diff --git a/AGENTS.md b/AGENTS.md
index 55d82ba3..f4726f94 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -90,3 +90,21 @@ Sensitive areas in this codebase where hygiene matters most:
- `src/SiteAccess.php`, `src/Remote.php` — SaaS envelope exchange, auth tokens
- `src/SupportUser.php`, `src/SupportRole.php` — privilege boundary, capability grants
- `src/Form.php` — user-facing rendering, escaping
+
+## Comment Discipline
+
+Default to writing no comments. A well-named identifier and the code that follows it should carry the meaning. Add a comment only when the *why* is non-obvious to a future reader.
+
+**Don't write meta-narrative.** Comments that explain the developer's reasoning — "Defense in depth:", "Belt-and-suspenders:", "Cheaper than the alternative because…", "We do this instead of X because Y" — are narrative *about* the code, not part of it. PR descriptions and commit messages are the right home for that voice. Comments that survive in source become stale signal that rots faster than the code does.
+
+**Don't restate the obvious.** A comment immediately above `update_user_meta(...)` saying "Update the user meta" wastes everyone's time. If the call doesn't read clearly, fix the names — don't paper over with prose.
+
+**Don't reference the task, PR, or audit that prompted the code.** No "added for issue #66", "per review feedback", "this was the fix in PR #142". Those handles rot the moment the PR is closed. The thing the comment cared about is in `git blame` and in the PR body — leave it there.
+
+**Don't narrate version-target trade-offs at the call site.** A comment like "we duplicate the cleanup here because the SDK targets PHP 5.3 (no `finally` until 5.5)" is meta narrative about *why the file looks this way*. A reader can see it looks that way; the *why* belongs in this file, not at every call site.
+
+**Do keep comments** that describe a hidden constraint, a subtle invariant, a workaround for a specific bug, or a surprising behavior — things a reader would otherwise have to discover the hard way. These earn their place.
+
+### PHP version target
+
+The SDK runtime supports **PHP 5.3+** (per `composer.json` and `.phpcs.xml.dist`'s `testVersion`). New code must run on 5.3 — no `\Throwable`, no `finally`, no `static function () {}`, no `??` null coalesce, no return-type hints, no arrow functions. Build/test environments are PHP 7.4+ (PHPStan `phpVersion: 70400`, PHPUnit on 8.2), but anything the SDK actually ships has to clear the 5.3 bar.
diff --git a/src/Admin.php b/src/Admin.php
index b7bdd577..c6082090 100644
--- a/src/Admin.php
+++ b/src/Admin.php
@@ -226,7 +226,7 @@ public function user_row_action_revoke( $actions, $user_object ) {
}
return array(
- 'revoke' => "" . esc_html__( 'Revoke Access', 'trustedlogin' ) . ' ',
+ 'revoke' => "" . esc_html( Strings::get( Strings::REVOKE_ACCESS, __( 'Revoke Access', 'trustedlogin' ) ) ) . ' ',
);
}
@@ -267,12 +267,12 @@ public function admin_bar_add_toolbar_items( $admin_bar ) {
$admin_bar->add_menu(
array(
'id' => 'tl-' . $this->config->ns() . '-revoke',
- 'title' => $icon . esc_html__( 'Revoke Access', 'trustedlogin' ),
+ 'title' => $icon . esc_html( Strings::get( Strings::REVOKE_ACCESS, __( 'Revoke Access', 'trustedlogin' ) ) ),
'href' => $this->support_user->get_revoke_url( 'all' ),
'parent' => 'top-secondary',
'meta' => array(
'class' => 'tl-destroy-session',
- 'title' => esc_html__( 'You are logged in as a support user. Click to permanently revoke access.', 'trustedlogin' ),
+ 'title' => esc_html( Strings::get( Strings::YOU_ARE_LOGGED_IN_AS_A, __( 'You are logged in as a support user. Click to permanently revoke access.', 'trustedlogin' ) ) ),
),
)
);
@@ -305,7 +305,7 @@ public function admin_menu_auth_link_page() {
$menu_slug = apply_filters( 'trustedlogin/' . $this->config->ns() . '/admin/menu/menu_slug', 'grant-' . $ns . '-access' );
- $menu_title = $this->config->get_setting( 'menu/title', esc_html__( 'Grant Support Access', 'trustedlogin' ) );
+ $menu_title = $this->config->get_setting( 'menu/title', esc_html( Strings::get( Strings::GRANT_SUPPORT_ACCESS, __( 'Grant Support Access', 'trustedlogin' ) ) ) );
$menu_position = $this->config->get_setting( 'menu/position', null );
$menu_position = is_null( $menu_position ) ? null : (float) $menu_position;
diff --git a/src/Ajax.php b/src/Ajax.php
index c5943c92..e48c1781 100644
--- a/src/Ajax.php
+++ b/src/Ajax.php
@@ -115,13 +115,13 @@ public function ajax_generate_support() {
// `wp_ajax_…` only (no `wp_ajax_nopriv_…`), so `get_current_user_id()`
// is guaranteed non-zero here even though that isn't obvious in isolation.
if ( ! check_ajax_referer( 'tl_nonce-' . get_current_user_id(), '_nonce', false ) ) {
- wp_send_json_error( array( 'message' => esc_html__( 'Verification issue: Request could not be verified. Please reload the page.', 'trustedlogin' ) ) );
+ wp_send_json_error( array( 'message' => esc_html( Strings::get( Strings::VERIFICATION_ISSUE_REQUEST_COULD_NOT_BE, __( 'Verification issue: Request could not be verified. Please reload the page.', 'trustedlogin' ) ) ) ) );
}
if ( ! current_user_can( 'create_users' ) ) {
$this->logging->log( 'Current user does not have `create_users` capability when trying to grant access.', __METHOD__, 'error' );
- wp_send_json_error( array( 'message' => esc_html__( 'You do not have the ability to create users.', 'trustedlogin' ) ) );
+ wp_send_json_error( array( 'message' => esc_html( Strings::get( Strings::YOU_DO_NOT_HAVE_THE_ABILITY, __( 'You do not have the ability to create users.', 'trustedlogin' ) ) ) ) );
}
// Reuse the injected Client if available (hooks already wired). Fall
diff --git a/src/Client.php b/src/Client.php
index b03ae071..38e216c3 100644
--- a/src/Client.php
+++ b/src/Client.php
@@ -141,6 +141,8 @@ public function __construct( Config $config, $init = true ) {
$this->config = $config;
+ Strings::init( $config );
+
$this->logging = new Logging( $config );
$this->cron = new Cron( $this->config, $this->logging );
@@ -263,7 +265,7 @@ public function grant_access( $include_debug_data = false, $ticket_data = null )
// user — it can never be used to log in because no envelope
// reached the vendor dashboard. Fail-fast keeps state clean.
if ( ! $this->config->meets_ssl_requirement() ) {
- return new WP_Error( 'fails_ssl_requirement', esc_html__( 'Support access requires a secure (HTTPS) connection. Please enable HTTPS on this site and try again.', 'trustedlogin' ), array( 'error_code' => 426 ) );
+ return new WP_Error( 'fails_ssl_requirement', esc_html( Strings::get( Strings::SUPPORT_ACCESS_REQUIRES_A_SECURE_HTTPS, __( 'Support access requires a secure (HTTPS) connection. Please enable HTTPS on this site and try again.', 'trustedlogin' ) ) ), array( 'error_code' => 426 ) );
}
timer_start();
@@ -444,7 +446,7 @@ private function extend_access( $user_id ) {
// in via the vendor dashboard still reflects the old expiration.
// Fail fast so the customer is asked to enable HTTPS and retry.
if ( ! $this->config->meets_ssl_requirement() ) {
- return new WP_Error( 'fails_ssl_requirement', esc_html__( 'Support access requires a secure (HTTPS) connection. Please enable HTTPS on this site and try again.', 'trustedlogin' ), array( 'error_code' => 426 ) );
+ return new WP_Error( 'fails_ssl_requirement', esc_html( Strings::get( Strings::SUPPORT_ACCESS_REQUIRES_A_SECURE_HTTPS, __( 'Support access requires a secure (HTTPS) connection. Please enable HTTPS on this site and try again.', 'trustedlogin' ) ) ), array( 'error_code' => 426 ) );
}
timer_start();
@@ -645,7 +647,7 @@ public function revoke_access( $identifier = '' ) {
if ( ! empty( $should_be_deleted ) ) {
$this->logging->log( 'User #' . $should_be_deleted->ID . ' was not removed', __METHOD__, 'error' );
- return new WP_Error( 'support_user_not_deleted', esc_html__( 'The support user was not deleted.', 'trustedlogin' ) );
+ return new WP_Error( 'support_user_not_deleted', esc_html( Strings::get( Strings::THE_SUPPORT_USER_WAS_NOT_DELETED, __( 'The support user was not deleted.', 'trustedlogin' ) ) ) );
}
/**
diff --git a/src/Config.php b/src/Config.php
index 8423897b..130e93e0 100644
--- a/src/Config.php
+++ b/src/Config.php
@@ -378,6 +378,13 @@ public function validate() {
}
}
+ // Walk the optional `strings` array and discard malformed
+ // overrides individually. Bad entries log a warning and fall
+ // back to the SDK default; well-formed entries remain. We
+ // don't push these to $errors because a typo in one string
+ // shouldn't refuse to instantiate the SDK.
