feat: Update to version 0.3.0 with security enhancements, breaking changes, and improved documentation

Author: novincode

CHANGELOG.md

@@ -9,6 +9,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.3.0] - 2026-02-20
+
+### Security
+- REST API `/search/users` and `/options/roles` endpoints now require `list_users` capability instead of `edit_posts`
+- Added `current_user_can( 'edit_term' )` capability check to taxonomy field save handler
+- All bare `echo` ternary output wrapped in `esc_attr()` for consistent escaping discipline
+
+### Changed
+- **BREAKING:** Plugin prefix renamed from `cof` (3 chars) to `cofld` (5 chars) per WordPress.org prefix length guidelines
+  - All PHP constants: `COF_*` → `COFLD_*`
+  - All PHP classes: `COF_*` → `COFLD_*`
+  - All PHP functions: `cof_*()` → `cofld_*()`
+  - All CSS classes: `.cof-*` → `.cofld-*`
+  - All JS variables: `cofConfig` → `cofldConfig`, `cofMetaBox` → `cofldMetaBox`, `openfieldsAdmin` → `cofldAdmin`
+  - Database tables: `cof_fieldsets` → `cofld_fieldsets`, `cof_fields` → `cofld_fields`, `cof_locations` → `cofld_locations`
+  - PHP file names: `class-cof-*.php` → `class-cofld-*.php`
+
+### Added
+- Source code & build instructions section in readme.txt for compressed JS/CSS assets
+- `check_list_users_permission()` REST API method for user-data endpoints
+
+---
+
 ## [0.2.0] - 2025-07-13
 
 ### Fixed

REVIEWER_REPLY.md

@@ -1,45 +1,53 @@
 # Reply to WordPress.org Plugin Review
 
 **To:** plugins@wordpress.org  
-**Subject:** Re: [WordPress Plugin Directory] Codeideal Open Fields - Review Response
+**Subject:** Re: [WordPress Plugin Directory] Codeideal Open Fields - Review Response (v0.3.0)
 
 ---
 
 Hi,
 
-Thank you for the review. I've addressed every item below.
+Thank you for the thorough review — I've gone through every point and addressed them all in this update (v0.3.0).
 
-**1. Plugin Name / Trademark**
+**1. Compressed/Generated Code — Source Documentation**
 
-The plugin has been rebranded to **"Codeideal Open Fields"** — prefixed with our brand name. All references to competitor trademarks (ACF, Advanced Custom Fields, Meta Box) have been removed from the plugin name, description, readme tags, FAQ, and all internal code comments throughout the entire codebase.
+Added a "Source Code & Build Instructions" section to `readme.txt`. The compiled admin JS (`assets/admin/js/admin.js`) is built from React/TypeScript source included in our public GitHub repository (`admin/src/`). Build steps and source file locations are now documented in the readme.
 
-**2. Slug**
+**2. REST API `permission_callback` Issues**
 
-The current slug is `codeideal-open-fields`, which matches our text domain and all internal references. Could you please confirm or assign this slug?
+- `/search/users` — now requires `list_users` instead of `edit_posts`
+- `/options/roles` — now requires `list_users` instead of `edit_posts`
+- Added a dedicated `check_list_users_permission()` method for these user-data endpoints
 
-**3. Contributor / Ownership**
+All other endpoints already used `check_admin_permission()` (`manage_options`) — no changes needed there.
 
-The readme.txt contributor has been corrected to `shayancode`, matching my WordPress.org username. I am the owner and sole developer of codeideal.com — you can verify this via the Author URI in the plugin header (`https://codeideal.com`).
+**3. Nonce & Capability Checks**
 
-**4. Code Quality Fixes**
+Added `current_user_can( 'edit_term', $term_id )` at the top of `save_taxonomy_fields()`. The post and user save handlers already had proper capability checks — I verified all three are now covered:
 
-- Replaced all `json_encode()` calls with `wp_json_encode()`
-- Added `phpcs:ignore` annotation with justification for the `$_GET['activate-multi']` check in the activation redirect (standard WordPress pattern, no data processing)
-- Fixed unescaped output variables in `repeater.php` field renderer
-- Fixed double-escaping in two field renderers (post-object, user)
-- Removed `Update URI` header (not allowed on wordpress.org-hosted plugins)
-- Fixed a bug in `uninstall.php` where meta cleanup queries used an incorrect prefix pattern
+- `save_post()` → `current_user_can( 'edit_post', $post_id )`
+- `save_taxonomy_fields()` → `current_user_can( 'edit_term', $term_id )` *(added)*
+- `save_user_fields()` → `current_user_can( 'edit_user', $user_id )`
 
-**5. Security**
+**4. Escaped Output**
 
-All `$_POST` data access is behind nonce verification (`wp_verify_nonce`), capability checks (`current_user_can`), and sanitized with `sanitize_text_field()`, `wp_unslash()`, `absint()`, or type-specific sanitization. The REST API uses `permission_callback` on every route with `manage_options` or `edit_posts` capability checks and `$wpdb->prepare()` for all queries.
+Wrapped all bare `echo` ternary expressions in `esc_attr()` across the field renderer templates (`image.php`, `file.php`, `gallery.php`, `repeater.php`, `taxonomy.php`). The `$data_string` and `$atts` echo patterns were already pre-escaped via `esc_attr()` during construction — each has a `phpcs:ignore` annotation with justification explaining so. I verified these are correct.
 
