Fix template switching showing too many templates and improve error handling #323
Conversation
- Add admin setting for minimum password strength (Medium, Strong, Super Strong) - Super Strong requires 12+ chars, uppercase, lowercase, numbers, and special characters - Integrate with WPMU DEV Defender Pro password rules when active - Add translatable strings using wp.i18n for password requirement hints - Create dedicated password.css with theme color fallbacks for page builders - Update password field templates to use new shared styles Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove wp.i18n dependency and helper method, read localized strings directly from settings.i18n object passed via wp_localize_script. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…UI improvements - Add Tracker class for anonymous usage data and error reporting (opt-in, disabled by default) - Update Logger to pass log level to wu_log_add action for better error filtering - Add WooCommerce Subscriptions compatibility to prevent staging mode on site duplication - Add Rating Notice Manager for user feedback collection - Add payment status polling and enhance integration JS files - Update setup wizard to show telemetry opt-in checkbox - Update readme.txt with usage tracking documentation - Various UI improvements to settings and thank-you pages Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backslash to special character regex for Defender Pro compatibility - Add null guards for i18n object in password strength JS - Fix pre-commit hook to only show success when lint-staged runs - Fix plugin slug in rating notice manager review URL - Send JSON response unconditionally in publish_pending_site for non-fastcgi - Remove unused enhance-integration and payment-status-poll JS files - Update changelog and version to 2.4.10 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…andling
- Filter template selection to only show templates allowed by the customer's plan
- Fix type comparison issues when validating template IDs (int vs string)
- Add proper error handling in JavaScript to show errors to users instead of infinite loading
- Fix typo in error message ("allow" -> "allowed")
Fixes #322
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdds opt‑in telemetry/usage tracker, password-strength UI and styling, WooCommerce Subscriptions compatibility, expanded pre-commit JS/CSS checks (lint-staged), improved template-switch error handling, a 30-day rating notice, many model META_* constant standardizations, and assorted UI, localization, and hook refinements. Changes
Sequence Diagram(s)sequenceDiagram
participant Tracker as "Tracker (WP_Ultimo\\Tracker)" rect rgba(56,138,112,0.5)
participant DB as "WP Options / DB" rect rgba(66,133,244,0.5)
participant Cron as "WP‑Cron" rect rgba(219,68,55,0.5)
participant API as "Telemetry API" rect rgba(244,180,0,0.5)
Tracker->>DB: init() — register hooks, store opts
Tracker->>Cron: create_weekly_schedule()
Cron-->>Tracker: weekly event triggers maybe_send_tracking_data()
alt tracking enabled & interval elapsed
Tracker->>DB: gather tracking data (env, plugins, usage)
Tracker->>API: send_to_api_async(data, "track")
API-->>Tracker: async response
Tracker->>DB: update last-send timestamp
end
Note right of API: Error telemetry sent via send_to_api_async(...,"error")
Estimated code review effort🎯 5 (Critical) | ⏱️ ~120 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
ultimate-multisite.php (1)
7-33: Keep header and docblock versions in sync.
The header is 2.4.10 but the docblock still says 2.4.9, which can confuse tooling/readers.✅ Suggested fix
- * `@version` 2.4.9 + * `@version` 2.4.10
🤖 Fix all issues with AI agents
In `@inc/class-tracker.php`:
- Around line 654-657: The is_wp_error branch in the tracker (the block calling
Logger::add when is_wp_error($response)) can re-trigger telemetry via the
wu_log_add action and maybe_send_error; to fix add a guard to prevent recursion:
modify the error handling so that when Logger::add is called from the tracker
you either (a) call Logger::add with a non-telemetry level (e.g. 'warning'
instead of 'error') or (b) pass/implement a flag/parameter to Logger::add to
suppress firing the wu_log_add action, or (c) implement a static/in-class
reentrancy guard in maybe_send_error (e.g. a private static $sending flag
checked/set before sending) and return early if already sending; update the
is_wp_error($response) branch to use one of these approaches and ensure the
guard symbol (maybe_send_error, Logger::add) is referenced so the change avoids
recursive calls.
In `@inc/managers/class-rating-notice-manager.php`:
- Around line 123-134: The review URL in add_rating_notice uses the wrong slug;
update the $review_url value to use the correct plugin slug "ultimate-multisite"
instead of "developer" (locate the $review_url variable in the add_rating_notice
method and replace
'https://wordpress.org/support/plugin/developer/reviews/#new-post' with
'https://wordpress.org/support/plugin/ultimate-multisite/reviews/#new-post').
In `@inc/models/class-domain.php`:
- Around line 545-560: The hook wu_domain_became_primary currently fires
immediately after scheduling wu_async_remove_old_primary_domains which can leave
listeners seeing multiple primaries; update the do_action call to include the
$old_primary_domains array as an additional parameter
(do_action('wu_domain_became_primary', $this, $this->blog_id, $was_new,
$old_primary_domains)) and update the docblock for wu_domain_became_primary in
class-domain.php to state that removal is scheduled asynchronously and that
$old_primary_domains lists the previously primary domains; alternatively, if you
prefer listeners to only see a single primary, move firing of do_action to after
the async removal completes, but prefer adding the extra $old_primary_domains
parameter and docblock note for backward-compatible behavior.
In `@readme.txt`:
- Line 243: Update the placeholder release date in the version header so it
contains the actual release date instead of "2026-01-XX"; locate the version
line containing "Version [2.4.10] - Released on 2026-01-XX" in readme.txt and
replace the "2026-01-XX" token with the real YYYY-MM-DD release date before
merging.
