Merge branch 'epic/campaigns' into feature/campaign-banner-GIVE-2312

give.php

@@ -6,7 +6,7 @@
  * Description: The most robust, flexible, and intuitive way to accept donations on WordPress.
  * Author: GiveWP
  * Author URI: https://givewp.com/
- * Version: 3.22.0
+ * Version: 3.22.1
  * Requires at least: 6.5
  * Requires PHP: 7.2
  * Text Domain: give
@@ -420,7 +420,7 @@ private function setup_constants()
     {
         // Plugin version.
         if (!defined('GIVE_VERSION')) {
-            define('GIVE_VERSION', '3.22.0');
+            define('GIVE_VERSION', '3.22.1');
         }
 
         // Plugin Root File.

includes/admin/reports/reports.php

@@ -298,10 +298,15 @@ function give_reports_gateways_table() {
 /**
  * Renders the Reports Earnings Graphs
  *
+ * @since 3.22.1 added permissions check
  * @since 1.0
  * @return void
  */
 function give_reports_earnings() {
+    if (!current_user_can('view_give_reports')){
+        wp_die(__('You do not have permission to access this report', 'give'), __('Error', 'give'), ['response' => 403]);
+    }
+
 	?>
 	<div class="tablenav top reports-table-nav">
 		<h2 class="reports-earnings-title screen-reader-text"><?php _e( 'Revenue Report', 'give' ); ?></h2>

readme.txt

@@ -5,7 +5,7 @@ Tags: donation, donate, recurring donations, fundraising, crowdfunding
 Requires at least: 6.5
 Tested up to: 6.7
 Requires PHP: 7.2
-Stable tag: 3.22.0
+Stable tag: 3.22.1
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -266,6 +266,9 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 10. Use almost any payment gateway integration with GiveWP through our add-ons or by creating your own add-on.
 
 == Changelog ==
+= 3.22.1: March 7th, 2025 =
+* Security: Added a permission check to a GiveWP reporting request (CVE-2025-2025)
+
 = 3.22.0: February 26th, 2025 =
 * New: Added initial WPML and Polylang multilingual translation support to visual form builder forms that currently excludes custom fields
 * Fix: Resolved a validation issue with PayPal donations when using Akismet

src/Campaigns/Actions/CampaignPageTemplate.php

@@ -3,7 +3,6 @@
 namespace Give\Campaigns\Actions;
 
 use Give\Campaigns\Models\Campaign;
-use Give\Campaigns\ValueObjects\CampaignStatus;
 use Give\Framework\Views\View;
 
 /**
@@ -16,7 +15,7 @@ class CampaignPageTemplate
      */
     public function registerTemplate()
     {
-        if ( ! $this->canRegisterBlockTemplate()) {
+        if (!$this->canRegisterBlockTemplate()) {
             return;
         }
 
@@ -39,7 +38,7 @@ public function loadTemplate($template)
             'give_campaign_page' === get_query_var('post_type')
             && current_theme_supports('block-templates')
         ) {
-            if ( ! $this->isPageVisible()) {
+            if (!$this->isPageVisible()) {
                 status_header(404);
 
                 return get_404_template();
@@ -64,25 +63,33 @@ private function canRegisterBlockTemplate(): bool
     }
 
     /**
+     *
      * @unreleased
      */
     private function isPageVisible(): bool
     {
-        $campaign = Campaign::find(get_post_field('campaignId'));
+        $campaignId = get_post_field('campaignId');
 
-        if ( ! $campaign) {
+        if (!$campaignId) {
             return false;
         }
 
-        // Allow logged in admin users to preview the page
-        if (
-            ! current_user_can('manage_options')
-            && ! $campaign->enableCampaignPage
-            && $campaign->status->getValue() !== CampaignStatus::ACTIVE()
-        ) {
+        $campaign = Campaign::find($campaignId);
+
+        if (!$campaign) {
+            return false;
+        }
+
+        // if the campaign page is disabled, no one can see it
+        if (!$campaign->enableCampaignPage) {
             return false;
         }
 
-        return true;
+        // logged-in users can see the page if the campaign is active or draft
+        if (current_user_can('manage_options') && ($campaign->status->isActive() || $campaign->status->isDraft()) ) {
+            return true;
+        }
+
+        return $campaign->status->isActive();
     }
 }

src/Campaigns/Blocks/CampaignComments/block.json

@@ -85,9 +85,11 @@
             }
         }
     },
+    "example": {},
     "textdomain": "give",
     "render": "file:./render.php",
     "viewScript": "file:../../../../build/campaignCommentsBlockApp.js",
     "editorScript": "file:../../../../build/campaignBlocks.js",
-    "style": "file:../../../../build/campaignCommentsBlockApp.css"
+    "style": "file:../../../../build/campaignCommentsBlockApp.css",
+    "editorStyle": "file:../../../../assets/dist/css/design-system/foundation.css"
 }

src/Campaigns/Blocks/CampaignCover/block.json

@@ -45,6 +45,7 @@
         "anchor": true,
         "className": true
     },
+    "example":{},
     "textdomain": "give",
     "render": "file:./render.php",
     "style": "file:../../../../build/campaignCoverBlock.css"

