
b2-private-files's People

Contributors

buonzz


b2-private-files's Issues

Incorrect Stable Tag

In your readme, your 'Stable Tag' does not match the Plugin Version as indicated in your main plugin file.

Readme:

README.txt:7:Stable tag: 4.3

Plugin File:

b2-private-files.php:19: * Version: 1.0.0

Your Stable Tag is meant to be the stable version of your plugin, not of WordPress. For your plugin to be properly downloaded from WordPress.org, those values need to be the same. If they're out of sync, your users won't get the right version of your code.

We recommend you use Semantic Versioning (aka SemVer) for managing versions:

https://en.wikipedia.org/wiki/Software_versioning
https://semver.org/

Please note: While using the stable tag of trunk currently works in the Plugin Directory, it's not actually a supported or recommended method to indicate new versions and has been known to cause issues with automatic updates.

We ask you please properly use tags and increment them when you release new versions of your plugin, just like you update the plugin version in the main file. Having them match is the best way to be fully forward supporting.

Data Must be Sanitized, Escaped, and Validated

When you include POST/GET/REQUEST/FILE calls in your plugin, it's important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: Data that is input (either by a user or automatically) must be sanitized as soon as possible. This lessens the possibility of XSS vulnerabilities and MITM attacks where posted data is subverted.

VALIDATE: All data should be validated, no matter what. Even when you sanitize, remember that you don’t want someone putting in ‘dog’ when the only valid values are numbers.

ESCAPE: Data that is output must be escaped properly when it is echo'd, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

To help you with this, WordPress comes with a number of sanitization and escaping functions. You can read about those here:

https://developer.wordpress.org/plugins/security/securing-input/
https://developer.wordpress.org/plugins/security/securing-output/

Remember: You must use the most appropriate functions for the context. If you’re sanitizing email, use sanitize_email(), if you’re outputting HTML, use wp_kses_post(), and so on.

An easy mantra here is this:

Sanitize early
Escape Late
Always Validate

Clean everything, check everything, escape everything, and never trust the users to always have input sane data. After all, users come from all walks of life.

Example(s) from your plugin:

admin/private-files-table.php:272: $orderby = (!empty($_REQUEST['orderby'])) ? $_REQUEST['orderby'] : 'fileName'; //If no sort, default to title
admin/private-files-table.php:273: $order = (!empty($_REQUEST['order'])) ? $_REQUEST['order'] : 'asc'; //If no order, default to asc
admin/partials/upload_page.php:5: <?php echo $_GET['message'];
admin/class-b2-private-files-admin.php:294: $fileId = $_GET['fileId'];
admin/class-b2-private-files-admin.php:295: $fileName = $_GET['fileName'];
admin/class-b2-private-files-admin.php:317: $fileName = $_GET['fileName'];
admin/class-b2-private-files-admin.php:361: $fileName = $_GET['fileName'];
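The lines above read request values straight into variables. The following is an added example, not code from the plugin or from the review team, showing how those same parameters can be read with sanitization and whitelist validation. The function names, the list of sortable columns and the error handling are assumptions; only the parameter names come from the flagged lines.

```php
<?php
// Added example (not the plugin's code): the request parameters flagged in the
// review, read with sanitization and whitelist validation. Function names and
// the column list are assumptions.

/**
 * Sort parameters for the private-files list table.
 * Sanitizing alone would still accept 'dog' as a column name, so the values are
 * validated against a whitelist and fall back to the defaults otherwise.
 */
function b2pf_example_sort_params() {
    $allowed_orderby = array( 'fileName', 'size', 'uploadTimestamp' ); // assumed column names
    $allowed_order   = array( 'asc', 'desc' );

    // Sanitize early: unslash and strip tags/control characters as soon as the value is read.
    $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['orderby'] ) ) : 'fileName';
    $order   = isset( $_REQUEST['order'] ) ? strtolower( sanitize_text_field( wp_unslash( $_REQUEST['order'] ) ) ) : 'asc';

    // Validate: anything not on the whitelist is replaced, not passed through.
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'fileName';
    }
    if ( ! in_array( $order, $allowed_order, true ) ) {
        $order = 'asc';
    }
    return array( 'orderby' => $orderby, 'order' => $order );
}

/**
 * File id and name for the download/delete handlers.
 * Returns a WP_Error instead of a value when either parameter fails validation,
 * so the caller never reaches the B2 call with an unchecked name.
 */
function b2pf_example_file_params() {
    $file_id   = isset( $_GET['fileId'] ) ? sanitize_text_field( wp_unslash( $_GET['fileId'] ) ) : '';
    $file_name = isset( $_GET['fileName'] ) ? sanitize_text_field( wp_unslash( $_GET['fileName'] ) ) : '';

    // B2 file ids are opaque tokens; restrict them to the character class an id can contain.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $file_id ) ) {
        return new WP_Error( 'b2pf_bad_file_id', 'Invalid file id.' );
    }
    // B2 file names may contain "/" as folder separators, so sanitize_file_name() would be too
    // aggressive here; instead reject empty names, absolute paths and traversal segments outright.
    if ( '' === $file_name || '/' === $file_name[0] || preg_match( '#(^|/)\.\.(/|$)#', $file_name ) ) {
        return new WP_Error( 'b2pf_bad_file_name', 'Invalid file name.' );
    }
    return array( 'fileId' => $file_id, 'fileName' => $file_name );
}

// Usage in the admin handler:
$params = b2pf_example_file_params();
if ( is_wp_error( $params ) ) {
    wp_die( esc_html( $params->get_error_message() ) );
}
```

The sort parameters end up in a query and the file parameters in a call to the storage API, which is why both get a validation step on top of the sanitization: a sanitized string is still free-form, and only the whitelist or the pattern check turns it into a value the rest of the code can trust.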

get shortcode page

Media > Library (Private)
when an item is hovered, there should be a Get Shortcode link

Variables and options must be escaped when echo'd

Much related to sanitizing everything, all variables that are echoed need to be escaped when they're echoed, so it can't hijack users or (worse) admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data, as well as some that will allow you to echo HTML safely.

At this time, we ask you escape all $-variables, options, and any sort of generated data when it is being echoed. That means you should not be escaping when you build a variable, but when you output it at the end. We call this 'escaping late.'

Besides protecting yourself from a possible XSS vulnerability, escaping late makes sure that you're keeping the future you safe. While today your code may only output hardcoded content, that may not be true in the future. By taking the time to properly escape when you echo, you prevent a mistake in the future from becoming a critical security issue.

This remains true of options you've saved to the database. Even if you've properly sanitized when you saved, the tools for sanitizing and escaping aren't interchangeable. Sanitizing makes sure it's safe for processing and storing in the database. Escaping makes it safe to output.

Also keep in mind that sometimes a function is echoing when it should really be returning content instead. This is a common mistake when it comes to returning JSON encoded content. Very rarely is that actually something you should be echoing at all. Echoing is because it needs to be on the screen, read by a human. Returning (which is what you would do with an API) can be json encoded, though remember to sanitize when you save to that json object!

There are a number of options to secure all types of content (html, email, etc). Yes, even HTML needs to be properly escaped.

https://developer.wordpress.org/plugins/security/securing-output/

Remember: You must use the most appropriate functions for the context. There is pretty much an option for everything you could echo. Even echoing HTML safely.

Example(s) from your plugin:

admin/class-b2-private-files-admin.php:151: <input type='text' name='b2_private_files_settings[b2_private_files_account_id]' value='<?php echo $options['b2_private_files_account_id']; '/>
admin/class-b2-private-files-admin.php:158: <input type='text' name='b2_private_files_settings[b2_private_files_application_key]' value='<?php echo $options['b2_private_files_application_key']; '/>
admin/class-b2-private-files-admin.php:165: <input type='text' name='b2_private_files_settings[b2_private_files_bucket_id]' value='<?php echo $options['b2_private_files_bucket_id']; '/>
admin/class-b2-private-files-admin.php:172: <input type='text' name='b2_private_files_settings[b2_private_files_bucket_name]' value='<?php echo $options['b2_private_files_bucket_name']; '/>
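The four settings fields above echo option values into attribute values without escaping. The following is an added example, not the plugin's code, that renders the same fields with the values escaped at output time, registers a sanitize callback for the save path, and escapes the `$_GET['message']` echo that the earlier issue flagged. The option key and field names come from the flagged lines; the function names and the use of `register_setting()` are assumptions.

```php
<?php
// Added example (not the plugin's code): the settings fields from the review,
// rewritten to escape the stored option values at output time. Option and field
// names are taken from the flagged lines; function names are assumptions.

// Sanitize early: the callback registered with the option cleans every value before it is stored.
function b2pf_example_sanitize_settings( $input ) {
    $keys  = array(
        'b2_private_files_account_id',
        'b2_private_files_application_key',
        'b2_private_files_bucket_id',
        'b2_private_files_bucket_name',
    );
    $clean = array();
    foreach ( $keys as $key ) {
        $clean[ $key ] = isset( $input[ $key ] ) ? sanitize_text_field( $input[ $key ] ) : '';
    }
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting(
        'b2_private_files',
        'b2_private_files_settings',
        array( 'sanitize_callback' => 'b2pf_example_sanitize_settings' )
    );
} );

// Escape late: even though the values were sanitized on save, they are escaped again
// when printed. Sanitizing makes a value safe to store; escaping makes it safe to output.
function b2pf_example_render_settings_fields() {
    $options = get_option( 'b2_private_files_settings', array() );
    $fields  = array(
        'b2_private_files_account_id'      => 'Account ID',
        'b2_private_files_application_key' => 'Application key',
        'b2_private_files_bucket_id'       => 'Bucket ID',
        'b2_private_files_bucket_name'     => 'Bucket name',
    );
    foreach ( $fields as $key => $label ) {
        $value = isset( $options[ $key ] ) ? $options[ $key ] : '';
        // esc_attr() for attribute values, esc_html() for text nodes: each context has its own function.
        printf(
            '<p><label for="%1$s">%2$s</label> <input type="text" id="%1$s" name="b2_private_files_settings[%1$s]" value="%3$s" /></p>',
            esc_attr( $key ),
            esc_html( $label ),
            esc_attr( $value )
        );
    }
}

// The one-line message echo from upload_page.php, sanitized on input and escaped for an HTML text node.
function b2pf_example_print_message() {
    if ( empty( $_GET['message'] ) ) {
        return;
    }
    $message = sanitize_text_field( wp_unslash( $_GET['message'] ) );
    echo '<div class="notice notice-info"><p>' . esc_html( $message ) . '</p></div>';
}
```

Note that the application key is being rendered back into a text input here exactly as the flagged lines do; escaping fixes the injection problem but does not change the decision to show the stored secret on the settings screen.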

bulk delete function

Media > Library (Private)
when the user chooses "Bulk Actions > Delete"
when they click Apply, it should delete all checked items

Upload files page

in the Media menu, add a new item "Private Files"
this will allow the user to upload a new file, similar to the Library UI
when the user uploads a file here, it will be uploaded to the Backblaze bucket

Tested Up To Value is Out of Date, Invalid, or Missing

The tested up to value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress.

Please update your readme to show that it is tested up to the most recent version of WordPress. You cannot set it beyond the current version, as that will similarly cause your plugin not to be available on searches.

Example(s) from your plugin:

README.txt:6:Tested up to: 3.4

Using CURL Instead of HTTP API

WordPress comes with an extensive HTTP API that should be used instead of creating your own curl calls. It’s both faster and more extensive. It’ll fall back to curl if it has to, but it’ll use a lot of WordPress’ native functionality first.

https://developer.wordpress.org/plugins/http-api/

Please note: If you're using CURL in 3rd party vendor libraries, that's permitted. It's in your own code unique to this plugin (or any dedicated WordPress libraries) that we need it corrected.

Example(s) from your plugin:

includes/class-b2-library.php:18: $server_output = curl_exec($session);
includes/class-b2-library.php:39: $server_output = curl_exec($session); // Let's do this!
includes/class-b2-library.php:70: $server_output = curl_exec($session); // Let's do this!
includes/class-b2-library.php:162: $server_output = curl_exec($session); // Let's do this!
includes/class-b2-library.php:221: $server_output = curl_exec($session); // Let's do this!
includes/class-b2-library.php:252: $server_output = curl_exec($session); // Let's do this!
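The page does not show what each `curl_exec()` call above does, so the following is an added example, not the plugin's code, of the same kind of request made through the WordPress HTTP API: a small wrapper around `wp_remote_request()` that surfaces transport errors and non-2xx responses, used here against Backblaze's public `b2_authorize_account` endpoint. The function names are assumptions, and the usage at the bottom assumes the credentials live in the `b2_private_files_settings` option named elsewhere on this page.

```php
<?php
// Added example (not the plugin's code): the same kind of request the flagged
// curl_exec() calls make, issued through the WordPress HTTP API instead.
// Function names are assumptions; the authorize endpoint is Backblaze's public one.

/**
 * Send a request through wp_remote_request() and decode the JSON reply.
 * Returns a decoded array on success or a WP_Error describing what went wrong.
 */
function b2pf_example_api_request( $url, $method, array $headers, $body = null ) {
    $args = array(
        'method'  => $method,
        'timeout' => 30,
        'headers' => $headers,
        // 'sslverify' is left at its default of true so certificate errors are reported, not hidden.
    );
    if ( null !== $body ) {
        $args['headers']['Content-Type'] = 'application/json';
        $args['body']                    = wp_json_encode( $body );
    }

    $response = wp_remote_request( $url, $args );

    // Transport-level failures (DNS, TLS, timeout) come back as a WP_Error.
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    $data = json_decode( wp_remote_retrieve_body( $response ), true );

    // B2 reports errors as JSON with a non-2xx status; surface them instead of ignoring them.
    if ( $code < 200 || $code >= 300 || ! is_array( $data ) ) {
        $detail = ( is_array( $data ) && isset( $data['message'] ) ) ? $data['message'] : 'unexpected response';
        return new WP_Error( 'b2pf_http_error', sprintf( 'B2 API returned HTTP %d: %s', $code, $detail ) );
    }
    return $data;
}

/** Exchange the key id and application key for an authorization token and API base URL. */
function b2pf_example_authorize( $key_id, $application_key ) {
    return b2pf_example_api_request(
        'https://api.backblazeb2.com/b2api/v2/b2_authorize_account',
        'GET',
        array( 'Authorization' => 'Basic ' . base64_encode( $key_id . ':' . $application_key ) )
    );
}

// Usage inside the plugin (credentials read from the sanitized settings option):
$options = get_option( 'b2_private_files_settings', array() );
$auth    = b2pf_example_authorize(
    isset( $options['b2_private_files_account_id'] ) ? $options['b2_private_files_account_id'] : '',
    isset( $options['b2_private_files_application_key'] ) ? $options['b2_private_files_application_key'] : ''
);
if ( is_wp_error( $auth ) ) {
    error_log( 'B2 authorization failed: ' . $auth->get_error_message() );
} else {
    $token   = $auth['authorizationToken']; // sent as the Authorization header on later calls
    $api_url = $auth['apiUrl'];             // base URL for the subsequent bucket and file calls
}
```

Besides satisfying the directory rule, routing the calls through the HTTP API means proxy settings, the `http_request_args` filter and WordPress's certificate bundle all apply to this plugin's traffic, which a hand-built curl session bypasses.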