In `@views/settings/widget-settings-body.php`:
- Line 288: The external link using target="_blank" around the esc_html_e('Learn
more', 'ultimate-multisite') output must include rel="noopener noreferrer" to
prevent window.opener access; update the anchor element (the <a> tag that links
to https://developer.ultimatemultisite.com/privacy-policy/ and calls esc_html_e)
to add rel="noopener noreferrer" while keeping target="_blank".
🧹 Nitpick comments (10)
inc/class-addon-repository.php (2)
96-101: Good defensive check, butexpires_inis not validated.The guard for
access_tokenis a solid improvement. However,$response['expires_in']at line 99 is accessed without validation. If the API returns a malformed response withaccess_tokenbut missingexpires_in, this could trigger a PHP notice/warning.♻️ Suggested improvement
$response = json_decode($body, true); -if ( ! empty($response['access_token'])) { +if ( ! empty($response['access_token']) && isset($response['expires_in'])) { $access_token = $response['access_token']; set_transient('wu-access-token', $response['access_token'], $response['expires_in']); }Alternatively, provide a sensible default for
expires_in:$response = json_decode($body, true); if ( ! empty($response['access_token'])) { $access_token = $response['access_token']; - set_transient('wu-access-token', $response['access_token'], $response['expires_in']); + set_transient('wu-access-token', $response['access_token'], $response['expires_in'] ?? 3600); }
229-233: Inconsistent validation withget_access_token.The
save_access_tokenmethod directly accesses$response['access_token'],$response['expires_in'], and$response['refresh_token']without the same defensive checks added toget_access_token. A malformed API response could cause issues here as well.♻️ Suggested improvement
if (200 === absint($code) && 'OK' === $message) { $response = json_decode($body, true); - - set_transient('wu-access-token', $response['access_token'], $response['expires_in']); - wu_save_option('wu-refresh-token', $response['refresh_token']); + if ( ! empty($response['access_token']) && ! empty($response['refresh_token'])) { + set_transient('wu-access-token', $response['access_token'], $response['expires_in'] ?? 3600); + wu_save_option('wu-refresh-token', $response['refresh_token']); + } else { + wp_admin_notice( + __('Invalid response from UltimateMultisite.com.', 'ultimate-multisite'), + [ + 'type' => 'error', + 'dismissible' => true, + ] + ); + return; + } wp_admin_notice(views/dashboard-widgets/thank-you.php (1)
255-258: Use site-specific alt text for better accessibility.
Static alt text loses context when multiple sites are listed; consider including the site title.♻️ Proposed tweak
- alt="Thumbnail of Site" /> + alt="<?php echo esc_attr(sprintf(__('Thumbnail of %s', 'ultimate-multisite'), $site->get_title())); ?>" />inc/limits/class-site-template-limits.php (1)
180-182: Potential type mismatch in strictin_arraycomparison.The
$template_idis cast to(int)at line 164, but$available_templatesfromget_available_site_templates()may contain string values (array keys are typically strings). The strictin_array(..., true)comparison could fail due to type mismatch.Consider applying the same integer casting pattern used in
maybe_filter_template_selection_options:♻️ Suggested fix
} else { - $available_templates = $limits->site_templates->get_available_site_templates(); + $available_templates = array_map('intval', $limits->site_templates->get_available_site_templates()); return in_array($template_id, $available_templates, true); }inc/compat/class-woocommerce-subscriptions-compat.php (1)
62-75: Suppress or document unused parameters for hook signature compatibility.The
$domainand$was_newparameters are flagged as unused by static analysis, but they're required to match thewu_domain_became_primaryaction signature. Consider adding a suppression annotation or documenting the intent.📝 Suggested documentation
/** * Resets WooCommerce Subscriptions staging mode when a primary domain is set. * * `@since` 2.0.0 * - * `@param` \WP_Ultimo\Models\Domain $domain The domain that became primary. + * `@param` \WP_Ultimo\Models\Domain $domain The domain that became primary (unused, required for hook signature). * `@param` int $blog_id The blog ID of the affected site. - * `@param` bool $was_new Whether this is a newly created domain. + * `@param` bool $was_new Whether this is a newly created domain (unused, required for hook signature). * `@return` void + * + * `@SuppressWarnings`(PHPMD.UnusedFormalParameter) */ public function reset_staging_mode_on_primary_domain_change($domain, int $blog_id, bool $was_new): void {inc/admin-pages/class-email-template-customize-admin-page.php (1)
272-286: Consider adding hide_logo check to custom_logo visibility.The
custom_logofield's visibility condition (line 280) only checksuse_custom_logobut nothide_logo. If a user setsuse_custom_logo = true, then later setshide_logo = true, the custom logo selector would still be visible despite being irrelevant.♻️ Suggested enhancement
'custom_logo' => [ 'type' => 'image', 'stacked' => true, 'title' => __('Custom Logo', 'ultimate-multisite'), 'desc' => __('The custom logo is used in the email header, if HTML emails are used.', 'ultimate-multisite'), 'value' => $custom_logo, 'img' => $custom_logo_url, 'wrapper_html_attr' => [ - 'v-show' => 'require("tab", "header") && require("use_custom_logo", true)', + 'v-show' => 'require("tab", "header") && require("hide_logo", false) && require("use_custom_logo", true)', 'v-cloak' => 1, ],views/broadcast/emails/base.php (1)
17-21: Duplicate ABSPATH check.Line 17 already exits if
ABSPATHis not defined. The check at lines 19-21 is redundant and can be removed.🧹 Suggested fix
defined('ABSPATH') || exit; - -if ( ! defined('ABSPATH')) { - exit; // Exit if accessed directly -}inc/class-tracker.php (2)
607-625: Good PII sanitization, but consider additional patterns.The sanitization covers common PII (paths, URLs, emails, IPs). Consider whether database table names, usernames, or API keys might appear in error messages and need redaction.