+ $this->validate_strings();
+
if ( $errors ) {
$error_text = array();
foreach ( $errors as $error ) {
@@ -397,6 +404,123 @@ public function validate() {
return true;
}
+ /**
+ * Validate the optional `strings` config setting in place.
+ *
+ * Drops the whole entry if not an array; otherwise prunes
+ * malformed individual overrides while keeping valid ones.
+ * Closures pass through untouched; strings are checked against
+ * the placeholder count declared in {@see Strings::registry()};
+ * empty strings are accepted as "render nothing".
+ *
+ * @since 1.11.0
+ *
+ * @return void
+ */
+ private function validate_strings() {
+ if ( ! isset( $this->settings['strings'] ) ) {
+ return;
+ }
+
+ if ( ! is_array( $this->settings['strings'] ) ) {
+ unset( $this->settings['strings'] );
+ return;
+ }
+
+ $registry = Strings::registry();
+ $validated = array();
+
+ foreach ( $this->settings['strings'] as $key => $override ) {
+ if ( ! is_string( $key ) || ! isset( $registry[ $key ] ) ) {
+ continue;
+ }
+
+ $placeholders = isset( $registry[ $key ]['placeholders'] )
+ ? (int) $registry[ $key ]['placeholders']
+ : 0;
+
+ if ( is_callable( $override ) ) {
+ $validated[ $key ] = $override;
+ continue;
+ }
+
+ if ( '' === $override ) {
+ $validated[ $key ] = '';
+ continue;
+ }
+
+ if ( ! is_string( $override ) ) {
+ continue;
+ }
+
+ if ( ! self::placeholders_safe( $override, $placeholders ) ) {
+ continue;
+ }
+
+ $validated[ $key ] = $override;
+ }
+
+ $this->settings['strings'] = $validated;
+
+ // Drop the cached pre-validation read; subsequent get_setting()
+ // calls must hit the pruned array.
+ unset( $this->settings_cache['strings'] );
+ }
+
+ /**
+ * Does $template survive `vsprintf` against $arg_count placeholder args?
+ *
+ * Sentinel-based behavioural test: each arg slot is given a unique
+ * marker and the rendered output must contain every marker. Catches
+ * too-few-args, missing slots, and wrong-conversion-type in one shot
+ * without re-implementing the sprintf grammar.
+ *
+ * @since 1.11.0
+ *
+ * @param string $template Override candidate to test (string from integrator config).
+ * @param int $arg_count Number of positional args the SDK default requires.
+ *
+ * @return bool True if the template renders cleanly with $arg_count args.
+ */
+ private static function placeholders_safe( $template, $arg_count ) {
+ if ( $arg_count <= 0 ) {
+ $stripped = str_replace( '%%', '', (string) $template );
+ return ! (bool) preg_match( '/%[+\-0-9.\'$]*[a-zA-Z]/', $stripped );
+ }
+
+ $sentinels = array();
+ for ( $i = 0; $i < $arg_count; $i++ ) {
+ $sentinels[] = '__TLPLACEHOLDER' . $i . '__';
+ }
+
+ // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_set_error_handler
+ set_error_handler(
+ function () {
+ return true;
+ },
+ E_WARNING
+ );
+
+ $result = false;
+ try {
+ $result = vsprintf( (string) $template, $sentinels );
+ } catch ( \Exception $_ ) {
+ $result = false;
+ }
+ restore_error_handler();
+
+ if ( false === $result || ! is_string( $result ) ) {
+ return false;
+ }
+
+ foreach ( $sentinels as $sentinel ) {
+ if ( false === strpos( $result, $sentinel ) ) {
+ return false;
+ }
+ }
+ return true;
+ }
+
/**
* Returns a timestamp that is the current time + decay time setting
*
diff --git a/src/Encryption.php b/src/Encryption.php
index e8026c41..4c58d022 100644
--- a/src/Encryption.php
+++ b/src/Encryption.php
@@ -260,7 +260,7 @@ public function get_vendor_public_key() {
return new WP_Error(
'invalid_public_key_shape',
- esc_html__( 'Support access could not be set up. The plugin\'s support team\'s encryption key has an unexpected format — please contact them and let them know.', 'trustedlogin' )
+ esc_html( Strings::get( Strings::SUPPORT_ACCESS_COULD_NOT_BE_SET, __( 'Support access could not be set up. The plugin\'s support team\'s encryption key has an unexpected format — please contact them and let them know.', 'trustedlogin' ) ) )
);
}
@@ -283,7 +283,7 @@ public function get_vendor_public_key() {
return new WP_Error(
'public_key_fingerprint_mismatch',
- esc_html__( 'Support access could not be set up. The plugin\'s support team\'s encryption key didn\'t match the configured fingerprint — please contact them.', 'trustedlogin' )
+ esc_html( Strings::get( Strings::SUPPORT_ACCESS_COULD_NOT_BE_SET_799354, __( 'Support access could not be set up. The plugin\'s support team\'s encryption key didn\'t match the configured fingerprint — please contact them.', 'trustedlogin' ) ) )
);
}
}
diff --git a/src/Endpoint.php b/src/Endpoint.php
index 8186a929..f73c3f76 100644
--- a/src/Endpoint.php
+++ b/src/Endpoint.php
@@ -396,8 +396,8 @@ private function fail_login( $error_code, $detailed_reason, $site_identifier_has
* with their own error chrome.
*/
private function render_standalone_failure_page() {
- $heading = __( 'Support login could not complete', 'trustedlogin' );
- $body = __( 'Return to your support tool to try again.', 'trustedlogin' );
+ $heading = Strings::get( Strings::SUPPORT_LOGIN_COULD_NOT_COMPLETE, __( 'Support login could not complete', 'trustedlogin' ) );
+ $body = Strings::get( Strings::RETURN_TO_YOUR_SUPPORT_TOOL_TO, __( 'Return to your support tool to try again.', 'trustedlogin' ) );
wp_die(
'' . esc_html( $body ) . '
',
diff --git a/src/Form.php b/src/Form.php
index 7485e4ec..522a4e7b 100644
--- a/src/Form.php
+++ b/src/Form.php
@@ -274,7 +274,7 @@ public function get_auth_header_html() {
$_user_creator = $_user_creator_id ? get_user_by( 'id', $_user_creator_id ) : false;
// translators: %s is the ID of the user who created the support session. The user can't be found; only the User ID is known.
- $unknown_user_text = sprintf( esc_html__( 'Unknown (User #%d)', 'trustedlogin' ), $_user_creator_id );
+ $unknown_user_text = sprintf( esc_html( Strings::get( Strings::UNKNOWN_USER_D, __( 'Unknown (User #%d)', 'trustedlogin' ) ) ), $_user_creator_id );
$auth_meta = ( $_user_creator && $_user_creator->exists() ) ? esc_html( $_user_creator->display_name ) : $unknown_user_text;
@@ -313,9 +313,9 @@ public function get_auth_header_html() {
// closing the same gap on the auth header path.
$content = array(
'display_name' => esc_html( $support_user->display_name ),
- 'revoke_access_button' => sprintf( '%2$s ', esc_url( $revoke_url ), esc_html__( 'Revoke Access', 'trustedlogin' ) ),
+ 'revoke_access_button' => sprintf( '%2$s ', esc_url( $revoke_url ), esc_html( Strings::get( Strings::REVOKE_ACCESS, __( 'Revoke Access', 'trustedlogin' ) ) ) ),
// translators: %s is the display name of the user who granted access.
- 'auth_meta' => sprintf( esc_html__( 'Created %1$s ago by %2$s', 'trustedlogin' ), esc_html( human_time_diff( strtotime( $support_user->user_registered ) ) ), esc_html( $auth_meta ) ),
+ 'auth_meta' => sprintf( esc_html( Strings::get( Strings::CREATED_1_S_AGO_BY_2, __( 'Created %1$s ago by %2$s', 'trustedlogin' ) ) ), esc_html( human_time_diff( strtotime( $support_user->user_registered ) ) ), esc_html( $auth_meta ) ),
);
return $this->prepare_output( $template, $content );
@@ -377,8 +377,8 @@ private function get_preflight_action_html( $error ) {
// one, so we always have a surface.
