		) {
+			return;
+		}
 		$course_id = isset( $_POST['_course_id'] ) ? sanitize_text_field( wp_unslash( $_POST['_course_id'] ) ) : '';
 		$mode      = isset( $_POST['_mode'] ) ? sanitize_text_field( wp_unslash( $_POST['_mode'] ) ) : '';
 

admin/views/class-openedx-commerce-enrollment-info-form.php

@@ -17,6 +17,7 @@
 	exit;
 }
 
+
 /**
  * The Enrollment Info Form code for the form.
  */
@@ -92,6 +93,8 @@ public function render_enrollment_info_form( $post ) {
 			$openedx_new_enrollment = true;
 		}
 
+		wp_nonce_field( 'openedx_commerce_enrollment_form', 'openedx_commerce_enrollment_form_nonce' );
+
 		?>
 		<div id="namediv" class="postbox">
 

admin/views/class-openedx-commerce-settings.php

@@ -14,6 +14,7 @@
 use DateTime;
 use DateInterval;
 
+
 /**
  * This class allows the user to configure the plugin settings
  * focusing on the connection between Open edX platform and the store.
@@ -148,6 +149,12 @@ public function openedx_settings_init() {
 			'sanitize_text_field'
 		);
 
+		if ( ! isset( $_POST['openedx_commerce_new_token_nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_new_token_nonce'] ) ), 'openedx_commerce_token' )
+		) {
+			return;
+		}
+
 		if ( isset( $_POST['generate_new_token'] ) ) {
 			$this->set_new_token();
 		}
@@ -187,7 +194,6 @@ public function set_new_token() {
 			$exp_date->add( new DateInterval( 'PT' . $exp_time . 'S' ) );
 			update_option( 'openedx-token-expiration-overlap', $exp_date );
 
-			$nonce = wp_create_nonce( 'token_generated_nonce' );
 			update_option( 'openedx-jwt-token', $response_data['access_token'] );
 
 			set_transient( 'openedx_success_message', 'Token generated', 10 );
@@ -284,6 +290,8 @@ public function openedx_jwt_token_callback() {
 			$masked_value = '';
 		}
 
+		wp_nonce_field( 'openedx_commerce_token', 'openedx_commerce_new_token_nonce' );
+
 		?>
 
 		<div class="openedx-jwt-token-wrapper">

composer.json

@@ -7,14 +7,14 @@
 		"ext-dom": "*",
 		"ext-json": "*",
 		"ext-sqlite3": "*",
-		"phpunit/phpunit": "9.*",
+		"phpunit/phpunit": "^9.6",
 		"dealerdirect/phpcodesniffer-composer-installer": "^0.7.2",
-    	"wp-coding-standards/wpcs": "3.0.0"
+    	"wp-coding-standards/wpcs": "^3.0"
 	},
 	"config": {
 	    "allow-plugins": {
-	      "dealerdirect/phpcodesniffer-composer-installer": true
-	    },
+			"dealerdirect/phpcodesniffer-composer-installer": true
+		},
 		"platform": {
 			"php": "8.0.7"
 		}
@@ -39,7 +39,6 @@
 		}
 	},
 	"require": {
-		"phpunit/phpunit": "9.*",
 		"guzzlehttp/guzzle": "^7.7"
 	}
 }