463-467: Broad pattern match may capture unrelated errors.The check for
'wu-'in the file path is quite generic and could match files from unrelated plugins (e.g.,wu-something.phpin another plugin). Consider using a more specific pattern like checking for the plugin directory.🛡️ Suggested improvement
-if (strpos($error_file, 'ultimate-multisite') === false && - strpos($error_file, 'wp-multisite-waas') === false && - strpos($error_file, 'wu-') === false) { +$plugin_indicators = ['ultimate-multisite', 'wp-multisite-waas', 'wp-ultimo']; +$is_plugin_error = false; +foreach ($plugin_indicators as $indicator) { + if (strpos($error_file, $indicator) !== false) { + $is_plugin_error = true; + break; + } +} +if (!$is_plugin_error) { return $should_handle; }assets/css/password.css (1)
76-78: Consider documenting the!importantoverride rationale.The
!importantonpadding-rightis likely needed to override form framework styles that may set their own padding. Consider adding a brief comment explaining why this override is necessary for maintainability.Suggested comment
/** * Password input with space for toggle. + * + * Uses !important to ensure space for toggle button + * regardless of form framework padding rules. */ .wu-password-input { padding-right: 40px !important; }
| do_action('wu_async_remove_old_primary_domains', $old_primary_domains); | ||
|
|
||
| /** | ||
| * Fires when a domain becomes the primary domain for a site. | ||
| * | ||
| * This action is triggered when a domain's primary_domain flag is set to true, | ||
| * either when creating a new primary domain or when updating an existing domain | ||
| * to become primary. | ||
| * | ||
| * @since 2.0.0 | ||
| * | ||
| * @param \WP_Ultimo\Models\Domain $domain The domain that became primary. | ||
| * @param int $blog_id The blog ID of the affected site. | ||
| * @param bool $was_new Whether this is a newly created domain. | ||
| */ | ||
| do_action('wu_domain_became_primary', $this, $this->blog_id, $was_new); |
There was a problem hiding this comment.
Clarify hook timing vs. async removal of old primaries.
wu_domain_became_primary fires right after scheduling wu_async_remove_old_primary_domains, so listeners may still see multiple primaries. Either move the hook to after actual removal completes, or document that removal is pending (and/or pass $old_primary_domains).
📝 Suggested doc/param tweak
- /**
- * Fires when a domain becomes the primary domain for a site.
- *
- * This action is triggered when a domain's primary_domain flag is set to true,
- * either when creating a new primary domain or when updating an existing domain
- * to become primary.
- *
- * `@since` 2.0.0
- *
- * `@param` \WP_Ultimo\Models\Domain $domain The domain that became primary.
- * `@param` int $blog_id The blog ID of the affected site.
- * `@param` bool $was_new Whether this is a newly created domain.
- */
- do_action('wu_domain_became_primary', $this, $this->blog_id, $was_new);
+ /**
+ * Fires when a domain is marked as primary for a site.
+ *
+ * Note: old primary domains are scheduled for async removal and may still
+ * be present at this point.
+ *
+ * `@since` 2.0.0
+ *
+ * `@param` \WP_Ultimo\Models\Domain $domain The domain that became primary.
+ * `@param` int $blog_id The blog ID of the affected site.
+ * `@param` bool $was_new Whether this is a newly created domain.
+ * `@param` array $old_primary_domains IDs scheduled for removal.
+ */
+ do_action('wu_domain_became_primary', $this, $this->blog_id, $was_new, $old_primary_domains);📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| do_action('wu_async_remove_old_primary_domains', $old_primary_domains); | |
| /** | |
| * Fires when a domain becomes the primary domain for a site. | |
| * | |
| * This action is triggered when a domain's primary_domain flag is set to true, | |
| * either when creating a new primary domain or when updating an existing domain | |
| * to become primary. | |
| * | |
| * @since 2.0.0 | |
| * | |
| * @param \WP_Ultimo\Models\Domain $domain The domain that became primary. | |
| * @param int $blog_id The blog ID of the affected site. | |
| * @param bool $was_new Whether this is a newly created domain. | |
| */ | |
| do_action('wu_domain_became_primary', $this, $this->blog_id, $was_new); | |
| do_action('wu_async_remove_old_primary_domains', $old_primary_domains); | |
| /** | |
| * Fires when a domain is marked as primary for a site. | |
| * | |
| * Note: old primary domains are scheduled for async removal and may still | |
| * be present at this point. | |
| * | |
| * `@since` 2.0.0 | |
| * | |
| * `@param` \WP_Ultimo\Models\Domain $domain The domain that became primary. | |
| * `@param` int $blog_id The blog ID of the affected site. | |
| * `@param` bool $was_new Whether this is a newly created domain. | |
| * `@param` array $old_primary_domains IDs scheduled for removal. | |
| */ | |
| do_action('wu_domain_became_primary', $this, $this->blog_id, $was_new, $old_primary_domains); |
🤖 Prompt for AI Agents
In `@inc/models/class-domain.php` around lines 545 - 560, The hook
wu_domain_became_primary currently fires immediately after scheduling
wu_async_remove_old_primary_domains which can leave listeners seeing multiple
primaries; update the do_action call to include the $old_primary_domains array
as an additional parameter (do_action('wu_domain_became_primary', $this,
$this->blog_id, $was_new, $old_primary_domains)) and update the docblock for
wu_domain_became_primary in class-domain.php to state that removal is scheduled
asynchronously and that $old_primary_domains lists the previously primary
domains; alternatively, if you prefer listeners to only see a single primary,
move firing of do_action to after the async removal completes, but prefer adding
the extra $old_primary_domains parameter and docblock note for
backward-compatible behavior.
|
|
||
| == Changelog == | ||
|
|
||
| Version [2.4.10] - Released on 2026-01-XX |
There was a problem hiding this comment.