$support_href = '' !== $support_url ? esc_url( $support_url ) : 'mailto:' . rawurlencode( $vendor_email );
$support_text = '' !== $support_url
- ? sprintf( /* translators: %s: the plugin's name */ esc_html__( 'Contact %s support', 'trustedlogin' ), esc_html( $vendor_title ) )
- : sprintf( /* translators: %s: the support email address */ esc_html__( 'Email %s', 'trustedlogin' ), esc_html( $vendor_email ) );
+ ? sprintf( esc_html( Strings::get( Strings::CONTACT_S_SUPPORT, /* translators: %s: the plugin's name */ __( 'Contact %s support', 'trustedlogin' ) ) ), esc_html( $vendor_title ) )
+ : sprintf( esc_html( Strings::get( Strings::EMAIL_S, /* translators: %s: the support email address */ __( 'Email %s', 'trustedlogin' ) ) ), esc_html( $vendor_email ) );
$retry_url = add_query_arg(
array(
@@ -390,7 +390,7 @@ private function get_preflight_action_html( $error ) {
$message = $error->get_error_message();
if ( '' === $message ) {
- $message = esc_html__( 'Support access is temporarily unavailable. Please try again in a few minutes.', 'trustedlogin' );
+ $message = esc_html( Strings::get( Strings::SUPPORT_ACCESS_IS_TEMPORARILY_UNAVAILABLE_PLEASE, __( 'Support access is temporarily unavailable. Please try again in a few minutes.', 'trustedlogin' ) ) );
}
$response_html = sprintf(
@@ -413,7 +413,7 @@ private function get_preflight_action_html( $error ) {
'
',
esc_attr( $ns ),
esc_url( $retry_url ),
- esc_html__( 'Try reconnecting', 'trustedlogin' )
+ esc_html( Strings::get( Strings::TRY_RECONNECTING, __( 'Try reconnecting', 'trustedlogin' ) ) )
);
return array(
@@ -493,7 +493,7 @@ public function get_auth_screen() {
'response' => $response_html,
'actions' => $actions_html,
'actions_container_class' => $grant_container,
- 'secured_by_trustedlogin' => '{{anchor}} ';
@@ -603,7 +603,7 @@ private function get_terms_of_service_html() {
$variables = array(
'ns' => $this->config->ns(),
- 'tos_text' => esc_html__( 'By granting access, you agree to the {{tos_link}}.', 'trustedlogin' ),
+ 'tos_text' => esc_html( Strings::get( Strings::BY_GRANTING_ACCESS_YOU_AGREE_TO, __( 'By granting access, you agree to the {{tos_link}}.', 'trustedlogin' ) ) ),
'tos_link' => $this->prepare_output( $tos_link_template, $tos_link_variables ),
);
@@ -644,7 +644,7 @@ private function get_reference_html() {
$content = array(
// translators: %s is the reference ID.
- 'reference_text' => sprintf( esc_html__( 'Reference #%s', 'trustedlogin' ), $reference_id ),
+ 'reference_text' => sprintf( esc_html( Strings::get( Strings::REFERENCE_S, __( 'Reference #%s', 'trustedlogin' ) ) ), $reference_id ),
'ns' => $this->config->ns(),
'site_url' => esc_html( str_replace( array( 'https://', 'http://' ), '', get_site_url() ) ),
);
@@ -666,7 +666,7 @@ private function get_intro() {
if ( $has_access ) {
foreach ( $has_access as $access ) {
// translators: %1$s is replaced with the name of the software developer (e.g. "Acme Widgets"). %2$s is the amount of time remaining for access ("1 week").
- $intro = sprintf( esc_html__( '%1$s has site access that expires in %2$s.', 'trustedlogin' ), '' . esc_html( $this->config->get_setting( 'vendor/title' ) ) . ' ', str_replace( ' ', ' ', $this->support_user->get_expiration( $access, true, false ) ) );
+ $intro = sprintf( esc_html( Strings::get( Strings::VENDOR_HAS_SITE_ACCESS_THAT, __( '%1$s has site access that expires in %2$s.', 'trustedlogin' ) ) ), '' . esc_html( $this->config->get_setting( 'vendor/title' ) ) . ' ', str_replace( ' ', ' ', $this->support_user->get_expiration( $access, true, false ) ) );
}
return $intro;
@@ -674,10 +674,10 @@ private function get_intro() {
if ( $this->is_login_screen() ) {
// translators: %1$s is replaced with the name of the software developer (e.g. "Acme Widgets").
- $intro = sprintf( esc_html__( '%1$s would like support access to this site.', 'trustedlogin' ), '' . esc_html( $this->config->get_display_name() ) . ' ' );
+ $intro = sprintf( esc_html( Strings::get( Strings::VENDOR_WOULD_LIKE_SUPPORT_ACCESS, __( '%1$s would like support access to this site.', 'trustedlogin' ) ) ), '' . esc_html( $this->config->get_display_name() ) . ' ' );
} else {
// translators: %1$s is replaced with the name of the software developer (e.g. "Acme Widgets").
- $intro = sprintf( esc_html__( 'Grant %1$s access to this site.', 'trustedlogin' ), '' . esc_html( $this->config->get_display_name() ) . ' ' );
+ $intro = sprintf( esc_html( Strings::get( Strings::GRANT_1_S_ACCESS_TO_THIS, __( 'Grant %1$s access to this site.', 'trustedlogin' ) ) ), '' . esc_html( $this->config->get_display_name() ) . ' ' );
}
return $intro;
@@ -755,7 +755,7 @@ class="tl-{{ns}}-toggle"
data-toggle=".tl-{{ns}}-ticket__fields">
%s ' . human_time_diff( 0, $this->config->get_setting( 'decay' ) ) . ' ' );
+ $expire_summary = sprintf( esc_html( Strings::get( Strings::ACCESS_THIS_SITE_FOR_S, __( 'Access this site for %s.', 'trustedlogin' ) ) ), '' . human_time_diff( 0, $this->config->get_setting( 'decay' ) ) . ' ' );
// translators: %s is replaced by the amount of time that the login will be active for (e.g. "1 week").
- $expire_desc = '' . sprintf( esc_html__( 'Access auto-expires in %s. You may revoke access at any time.', 'trustedlogin' ), human_time_diff( 0, $this->config->get_setting( 'decay' ) ) ) . ' ';
+ $expire_desc = '' . sprintf( esc_html( Strings::get( Strings::ACCESS_AUTO_EXPIRES_IN_S_YOU, __( 'Access auto-expires in %s. You may revoke access at any time.', 'trustedlogin' ) ) ), human_time_diff( 0, $this->config->get_setting( 'decay' ) ) ) . ' ';
$cloned_role = translate_user_role( ucfirst( $this->config->get_setting( 'role' ) ) );
if ( $this->config->get_setting( 'clone_role' ) ) {
// translators: %s is replaced with the name of the role (e.g. "Administrator").
- $roles_summary = sprintf( esc_html__( 'Create a user with a role based on %s.', 'trustedlogin' ), '' . $cloned_role . ' ' );
+ $roles_summary = sprintf( esc_html( Strings::get( Strings::CREATE_A_USER_WITH_A_ROLE, __( 'Create a user with a role based on %s.', 'trustedlogin' ) ) ), '' . $cloned_role . ' ' );
if ( $this->config->get_setting( 'caps/add' ) || $this->config->get_setting( 'caps/remove' ) ) {
- $roles_summary .= sprintf( '%s ', esc_html__( 'View modified role capabilities', 'trustedlogin' ) );
+ $roles_summary .= sprintf( '%s ', esc_html( Strings::get( Strings::VIEW_MODIFIED_ROLE_CAPABILITIES, __( 'View modified role capabilities', 'trustedlogin' ) ) ) );
}
} else {
// translators: %s is replaced with the name of the role (e.g. "Administrator").
- $roles_summary = sprintf( esc_html__( 'Create a user with a role of %s.', 'trustedlogin' ), '' . $cloned_role . ' ' );
+ $roles_summary = sprintf( esc_html( Strings::get( Strings::CREATE_A_USER_WITH_A_ROLE_60602C, __( 'Create a user with a role of %s.', 'trustedlogin' ) ) ), '' . $cloned_role . ' ' );
}
$content = array(
@@ -842,11 +842,16 @@ class="tl-{{ns}}-ticket-field__message large-text"
*/
private function get_debug_data_consent_html() {
- // translators: [link] and [/link] are replaced with a link to the Site Health page. Do not translate.
$output = sprintf(
'',
'[/link]' => ' ',
@@ -872,8 +877,8 @@ private function get_caps_html() {
$removed = $this->config->get_setting( 'caps/remove' );
$caps = '';
- $caps .= $this->get_caps_section( $added, __( 'Additional capabilities:', 'trustedlogin' ), 'dashicons-yes-alt' );
- $caps .= $this->get_caps_section( $removed, __( 'Removed capabilities:', 'trustedlogin' ), 'dashicons-dismiss' );
+ $caps .= $this->get_caps_section( $added, Strings::get( Strings::ADDITIONAL_CAPABILITIES, __( 'Additional capabilities:', 'trustedlogin' ) ), 'dashicons-yes-alt' );
+ $caps .= $this->get_caps_section( $removed, Strings::get( Strings::REMOVED_CAPABILITIES, __( 'Removed capabilities:', 'trustedlogin' ) ), 'dashicons-dismiss' );
if ( empty( $caps ) ) {
return $caps;
@@ -943,10 +948,10 @@ private function get_notices_html() {
$content = array(
// translators: %s is replaced with the name of the software developer (e.g. "Acme Widgets").
