Improve settings field sanitization and add tests

colinmurphy · colinmurphy · commit 810a5ac53f51 · 2025-08-20T17:41:34.000+01:00
Refactored Select_Field sanitization to handle non-string values and filter out invalid options. Removed redundant is_admin() check in Settings_Page::init. Added comprehensive unit tests for Settings_Page to verify initialization, hook registration, tab selection, and asset loading behaviors.
diff --git a/plugins/wpgraphql-logging/src/Admin/Settings/Fields/Field/Select_Field.php b/plugins/wpgraphql-logging/src/Admin/Settings/Fields/Field/Select_Field.php
@@ -100,8 +100,8 @@ public function sanitize_field( $value ): mixed {
 	 *
 	 * @return string The sanitized value.
 	 */
-	protected function sanitize_single_value( string $value ): string {
-		$sanitized_value = sanitize_text_field( $value );
+	protected function sanitize_single_value( $value ): string {
+		$sanitized_value = sanitize_text_field( (string) $value );
 		return array_key_exists( $sanitized_value, $this->options ) ? $sanitized_value : '';
 	}
 
@@ -115,7 +115,10 @@ protected function sanitize_single_value( string $value ): string {
 	protected function sanitize_multiple_value( array $values ): array {
 		$sanitized = [];
 		foreach ( $values as $value ) {
-			$sanitized[] = $this->sanitize_single_value( $value );
+			$single = $this->sanitize_single_value( $value );
+			if ( '' !== $single ) {
+				$sanitized[] = $single;
+			}
 		}
 		return $sanitized;
 	}
diff --git a/plugins/wpgraphql-logging/src/Admin/Settings_Page.php b/plugins/wpgraphql-logging/src/Admin/Settings_Page.php
@@ -42,7 +42,7 @@ class Settings_Page {
 	 * Initializes the settings page.
 	 */
 	public static function init(): ?Settings_Page {
-		if ( ! current_user_can( 'manage_options' ) || ! is_admin() ) {
+		if ( ! current_user_can( 'manage_options' ) ) {
 			return null;
 		}
 
diff --git a/plugins/wpgraphql-logging/src/Events/QueryEventLifecycle.php b/plugins/wpgraphql-logging/src/Events/QueryEventLifecycle.php
@@ -133,8 +133,6 @@ public function log_graphql_before_execute(Request $request ): void {
 		}
 	}
 