Placeholder date should be updated before release.
The version date 2026-01-XX contains a placeholder. Ensure this is updated to the actual release date before merging to main.
🤖 Prompt for AI Agents
In `@readme.txt` at line 243, Update the placeholder release date in the version
header so it contains the actual release date instead of "2026-01-XX"; locate
the version line containing "Version [2.4.10] - Released on 2026-01-XX" in
readme.txt and replace the "2026-01-XX" token with the real YYYY-MM-DD release
date before merging.
| manually report anything. No sensitive data gets collected, only environmental stuff (e.g. if this is | ||
| this is a subdomain network, etc). | ||
| <?php esc_html_e('Allow Ultimate Multisite to collect anonymous usage data and error reports to help us improve the plugin. We collect: PHP version, WordPress version, plugin version, network type, aggregate counts, active gateways, and error logs. We never collect personal data, customer information, or domain names.', 'ultimate-multisite'); ?> | ||
| <a href="https://developer.ultimatemultisite.com/privacy-policy/" target="_blank"><?php esc_html_e('Learn more', 'ultimate-multisite'); ?></a>. |
There was a problem hiding this comment.
Add rel="noopener noreferrer" to external link for security.
External links with target="_blank" should include rel="noopener noreferrer" to prevent the opened page from accessing window.opener.
Proposed fix
- <a href="https://developer.ultimatemultisite.com/privacy-policy/" target="_blank"><?php esc_html_e('Learn more', 'ultimate-multisite'); ?></a>.
+ <a href="https://developer.ultimatemultisite.com/privacy-policy/" target="_blank" rel="noopener noreferrer"><?php esc_html_e('Learn more', 'ultimate-multisite'); ?></a>.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| <a href="https://developer.ultimatemultisite.com/privacy-policy/" target="_blank"><?php esc_html_e('Learn more', 'ultimate-multisite'); ?></a>. | |
| <a href="https://developer.ultimatemultisite.com/privacy-policy/" target="_blank" rel="noopener noreferrer"><?php esc_html_e('Learn more', 'ultimate-multisite'); ?></a>. |
🤖 Prompt for AI Agents
In `@views/settings/widget-settings-body.php` at line 288, The external link using
target="_blank" around the esc_html_e('Learn more', 'ultimate-multisite') output
must include rel="noopener noreferrer" to prevent window.opener access; update
the anchor element (the <a> tag that links to
https://developer.ultimatemultisite.com/privacy-policy/ and calls esc_html_e) to
add rel="noopener noreferrer" while keeping target="_blank".
The previous commit replaced the PHP quality checks (PHPCS, PHPStan) with JS/CSS linting instead of adding to them. This restores the original PHP checks and properly integrates the new lint-staged functionality. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @.githooks/pre-commit:
- Around line 23-25: The for-loops iterate unquoted STAGED_PHP_FILES and
STAGED_JS_CSS_FILES, causing word-splitting on filenames with whitespace;
replace the current pipeline with NUL-delimited output (use git diff --name-only
--diff-filter=ACM -z) and populate bash arrays (e.g., readarray -d ''
STAGED_PHP_FILES_ARRAY or while IFS= read -r -d '' f; do ...; done) then iterate
using quoted array expansion (for f in "${STAGED_PHP_FILES_ARRAY[@]}"; do ...)
and ensure all expansions of these variables are quoted to safely handle
filenames with spaces or special characters.
| # Get list of staged PHP files | ||
| STAGED_PHP_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.php$' | grep -v '^vendor/' | grep -v '^tests/' || true) | ||
|
|
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .githooks/pre-commitRepository: Multisite-Ultimate/ultimate-multisite
Length of output: 6114
🏁 Script executed:
git ls-files | awk '/[[:space:]]/'Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 63
Use quoted variable expansion and bash arrays for safer filename handling.
The unquoted $STAGED_PHP_FILES and $STAGED_JS_CSS_FILES variables in for loops (lines 40, 54, 73, 88, 95) will split on whitespace. While your repository currently has no tracked files with whitespace, this remains a best practice issue for robustness. Consider using NUL-delimited lists with arrays as shown in the proposed fix to handle any filenames safely.
🤖 Prompt for AI Agents
In @.githooks/pre-commit around lines 23 - 25, The for-loops iterate unquoted
STAGED_PHP_FILES and STAGED_JS_CSS_FILES, causing word-splitting on filenames
with whitespace; replace the current pipeline with NUL-delimited output (use git
diff --name-only --diff-filter=ACM -z) and populate bash arrays (e.g., readarray
-d '' STAGED_PHP_FILES_ARRAY or while IFS= read -r -d '' f; do ...; done) then
iterate using quoted array expansion (for f in "${STAGED_PHP_FILES_ARRAY[@]}";
do ...) and ensure all expansions of these variables are quoted to safely handle
filenames with spaces or special characters.