- 'local_site' => sprintf( esc_html__( '%s support may not be able to access this site.', 'trustedlogin' ), $this->config->get_setting( 'vendor/title' ) ),
- 'need_access' => esc_html__( 'This website is running in a local development environment. To provide support, we must be able to access your site using a publicly-accessible URL.', 'trustedlogin' ),
+ 'local_site' => sprintf( esc_html( Strings::get( Strings::S_SUPPORT_MAY_NOT_BE_ABLE, __( '%s support may not be able to access this site.', 'trustedlogin' ) ) ), $this->config->get_setting( 'vendor/title' ) ),
+ 'need_access' => esc_html( Strings::get( Strings::THIS_WEBSITE_IS_RUNNING_IN_A, __( 'This website is running in a local development environment. To provide support, we must be able to access your site using a publicly-accessible URL.', 'trustedlogin' ) ) ),
'about_live_access_url' => esc_url( $this->config->get_setting( 'vendor/about_live_access_url', self::ABOUT_LIVE_ACCESS_URL ) ),
- 'learn_more' => esc_html__( 'Learn more.', 'trustedlogin' ),
+ 'learn_more' => esc_html( Strings::get( Strings::LEARN_MORE, __( 'Learn more.', 'trustedlogin' ) ) ),
);
return $this->prepare_output( $notice_template, $content );
@@ -967,8 +972,16 @@ private function get_logo_html() {
$logo_output = sprintf(
'%s ', esc_url( 'https://status.trustedlogin.com' ), is_wp_error( wp_remote_request( 'https://app.trustedlogin.com/api/status' ) ) ? esc_html__( 'Offline', 'trustedlogin' ) : esc_html__( 'Online', 'trustedlogin' ) ),
- esc_html__( 'API Key', 'trustedlogin' ) => sprintf( '%s', esc_html( $mask( $api_key ) ) ),
- esc_html__( 'License Key', 'trustedlogin' ) => sprintf( '%s', esc_html( $mask( $license_key ) ) ),
- esc_html__( 'Log URL', 'trustedlogin' ) => '' === $log_url
- ? esc_html__( '(Log path is outside ABSPATH; not exposing as URL.)', 'trustedlogin' )
- : sprintf( '%s ', esc_url( $log_url ), esc_html__( 'Download the log', 'trustedlogin' ) ),
- esc_html__( 'Log Level', 'trustedlogin' ) => esc_html( (string) $this->config->get_setting( 'logging/threshold', __( '(Default)', 'trustedlogin' ) ) ),
- esc_html__( 'Webhook URL', 'trustedlogin' ) => sprintf( '%s', esc_html( (string) $this->config->get_setting( 'webhook/url', '(Empty)' ) ) ),
- esc_html__( 'Vendor Public Key', 'trustedlogin' ) => sprintf( '%s (%s )', esc_html( (string) $encryption->get_vendor_public_key() ), esc_url( (string) $encryption->get_remote_encryption_key_url() ), esc_html__( 'Verify key', 'trustedlogin' ) ),
+ esc_html( Strings::get( Strings::TRUSTEDLOGIN_STATUS, __( 'TrustedLogin Status', 'trustedlogin' ) ) ) => sprintf( '%s ', esc_url( 'https://status.trustedlogin.com' ), is_wp_error( wp_remote_request( 'https://app.trustedlogin.com/api/status' ) ) ? esc_html( Strings::get( Strings::OFFLINE, __( 'Offline', 'trustedlogin' ) ) ) : esc_html( Strings::get( Strings::ONLINE, __( 'Online', 'trustedlogin' ) ) ) ),
+ esc_html( Strings::get( Strings::API_KEY, __( 'API Key', 'trustedlogin' ) ) ) => sprintf( '%s', esc_html( $mask( $api_key ) ) ),
+ esc_html( Strings::get( Strings::LICENSE_KEY, __( 'License Key', 'trustedlogin' ) ) ) => sprintf( '%s', esc_html( $mask( $license_key ) ) ),
+ esc_html( Strings::get( Strings::LOG_URL, __( 'Log URL', 'trustedlogin' ) ) ) => '' === $log_url
+ ? esc_html( Strings::get( Strings::LOG_PATH_IS_OUTSIDE_ABSPATH_NOT, __( '(Log path is outside ABSPATH; not exposing as URL.)', 'trustedlogin' ) ) )
+ : sprintf( '%s ', esc_url( $log_url ), esc_html( Strings::get( Strings::DOWNLOAD_THE_LOG, __( 'Download the log', 'trustedlogin' ) ) ) ),
+ esc_html( Strings::get( Strings::LOG_LEVEL, __( 'Log Level', 'trustedlogin' ) ) ) => esc_html( (string) $this->config->get_setting( 'logging/threshold', Strings::get( Strings::DEFAULT_LEVEL, __( '(Default)', 'trustedlogin' ) ) ) ),
+ esc_html( Strings::get( Strings::WEBHOOK_URL, __( 'Webhook URL', 'trustedlogin' ) ) ) => sprintf( '%s', esc_html( (string) $this->config->get_setting( 'webhook/url', '(Empty)' ) ) ),
+ esc_html( Strings::get( Strings::VENDOR_PUBLIC_KEY, __( 'Vendor Public Key', 'trustedlogin' ) ) ) => sprintf( '%s (%s )', esc_html( (string) $encryption->get_vendor_public_key() ), esc_url( (string) $encryption->get_remote_encryption_key_url() ), esc_html( Strings::get( Strings::VERIFY_KEY, __( 'Verify key', 'trustedlogin' ) ) ) ),
);
$debugging_info = '';
@@ -1130,9 +1143,9 @@ function ( &$value, $key ) use ( $mask ) {
$debugging_output,
array(
'ns' => $this->config->ns(),
- 'debugging_label' => esc_html__( 'Debugging Info', 'trustedlogin' ),
+ 'debugging_label' => esc_html( Strings::get( Strings::DEBUGGING_INFO, __( 'Debugging Info', 'trustedlogin' ) ) ),
'debugging_info' => $debugging_info,
- 'tl_config_label' => esc_html__( 'TrustedLogin Config', 'trustedlogin' ),
+ 'tl_config_label' => esc_html( Strings::get( Strings::TRUSTEDLOGIN_CONFIG, __( 'TrustedLogin Config', 'trustedlogin' ) ) ),
'tl_config' => '' . esc_html( print_r( $config_dump, true ) ) . ' ', // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
)
);
@@ -1429,9 +1442,18 @@ public function get_button( $atts = array() ) {
$defaults = array(
// translators: %s is replaced with the name of the software developer (e.g. "Acme Widgets").
- 'text' => sprintf( esc_html__( 'Grant %s Access', 'trustedlogin' ), $this->config->get_display_name() ),
- // translators: %s is replaced with the name of the software developer (e.g. "Acme Widgets").
- 'exists_text' => sprintf( esc_html__( 'Extend %s Access', 'trustedlogin' ), $this->config->get_display_name(), ucwords( human_time_diff( time(), time() + (int) $this->config->get_setting( 'decay' ) ) ) ),
+ 'text' => sprintf( esc_html( Strings::get( Strings::GRANT_S_ACCESS, __( 'Grant %s Access', 'trustedlogin' ) ) ), $this->config->get_display_name() ),
+ 'exists_text' => sprintf(
+ esc_html(
+ Strings::get(
+ Strings::EXTEND_VENDOR_ACCESS_FOR_DURATION,
+ /* translators: %1$s is replaced with the name of the software developer (e.g. "Acme Widgets"); %2$s is the human-readable duration of granted access (e.g. "1 week"). */
+ __( 'Extend %1$s Access for %2$s', 'trustedlogin' )
+ )
+ ),
+ $this->config->get_display_name(),
+ ucwords( human_time_diff( time(), time() + (int) $this->config->get_setting( 'decay' ) ) )
+ ),
'size' => 'hero',
'class' => 'button-primary',
'tag' => 'a', // Inline tags only.
@@ -1495,7 +1517,7 @@ public function get_button( $atts = array() ) {
if ( $atts['powered_by'] ) {
$powered_by = sprintf(
'%s
%s
',
sprintf(
// translators: %s is replaced with the name of the software developer (e.g. "Acme Widgets").
- esc_html__( 'The user details could not be sent to %1$s automatically.', 'trustedlogin' ),
+ esc_html( Strings::get( Strings::THE_USER_DETAILS_COULD_NOT_BE, __( 'The user details could not be sent to %1$s automatically.', 'trustedlogin' ) ) ),
$vendor_title
),
sprintf(
// translators: %1$s is the vendor support url and %2$s is the vendor title.
