PROD-9984#4967
Conversation
Upgrade caseproof/ground-level-{container,mothership,in-product-notifications}
to 7.3.1 and adapt the BuddyBoss Mothership layer to the new dependency-injection
ServiceProvider API (the static-container Service classes were removed upstream).
Core changes
- BB_Mothership_Loader: build a Container, register + boot the Mothership and IPN
service providers, and resolve vendor services (AddonsManager, LicenseManager,
Credentials, LicenseActivations) from the container instead of the removed
static helpers.
- BB_Plugin_Connector: override resolveLicenseKey/storeLicenseKey/
setLicenseActivationStatus so the existing BuddyBoss option names are preserved
(avoids orphaning every current activation under the new vendor defaults).
- BB_Addons_Manager / BB_License_Manager: container-resolved instances; keep the
static facade BuddyBoss callers rely on.
Bug fixes
- autoload-aliases: enable autoloading when resolving the original GroundLevel
classes in the forward alias map. Without it, non-scoped builds created no
aliases and the Add-ons/License pages fataled ("class not found"). Add reverse
aliases so scoped builds resolve @Inject docblock constants and boot the
providers.
- Add nonce verification to the "Refresh Add-ons" action.
- Fix malformed "application / json" Content-Type/Accept headers in the license
details request.
- License view: replace invalid <p><li> markup with <ol> and correct the
"Update License" instruction copy to match the actual button.
Cleanup
- Migrate DRM callers to get_container(); keep getContainer() as a deprecated
backward-compatibility wrapper for any external consumers.
- Remove dead code: BB_Plugin_Connector::getDebugInfo(),
BB_Mothership_Loader::refresh_plugin_connector(), BB_License_Manager::init().
- Correct @SInCE tags, trim the phantom dev-constant docblock, and stop escaping
the cached license key in the data layer.
|
Claude finished @KartikSuthar's task —— View job Comprehensive Code Review ResultsI've completed a thorough review of this PR which migrates BuddyBoss licensing/add-ons to GroundLevel 7.3.1. Here are my findings: 🚨 Critical Issues1. BLOCKER: DRM Development Environment Bypass DisabledFile: public static function is_dev_environment() {
return false; // ← This hardcodes false, disabling ALL development environment detection!
// The following 150+ lines of comprehensive dev detection logic become unreachable
}Impact: This completely prevents local development without license validation. The extensive detection logic (localhost, .local, .test domains, IP ranges, staging environments, etc.) becomes unreachable dead code. Recommendation: This appears to be an accidental debugging leftover. Remove the
|
…learing - class-bb-drm-helper.php: remove the hardcoded `return false;` at the top of is_dev_environment() that short-circuited all dev detection (localhost/.test/ .ddev/staging, etc.), making the logic below it unreachable. It was an accidental debugging leftover committed in an unrelated change; restoring detection lets the 8 DRM call sites correctly bypass license enforcement in local/staging environments. - class-bb-plugin-connector.php: extract the repeated add-ons + license-details cache-clear blocks into a single private clear_all_caches() helper. The before/after calls in setDynamicPluginId()/clearDynamicPluginId() are retained (they purge the OLD vs NEW plugin-ID-scoped keys — not redundant); this is a readability/DRY change with no behavior difference.
|
@claude please review |
|
Claude finished @KartikSuthar's task in 3m 22s —— View job Code Review – PROD-9984 (GroundLevel 7.3.1 Migration)
SummaryThis PR migrates BuddyBoss licensing/add-ons from the old static-container GroundLevel API to the DI-based ServiceProvider pattern in 7.3.1. The two issues flagged in the previous review have both been resolved. The overall quality is solid — here is a full second-pass review. ✅ Previous Issues Resolved1. DRM dev-env bypass fixed — The 2. Cache clearing consolidated —
✅ Positive Changes in This RevisionContent-Type header bug fix — // Before (broken – extra spaces make the header invalid):
'Content-Type' => 'application / json',
// After (correct):
'Content-Type' => 'application/json',This would have silently caused API request rejections. Nonce added to add-ons refresh form — The manual refresh button previously had no CSRF protection. A HTML structure fix —
Graceful container-boot failure — The License migration uses singleton —
New GroundLevel 7.3.1 lifecycle hooks — add_action( $plugin_id . '_active_license_invalidated', array( $this, 'handle_license_revoked' ) );
add_action( $plugin_id . '_active_license_expired', array( $this, 'handle_license_revoked' ) );The old
The method that was previously inherited from the vendor is now a first-class BuddyBoss implementation with:
|
…ates Bump GroundLevel mothership and in-product-notifications to 7.4.0 and wire a header-independent fallback for the Platform's own update notice
|
Claude finished @KartikSuthar's task in 4m 9s —— View job Code Review – PROD-9984 (GroundLevel 7.3.1 Migration)
✅ All Previously Flagged Issues Resolved
🚨 New: Version Discrepancy Between Composer Files
The PR title and all code comments consistently reference 7.3.1, but the root
|
Bump GroundLevel mothership and in-product-notifications to 7.4.0 and add a
header-independent fallback that serves the Platform's own plugin update with
its icon, backed by an invalidation-driven cache.
The native vendor UpdateService only serves updates via update_plugins_{host},
which needs an `Update URI` header on bp-loader.php; when absent, no update
surfaces. inject_platform_update() on site_transient_update_plugins fills that
gap. It pulls from Products::getVersionCheck() (same source as the vendor),
runs only when licensed, defers to the native path when the header is present,
and includes the product icon (1x/2x) so the BuddyBoss logo renders on
Dashboard > Updates.
Cache the resolved update item in a site transient (12h backstop TTL) so the
injector is a single transient read on normal admin loads instead of a
licence + version check on every site_transient_update_plugins fire. Errors
are not cached so a transient API failure retries. Invalidate the cache:
- on pre_set_site_transient_update_plugins (a genuine WP update fetch),
- on licence activate/validate/deactivate (add/update_option of
{plugin_id}_license_active and _license_key),
- on edition/tier change (buddyboss_dynamic_plugin_id option write).
|
@claude Review from fresh |
|
Claude finished @KartikSuthar's task in 5m 2s —— View job Code Review – PROD-9984 (Fresh Review)
✅ All Previously Flagged Issues Resolved
|
…ense controller, add Update URI header - Bind update-cache invalidation to overridden _license_activation_status option - Route validation-path rate-limit write through prefixed helper - Remove pre-nonce dynamic-plugin-ID mutation from controller() - Add Update URI header to activate native Mothership plugin updates - Refresh stale 7.3.1 docblocks to 7.4.0; fix "Overrides parent" comments
|
Claude encountered an error —— View job I'll analyze this and get back to you. |
Jira Issue:
https://buddyboss.atlassian.net/browse/PROD-9984
General Note
Keep all conversations related to this PR in the associated Jira issue(s). Do NOT add comment on this PR or edit this PR’s description.
Notes to Developer
Notes to Reviewer