Replace string literal meta keys with class constants across all model classes. This prevents bugs like the broken 'wu_available_addons' key that was accidentally split across lines, causing product addon saving to fail. Models updated: Product, Customer, Membership, Site, Payment, Discount_Code, Checkout_Form, Broadcast, Email Also fixes empty available_addons handling in Product edit admin page. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@inc/debug/class-debug.php`:
- Around line 71-78: The anchor for "Pages" uses
wu_network_admin_url('wp-ultimo-debug-pages') but fails to echo and escape it,
leaving href empty; update the anchor in class-debug.php to echo esc_url(
wu_network_admin_url('wp-ultimo-debug-pages') ) so the returned URL is printed
and properly escaped (match the pattern used for the other links in this
method).
🧹 Nitpick comments (1)
inc/managers/class-rating-notice-manager.php (1)
77-88: Consider explicit integer cast for timestamp calculation.The
$installation_timestampretrieved from the network option might be stored as a string. While this works due to PHP's type juggling, an explicit cast improves clarity and robustness.♻️ Suggested improvement
protected function should_show_notice(): bool { $installation_timestamp = get_network_option(null, \WP_Ultimo::NETWORK_OPTION_SETUP_FINISHED); if (empty($installation_timestamp)) { return false; } - $days_since_installation = (time() - $installation_timestamp) / DAY_IN_SECONDS; + $days_since_installation = (time() - (int) $installation_timestamp) / DAY_IN_SECONDS; return $days_since_installation >= self::DAYS_BEFORE_NOTICE; }
| <a | ||
| href="<?php wu_network_admin_url('wp-ultimo-debug-pages'); ?>" | ||
| class="wu-ml-2 wu-no-underline wu-text-gray-600" | ||
| title="<?php esc_html_e('Pages', 'ultimate-multisite'); ?>" | ||
| > | ||
| <span class="dashicons-wu-documents"></span> | ||
| <?php esc_html_e('Pages', 'ultimate-multisite'); ?> | ||
| </a> |
There was a problem hiding this comment.
Missing echo causes empty href attribute.
wu_network_admin_url() returns a URL string but it's not being echoed. This will result in a broken link with an empty href. Also missing esc_url() for proper output escaping, unlike the other links in this method.
🐛 Proposed fix
<a
- href="<?php wu_network_admin_url('wp-ultimo-debug-pages'); ?>"
+ href="<?php echo esc_url(wu_network_admin_url('wp-ultimo-debug-pages')); ?>"
class="wu-ml-2 wu-no-underline wu-text-gray-600"
title="<?php esc_html_e('Pages', 'ultimate-multisite'); ?>"
>📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| <a | |
| href="<?php wu_network_admin_url('wp-ultimo-debug-pages'); ?>" | |
| class="wu-ml-2 wu-no-underline wu-text-gray-600" | |
| title="<?php esc_html_e('Pages', 'ultimate-multisite'); ?>" | |
| > | |
| <span class="dashicons-wu-documents"></span> | |
| <?php esc_html_e('Pages', 'ultimate-multisite'); ?> | |
| </a> | |
| <a | |
| href="<?php echo esc_url(wu_network_admin_url('wp-ultimo-debug-pages')); ?>" | |
| class="wu-ml-2 wu-no-underline wu-text-gray-600" | |
| title="<?php esc_html_e('Pages', 'ultimate-multisite'); ?>" | |
| > | |
| <span class="dashicons-wu-documents"></span> | |
| <?php esc_html_e('Pages', 'ultimate-multisite'); ?> | |
| </a> |
🤖 Prompt for AI Agents
In `@inc/debug/class-debug.php` around lines 71 - 78, The anchor for "Pages" uses
wu_network_admin_url('wp-ultimo-debug-pages') but fails to echo and escape it,
leaving href empty; update the anchor in class-debug.php to echo esc_url(
wu_network_admin_url('wp-ultimo-debug-pages') ) so the returned URL is printed
and properly escaped (match the pattern used for the other links in this
method).
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In `@inc/class-tracker.php`:
- Around line 468-519: The local variable $error_message in
customize_fatal_error_message is assigned but never used; remove the unused
assignment to eliminate the PHPMD warning (delete the sprintf(...) assignment
that creates $error_message inside customize_fatal_error_message) and keep the
subsequent prepare_error_data(...) and send_to_api(...) calls unchanged so
behavior is preserved.
In `@inc/tax/class-tax.php`:
- Around line 35-39: The admin page is always registered but the AJAX handlers
for wp_ajax_wu_get_tax_rates and wp_ajax_wu_save_tax_rates are only added when
$this->is_enabled(), causing the UI to break when taxes are disabled; fix by
registering the AJAX handlers unconditionally (move the add_action calls for the
handlers out of the is_enabled() branch) so the methods that serve GET and SAVE
(e.g., serve_taxes_rates_via_ajax and the method bound to
wp_ajax_wu_save_tax_rates) are always hooked, or alternatively add UI gating in
tax-rates.js to disable/avoid AJAX calls when $this->is_enabled() is false.