- __( 'Please click here to go to the %2$s support site', 'trustedlogin' ),
+ Strings::get( Strings::PLEASE_A_HREF_1_S_TARGET, __( 'Please click here to go to the %2$s support site', 'trustedlogin' ) ),
esc_url( add_query_arg( $query_args, $this->config->get_setting( 'vendor/support_url' ) ) ),
$vendor_title
)
@@ -1592,45 +1614,45 @@ public function translations() {
$translations = array(
'buttons' => array(
- 'confirm' => esc_html__( 'Confirm', 'trustedlogin' ),
- 'ok' => esc_html__( 'Ok', 'trustedlogin' ),
+ 'confirm' => esc_html( Strings::get( Strings::CONFIRM, __( 'Confirm', 'trustedlogin' ) ) ),
+ 'ok' => esc_html( Strings::get( Strings::OK, __( 'Ok', 'trustedlogin' ) ) ),
// translators: %1$s is the vendor title.
- 'go_to_site' => sprintf( __( 'Go to %1$s support site', 'trustedlogin' ), $vendor_title ),
- 'close' => esc_html__( 'Close', 'trustedlogin' ),
- 'cancel' => esc_html__( 'Cancel', 'trustedlogin' ),
+ 'go_to_site' => sprintf( Strings::get( Strings::GO_TO_1_S_SUPPORT_SITE, __( 'Go to %1$s support site', 'trustedlogin' ) ), $vendor_title ),
+ 'close' => esc_html( Strings::get( Strings::CLOSE, __( 'Close', 'trustedlogin' ) ) ),
+ 'cancel' => esc_html( Strings::get( Strings::CANCEL, __( 'Cancel', 'trustedlogin' ) ) ),
// translators: %1$s is the vendor title.
- 'revoke' => sprintf( esc_html__( 'Revoke %1$s support access', 'trustedlogin' ), $vendor_title ),
- 'copy' => esc_html__( 'Copy', 'trustedlogin' ),
- 'copied' => esc_html__( 'Copied!', 'trustedlogin' ),
+ 'revoke' => sprintf( esc_html( Strings::get( Strings::REVOKE_1_S_SUPPORT_ACCESS, __( 'Revoke %1$s support access', 'trustedlogin' ) ) ), $vendor_title ),
+ 'copy' => esc_html( Strings::get( Strings::COPY, __( 'Copy', 'trustedlogin' ) ) ),
+ 'copied' => esc_html( Strings::get( Strings::COPIED, __( 'Copied!', 'trustedlogin' ) ) ),
),
'a11y' => array(
- 'opens_new_window' => esc_attr__( '(This link opens in a new window.)', 'trustedlogin' ),
- 'copied_text' => esc_html__( 'The access key has been copied to your clipboard.', 'trustedlogin' ),
+ 'opens_new_window' => esc_attr( Strings::get( Strings::THIS_LINK_OPENS_IN_A_NEW, __( '(This link opens in a new window.)', 'trustedlogin' ) ) ),
+ 'copied_text' => esc_html( Strings::get( Strings::THE_ACCESS_KEY_HAS_BEEN_COPIED, __( 'The access key has been copied to your clipboard.', 'trustedlogin' ) ) ),
),
'status' => array(
'synced' => array(
- 'title' => esc_html__( 'Support access granted', 'trustedlogin' ),
+ 'title' => esc_html( Strings::get( Strings::SUPPORT_ACCESS_GRANTED, __( 'Support access granted', 'trustedlogin' ) ) ),
'content' => sprintf(
// translators: %1$s is the vendor title.
- __( 'A temporary support user has been created, and sent to %1$s support.', 'trustedlogin' ),
+ Strings::get( Strings::A_TEMPORARY_SUPPORT_USER_HAS_BEEN, __( 'A temporary support user has been created, and sent to %1$s support.', 'trustedlogin' ) ),
$vendor_title
),
),
'pending' => array(
// translators: %1$s is the vendor title.
- 'content' => sprintf( __( 'Generating & encrypting secure support access for %1$s', 'trustedlogin' ), $vendor_title ),
+ 'content' => sprintf( Strings::get( Strings::GENERATING_ENCRYPTING_SECURE_SUPPORT_ACCESS_FOR, __( 'Generating & encrypting secure support access for %1$s', 'trustedlogin' ) ), $vendor_title ),
),
'extending' => array(
// translators: %1$s is the vendor title and %2$s is the human-readable expiration time (for example, "1 week").
- 'content' => sprintf( __( 'Extending support access for %1$s by %2$s', 'trustedlogin' ), $vendor_title, human_time_diff( time(), time() + (int) $this->config->get_setting( 'decay' ) ) ),
+ 'content' => sprintf( Strings::get( Strings::EXTENDING_SUPPORT_ACCESS_FOR_1_S, __( 'Extending support access for %1$s by %2$s', 'trustedlogin' ) ), $vendor_title, human_time_diff( time(), time() + (int) $this->config->get_setting( 'decay' ) ) ),
),
'syncing' => array(
// translators: %1$s is the vendor title.
- 'content' => sprintf( __( 'Sending encrypted access to %1$s.', 'trustedlogin' ), $vendor_title ),
+ 'content' => sprintf( Strings::get( Strings::SENDING_ENCRYPTED_ACCESS_TO_1_S, __( 'Sending encrypted access to %1$s.', 'trustedlogin' ) ), $vendor_title ),
),
'error' => array(
// translators: %1$s is the vendor title.
- 'title' => sprintf( __( 'Couldn\'t register support access with %1$s', 'trustedlogin' ), $vendor_title ),
+ 'title' => sprintf( Strings::get( Strings::COULDN_T_REGISTER_SUPPORT_ACCESS_WITH, __( 'Couldn\'t register support access with %1$s', 'trustedlogin' ) ), $vendor_title ),
'content' => wp_kses(
$error_content,
array(
@@ -1644,46 +1666,46 @@ public function translations() {
),
),
'cancel' => array(
- 'title' => esc_html__( 'Action Cancelled', 'trustedlogin' ),
+ 'title' => esc_html( Strings::get( Strings::ACTION_CANCELLED, __( 'Action Cancelled', 'trustedlogin' ) ) ),
'content' => sprintf(
// translators: %1$s is the vendor title.
- __( 'A support account for %1$s was not created.', 'trustedlogin' ),
+ Strings::get( Strings::A_SUPPORT_ACCOUNT_FOR_1_S, __( 'A support account for %1$s was not created.', 'trustedlogin' ) ),
$vendor_title
),
),
'failed' => array(
- 'title' => esc_html__( 'Support Access Was Not Granted', 'trustedlogin' ),
- 'content' => esc_html__( 'There was an error granting access: ', 'trustedlogin' ),
+ 'title' => esc_html( Strings::get( Strings::SUPPORT_ACCESS_WAS_NOT_GRANTED, __( 'Support Access Was Not Granted', 'trustedlogin' ) ) ),
+ 'content' => esc_html( Strings::get( Strings::THERE_WAS_AN_ERROR_GRANTING_ACCESS, __( 'There was an error granting access: ', 'trustedlogin' ) ) ),
),
'failed_permissions' => array(
- 'content' => esc_html__( 'Your authorized session has expired. Please refresh the page.', 'trustedlogin' ),
+ 'content' => esc_html( Strings::get( Strings::YOUR_AUTHORIZED_SESSION_HAS_EXPIRED_PLEASE, __( 'Your authorized session has expired. Please refresh the page.', 'trustedlogin' ) ) ),
),
'timeout' => array(
- 'content' => esc_html__( 'The request took too long to complete. Please try again.', 'trustedlogin' ),
+ 'content' => esc_html( Strings::get( Strings::THE_REQUEST_TOOK_TOO_LONG_TO, __( 'The request took too long to complete. Please try again.', 'trustedlogin' ) ) ),
),
'accesskey' => array(
- 'title' => esc_html__( 'Support Access Key Created', 'trustedlogin' ),
+ 'title' => esc_html( Strings::get( Strings::SUPPORT_ACCESS_KEY_CREATED, __( 'Support Access Key Created', 'trustedlogin' ) ) ),
'content' => sprintf(
// translators: %1$s is the vendor title.
- __( 'Share this access key with %1$s to give them secure access:', 'trustedlogin' ),
+ Strings::get( Strings::SHARE_THIS_ACCESS_KEY_WITH_1, __( 'Share this access key with %1$s to give them secure access:', 'trustedlogin' ) ),
$vendor_title
),
'revoke_link' => esc_url( add_query_arg( array( Endpoint::REVOKE_SUPPORT_QUERY_PARAM => $this->config->ns() ), admin_url() ) ),
),
'error404' => array(
- 'title' => esc_html__( 'The support team\'s site could not be found.', 'trustedlogin' ),
+ 'title' => esc_html( Strings::get( Strings::THE_SUPPORT_TEAM_S_SITE_COULD, __( 'The support team\'s site could not be found.', 'trustedlogin' ) ) ),
'content' => '',
),
'error409' => array(
'title' => sprintf(
// translators: %1$s is the vendor title.