-
-
 	/**
 	 * Before the GraphQL response is returned to the client.
 	 *
diff --git a/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings/Fields/Field/CheckboxFieldTest.php b/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings/Fields/Field/CheckboxFieldTest.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+namespace WPGraphQL\Logging\wpunit\Admin\Settings\Fields\Field;
+
+use WPGraphQL\Logging\Admin\Settings\Fields\Field\Checkbox_Field;
+use WPGraphQL\Logging\Admin\Settings\Fields\Settings_Field_Interface;
+use lucatume\WPBrowser\TestCase\WPTestCase;
+
+class CheckboxFieldTest extends WPTestCase {
+
+	protected ?Checkbox_Field $field = null;
+
+	protected function setUp(): void {
+		parent::setUp();
+		$this->field = new Checkbox_Field(
+			'enable_logging',
+			'basic_configuration',
+			'Enable Logging',
+			'custom-css-class',
+			'Enable or disable query logging for WPGraphQL requests.'
+		);
+	}
+
+	public function test_basic_field_properties(): void {
+		$field = $this->field;
+		$this->assertEquals( 'enable_logging', $field->get_id() );
+		$this->assertTrue( $field->should_render_for_tab( 'basic_configuration' ) );
+		$this->assertFalse( $field->should_render_for_tab( 'other_tab' ) );
+	}
+
+	public function test_sanitize_field(): void {
+		$field = $this->field;
+		$this->assertTrue( $field->sanitize_field( true ) );
+		$this->assertTrue( $field->sanitize_field( 1 ) );
+		$this->assertFalse( $field->sanitize_field( false ) );
+		$this->assertFalse( $field->sanitize_field( 0 ) );
+		$this->assertFalse( $field->sanitize_field( null ) );
+	}
+
+	public function test_render_field(): void {
+		$field = $this->field;
+		$option_value = [];
+		$setting_key = 'wpgraphql_logging_settings';
+		$tab_key = 'basic_configuration';
+		$args = [
+			'tab_key' => $tab_key,
+			'settings_key' => $setting_key,
+		];
+
+		ob_start();
+		$field->render_field_callback( $args );
+		$rendered_output = ob_get_contents();
+		ob_end_clean();
+
+		$expected_output = <<<HTML
+<span class="wpgraphql-logging-tooltip">
+								<span class="dashicons dashicons-editor-help"></span>
+								<span id="wpgraphql_logging_settings[basic_configuration][enable_logging]-tooltip" class="tooltip-text description">Enable or disable query logging for WPGraphQL requests.</span>
+						</span><input type="checkbox" name="wpgraphql_logging_settings[basic_configuration][enable_logging]" aria-labelledby="wpgraphql_logging_settings[basic_configuration][enable_logging]-tooltip" value="1"  class="custom-css-class" />
+HTML;
+		$this->assertEquals(
+			preg_replace('/[\s\t\r\n]+/', '', $expected_output),
+			preg_replace('/[\s\t\r\n]+/', '', $rendered_output)
+		);
+
+	}
+}
diff --git a/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings/Fields/Field/SelectFieldTest.php b/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings/Fields/Field/SelectFieldTest.php
@@ -0,0 +1,109 @@
+<?php
+
+declare(strict_types=1);
+
+namespace WPGraphQL\Logging\wpunit\Admin\Settings\Fields\Field;
+
+use WPGraphQL\Logging\Admin\Settings\Fields\Field\Select_Field;
+use WPGraphQL\Logging\Admin\Settings\Fields\Settings_Field_Interface;
+use lucatume\WPBrowser\TestCase\WPTestCase;
+
+class SelectFieldTest extends WPTestCase {
+
+	protected ?Select_Field $field = null;
+	protected ?Select_Field $multipleField = null;
+
+	protected function setUp(): void {
+		parent::setUp();
+		$this->field = new Select_Field(
+			'log_level',
+			'basic_configuration',
+			'Log Level',
+			[
+				'debug' => 'Debug',
+				'info' => 'Info',
+				'warning' => 'Warning',
+				'error' => 'Error',
+			],
+			'custom-css-class',
+			'Select the minimum log level for WPGraphQL queries.',
+			false
+		);
+
+		$this->multipleField = new Select_Field(
+			'query_types',
+			'basic_configuration',
+			'Query Types',
+			[
+				'query' => 'Query',
+				'mutation' => 'Mutation',
+				'subscription' => 'Subscription',
+			],
+			'multiple-select-class',
+			'Select which query types to log.',
+			true
+		);
+	}
+
+	public function test_basic_field_properties(): void {
+		$field = $this->field;
+		$this->assertEquals( 'log_level', $field->get_id() );
+		$this->assertTrue( $field->should_render_for_tab( 'basic_configuration' ) );
+		$this->assertFalse( $field->should_render_for_tab( 'other_tab' ) );
+	}
+
+	public function test_multiple_field_properties(): void {
+		$field = $this->multipleField;
+		$this->assertEquals( 'query_types', $field->get_id() );
+	}
+
+	public function test_sanitize_field_single_select(): void {
+		$field = $this->field;
+
+		$this->assertEquals( 'debug', $field->sanitize_field( 'debug' ) );
+		$this->assertEquals( 'info', $field->sanitize_field( 'info' ) );
+		$this->assertEquals( 'warning', $field->sanitize_field( 'warning' ) );
+		$this->assertEquals( 'error', $field->sanitize_field( 'error' ) );
+		$this->assertEquals( '', $field->sanitize_field( 'invalid' ) );
+		$this->assertEquals( '', $field->sanitize_field( 'critical' ) );
+		$this->assertEquals( '', $field->sanitize_field( '' ) );
+		$this->assertEquals( '', $field->sanitize_field( '<script>alert("xss")</script>' ) );
+		$this->assertEquals( 'debug', $field->sanitize_field( '<b>debug</b>' ) );
+		$this->assertEquals( '', $field->sanitize_field( 123 ) );
+		$this->assertEquals( '', $field->sanitize_field( true ) );
+		$this->assertEquals( '', $field->sanitize_field( false ) );
+	}
+
+	public function test_sanitize_field_multiple_select(): void {
+		$field = $this->multipleField;
+
+		$this->assertEquals( ['query'], $field->sanitize_field( ['query'] ) );
+		$this->assertEquals( ['query', 'mutation'], $field->sanitize_field( ['query', 'mutation'] ) );
+		$this->assertEquals( ['query', 'mutation', 'subscription'], $field->sanitize_field( ['query', 'mutation', 'subscription'] ) );
+		$this->assertEquals( [], $field->sanitize_field( ['invalid', 'another_invalid'] ) );
+		$this->assertEquals( ['query'], $field->sanitize_field( 'query' ) );
+		$this->assertEquals( [], $field->sanitize_field( 'invalid' ) );
+	}
+
+	public function test_render_field_callback(): void {
+		$field = $this->field;
+		$option_value = [];
+		$setting_key = 'wpgraphql_logging_settings';
+		$tab_key = 'basic_configuration';
+		$args = [
+			'tab_key' => $tab_key,
+			'settings_key' => $setting_key,
+		];
+
+		// Capture the echoed output using output buffering
+		ob_start();
+		$field->render_field_callback( $args );
+		$rendered_output = ob_get_contents();
+		ob_end_clean();
+
+		$this->assertStringContainsString( 'name="wpgraphql_logging_settings[basic_configuration][log_level]"', $rendered_output );
+		$this->assertStringContainsString( 'id="log_level"', $rendered_output );
+		$this->assertStringContainsString( 'class="custom-css-class"', $rendered_output );
+		$this->assertStringContainsString( 'Select the minimum log level for WPGraphQL queries.', $rendered_output );
+	}
+}
diff --git a/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings/Fields/Field/TextInputFieldTest.php b/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings/Fields/Field/TextInputFieldTest.php
diff --git a/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings_Page_Test.php b/plugins/wpgraphql-logging/tests/wpunit/Admin/Settings_Page_Test.php

