From 6e902c7c758a9cb73761bfe22b622b26a4401a66 Mon Sep 17 00:00:00 2001
From: Paul Kilmurray
Date: Sat, 29 Jun 2024 14:37:05 +0100
Subject: [PATCH] Fix: Critical error preventing bulk update of products
---
 includes/Admin/Products/List_Products.php | 10 +++++++---
 includes/Admin/Products/Single_Product.php | 8 ++++++--
 includes/Services/Settings.php | 12 ++++++++++++
 readme.txt | 5 ++++-
 woocommerce-pos.php | 4 ++--
 5 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/includes/Admin/Products/List_Products.php b/includes/Admin/Products/List_Products.php
index 1746b12..ca40eb1 100644
--- a/includes/Admin/Products/List_Products.php
+++ b/includes/Admin/Products/List_Products.php
@@ -258,7 +258,9 @@ public function quick_edit( $column_name, $post_type ): void {
 * @return void
 */
 public static function quick_edit_save( WC_Product $product ): void {
- if ( isset( $_POST['_pos_visibility'] ) ) {
+ $valid_options = array( 'pos_only', 'online_only', '' );
+
+ if ( isset( $_POST['_pos_visibility'] ) && in_array( $_POST['_pos_visibility'], $valid_options, true ) ) {
 $settings_instance = Settings::instance();
 $args = array(
 'post_type' => 'products',
@@ -275,11 +277,13 @@ public static function quick_edit_save( WC_Product $product ): void {
 * @return void
 */
 public function bulk_edit_save( WC_Product $product ): void {
- if ( isset( $_GET['_pos_visibility'] ) ) {
+ $valid_options = array( 'pos_only', 'online_only', '' );
+
+ if ( isset( $_GET['_pos_visibility'] ) && in_array( $_GET['_pos_visibility'], $valid_options, true ) ) {
 $settings_instance = Settings::instance();
 $args = array(
 'post_type' => 'products',
- 'visibility' => sanitize_text_field( $_GET['_pos_visibility'] ),
+ 'visibility' => $_GET['_pos_visibility'],
 'ids' => array( $product->get_id() ),
 );
 $settings_instance->update_visibility_settings( $args );
diff --git a/includes/Admin/Products/Single_Product.php b/includes/Admin/Products/Single_Product.php
index 7be5ef9..762c168 100644
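Review bot: The allow-list `array( 'pos_only', 'online_only', '' )` added at the top of quick_edit_save is repeated verbatim in bulk_edit_save below, in save_post and save_product_variation_pos_only_products in Single_Product.php, and again in Settings::update_visibility_settings, so five copies have to stay in sync for the input check to mean the same thing everywhere. Define it once, for example `public const VISIBILITY_OPTIONS = array( 'pos_only', 'online_only', '' );` on Settings, and have each caller test `in_array( $value, Settings::VISIBILITY_OPTIONS, true )`. A value outside the list is also dropped silently here, which is worth a one-line comment such as `// Unknown visibility values are ignored; the setting is left unchanged.`. The body of quick_edit_save continues past the end of the hunk.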
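Review bot: The return value of `$settings_instance->update_visibility_settings( $args );` on the last line of the hunk is discarded, so the `WP_Error` that this same commit adds in Settings.php, like any other error that method returns, never reaches the admin or a log during a bulk edit. Capture the result and test it with `is_wp_error( $result )`, at minimum recording the failure. With `sanitize_text_field()` removed, the strict `in_array( ..., true )` is now the only guard on the raw `$_GET['_pos_visibility']` value, so it deserves a comment such as `// Strict allow-list match: only these exact strings reach update_visibility_settings().` to keep a later edit from loosening it. Whether the bulk-edit form submits `''` for its "no change" choice is not visible here; if it does, accepting `''` would reset visibility on every selected product, which should be confirmed.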
--- a/includes/Admin/Products/Single_Product.php +++ b/includes/Admin/Products/Single_Product.php @@ -198,7 +198,9 @@ public function save_post( $post_id, $post ): void { } // Get the product and save. - if ( isset( $_POST['_pos_visibility'] ) ) { + $valid_options = array( 'pos_only', 'online_only', '' ); + + if ( isset( $_POST['_pos_visibility'] ) && in_array( $_POST['_pos_visibility'], $valid_options, true ) ) { $settings_instance = Settings::instance(); $args = array( 'post_type' => 'products', @@ -267,7 +269,9 @@ public function after_variable_attributes_pos_only_products( $loop, $variation_d * @param $variation_id */ public function save_product_variation_pos_only_products( $variation_id ): void { - if ( isset( $_POST['variable_pos_visibility'][ $variation_id ] ) ) { + $valid_options = array( 'pos_only', 'online_only', '' ); + + if ( isset( $_POST['variable_pos_visibility'][ $variation_id ] ) && in_array( $_POST['variable_pos_visibility'][ $variation_id ], $valid_options, true ) ) { $settings_instance = Settings::instance(); $args = array( 'post_type' => 'variations', diff --git a/includes/Services/Settings.php b/includes/Services/Settings.php index 8ecc8af..bd8acdb 100644 --- a/includes/Services/Settings.php +++ b/includes/Services/Settings.php @@ -493,6 +493,18 @@ public function update_visibility_settings( array $args ) { ); } + // Define valid visibility options. + $valid_options = array( 'pos_only', 'online_only', '' ); + + // Check if visibility is set and valid. + if ( ! isset( $args['visibility'] ) || ! in_array( $args['visibility'], $valid_options, true ) ) { + return new WP_Error( + 'woocommerce_pos_settings_error', + __( 'Invalid visibility option provided', 'woocommerce-pos' ), + array( 'status' => 400 ) + ); + } + $post_type = $args['post_type']; $scope = $args['scope'] ?? 'default'; $visibility = $args['visibility'] ?? ''; diff --git a/readme.txt b/readme.txt index c5a34e8..e3f49db 100644 --- a/readme.txt +++ b/readme.txt 
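Review bot: The new `! isset( $args['visibility'] )` test in update_visibility_settings turns a missing `visibility` key into a 400 error, while the unchanged line below it still reads `$visibility = $args['visibility'] ?? '';`, which shows the key used to be optional with `''` as its default. Any caller outside this patch that omits the key will now fail, and the `?? ''` fallback can no longer be reached. If the default is meant to survive, validate the defaulted value instead: `$visibility = $args['visibility'] ?? '';` followed by `if ( ! in_array( $visibility, $valid_options, true ) ) {`; if not, drop the `?? ''` and state in the method's docblock that the key is now required. update_visibility_settings starts and ends outside the hunk, so its other callers are not visible here.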
@@ -3,7 +3,7 @@ Contributors: kilbot Tags: ecommerce, point-of-sale, pos, inventory, woocommerce Requires at least: 5.6 Tested up to: 6.5 -Stable tag: 1.6.2 +Stable tag: 1.6.3 License: GPL-3.0 License URI: http://www.gnu.org/licenses/gpl-3.0.html @@ -80,6 +80,9 @@ There is more information on our website at [https://wcpos.com](https://wcpos.co == Changelog == += 1.6.3 - 2024/06/29 = +- Fix: Critical error preventing bulk update of products + = 1.6.2 - 2024/06/20 = - Fix: Error preventing resources (products, orders, customers, etc) from loading on Windows servers diff --git a/woocommerce-pos.php b/woocommerce-pos.php index 100fb52..78996ed 100644 --- a/woocommerce-pos.php +++ b/woocommerce-pos.php @@ -3,7 +3,7 @@ * Plugin Name: WooCommerce POS * Plugin URI: https://wordpress.org/plugins/woocommerce-pos/ * Description: A simple front-end for taking WooCommerce orders at the Point of Sale. Requires WooCommerce. - * Version: 1.6.2 + * Version: 1.6.3 * Author: kilbot * Author URI: http://wcpos.com * Text Domain: woocommerce-pos @@ -24,7 +24,7 @@ namespace WCPOS\WooCommercePOS; // Define plugin constants. -const VERSION = '1.6.2'; +const VERSION = '1.6.3'; const PLUGIN_NAME = 'woocommerce-pos'; const SHORT_NAME = 'wcpos'; \define( __NAMESPACE__ . '\PLUGIN_FILE', plugin_basename( __FILE__ ) ); // 'woocommerce-pos/woocommerce-pos.php'