- __( '%1$s Support user already exists', 'trustedlogin' ),
+ Strings::get( Strings::VENDOR_SUPPORT_USER_ALREADY_EXISTS, __( '%1$s Support user already exists', 'trustedlogin' ) ),
$vendor_title
),
'content' => sprintf(
wp_kses(
// translators: %1$s is the vendor title, %2$s is the URL to the users list page.
- __( 'A support user for %1$s already exists. You may revoke this support access from your Users list .', 'trustedlogin' ),
+ Strings::get( Strings::A_SUPPORT_USER_FOR_1_S, __( 'A support user for %1$s already exists. You may revoke this support access from your Users list .', 'trustedlogin' ) ),
array(
'a' => array(
'href' => array(),
@@ -1726,7 +1748,7 @@ public function output_support_users( $print_and_return = true ) {
if ( empty( $support_users ) ) {
// translators: %s is replaced with the name of the software developer (e.g. "Acme Widgets").
- $return = '' . sprintf( esc_html__( 'No %s users exist.', 'trustedlogin' ), esc_html( $this->config->get_setting( 'vendor/title' ) ) ) . ' ';
+ $return = '' . sprintf( esc_html( Strings::get( Strings::NO_S_USERS_EXIST, __( 'No %s users exist.', 'trustedlogin' ) ) ), esc_html( $this->config->get_setting( 'vendor/title' ) ) ) . ' ';
if ( $print_and_return ) {
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
@@ -1752,11 +1774,11 @@ public function output_support_users( $print_and_return = true ) {
/* %1$s */
sanitize_title( $this->config->ns() ),
/* %2$s */
- esc_html__( 'Error', 'trustedlogin' ),
+ esc_html( Strings::get( Strings::ERROR, __( 'Error', 'trustedlogin' ) ) ),
/* %3$s */
'div',
/* %4$s */
- esc_html__( 'There was an error returning the access key.', 'trustedlogin' ),
+ esc_html( Strings::get( Strings::THERE_WAS_AN_ERROR_RETURNING_THE, __( 'There was an error returning the access key.', 'trustedlogin' ) ) ),
/* %5$s */
esc_html( $access_key->get_error_message() )
);
@@ -1778,20 +1800,20 @@ public function output_support_users( $print_and_return = true ) {
/* %1$s */
sanitize_title( $this->config->ns() ),
/* %2$s */
- esc_html__( 'Site access key:', 'trustedlogin' ),
+ esc_html( Strings::get( Strings::SITE_ACCESS_KEY, __( 'Site access key:', 'trustedlogin' ) ) ),
/* %3$s */
- esc_html__( 'Access Key', 'trustedlogin' ),
+ esc_html( Strings::get( Strings::ACCESS_KEY, __( 'Access Key', 'trustedlogin' ) ) ),
/* %4$s */
esc_attr( $access_key ),
/* %5$s */
- esc_html__( 'Copy', 'trustedlogin' ),
+ esc_html( Strings::get( Strings::COPY, __( 'Copy', 'trustedlogin' ) ) ),
/* %6$s */
'div',
/* %7$s */
- esc_html__( 'Copy the access key to your clipboard', 'trustedlogin' ),
+ esc_html( Strings::get( Strings::COPY_THE_ACCESS_KEY_TO_YOUR, __( 'Copy the access key to your clipboard', 'trustedlogin' ) ) ),
// %8$s
// translators: %s is the display name of the TrustedLogin support user.
- sprintf( esc_html__( 'The access key is not a password; only %1$s will be able to access your site using this code. You may share this access key on support forums.', 'trustedlogin' ), esc_html( $this->support_user->get_first()->display_name ) ),
+ sprintf( esc_html( Strings::get( Strings::THE_ACCESS_KEY_IS_NOT_A, __( 'The access key is not a password; only %1$s will be able to access your site using this code. You may share this access key on support forums.', 'trustedlogin' ) ) ), esc_html( $this->support_user->get_first()->display_name ) ),
/* %9$s */
esc_attr( $this->support_user->get_expiration( $this->support_user->get_first() ) )
);
@@ -1851,7 +1873,7 @@ public function admin_notice_login_outcome() {
echo esc_html(
sprintf(
// translators: %s vendor title (e.g. Acme Widgets).
- __( 'You are logged in as a %s support user.', 'trustedlogin' ),
+ Strings::get( Strings::YOU_ARE_LOGGED_IN_AS_A_4EED50, __( 'You are logged in as a %s support user.', 'trustedlogin' ) ),
$vendor_title
)
);
@@ -1863,7 +1885,7 @@ public function admin_notice_login_outcome() {
echo esc_html(
sprintf(
// translators: %s human-readable duration like "1 week".
- __( 'Access expires in %s.', 'trustedlogin' ),
+ Strings::get( Strings::ACCESS_EXPIRES_IN_S, __( 'Access expires in %s.', 'trustedlogin' ) ),
$expiration
)
);
@@ -1885,7 +1907,7 @@ public function admin_notice_login_outcome() {
display_name )
);
?>
@@ -1914,11 +1936,11 @@ public function admin_notice_revoked() {
config->get_setting( 'vendor/title' ) ) );
+ echo esc_html( sprintf( Strings::get( Strings::S_ACCESS_REVOKED, __( '%s access revoked.', 'trustedlogin' ) ), $this->config->get_setting( 'vendor/title' ) ) );
?>
-
+
in_lockdown() ) {
$this->logging->log( 'Site is in lockdown mode, aborting login.', __METHOD__, 'error' );
- return new \WP_Error( 'in_lockdown', __( 'Support access is temporarily disabled on this site after repeated failed attempts. Please try again later.', 'trustedlogin' ) );
+ return new \WP_Error( 'in_lockdown', Strings::get( Strings::SUPPORT_ACCESS_IS_TEMPORARILY_DISABLED_ON, __( 'Support access is temporarily disabled on this site after repeated failed attempts. Please try again later.', 'trustedlogin' ) ) );
}
// When passed in the endpoint URL, the unique ID will be the raw value, not the hash.
@@ -139,7 +139,7 @@ public function verify( $passed_user_identifier = '' ) {
$this->logging->log(
sprintf(
// translators: %s is the error message.
- __( 'Support access could not be verified — login aborted. (%s)', 'trustedlogin' ),
+ Strings::get( Strings::SUPPORT_ACCESS_COULD_NOT_BE_VERIFIED_35C1B9, __( 'Support access could not be verified — login aborted. (%s)', 'trustedlogin' ) ),
$approved->get_error_message()
),
__METHOD__,
diff --git a/src/SiteAccess.php b/src/SiteAccess.php
index aac5e7d2..7763e53d 100644
--- a/src/SiteAccess.php
+++ b/src/SiteAccess.php
@@ -67,7 +67,7 @@ public function sync_secret( $secret_id, $site_identifier_hash, $action = 'creat
$encryption = new Encryption( $this->config, $remote, $logging );
if ( ! in_array( $action, self::$sync_actions, true ) ) {
- return new \WP_Error( 'param_error', __( 'Unexpected action value', 'trustedlogin' ) );
+ return new \WP_Error( 'param_error', Strings::get( Strings::UNEXPECTED_ACTION_VALUE, __( 'Unexpected action value', 'trustedlogin' ) ) );
}
$access_key = $this->get_access_key();
@@ -98,7 +98,7 @@ public function sync_secret( $secret_id, $site_identifier_hash, $action = 'creat
}
if ( empty( $response_json['success'] ) ) {
- return new \WP_Error( 'sync_error', __( 'Support access could not be registered. Please try again in a minute, or contact the plugin\'s support team.', 'trustedlogin' ) );
+ return new \WP_Error( 'sync_error', Strings::get( Strings::SUPPORT_ACCESS_COULD_NOT_BE_REGISTERED, __( 'Support access could not be registered. Please try again in a minute, or contact the plugin\'s support team.', 'trustedlogin' ) ) );
}
// Opportunistically cache the SaaS-supplied webhook URL. This
diff --git a/src/Strings.php b/src/Strings.php
new file mode 100644
index 00000000..876f9614
--- /dev/null
+++ b/src/Strings.php
@@ -0,0 +1,662 @@
+
+ */
+ private static $overrides = array();
+
+ /**
+ * Bind the active Config. Subsequent `get()` calls read overrides
+ * and the runtime filter namespace from it.
+ *
+ * @since 1.11.0
+ *
+ * @param Config $config Active configuration to bind for overrides + filter namespacing.
+ */
+ public static function init( Config $config ) {
+ self::$config = $config;
+ self::$overrides = (array) $config->get_setting( 'strings', array() );
+ }
+
+ /**
+ * Clear all bound state.