In `@views/taxes/list.php`:
- Line 9: The view is directly calling wu_get_setting('enable_taxes') which
bypasses the wu_enable_taxes filter used by WP_Ultimo\Tax\Tax::is_enabled(), so
update the logic that sets $taxes_enabled to use the same enablement check as
the runtime (either call Tax::is_enabled() or apply the wu_enable_taxes filter
around the setting) to ensure the UI notice in views/taxes/list.php reflects
actual Tax::is_enabled() behavior.
| public function customize_fatal_error_message(string $message, array $error): string { | ||
|
|
||
| // Only customize for errors related to Ultimate Multisite | ||
| $error_file = $error['file'] ?? ''; | ||
|
|
||
| if (strpos($error_file, 'ultimate-multisite') === false && | ||
| strpos($error_file, 'wp-multisite-waas') === false) { | ||
| return $message; | ||
| } | ||
|
|
||
| $custom_message = __('There has been a critical error on this site.', 'ultimate-multisite'); | ||
|
|
||
| if (is_multisite()) { | ||
| $custom_message .= ' ' . __('Please contact your network administrator for assistance.', 'ultimate-multisite'); | ||
| } | ||
|
|
||
| // Get network admin email if available | ||
| $admin_email = wu_get_setting('company_email', get_site_option('admin_email', '')); | ||
|
|
||
| if ($admin_email && is_multisite()) { | ||
| $custom_message .= ' ' . sprintf( | ||
| /* translators: %s is the admin email address */ | ||
| __('You can reach them at %s.', 'ultimate-multisite'), | ||
| '<a href="mailto:' . esc_attr($admin_email) . '">' . esc_html($admin_email) . '</a>' | ||
| ); | ||
| } | ||
|
|
||
| $error_details = $this->build_error_details($error); | ||
|
|
||
| // Link to support for super admins, main site for regular users | ||
| if (is_super_admin()) { | ||
| $support_url = $this->build_support_url($error_details, $admin_email); | ||
| $message = $this->build_admin_error_message($custom_message, $error_details, $support_url); | ||
| } else { | ||
| $home_url = network_home_url('/'); | ||
| $message = $this->build_user_error_message($custom_message, $home_url); | ||
| } | ||
|
|
||
| if ($this->is_tracking_enabled() && str_contains($error_file, 'ultimate-multisite')) { | ||
| $error_message = sprintf( | ||
| '[PHP %s] %s in %s on line %d', | ||
| $this->get_error_type_name($error['type'] ?? 0), | ||
| $error['message'] ?? 'Unknown error', | ||
| $error['file'] ?? 'unknown', | ||
| $error['line'] ?? 0 | ||
| ); | ||
|
|
||
| $error_data = $this->prepare_error_data('fatal', $error_details['full'], \Psr\Log\LogLevel::CRITICAL); | ||
|
|
||
| // Send synchronously since we're about to die | ||
| $this->send_to_api($error_data, 'error'); | ||
| } |
There was a problem hiding this comment.
Remove unused $error_message variable.
Line 507 defines $error_message but it’s never used (also flagged by PHPMD).
🧹 Proposed fix
- $error_message = sprintf(
- '[PHP %s] %s in %s on line %d',
- $this->get_error_type_name($error['type'] ?? 0),
- $error['message'] ?? 'Unknown error',
- $error['file'] ?? 'unknown',
- $error['line'] ?? 0
- );
-
$error_data = $this->prepare_error_data('fatal', $error_details['full'], \Psr\Log\LogLevel::CRITICAL);📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| public function customize_fatal_error_message(string $message, array $error): string { | |
| // Only customize for errors related to Ultimate Multisite | |
| $error_file = $error['file'] ?? ''; | |
| if (strpos($error_file, 'ultimate-multisite') === false && | |
| strpos($error_file, 'wp-multisite-waas') === false) { | |
| return $message; | |
| } | |
| $custom_message = __('There has been a critical error on this site.', 'ultimate-multisite'); | |
| if (is_multisite()) { | |
| $custom_message .= ' ' . __('Please contact your network administrator for assistance.', 'ultimate-multisite'); | |
| } | |
| // Get network admin email if available | |
| $admin_email = wu_get_setting('company_email', get_site_option('admin_email', '')); | |
| if ($admin_email && is_multisite()) { | |
| $custom_message .= ' ' . sprintf( | |
| /* translators: %s is the admin email address */ | |
| __('You can reach them at %s.', 'ultimate-multisite'), | |
| '<a href="mailto:' . esc_attr($admin_email) . '">' . esc_html($admin_email) . '</a>' | |
| ); | |
| } | |
| $error_details = $this->build_error_details($error); | |
| // Link to support for super admins, main site for regular users | |
| if (is_super_admin()) { | |
| $support_url = $this->build_support_url($error_details, $admin_email); | |
| $message = $this->build_admin_error_message($custom_message, $error_details, $support_url); | |
| } else { | |
| $home_url = network_home_url('/'); | |
| $message = $this->build_user_error_message($custom_message, $home_url); | |
| } | |
| if ($this->is_tracking_enabled() && str_contains($error_file, 'ultimate-multisite')) { | |
| $error_message = sprintf( | |
| '[PHP %s] %s in %s on line %d', | |
| $this->get_error_type_name($error['type'] ?? 0), | |
| $error['message'] ?? 'Unknown error', | |
| $error['file'] ?? 'unknown', | |
| $error['line'] ?? 0 | |
| ); | |
| $error_data = $this->prepare_error_data('fatal', $error_details['full'], \Psr\Log\LogLevel::CRITICAL); | |
| // Send synchronously since we're about to die | |
| $this->send_to_api($error_data, 'error'); | |
| } | |
| public function customize_fatal_error_message(string $message, array $error): string { | |
| // Only customize for errors related to Ultimate Multisite | |
| $error_file = $error['file'] ?? ''; | |
| if (strpos($error_file, 'ultimate-multisite') === false && | |
