Cutmap Editorial Workflow

گزارش تغییرات

1.4.6

• Security: Removed hardcoded sample-user password (Workflow@123). Each new sample user now receives a unique password generated via wp_generate_password(16, true), displayed once in the admin notice and never stored in source.
• Security: Added rest_pre_insert_{post_type} enforcement to block unauthorized publish attempts via the REST API. Admin-role REST tokens can no longer bypass the editorial workflow when a post has an active assignment.
• Bug fix: reject() no longer overwrites the approved content snapshot with the rejected draft. Visitors continue seeing the last explicitly approved version while the creator revises and re-submits.
• Performance: dbDelta() schema checks in CUTMAP_DB and CUTMAP_WNS are now guarded by a version option (cew_db_version, cew_wns_version). The expensive schema introspection runs only on activation/upgrade, not on every page load.
• Cleanup: uninstall.php now deletes all _cew_* post meta rows and removes plugin version options, leaving no orphaned data after deletion.
• Reliability: The ALTER TABLE … DROP INDEX migration for the audit-log unique key now runs reliably on every upgrade because the schema version option is cleared on activation.

1.4.5

• Resolved remaining critical security checklist issues including strict nonce validation across all forms/actions.
• Sanitized remaining raw $_POST and $_GET superglobal accesses and strictly avoided empty() checks for them.
• Re-audited output escaping inside admin tables and guaranteed all display logic passes through esc_html() and esc_url().
• Ensured every single admin_post action starts with a firm current_user_can() capability check followed by wp_die().

1.4.4

• Hardened admin actions with strict current_user_can() capability checks.
• Improved security by ensuring complete table cleanup on uninstall.
• Verified input sanitization and output escaping across the plugin.

1.4.3

• Removed UTF-8 Byte Order Marks (BOM) from PHP files to satisfy automated checks.

1.4.2

• Fixed unescaped translatable label strings in the frontend shortcode output by using esc_html__.

1.4.1

• Fixed the_title escaping context from wp_kses_post to esc_html.
• Fixed stale admin hook slug to ensure assets enqueue correctly.

1.4.0

• Fixed wp_enqueue issues by converting raw script/style tags.
• Added rigorous escaping output (wp_kses_post) to all filter callbacks.
• Cleaned up unclosed ob_start buffers to ensure safe hook flows.
• Changed short prefixes to longer CUTMAP_ prefixes.

1.3.0

• Fixed plugin header metadata parsing issues for strict WordPress.org compatibility.

1.2.0

• Renamed plugin to Cutmap Editorial Workflow.
• Enhanced security: Enqueued all inline scripts and styles using WP core APIs.
• Refactored prefixes to comply with WordPress official plugin guidelines.
• Improved dashboard UI and workflow assignment screen.

1.1.0

• Hardened security and addressed plugin review feedback.
• Refined capabilities and user role checks.
• Removed redundant database tables for improved performance.

1.0.0

• Initial release.
• Added Creator and Approver roles.
• Added assignment tracking for posts and pages.
• Added email notification system.