+ *
+ * @since 1.11.0
+ */
+ public static function reset() {
+ self::$config = null;
+ self::$overrides = array();
+ self::$textdomain = 'trustedlogin';
+ self::$translations_loaded = false;
+ self::$pending_textdomain = '';
+ }
+
+ /**
+ * `init` action callback for textdomains queued by a pre-init
+ * `load_translations()`.
+ *
+ * @since 1.11.0
+ */
+ public static function on_init_load_translations() {
+ if ( '' === self::$pending_textdomain ) {
+ return;
+ }
+ $pending = self::$pending_textdomain;
+ self::$pending_textdomain = '';
+ self::load_translations( $pending );
+ }
+
+ /**
+ * `change_locale` action callback. Reloads the SDK's `.mo` for the
+ * new locale against the currently bound integrator textdomain.
+ *
+ * @since 1.11.0
+ *
+ * @param string $new_locale Locale that WordPress just switched to.
+ */
+ public static function on_change_locale( $new_locale ) {
+ $mo = self::mo_path_for( $new_locale );
+ if ( $mo && is_readable( $mo ) ) {
+ load_textdomain( self::$textdomain, $mo );
+ }
+ }
+
+
+ /**
+ * Registry of every overrideable key and its placeholder budget.
+ *
+ * `placeholders`: how many positional sprintf args the default
+ * requires. 0 = no placeholders, override is taken verbatim.
+ * 1+ = override MUST resolve to the same number of placeholders
+ * (validated behaviorally — see {@see Config::placeholders_safe()}).
+ *
+ * @return array
+ */
+ public static function registry() {
+ return array(
+ self::REVOKE_ACCESS => array( 'placeholders' => 0 ),
+ self::YOU_ARE_LOGGED_IN_AS_A => array( 'placeholders' => 0 ),
+ self::GRANT_SUPPORT_ACCESS => array( 'placeholders' => 0 ),
+ self::VERIFICATION_ISSUE_REQUEST_COULD_NOT_BE => array( 'placeholders' => 0 ),
+ self::YOU_DO_NOT_HAVE_THE_ABILITY => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_REQUIRES_A_SECURE_HTTPS => array( 'placeholders' => 0 ),
+ self::THE_SUPPORT_USER_WAS_NOT_DELETED => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET_799354 => array( 'placeholders' => 0 ),
+ self::SUPPORT_LOGIN_COULD_NOT_COMPLETE => array( 'placeholders' => 0 ),
+ self::RETURN_TO_YOUR_SUPPORT_TOOL_TO => array( 'placeholders' => 0 ),
+ self::UNKNOWN_USER_D => array( 'placeholders' => 1 ),
+ self::CREATED_1_S_AGO_BY_2 => array( 'placeholders' => 2 ),
+ self::CONTACT_S_SUPPORT => array( 'placeholders' => 1 ),
+ self::EMAIL_S => array( 'placeholders' => 1 ),
+ self::SUPPORT_ACCESS_IS_TEMPORARILY_UNAVAILABLE_PLEASE => array( 'placeholders' => 0 ),
+ self::TRY_RECONNECTING => array( 'placeholders' => 0 ),
+ self::SECURED_BY_TRUSTEDLOGIN => array( 'placeholders' => 0 ),
+ self::TERMS_OF_SERVICE => array( 'placeholders' => 0 ),
+ self::BY_GRANTING_ACCESS_YOU_AGREE_TO => array( 'placeholders' => 0 ),
+ self::REFERENCE_S => array( 'placeholders' => 1 ),
+ self::VENDOR_HAS_SITE_ACCESS_THAT => array( 'placeholders' => 2 ),
+ self::VISIT_VENDOR_WEBSITE => array( 'placeholders' => 1 ),
+ self::VENDOR_WOULD_LIKE_SUPPORT_ACCESS => array( 'placeholders' => 1 ),
+ self::GRANT_1_S_ACCESS_TO_THIS => array( 'placeholders' => 1 ),
+ self::INCLUDE_A_MESSAGE_FOR_SUPPORT => array( 'placeholders' => 0 ),
+ self::PLEASE_DESCRIBE_THE_ISSUE_YOU_ARE => array( 'placeholders' => 0 ),
+ self::ACCESS_THIS_SITE_FOR_S => array( 'placeholders' => 1 ),
+ self::ACCESS_AUTO_EXPIRES_IN_S_YOU => array( 'placeholders' => 1 ),
+ self::CREATE_A_USER_WITH_A_ROLE => array( 'placeholders' => 1 ),
+ self::VIEW_MODIFIED_ROLE_CAPABILITIES => array( 'placeholders' => 0 ),
+ self::CREATE_A_USER_WITH_A_ROLE_60602C => array( 'placeholders' => 1 ),
+ self::INCLUDE_THE_LINK_SITE_HEALTH_LINK => array( 'placeholders' => 0 ),
+ self::ADDITIONAL_CAPABILITIES => array( 'placeholders' => 0 ),
+ self::REMOVED_CAPABILITIES => array( 'placeholders' => 0 ),
+ self::S_SUPPORT_MAY_NOT_BE_ABLE => array( 'placeholders' => 1 ),
+ self::THIS_WEBSITE_IS_RUNNING_IN_A => array( 'placeholders' => 0 ),
+ self::LEARN_MORE => array( 'placeholders' => 0 ),
+ self::LEARN_ABOUT_TRUSTEDLOGIN => array( 'placeholders' => 0 ),
+ self::TRUSTEDLOGIN_STATUS => array( 'placeholders' => 0 ),
+ self::OFFLINE => array( 'placeholders' => 0 ),
+ self::ONLINE => array( 'placeholders' => 0 ),
+ self::API_KEY => array( 'placeholders' => 0 ),
+ self::LICENSE_KEY => array( 'placeholders' => 0 ),
+ self::LOG_URL => array( 'placeholders' => 0 ),
+ self::LOG_PATH_IS_OUTSIDE_ABSPATH_NOT => array( 'placeholders' => 0 ),
+ self::DOWNLOAD_THE_LOG => array( 'placeholders' => 0 ),
+ self::LOG_LEVEL => array( 'placeholders' => 0 ),
+ self::DEFAULT_LEVEL => array( 'placeholders' => 0 ),
+ self::WEBHOOK_URL => array( 'placeholders' => 0 ),
+ self::VENDOR_PUBLIC_KEY => array( 'placeholders' => 0 ),
+ self::VERIFY_KEY => array( 'placeholders' => 0 ),
+ self::DEBUGGING_INFO => array( 'placeholders' => 0 ),
+ self::TRUSTEDLOGIN_CONFIG => array( 'placeholders' => 0 ),
+ self::GRANT_S_ACCESS => array( 'placeholders' => 1 ),
+ self::EXTEND_VENDOR_ACCESS_FOR_DURATION => array( 'placeholders' => 2 ),
+ self::COULD_NOT_CREATE_SUPPORT_ACCESS => array( 'placeholders' => 0 ),
+ self::THE_USER_DETAILS_COULD_NOT_BE => array( 'placeholders' => 1 ),
+ self::PLEASE_A_HREF_1_S_TARGET => array( 'placeholders' => 2 ),
+ self::CONFIRM => array( 'placeholders' => 0 ),
+ self::OK => array( 'placeholders' => 0 ),
+ self::GO_TO_1_S_SUPPORT_SITE => array( 'placeholders' => 1 ),
+ self::CLOSE => array( 'placeholders' => 0 ),
+ self::CANCEL => array( 'placeholders' => 0 ),
+ self::REVOKE_1_S_SUPPORT_ACCESS => array( 'placeholders' => 1 ),
+ self::COPY => array( 'placeholders' => 0 ),
+ self::COPIED => array( 'placeholders' => 0 ),
+ self::THIS_LINK_OPENS_IN_A_NEW => array( 'placeholders' => 0 ),
+ self::THE_ACCESS_KEY_HAS_BEEN_COPIED => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_GRANTED => array( 'placeholders' => 0 ),
+ self::A_TEMPORARY_SUPPORT_USER_HAS_BEEN => array( 'placeholders' => 1 ),
+ self::GENERATING_ENCRYPTING_SECURE_SUPPORT_ACCESS_FOR => array( 'placeholders' => 1 ),
+ self::EXTENDING_SUPPORT_ACCESS_FOR_1_S => array( 'placeholders' => 2 ),
+ self::SENDING_ENCRYPTED_ACCESS_TO_1_S => array( 'placeholders' => 1 ),
+ self::COULDN_T_REGISTER_SUPPORT_ACCESS_WITH => array( 'placeholders' => 1 ),
+ self::ACTION_CANCELLED => array( 'placeholders' => 0 ),
+ self::A_SUPPORT_ACCOUNT_FOR_1_S => array( 'placeholders' => 1 ),
+ self::SUPPORT_ACCESS_WAS_NOT_GRANTED => array( 'placeholders' => 0 ),
+ self::THERE_WAS_AN_ERROR_GRANTING_ACCESS => array( 'placeholders' => 0 ),
+ self::YOUR_AUTHORIZED_SESSION_HAS_EXPIRED_PLEASE => array( 'placeholders' => 0 ),
+ self::THE_REQUEST_TOOK_TOO_LONG_TO => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_KEY_CREATED => array( 'placeholders' => 0 ),
+ self::SHARE_THIS_ACCESS_KEY_WITH_1 => array( 'placeholders' => 1 ),
+ self::THE_SUPPORT_TEAM_S_SITE_COULD => array( 'placeholders' => 0 ),
+ self::VENDOR_SUPPORT_USER_ALREADY_EXISTS => array( 'placeholders' => 1 ),
+ self::A_SUPPORT_USER_FOR_1_S => array( 'placeholders' => 2 ),
+ self::NO_S_USERS_EXIST => array( 'placeholders' => 1 ),
+ self::ERROR => array( 'placeholders' => 0 ),
+ self::THERE_WAS_AN_ERROR_RETURNING_THE => array( 'placeholders' => 0 ),
+ self::SITE_ACCESS_KEY => array( 'placeholders' => 0 ),
