AT-1709 add property id validation

[JeDaVard]

No description provided.

[shftlvch]

Temporarily closing to retrigger newly-added pull_request_target workflow.

[shftlvch]

Temporarily closing to retrigger workflow after updating supported event type.

[opencode-agent]

1. 🚨 Critical

• No confirmed critical findings in the diff.

2. ⚠️ Major

• anytrack-for-woocommerce/trunk/modules/settings.php:20 and anytrack-for-woocommerce/trunk/modules/settings.php:55 make every settings save depend on a live wp_remote_get() to the AnyTrack endpoint before update_option() runs. That means admins can no longer save even purely local changes like event-name remaps when outbound HTTP is blocked, the host disallows external requests, or the AnyTrack service has a transient failure. Re-check this finding against the exact changed lines and fix it only if the issue is confirmed in the diff.

3. 💡 Minor

• anytrack-for-woocommerce/trunk/modules/settings.php:69 and anytrack-for-woocommerce/trunk/modules/settings.php:111 assume an invalid property ID will be exposed by a non-200 response, but the tracker endpoint can return HTTP 200 with a JS error body for nonexistent properties. In that case this code falls through to the WooCommerce-integration message, so users get the wrong remediation path for an actually invalid property ID. Re-check this finding against the exact changed lines and fix it only if the issue is confirmed in the diff.

opencode session  |  github run

[shftlvch]

/oc major issue is not relevant, is there an evidence about minor an why it's minor when it breaks the flow?

[opencode-agent]

Yes — there is direct evidence for the minor finding.

• In anytrack-for-woocommerce/trunk/modules/settings.php:69, invalid property IDs are only identified when the HTTP status is not 200.
• But the tracker endpoint returns 200 even for a nonexistent 12-char property. I checked https://t1.anytrack.io/assets/AAAAAAAAAAAA.js and got:

HTTP/2 200
content-type: application/javascript
...
console.error('Property "AAAAAAAAAAAA" not exists anymore, please visit https://anytrack.io for more details.')

• With that body, the parser in anytrack-for-woocommerce/trunk/modules/settings.php:75 and the fallback in anytrack-for-woocommerce/trunk/modules/settings.php:106 do not find ig / woocommerce, so execution falls through to anytrack-for-woocommerce/trunk/modules/settings.php:111.
• That means the user sees the WooCommerce integration error, even though the real problem is “property ID does not exist”.

Why it was marked minor:

• It does block the save flow, but it does not create a new class of failure beyond the intended validation gate; the save is already supposed to stop on invalid input.
• The bug is that the rejection reason is wrong, so the user gets the wrong remediation path.
• That is usually triaged as minor because it is an error-message / diagnosis bug, not silent corruption, not a security issue, and not a case where valid settings are rejected.

If you want, I can draft a tighter reviewer reply saying: the finding is valid, but its impact is misclassification of invalid property IDs rather than a broader functional regression.

opencode session  |  github run

[shftlvch]

/oc fix the validation

[shftlvch]

/oc review copy and improve if needed

[opencode-agent]

Updated the WooCommerce property validation so a 200 tracker response that contains an AnyTrack “property does not exist” JS error now fails as an invalid property ID instead of falling through to the WooCommerce integration error.

• Added a dedicated invalid-property message helper in anytrack-for-woocommerce/trunk/modules/settings.php:40.
• Added isInvalidPropertyIdResponse() in anytrack-for-woocommerce/trunk/modules/settings.php:44 to catch the JS error body returned for nonexistent properties even when the HTTP status is 200.
• Hooked that check into validateSave() before the WooCommerce integration parsing in anytrack-for-woocommerce/trunk/modules/settings.php:97, so the save flow returns the correct remediation path.
• Ran php -l on anytrack-for-woocommerce/trunk/modules/settings.php and anytrack-for-woocommerce/trunk/anytrack-for-woocommerce.php; both pass.

Natural next check:

1. Verify one nonexistent 12-char property ID now shows the invalid-property message, while a real property without WooCommerce still shows the integration message.

opencode session  |  github run

[opencode-agent]

User opencode-agent[bot] does not have write permissions

github run

[opencode-agent]

To https://github.com/anytrack/wordpress-plugins
! [rejected] AT-1709-add-AT-woo-int-validation -> AT-1709-add-AT-woo-int-validation (fetch first)
error: failed to push some refs to 'https://github.com/anytrack/wordpress-plugins'
hint: Updates were rejected because the remote contains work that you do not
hint: have locally. This is usually caused by another repository pushing to
hint: the same ref. If you want to integrate the remote changes, use
hint: 'git pull' before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.

opencode session  |  github run