-**6. load_plugin_textdomain**
+**5. Prefix Length**
 
-Not called — the plugin relies on WordPress 4.6+ automatic translation loading from translate.wordpress.org, as recommended.
+Renamed the entire prefix from `cof` (3 chars) to `cofld` (5 chars). This touched every PHP file, CSS file, JS file, and the React source:
 
-Please let me know if anything else is needed.
+- Constants: `COF_*` → `COFLD_*`
+- Classes: `COF_*` → `COFLD_*`
+- Functions: `cof_*()` → `cofld_*()`
+- CSS classes: `.cof-*` → `.cofld-*`
+- JS variables: `cofConfig` → `cofldConfig`, `cofMetaBox` → `cofldMetaBox`, etc.
+- DB tables: `cof_fieldsets` → `cofld_fieldsets`, `cof_fields` → `cofld_fields`, `cof_locations` → `cofld_locations`
+- File names: `class-cof-*.php` → `class-cofld-*.php`
 
-Best regards,  
-Shayan Moradi  
-https://codeideal.com
+Ran a final automated grep across the entire built ZIP — zero remaining old-prefix references.
+
+Please let me know if anything else needs attention.
+
+Best regards
+Shayan

package.json

@@ -1,6 +1,6 @@
 {
   "name": "openfields",
-  "version": "0.2",
+  "version": "0.3.0",
   "type": "module",
   "description": "Modern custom fields builder for WordPress. Create and manage custom field groups with an intuitive interface.",
   "author": "Codeideal",

plugin/codeideal-open-fields.php

@@ -3,7 +3,7 @@
  * Plugin Name: Codeideal Open Fields
  * Plugin URI: https://openfields.codeideal.com
  * Description: Modern custom fields builder for WordPress. Create and manage custom field groups with an intuitive interface.
- * Version: 0.2.1
+ * Version: 0.3.0
  * Requires at least: 6.0
  * Requires PHP: 7.4
  * Author: Codeideal
@@ -22,7 +22,7 @@
 }
 
 // Define plugin constants.
-define( 'COFLD_VERSION', '0.2' );
+define( 'COFLD_VERSION', '0.3.0' );
 define( 'COFLD_PLUGIN_FILE', __FILE__ );
 define( 'COFLD_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
 define( 'COFLD_PLUGIN_URL', plugin_dir_url( __FILE__ ) );

plugin/readme.txt

@@ -4,7 +4,7 @@ Donate link: https://codeideal.com
 Tags: custom fields, meta fields, field builder, post meta, custom meta
 Requires at least: 6.0
 Tested up to: 6.9
-Stable tag: 0.2.1
+Stable tag: 0.3.0
 Requires PHP: 7.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -100,6 +100,15 @@ Use the standard WordPress functions like `get_post_meta()` or the helper functi
 
 == Changelog ==
 
+= 0.3.0 =
+* Security: REST API `/search/users` and `/options/roles` endpoints now require `list_users` capability instead of `edit_posts`
+* Security: Added `current_user_can( 'edit_term' )` capability check to taxonomy field save handler
+* Security: All bare `echo` output now wrapped in proper escaping functions (`esc_attr`, `esc_html`)
+* Changed: Plugin prefix renamed from `cof` (3 chars) to `cofld` (5 chars) to comply with WordPress.org prefix length requirements — affects all constants, functions, CSS classes, JS variables, database table names, hooks, and file names
+* Added: Source code documentation section in readme explaining where to find uncompressed source for built JS/CSS assets
+* Developer note: Database table names changed from `cof_fieldsets`, `cof_fields`, `cof_locations` to `cofld_fieldsets`, `cofld_fields`, `cofld_locations`
+* Developer note: All public API functions renamed (e.g. `cof_get_field` → `cofld_get_field`)
+
 = 0.2 =
 * Fixed: Page templates not fetched dynamically — now scans all public post types and block theme templates
 * Fixed: Template matching failure when default template is selected (value mismatch between WordPress API and stored rules)

scripts/build.sh

@@ -31,7 +31,7 @@ update_plugin_version() {
 
     # macOS compatible sed (using .bak for backup, then deleting it)
     sed -i.bak "s/\* Version: .*/\* Version: $version/" "$PLUGIN_FILE"
-    sed -i.bak "s/define( 'COF_VERSION', .*/define( 'COF_VERSION', '$version' );/" "$PLUGIN_FILE"
+    sed -i.bak "s/define( 'COFLD_VERSION', .*/define( 'COFLD_VERSION', '$version' );/" "$PLUGIN_FILE"
     rm -f "${PLUGIN_FILE}.bak"
 }