Original file line number	Diff line number	Diff line change
`@@ -100,8 +100,8 @@ public function sanitize_field( $value ): mixed {`
`100`	`100`	`*`
`101`	`101`	`* @return string The sanitized value.`
`102`	`102`	`*/`
`103`		`- protected function sanitize_single_value( string $value ): string {`
`104`		`- $sanitized_value = sanitize_text_field( $value );`
	`103`	`+ protected function sanitize_single_value( $value ): string {`
	`104`	`+ $sanitized_value = sanitize_text_field( (string) $value );`
`105`	`105`	`return array_key_exists( $sanitized_value, $this->options ) ? $sanitized_value : '';`
`106`	`106`	`}`
`107`	`107`
`@@ -115,7 +115,10 @@ protected function sanitize_single_value( string $value ): string {`
`115`	`115`	`protected function sanitize_multiple_value( array $values ): array {`
`116`	`116`	`$sanitized = [];`
`117`	`117`	`foreach ( $values as $value ) {`
`118`		`- $sanitized[] = $this->sanitize_single_value( $value );`
	`118`	`+ $single = $this->sanitize_single_value( $value );`
	`119`	`+ if ( '' !== $single ) {`
	`120`	`+ $sanitized[] = $single;`
	`121`	`+ }`
`119`	`122`	`}`
`120`	`123`	`return $sanitized;`
`121`	`124`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ class Settings_Page {`
`42`	`42`	`* Initializes the settings page.`
`43`	`43`	`*/`
`44`	`44`	`public static function init(): ?Settings_Page {`
`45`		`- if ( ! current_user_can( 'manage_options' ) \|\| ! is_admin() ) {`
	`45`	`+ if ( ! current_user_can( 'manage_options' ) ) {`
`46`	`46`	`return null;`
`47`	`47`	`}`
`48`	`48`
Original file line number	Diff line number	Diff line change
`@@ -133,8 +133,6 @@ public function log_graphql_before_execute(Request $request ): void {`
`133`	`133`	`}`
`134`	`134`	`}`
`135`	`135`
`136`		`-`
`137`		`-`
`138`	`136`	`/**`
`139`	`137`	`* Before the GraphQL response is returned to the client.`
`140`	`138`	`*`