fix(content-gate): prevent metering from bypassing account verification requirement#4459

Merged

miguelpeixe merged 2 commits into trunk from fix/content-gate-require-verification-metering on Feb 10, 2026

Conversation

@miguelpeixe
Member

@miguelpeixe miguelpeixe commented Feb 5, 2026

All Submissions:

Changes proposed in this Pull Request:

The logged-in metering strategy only checks whether the user is logged in to implement its logic, which can bypass the gate's verification requirement.

This PR adds a check to bail out metering when the gate requires verification, and the reader is not verified.

Also introduces unit tests for metering.

How to test the changes in this Pull Request:

  1. While on trunk, create a gate with:
    1. "Registered Access" without metering and require account verification
    2. "Paid Access" with metering
  2. In an anonymous session, navigate to a restricted article
  3. Register via the gate and confirm you unlock the article on refresh (paid access metering)
  4. Checkout this branch, refresh, and confirm the article remains gated
  5. Verify your account and confirm logged-in metering works

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?

@miguelpeixe miguelpeixe requested a review from a team as a code owner February 5, 2026 19:36
@miguelpeixe miguelpeixe requested review from Copilot and removed request for a team February 5, 2026 19:36
Contributor

Copilot AI left a comment


Pull request overview

This PR fixes a security issue where logged-in metering would bypass the account verification requirement. The fix adds a check to prevent metering from allowing access when the gate requires account verification but the reader has not verified their account.

Changes:

  • Added a new requires_account_verification() method to check if a gate requires account verification
  • Added a verification check in the metering logic to bail out when verification is required but not completed
  • Removed unused code (priority variable and comment)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                                          Description
includes/content-gate/class-content-gate.php  Adds a helper method to check if account verification is required for a gate
includes/content-gate/class-metering.php      Implements the verification check in logged-in metering logic and removes unused code

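As an added illustration of the behaviour the PR description and Copilot's summary above describe (this is not Newspack's code and not the diff from this PR), the following stand-alone PHP script contrasts a logged-in metering strategy that only checks login state with one that also honours the gate's verification requirement. Only the helper name requires_account_verification() and the two file names come from the page; the Gate and Reader classes, is_metering_enabled(), the function names and the constructed test cases are assumptions made for the illustration.

```php
<?php
// Added illustration of the fix described in this PR; not Newspack's own code.
// From the page: the helper name requires_account_verification() and the files
// class-content-gate.php / class-metering.php. Everything else (Gate, Reader,
// is_metering_enabled(), the function names) is assumed for the illustration.
declare(strict_types=1);

/** Stand-in for the gate configuration (assumed shape). */
final class Gate {
    public function __construct(
        private bool $metering_enabled,
        private bool $require_verification
    ) {}

    public function is_metering_enabled(): bool {
        return $this->metering_enabled;
    }

    /** Same name as the helper the PR adds to class-content-gate.php; body assumed. */
    public function requires_account_verification(): bool {
        return $this->require_verification;
    }
}

/** Stand-in for the current reader (assumed shape). */
final class Reader {
    public function __construct(
        public readonly bool $logged_in,
        public readonly bool $verified
    ) {}
}

/**
 * Before the fix: the logged-in metering strategy only asks whether the reader
 * is logged in, so a freshly registered, unverified account satisfies it and
 * metering unlocks an article the gate meant to hold until verification.
 */
function logged_in_metering_before(Gate $gate, Reader $reader): bool {
    return $gate->is_metering_enabled() && $reader->logged_in;
}

/**
 * After the fix: bail out of metering when the gate requires account
 * verification and the reader has not verified. The verification rule is
 * evaluated before any metering allowance is granted.
 */
function logged_in_metering_after(Gate $gate, Reader $reader): bool {
    if (!$gate->is_metering_enabled() || !$reader->logged_in) {
        return false;
    }
    if ($gate->requires_account_verification() && !$reader->verified) {
        return false;
    }
    return true;
}

/**
 * Table-driven checks in the spirit of the unit tests the PR adds (constructed
 * cases, not the PR's tests). Returns the names of the failing cases.
 */
function run_checks(): array {
    $strict = new Gate(true, true);  // metering on, verification required
    $loose  = new Gate(true, false); // metering on, verification not required
    $cases = [
        // name => [strategy, gate, reader, expected result]
        'before: unverified reader bypasses strict gate' => ['logged_in_metering_before', $strict, new Reader(true, false), true],
        'after: unverified reader stays gated'           => ['logged_in_metering_after',  $strict, new Reader(true, false), false],
        'after: verified reader is metered'              => ['logged_in_metering_after',  $strict, new Reader(true, true),  true],
        'after: anonymous reader stays gated'            => ['logged_in_metering_after',  $strict, new Reader(false, false), false],
        'after: unverified reader metered when not required' => ['logged_in_metering_after', $loose, new Reader(true, false), true],
    ];
    $failures = [];
    foreach ($cases as $name => [$fn, $gate, $reader, $expected]) {
        if ($fn($gate, $reader) !== $expected) {
            $failures[] = $name;
        }
    }
    return $failures;
}

$failures = run_checks();
echo $failures === [] ? "all checks passed\n" : 'failed: ' . implode(', ', $failures) . "\n";
```

The first case is deliberately the bug itself: the pre-fix strategy returns true for a logged-in but unverified reader on a gate that requires verification, which is exactly the bypass the test steps reproduce on trunk. The point of the ordering in logged_in_metering_after() is that the gate's verification requirement is a precondition that must be checked before a metering strategy is allowed to grant anything, regardless of which strategy is in play.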

@miguelpeixe miguelpeixe self-assigned this Feb 5, 2026
@miguelpeixe miguelpeixe added the [Status] Needs Review The issue or pull request needs to be reviewed label Feb 5, 2026
Contributor

@dkoo dkoo left a comment


Works! Tests look good too.

@github-actions github-actions bot added [Status] Approved The pull request has been reviewed and is ready to merge and removed [Status] Needs Review The issue or pull request needs to be reviewed labels Feb 9, 2026
@miguelpeixe miguelpeixe merged commit 90aed19 into trunk Feb 10, 2026
13 checks passed
@miguelpeixe miguelpeixe deleted the fix/content-gate-require-verification-metering branch February 10, 2026 15:28
@github-actions

Hey @miguelpeixe, good job getting this PR merged! 🎉

Now, the needs-changelog label has been added to it.

Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label.

If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label.

Thank you! ❤️