| strpos($error_file, 'wp-multisite-waas') === false) { | |
| return $message; | |
| } | |
| $custom_message = __('There has been a critical error on this site.', 'ultimate-multisite'); | |
| if (is_multisite()) { | |
| $custom_message .= ' ' . __('Please contact your network administrator for assistance.', 'ultimate-multisite'); | |
| } | |
| // Get network admin email if available | |
| $admin_email = wu_get_setting('company_email', get_site_option('admin_email', '')); | |
| if ($admin_email && is_multisite()) { | |
| $custom_message .= ' ' . sprintf( | |
| /* translators: %s is the admin email address */ | |
| __('You can reach them at %s.', 'ultimate-multisite'), | |
| '<a href="mailto:' . esc_attr($admin_email) . '">' . esc_html($admin_email) . '</a>' | |
| ); | |
| } | |
| $error_details = $this->build_error_details($error); | |
| // Link to support for super admins, main site for regular users | |
| if (is_super_admin()) { | |
| $support_url = $this->build_support_url($error_details, $admin_email); | |
| $message = $this->build_admin_error_message($custom_message, $error_details, $support_url); | |
| } else { | |
| $home_url = network_home_url('/'); | |
| $message = $this->build_user_error_message($custom_message, $home_url); | |
| } | |
| if ($this->is_tracking_enabled() && str_contains($error_file, 'ultimate-multisite')) { | |
| $error_data = $this->prepare_error_data('fatal', $error_details['full'], \Psr\Log\LogLevel::CRITICAL); | |
| // Send synchronously since we're about to die | |
| $this->send_to_api($error_data, 'error'); | |
| } |
🧰 Tools
🪛 PHPMD (2.15.0)
507-507: Avoid unused local variables such as '$error_message'. (undefined)
(UnusedLocalVariable)
🤖 Prompt for AI Agents
In `@inc/class-tracker.php` around lines 468 - 519, The local variable
$error_message in customize_fatal_error_message is assigned but never used;
remove the unused assignment to eliminate the PHPMD warning (delete the
sprintf(...) assignment that creates $error_message inside
customize_fatal_error_message) and keep the subsequent prepare_error_data(...)
and send_to_api(...) calls unchanged so behavior is preserved.
| // Always register the Tax Rates admin page so users can manage rates even when taxes are disabled. | ||
| add_action('wp_ultimo_admin_pages', [$this, 'add_admin_page']); | ||
|
|
||
| if ($this->is_enabled()) { | ||
| add_action('wp_ajax_wu_get_tax_rates', [$this, 'serve_taxes_rates_via_ajax']); |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# First, locate and examine the tax class file
find . -name "class-tax.php" -path "*/tax/*" | head -5Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 104
🏁 Script executed:
# Once found, let's read the relevant section
cat -n inc/tax/class-tax.php | head -80Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 2438
🏁 Script executed:
# Search for wp_ajax_wu_save_tax_rates to find if it's conditionally registered elsewhere
rg "wp_ajax_wu_save_tax_rates|wp_ajax_wu_get_tax_rates" --type php -B 2 -A 2Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 436
🏁 Script executed:
# Find the admin page implementation to understand if it uses AJAX
fd -e php -path "*/tax/*" | xargs rg "add_admin_page|serve_taxes_rates_via_ajax|save_taxes_rates" -lRepository: Multisite-Ultimate/ultimate-multisite
Length of output: 288
🏁 Script executed:
# Find the add_admin_page method in the Tax class
rg "public function add_admin_page" -A 30 inc/tax/class-tax.phpRepository: Multisite-Ultimate/ultimate-multisite
Length of output: 650
🏁 Script executed:
# Search for tax rates admin page files in common locations
find . -name "*tax*" -name "*.php" | grep -E "(admin|page)" | head -20Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 129
🏁 Script executed:
# Search for references to wp_ajax_wu_get_tax_rates and wp_ajax_wu_save_tax_rates in the codebase
rg "wp_ajax_wu_get_tax_rates|wp_ajax_wu_save_tax_rates" --type php -B 3 -A 3Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 577
🏁 Script executed:
# Examine the Tax Rates admin page implementation
cat -n inc/admin-pages/class-tax-rates-admin-page.php | head -150Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 4757
🏁 Script executed:
# Search for AJAX calls within the admin page file
rg "wp_ajax_wu_get_tax_rates|wp_ajax_wu_save_tax_rates|fetch|ajax" inc/admin-pages/class-tax-rates-admin-page.php -iRepository: Multisite-Ultimate/ultimate-multisite
Length of output: 63
🏁 Script executed:
# Find the tax-rates.js file
find . -name "tax-rates.js" -o -name "*tax*rates*.js"Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 134
🏁 Script executed:
# Look for the asset file, check wu_get_asset function
rg "tax-rates.js|function wu_get_asset" --type php -B 2 -A 5 | head -50Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 1179
🏁 Script executed:
# Search for where assets are typically stored
find . -type d -name "js" -o -type d -name "assets" -o -type d -name "dist" | head -10Repository: Multisite-Ultimate/ultimate-multisite
Length of output: 214
🏁 Script executed:
# Read the tax-rates.js file to see if it calls the AJAX endpoints
cat -n assets/js/tax-rates.jsRepository: Multisite-Ultimate/ultimate-multisite
Length of output: 11191
🏁 Script executed:
# Also check the minified version for completeness
wc -l assets/js/tax-rates.js assets/js/tax-rates.min.jsRepository: Multisite-Ultimate/ultimate-multisite
Length of output: 154
Admin page always registered, but AJAX handlers remain gated by is_enabled().
