From 1db017a2f1d88f7777fa919f97b7401ad751c47b Mon Sep 17 00:00:00 2001
From: GotPPay
Date: Thu, 23 Aug 2018 07:19:01 +0200
Subject: [PATCH] refactoring and minor bug fixes

---
 .../class-wiaas-rest-delivery-process-api.php | 43 +++++++++++--------
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/backend/app/plugins/wiaas/includes/api/class-wiaas-rest-delivery-process-api.php b/backend/app/plugins/wiaas/includes/api/class-wiaas-rest-delivery-process-api.php
index 76cb9d9..c5773dc 100644
--- a/backend/app/plugins/wiaas/includes/api/class-wiaas-rest-delivery-process-api.php
+++ b/backend/app/plugins/wiaas/includes/api/class-wiaas-rest-delivery-process-api.php
@@ -3,6 +3,10 @@ class Wiass_REST_Delivery_Process_API {
 const BASE_NAME = WP_HOME . '/';
+
+ const FILE_KEY_NAME = 'file';
+
+ const PATH_PARTS_TO_EXTRACT = 7;
 const ACCEPTANCE_STATUS_FIELD_ID = 8;
 const EXPIRATION_DATE_FIELD_ID = 9;
@@ -56,7 +60,6 @@ class Wiass_REST_Delivery_Process_API {
 ) );
 }
-
 public static function get_next_actions_for_user() {
 $current_user = wp_get_current_user();
@@ -103,12 +106,12 @@ class Wiass_REST_Delivery_Process_API {
 return $response;
 }
- public static function get_customer_acceptance($data){
+ public static function get_customer_acceptance(WP_REST_Request $request){
 if (!is_user_logged_in()){
 return self::generate_error('You don\'t have permission to read this entry', 401);
 }
- $entry = GFAPI::get_entry($data['entry_id']);
+ $entry = GFAPI::get_entry($request['entry_id']);
 if (is_wp_error($entry)){
 return self::generate_error('Customer acceptance entry not found', 404);
 }
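Review bot: `PATH_PARTS_TO_EXTRACT = 7` names the former magic number but still does not say what the seven segments are, and the constant's only visible use is the `$i = count($path_parts) - self::PATH_PARTS_TO_EXTRACT;` arithmetic in `upload_file` further down in this patch. A one-line comment on the constant would save the next reader that trip: `// Number of trailing segments of $target_path that upload_file turns into the relative path; tied to the upload directory layout.` `FILE_KEY_NAME` could carry a similar note naming it as the multipart field the REST upload route expects.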
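Review bot: The 401 guard in `get_customer_acceptance` only establishes that some user is logged in; the hunk then loads `GFAPI::get_entry($request['entry_id'])` for any authenticated caller with no visible check that the entry is assigned to or owned by the current user, although the error text speaks of permission to read "this entry". The function continues past the hunk, so if an ownership comparison lives there a short comment above the guard saying so would help; otherwise compare the entry's owner with `get_current_user_id()` after the `is_wp_error` check and return a 403. The same pattern appears in `submit_customer_acceptance` and `upload_file` in the following hunks, where the consequence is a write rather than a read.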
@@ -141,18 +144,19 @@ class Wiass_REST_Delivery_Process_API {
 return new WP_REST_Response($result);
 }
- public static function submit_customer_acceptance($data){
+ public static function submit_customer_acceptance(WP_REST_Request $request){
 if (!is_user_logged_in()){
 return self::generate_error('You don\'t have permission to update this entry', 401);
 }
- $entry = GFAPI::get_entry($data['entry_id']);
+ $entry = GFAPI::get_entry($request['entry_id']);
 if (is_wp_error($entry)){
 return self::generate_error('Customer acceptance entry not found', 404);
 }
- $status = $_POST['actionType'];
- $reason = $_POST['declineReason'];
+ $status = $request['actionType'];
+ $reason = $request['declineReason'];
+ $installation_declined = ($status === self::DECLINE_STATUS_LABEL);
 if (!in_array($status, self::ACCEPTABLE_STATUS)){
@@ -183,19 +187,19 @@ class Wiass_REST_Delivery_Process_API {
 }
 }
- public static function upload_file($data){
+ public static function upload_file(WP_REST_Request $request){
 if (!is_user_logged_in()){
 return self::generate_error('You don\'t have permission to read this entry', 401);
 }
- $input_name = 'file';
- if (!$_FILES[$input_name]){
+ $files = $request->get_file_params();
+ if (!$files[self::FILE_KEY_NAME]){
 return self::generate_wiaas_response('NO_FILES_UPLOADED', 'error');
 }
-
- $entry = GFAPI::get_entry($data['entry_id']);
- if (!$entry['form_id']){
- return self::generate_wiaas_response('NOT_UPLOADED', 'error');
+
+ $entry = GFAPI::get_entry($request['entry_id']);
+ if (is_wp_error($entry)){
+ return self::generate_error('Customer acceptance entry not found', 404);
 }
 $form = GFAPI::get_form($entry['form_id']);
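Review bot: `in_array($status, self::ACCEPTABLE_STATUS)` on the last line of the hunk still compares loosely, and now that `$status` is read from `$request['actionType']` it can be a JSON-decoded non-string such as `true`, which loosely equals every non-empty label and so passes the allow-list while `$installation_declined` (strict `===`) stays false. Reject non-strings and match strictly: `if (!is_string($status) || !in_array($status, self::ACCEPTABLE_STATUS, true)){`. `$reason` is taken from the request without any normalisation; wherever it is written later (outside the hunk) it should go through `sanitize_text_field()` or be escaped on output. `submit_customer_acceptance` continues beyond the hunk.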
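Review bot: `if (!$files[self::FILE_KEY_NAME])` reads an array key that is absent whenever no file was sent, so the intended `NO_FILES_UPLOADED` response is preceded by an undefined-index notice; `if (empty($files[self::FILE_KEY_NAME]))` avoids that. The guard also ignores the upload's own status, so a partial or failed upload (non-zero `['error']`) is treated as present and reaches `move_uploaded_file` later; extend the same condition with `|| $files[self::FILE_KEY_NAME]['error'] !== UPLOAD_ERR_OK`. Replacing the `form_id` truthiness test with `is_wp_error($entry)` is the right fix; `upload_file` continues beyond the hunk.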
@@ -206,7 +210,7 @@ class Wiass_REST_Delivery_Process_API {
 GFCommon::recursive_add_index_file( $target_path );
 $upload_file_field = GFAPI::get_field($form['id'], self::UPLOADED_FILES_FIELD_ID);
- $file_name = $_FILES[$input_name]['name'];
+ $file_name = sanitize_file_name($files[self::FILE_KEY_NAME]['name']);
 $file_path_details = pathinfo($file_name);
 if ( GFCommon::file_name_has_disallowed_extension( $file_name ) ) {
@@ -221,7 +225,12 @@ class Wiass_REST_Delivery_Process_API {
 $new_file_name = $file_path_details['filename'] . '-' . time() . '.' . $file_path_details['extension'];
- if ( move_uploaded_file( $_FILES[$input_name]['tmp_name'], $target_path . $new_file_name ) ) {
+ // Bypasses security checks when running unit tests.
+ if ( defined( 'WP_TEST_IN_PROGRESS' ) && WP_TEST_IN_PROGRESS ) {
+ return self::generate_wiaas_response('FILE_UPLOADED', 'success');
+ }
+
+ if ( move_uploaded_file($files[self::FILE_KEY_NAME]['tmp_name'], $target_path . $new_file_name ) ) {
 GFFormsModel::set_permissions( $target_path . $new_file_name );
 } else {
 return self::generate_wiaas_response('INTERNAL_SERVER_ERROR', 'error');
@@ -232,7 +241,7 @@ class Wiass_REST_Delivery_Process_API {
 $path_parts = explode('/', $target_path);
 $relative_path = '';
- $i = count($path_parts) - 7;
+ $i = count($path_parts) - self::PATH_PARTS_TO_EXTRACT;
 while($i < count($path_parts)-1){
 $relative_path = $relative_path . $path_parts[$i] . '/';
 $i++;
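Review bot: `pathinfo($file_name)` on the line after the change returns no `extension` entry for a name without a dot, so the `$file_path_details['extension']` use in the next hunk raises an undefined-index notice and produces a target name ending in `.`; reject such names together with the disallowed-extension check, e.g. `if ( !isset( $file_path_details['extension'] ) || GFCommon::file_name_has_disallowed_extension( $file_name ) ) {`. The only content check visible in this hunk is that extension denylist; unless it happens further down, validating the real file type against its name with `wp_check_filetype_and_ext( $files[self::FILE_KEY_NAME]['tmp_name'], $file_name )` would reject content whose name alone looks acceptable. `sanitize_file_name` on the new line is a good addition.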
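Review bot: The `WP_TEST_IN_PROGRESS` early return answers `FILE_UPLOADED` without moving anything and skips everything after it (`set_permissions` and the relative-path build in the next hunk), so tests exercise less of `upload_file` than the comment implies, and a deployment that leaves that constant defined would quietly turn the endpoint into a no-op that claims success. Narrow the bypass to the one call that needs a real upload and let the rest run: `$moved = ( defined( 'WP_TEST_IN_PROGRESS' ) && WP_TEST_IN_PROGRESS ) || move_uploaded_file( $files[self::FILE_KEY_NAME]['tmp_name'], $target_path . $new_file_name );` followed by `if ( $moved ) {` (the `set_permissions` call inside may then need the same condition, since no file exists under test). The comment should also describe what is skipped, e.g. `// Under WP_TEST_IN_PROGRESS there is no real upload, so the move is assumed to succeed.`, rather than "bypasses security checks", because the extension check above still runs.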