Fix course structure API exposing the lesson AI generated bootstrap text#7869

Merged
m1r0 merged 2 commits into trunk from fix/course-structure-exposing-lesson-initial-content
Dec 2, 2025

Conversation

m1r0 (Member) commented Dec 2, 2025

Resolves SEN-28

Proposed Changes

The course structure API returns the lesson AI-generated text (the _initial_content post meta) to unauthorized users. This text is generated when using Sensei Pro to generate the course and lesson content. Note that the meta is never updated with the real lesson content, so this is not a security issue.

Testing Instructions

  1. Have Sensei LMS and Sensei Pro.
  2. Generate a course using the AI feature.
  3. Run curl https://sensei.test/wp-json/sensei-internal/v1/course-structure/[COURSE POST ID]?context=view
  4. Make sure the initialContent from the response is empty.

Pre-Merge Checklist

  • PR title and description contain sufficient detail and accurately describe the changes
  • Adheres to coding standards (PHP, JavaScript, CSS, HTML)
  • All strings are translatable (without concatenation, handles plurals)
  • Follows our naming conventions (P6rkRX-4oA-p2)
  • Hooks (p6rkRX-1uS-p2) and functions are documented
  • New UIs are responsive and use a mobile-first approach
  • Code is tested on the minimum supported PHP and WordPress versions

@m1r0 m1r0 self-assigned this Dec 2, 2025
Copilot AI review requested due to automatic review settings December 2, 2025 13:38
@m1r0 m1r0 added this to the 4.25.2 milestone Dec 2, 2025
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes an issue where the course structure API was exposing lesson AI-generated bootstrap text (_initial_content post meta) to unauthorized users. The fix adds a capability check to ensure only users with edit_lesson permission can see this content.

Key Changes:

  • Added capability check in prepare_lesson() to restrict initialContent visibility to authorized users
  • Updated PHPCS configuration to whitelist edit_lesson and edit_lessons capabilities

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • includes/class-sensei-course-structure.php: Added current_user_can('edit_lesson') check before returning initialContent to prevent unauthorized access
  • phpcs.xml.dist: Whitelisted edit_lesson and edit_lessons capabilities for PHPCS validation
  • changelog/fix-course-structure-exposing-lesson-initial-content: Added changelog entry documenting the fix

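To make the shape of the fix concrete, the following is an added example and not Sensei's own code: a stripped-down prepare_lesson() in its unguarded "before" form next to the capability-gated "after" form described in the review above. The lesson's _initial_content post meta is copied into the initialContent field only when the current user can edit that specific lesson; every other caller, including an anonymous request to the course-structure endpoint with ?context=view, gets an empty string, which is what the testing instructions check for. The function names, the argument list and the other fields of the returned array are assumptions modelled on the PR discussion; get_post(), get_post_meta() and current_user_can() are WordPress core functions, so the snippet needs a WordPress runtime.

```php
<?php
/**
 * Added example, not Sensei's code. Shows the unguarded "before" and the
 * capability-gated "after" of a simplified prepare_lesson().
 *
 * Assumes the WordPress runtime: get_post(), get_post_meta(), current_user_can().
 * Function names, argument list and the 'type'/'id'/'title' fields are
 * illustrative assumptions; only 'initialContent' and '_initial_content'
 * come from the PR.
 */

/**
 * BEFORE: every caller of the course-structure endpoint, including anonymous
 * visitors, receives the AI-generated bootstrap text stored in _initial_content.
 */
function example_prepare_lesson_unguarded( int $lesson_id ): array {
	$lesson = get_post( $lesson_id );
	if ( ! $lesson ) {
		return [];
	}

	return [
		'type'           => 'lesson',
		'id'             => $lesson->ID,
		'title'          => $lesson->post_title,
		// Read and returned unconditionally: this is the exposure.
		'initialContent' => (string) get_post_meta( $lesson->ID, '_initial_content', true ),
	];
}

/**
 * AFTER: the meta is read and returned only for users allowed to edit this
 * lesson. edit_lesson is a per-post (meta) capability, so it is checked
 * against the specific lesson ID rather than on its own; WordPress 6.1 and
 * later deny a meta-capability check that omits the post ID and raise a
 * _doing_it_wrong notice. The key stays present but empty for everyone else,
 * so clients that expect the field do not break.
 */
function example_prepare_lesson_guarded( int $lesson_id ): array {
	$lesson = get_post( $lesson_id );
	if ( ! $lesson ) {
		return [];
	}

	$lesson_data = [
		'type'           => 'lesson',
		'id'             => $lesson->ID,
		'title'          => $lesson->post_title,
		'initialContent' => '',
	];

	if ( current_user_can( 'edit_lesson', $lesson->ID ) ) {
		$lesson_data['initialContent'] = (string) get_post_meta( $lesson->ID, '_initial_content', true );
	}

	return $lesson_data;
}
```

The gate is on capability, not on the request's context parameter, so ?context=view and ?context=edit behave the same for a user who lacks edit_lesson. The phpcs.xml.dist change in the PR is the companion to this: the WordPress.WP.Capabilities sniff in WordPressCS flags capability names it does not recognise, so plugin-specific capabilities such as edit_lesson and edit_lessons have to be declared as custom capabilities for the check to pass lint.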

@m1r0 m1r0 merged commit c5c0b8a into trunk Dec 2, 2025
28 of 29 checks passed
@m1r0 m1r0 deleted the fix/course-structure-exposing-lesson-initial-content branch December 2, 2025 13:48