src/Campaigns/Blocks/CampaignDonations/block.json

@@ -42,6 +42,7 @@
     "supports": {
         "className": true
     },
+    "example": {},
     "textdomain": "give",
     "render": "file:./render.php",
     "style": "file:../../../../build/campaignDonationsBlockApp.css"

src/Campaigns/Blocks/CampaignDonors/block.json

@@ -46,6 +46,7 @@
     "supports": {
         "className": true
     },
+    "example": {},
     "textdomain": "give",
     "render": "file:./render.php",
     "style": "file:../../../../build/campaignDonorsBlockApp.css"

src/Campaigns/Blocks/CampaignGoal/block.json

@@ -17,6 +17,7 @@
             "type": "number"
         }
     },
+    "example": {},
     "textdomain": "give",
     "viewScript": "file:../../../../build/campaignGoalBlockApp.js",
     "style": "file:../../../../build/campaignGoalBlockApp.css",

src/Campaigns/Blocks/CampaignGrid/block.json

@@ -65,6 +65,7 @@
             "default": true
         }
     },
+    "example": {},
     "textdomain": "give",
     "viewScript": "file:../../../../build/campaignGridApp.js",
     "viewStyle": "file:../../../../build/campaignGridApp.css",

src/Campaigns/Blocks/CampaignStats/block.json

@@ -64,6 +64,7 @@
             }
         }
     },
+    "example": {},
     "textdomain": "give",
     "render": "file:./render.php",
     "viewScript": "file:../../../../build/campaignStatsBlockApp.js",

src/Campaigns/Blocks/CampaignTitle/block.json

@@ -63,6 +63,11 @@
             }
         }
     },
+    "example": {
+        "attributes": {
+            "textAlign": "center"
+        }
+    },
     "textdomain": "give",
     "editorStyle": "file:../../../../build/campaignTitleBlock.css",
     "render": "file:./render.php"

src/Campaigns/Blocks/DonateButton/block.json

@@ -28,6 +28,7 @@
             "default": "Donate now"
         }
     },
+    "example": {},
     "textdomain": "give",
     "render": "file:./render.php"
 }

src/Campaigns/Factories/CampaignFactory.php

@@ -2,9 +2,11 @@
 
 namespace Give\Campaigns\Factories;
 
+use Exception;
 use Give\Campaigns\ValueObjects\CampaignGoalType;
 use Give\Campaigns\ValueObjects\CampaignStatus;
 use Give\Campaigns\ValueObjects\CampaignType;
+use Give\DonationForms\Models\DonationForm;
 use Give\Framework\Models\Factories\ModelFactory;
 use Give\Framework\Support\Facades\DateTime\Temporal;
 
@@ -15,10 +17,12 @@ class CampaignFactory extends ModelFactory
 {
     /**
      * @inheritDoc
+     * @throws Exception
      */
     public function definition(): array
     {
         $currentDate = Temporal::getCurrentDateTime();
+        $createdAt = Temporal::withoutMicroseconds($currentDate);
 
         return [
             'type' => CampaignType::CORE(),
@@ -27,16 +31,16 @@ public function definition(): array
             'title' => __('GiveWP Campaign', 'give'),
             'shortDescription' => __('Campaign short description', 'give'),
             'longDescription' => __('Campaign long description', 'give'),
-            'goal' => 10000000,
+            'goal' => 5000,
             'goalType' => CampaignGoalType::AMOUNT(),
             'status' => CampaignStatus::ACTIVE(),
             'logo' => '',
             'image' => '',
             'primaryColor' => '#28C77B',
             'secondaryColor' => '#FFA200',
-            'createdAt' => Temporal::withoutMicroseconds($currentDate),
-            'startDate' => Temporal::withoutMicroseconds($currentDate),
-            'endDate' => Temporal::withoutMicroseconds($currentDate->modify('+1 day')),
+            'createdAt' => $createdAt,
+            'startDate' => $createdAt,
+            'endDate' => null,
         ];
     }
 }

src/Campaigns/Repositories/CampaignRepository.php

@@ -36,10 +36,21 @@ class CampaignRepository
      * @unreleased
      */
     public function getById(int $id)
+    {
+        return $this->queryById($id)->get();
+    }
+
+    /**
+     * @unreleased
+     *
+     * Query Campaign by ID
+     *
+     * @unreleased
+     */
+    public function queryById(int $id): ModelQueryBuilder
     {
         return $this->prepareQuery()
-            ->where('id', $id)
-            ->get();
+            ->where('id', $id);
     }
 
     /**

src/Campaigns/Routes/GetCampaignsListTable.php

@@ -169,7 +169,11 @@ private function getWhereConditions(QueryBuilder $query): QueryBuilder
             }
         }
 