The Tax Rates page now loads when taxes are disabled, but the JavaScript calls wp_ajax_wu_get_tax_rates (line 226 of tax-rates.js) and wp_ajax_wu_save_tax_rates (line 340 of tax-rates.js), which are only registered when is_enabled() is true. This will cause the UI to fail when loading or saving rates while taxes are disabled. If the intent is to allow rate management when disabled, register those AJAX handlers unconditionally or gate the UI to prevent interaction.
🤖 Prompt for AI Agents
In `@inc/tax/class-tax.php` around lines 35 - 39, The admin page is always
registered but the AJAX handlers for wp_ajax_wu_get_tax_rates and
wp_ajax_wu_save_tax_rates are only added when $this->is_enabled(), causing the
UI to break when taxes are disabled; fix by registering the AJAX handlers
unconditionally (move the add_action calls for the handlers out of the
is_enabled() branch) so the methods that serve GET and SAVE (e.g.,
serve_taxes_rates_via_ajax and the method bound to wp_ajax_wu_save_tax_rates)
are always hooked, or alternatively add UI gating in tax-rates.js to
disable/avoid AJAX calls when $this->is_enabled() is false.
| */ | ||
| defined('ABSPATH') || exit; | ||
|
|
||
| $taxes_enabled = wu_get_setting('enable_taxes', false); |
There was a problem hiding this comment.
Use the same enablement logic as Tax::is_enabled().
wu_get_setting('enable_taxes') bypasses the wu_enable_taxes filter used in WP_Ultimo\Tax\Tax::is_enabled(), so the notice can disagree with actual runtime enablement. Consider applying the filter (or calling the helper) to keep UI and behavior aligned. (Line 9)
🔧 Suggested tweak
-$taxes_enabled = wu_get_setting('enable_taxes', false);
+$taxes_enabled = apply_filters('wu_enable_taxes', wu_get_setting('enable_taxes', false));📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| $taxes_enabled = wu_get_setting('enable_taxes', false); | |
| $taxes_enabled = apply_filters('wu_enable_taxes', wu_get_setting('enable_taxes', false)); |
🤖 Prompt for AI Agents
In `@views/taxes/list.php` at line 9, The view is directly calling
wu_get_setting('enable_taxes') which bypasses the wu_enable_taxes filter used by
WP_Ultimo\Tax\Tax::is_enabled(), so update the logic that sets $taxes_enabled to
use the same enablement check as the runtime (either call Tax::is_enabled() or
apply the wu_enable_taxes filter around the setting) to ensure the UI notice in
views/taxes/list.php reflects actual Tax::is_enabled() behavior.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@readme.txt`:
- Around line 243-251: Update the Version [2.4.10] changelog entry in readme.txt
to reflect PR `#323` and fixes `#322`: replace the unrelated
password/telemetry/WooCommerce items with concise bullets describing the actual
fixes — e.g., "Fixed: template filtering by plan", "Fixed: type comparison for
template IDs", "Fixed: JavaScript error handling during template switching", and
"Fixed: typo in [relevant identifier]" — and replace the placeholder release
date `2026-01-XX` with the actual release date before merging.
| Version [2.4.10] - Released on 2026-01-XX | ||
| - New: Configurable minimum password strength setting with Medium, Strong, and Super Strong options. | ||
| - New: Super Strong password requirements include 12+ characters, uppercase, lowercase, numbers, and special characters - compatible with WPMU DEV Defender Pro rules. | ||
| - New: Real-time password requirement hints during checkout with translatable strings. | ||
| - New: Themed password field styling with visibility toggle and color fallbacks for page builders (Elementor, Kadence, Beaver Builder). | ||
| - New: Opt-in anonymous usage tracking to help improve the plugin. | ||
| - New: Rating reminder notice after 30 days of installation. | ||
| - New: WooCommerce Subscriptions compatibility layer for site duplication. | ||
| - Improved: JSON response handling for pending site creation in non-FastCGI environments. |
There was a problem hiding this comment.
Critical inconsistency: Changelog doesn't match PR objectives.
This PR (#323) is intended to fix template switching issues (fixes #322), but the changelog entries describe completely different features:
- PR fixes: Template filtering by plan, type comparison for template IDs, JavaScript error handling, and a typo
- Changelog describes: Password strength settings, telemetry, rating notices, WooCommerce compatibility
The changelog appears to document a different set of changes that aren't part of this PR. Ensure the changelog accurately reflects the template switching fixes and error handling improvements mentioned in the PR objectives.
Note: The placeholder date 2026-01-XX on line 243 should also be updated before release, as previously flagged.
🤖 Prompt for AI Agents
In `@readme.txt` around lines 243 - 251, Update the Version [2.4.10] changelog
entry in readme.txt to reflect PR `#323` and fixes `#322`: replace the unrelated
password/telemetry/WooCommerce items with concise bullets describing the actual
fixes — e.g., "Fixed: template filtering by plan", "Fixed: type comparison for
template IDs", "Fixed: JavaScript error handling during template switching", and
"Fixed: typo in [relevant identifier]" — and replace the placeholder release
date `2026-01-XX` with the actual release date before merging.
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
Summary
Test plan
Fixes #322
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Improvements
Settings
✏️ Tip: You can customize this high-level summary in your review settings.