-        if ($status && 'any' !== $status) {
+        if ($status === 'any') {
+            $query->whereNotLike('status', 'archived');
+        } elseif ($status === 'inactive') {
+            $query->where('status', 'archived');
+        } elseif ($status) {
             $query->where('status', $status);
         }
 

src/Donations/DataTransferObjects/DonationQueryData.php

@@ -129,10 +129,15 @@ final class DonationQueryData
      * @var string|null
      */
     public $honorific;
+    /**
+     * @var int
+     */
+    public $campaignId;
 
     /**
      * Convert data from object to Donation
      *
+     * @unreleased Added campaignId property
      * @since 3.9.0 Add support for "phone" property
      * @since 3.2.0 add fallback for donation mode
      * @since 2.23.0 remove parentId property
@@ -191,6 +196,7 @@ public static function fromObject($donationQueryObject): self
             ->getKeyAsCamelCase()};
         $self->comment = $donationQueryObject->{DonationMetaKeys::COMMENT()
             ->getKeyAsCamelCase()};
+        $self->campaignId = (int)$donationQueryObject->{DonationMetaKeys::CAMPAIGN_ID()->getKeyAsCamelCase()};
 
         if (!empty($donationQueryObject->{DonationMetaKeys::SUBSCRIPTION_INITIAL_DONATION()->getKeyAsCamelCase()})) {
             $self->type = DonationType::SUBSCRIPTION();

src/Donations/Factories/DonationFactory.php

@@ -3,6 +3,7 @@
 namespace Give\Donations\Factories;
 
 use Exception;
+use Give\Campaigns\Models\Campaign;
 use Give\Donations\ValueObjects\DonationMode;
 use Give\Donations\ValueObjects\DonationStatus;
 use Give\Donations\ValueObjects\DonationType;
@@ -15,6 +16,7 @@ class DonationFactory extends ModelFactory
 {
 
     /**
+     * @unreleased added campaignId
      * @since 2.22.0 add optional support for anonymous and company properties
      * @since 2.20.0 update default donorId to create factory
      * @since 2.19.6
@@ -33,6 +35,7 @@ public function definition(): array
             'firstName' => $this->faker->firstName,
             'lastName' => $this->faker->lastName,
             'email' => $this->faker->email,
+            'campaignId' => 1,
             'formId' => 1,
             'formTitle' => 'Form Title',
             'anonymous' => $this->faker->optional(0.5, false)->boolean(true),

src/Donations/Models/Donation.php

@@ -31,6 +31,7 @@
  * @since 2.19.6
  *
  * @property int $id
+ * @property int $campaignId
  * @property int $formId
  * @property string $formTitle
  * @property DateTime $createdAt
@@ -69,6 +70,7 @@ class Donation extends Model implements ModelCrud, ModelHasFactory
      */
     protected $properties = [
         'id' => 'int',
+        'campaignId' => 'int',
         'formId' => 'int',
         'formTitle' => 'string',
         'purchaseKey' => 'string',
@@ -194,7 +196,7 @@ public function subscription(): ModelQueryBuilder
      */
     public function campaign(): ModelQueryBuilder
     {
-        return give()->campaigns->queryByFormId($this->formId);
+        return give()->campaigns->queryById($this->campaignId);
     }
 
     /**

src/Donations/Repositories/DonationRepository.php

@@ -320,6 +320,7 @@ public function delete(Donation $donation): bool
     }
 
     /**
+     * @unreleased added campaignId
      * @since 3.9.0 Added meta for phone property
      * @since 3.2.0 added meta for honorific property
      * @since 2.20.0 update amount to use new type, and add currency and exchange rate
@@ -352,10 +353,12 @@ private function getCoreDonationMetaForDatabase(Donation $donation): array
                 ),
             DonationMetaKeys::DONOR_IP => $donation->donorIp ?? give_get_ip(),
             DonationMetaKeys::LEVEL_ID => $donation->levelId,
-            DonationMetaKeys::ANONYMOUS => (int)$donation->anonymous
+            DonationMetaKeys::ANONYMOUS => (int)$donation->anonymous,
+            DonationMetaKeys::CAMPAIGN_ID => $donation->campaignId,
         ];
 
-        if ($campaign = $donation->campaign) {
+        // If the donation is not associated with a campaign, try to find the campaign ID by the form ID
+        if (!$donation->campaignId && $campaign = give()->campaigns->getByFormId($donation->formId)) {
             $meta[DonationMetaKeys::CAMPAIGN_ID] = $campaign->id;
         }
 

tests/Unit/Campaigns/Actions/AssignDuplicatedFormToCampaignTest.php

@@ -21,10 +21,9 @@ final class AssignDuplicatedFormToCampaignTest extends TestCase
     public function testDuplicatedFormIsAssignedToCampaign()
     {
         $campaign = Campaign::factory()->create();
-        $form = DonationForm::factory()->create();
+        $form = DonationForm::find($campaign->defaultFormId);
 
         $db = DB::table('give_campaign_forms');
-        $db->insert(['form_id' => $form->id, 'campaign_id' => $campaign->id]);
 
         // See give/src/DonationForms/V2/Endpoints/FormActions.php:131
         require_once(GIVE_PLUGIN_DIR . '/includes/admin/forms/class-give-form-duplicator.php');