+ self::ACCESS_KEY => array( 'placeholders' => 0 ),
+ self::COPY_THE_ACCESS_KEY_TO_YOUR => array( 'placeholders' => 0 ),
+ self::THE_ACCESS_KEY_IS_NOT_A => array( 'placeholders' => 1 ),
+ self::YOU_ARE_LOGGED_IN_AS_A_4EED50 => array( 'placeholders' => 1 ),
+ self::ACCESS_EXPIRES_IN_S => array( 'placeholders' => 1 ),
+ self::YOU_WERE_ALREADY_SIGNED_IN_AS => array( 'placeholders' => 1 ),
+ self::S_ACCESS_REVOKED => array( 'placeholders' => 1 ),
+ self::YOU_MAY_SAFELY_CLOSE_THIS_WINDOW => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET_979C0F => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_VERIFIED => array( 'placeholders' => 0 ),
+ self::THE_SUPPORT_TEAM_S_ACCOUNT_HAS => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_WAS_REFUSED_PLEASE_CONTACT => array( 'placeholders' => 0 ),
+ self::THE_SUPPORT_TEAM_S_SITE_IS => array( 'placeholders' => 0 ),
+ self::THE_SUPPORT_TEAM_S_SITE_IS_6D0AB1 => array( 'placeholders' => 0 ),
+ self::THE_SUPPORT_TEAM_S_SITE_RETURNED => array( 'placeholders' => 0 ),
+ self::COULD_NOT_REACH_THE_SUPPORT_TEAM => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET_084A44 => array( 'placeholders' => 1 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET_829416 => array( 'placeholders' => 1 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET_BE0B5D => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET_343150 => array( 'placeholders' => 1 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_SET_C6BDA2 => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_VENDOR_RETURNED_NOTHING => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_VENDOR_NOT_CONFIGURED => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_VENDOR_RESPONSE_INCOMPLETE => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_IS_TEMPORARILY_DISABLED_ON => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_VERIFIED_35C1B9 => array( 'placeholders' => 1 ),
+ self::UNEXPECTED_ACTION_VALUE => array( 'placeholders' => 0 ),
+ self::SUPPORT_ACCESS_COULD_NOT_BE_REGISTERED => array( 'placeholders' => 0 ),
+ self::S_SUPPORT => array( 'placeholders' => 1 ),
+ self::USER_NOT_CREATED_USER_WITH_THAT => array( 'placeholders' => 0 ),
+ );
+ }
+
+ /**
+ * The full list of overrideable keys. Convenience for validation.
+ *
+ * @return string[]
+ */
+ public static function known_keys() {
+ return array_keys( self::registry() );
+ }
+
+ // -----------------------------------------------------------------
+ // Translation loading (integrator opt-in).
+ // -----------------------------------------------------------------
+
+ /**
+ * Load the SDK's bundled translations against the integrator's textdomain.
+ *
+ * Call once from your plugin on `plugins_loaded` or `init`:
+ *
+ * add_action( 'init', function () {
+ * \Acme\Vendor\TrustedLogin\Strings::load_translations( 'acme-plugin' );
+ * } );
+ *
+ * Defers automatically when called before `init` (avoids the WP 6.7+
+ * early-translation deprecation notice).
+ *
+ * @since 1.11.0
+ *
+ * @param string $textdomain Your plugin's textdomain.
+ *
+ * @return void
+ */
+ public static function load_translations( $textdomain ) {
+ if ( ! is_string( $textdomain ) || '' === $textdomain ) {
+ return;
+ }
+
+ if ( ! did_action( 'init' ) ) {
+ self::$pending_textdomain = $textdomain;
+ add_action( 'init', array( __CLASS__, 'on_init_load_translations' ) );
+ return;
+ }
+
+ self::$textdomain = $textdomain;
+
+ $mo = self::mo_path_for( determine_locale() );
+ if ( $mo && is_readable( $mo ) ) {
+ load_textdomain( $textdomain, $mo );
+ }
+
+ if ( ! self::$translations_loaded ) {
+ add_action( 'change_locale', array( __CLASS__, 'on_change_locale' ) );
+ self::$translations_loaded = true;
+ }
+ }
+
+ /**
+ * Absolute path to the bundled `.mo` for a locale, or empty string if missing.
+ *
+ * Uses `dirname( __FILE__ )` so the path resolves correctly whether
+ * the SDK is at `wp-content/plugins/foo/vendor_prefixed/trustedlogin/
+ * client/src/Strings.php` (Strauss layout) or anywhere else.
+ *
+ * @param string $locale Locale code (e.g. `de_DE`).
+ *
+ * @return string
+ */
+ private static function mo_path_for( $locale ) {
+ if ( ! is_string( $locale ) || '' === $locale ) {
+ return '';
+ }
+ return __DIR__ . '/languages/trustedlogin-' . $locale . '.mo';
+ }
+
+ // -----------------------------------------------------------------
+ // Translation accessor (called by SDK internals).
+ // -----------------------------------------------------------------
+
+ /**
+ * Resolve a translatable string by key, falling back to the SDK
+ * default and finally applying the runtime override filter.
+ *
+ * The call site passes the SDK's English default as a LITERAL
+ * `__()` / `_n()` call wrapped in this getter:
+ *
+ * $label = $strings->get(
+ * Strings::SECURED_BY,
+ * __( 'Secured by TrustedLogin', 'trustedlogin' )
+ * );
+ *
+ * Two things happen here:
+ *
+ * 1. The literal `__( 'Secured…', 'trustedlogin' )` is the anchor
+ * that `wp i18n make-pot` extracts into the SDK's `.pot`. At
+ * runtime it returns the input verbatim unless something has
+ * explicitly loaded the `trustedlogin` textdomain (which
+ * Strauss-prefixed deployments will not).
+ *
+ * 2. {@see self::get()} re-translates against the textdomain the
+ * integrator passed to {@see self::load_translations()}. That
+ * textdomain has the SDK's bundled `.mo` files attached, so the
+ * German translation of "Secured by TrustedLogin" comes back
+ * here even though the call-site `__()` returned English.
+ *
+ * Override resolution (preempts both translations):
+ *
+ * - `null` (no entry) → return translated $default
+ * - `''` (explicit empty) → return ''
+ * - string → return the override verbatim
+ * - callable($context_vals) → invoke and return its result
+ *
+ * The filter `trustedlogin/{namespace}/strings/{key}` fires AFTER
+ * the override decision so it always sees the final candidate.
+ *
+ * @since 1.11.0
+ *
+ * @param string $key A {@see self} class constant.
+ * @param string $default_text The SDK's English default. Already translated
+ * by the caller's literal `__()`/`_n()` call.
+ * @param array $context Positional args passed to a closure override
+ * (e.g. `array( $count )` for a plural).
+ *
+ * @return string
+ */
+ public static function get( $key, $default_text, array $context = array() ) {
+ $value = self::resolve( $key, $default_text, $context );
+
+ // Without an `init()` call the filter has no namespace to attach
+ // to. Return the resolved value without filtering — same English
+ // fallback behavior as if a filter was registered but did nothing.
+ if ( self::$config instanceof Config ) {
+ /**
+ * Filter the resolved value of a TrustedLogin SDK string.
+ *
+ * Fires AFTER override and default fallback so the filter always
+ * sees the final candidate, regardless of which layer produced it.
+ *
+ * @since 1.11.0
+ *
+ * @param string $value The resolved string.
+ * @param string $key The {@see Strings} constant being resolved.
+ * @param array $context Positional args if any (e.g. count for plurals).
+ * @param Config $config Active configuration.
+ */
+ try {
+ $value = (string) apply_filters(
+ 'trustedlogin/' . self::$config->ns() . '/strings/' . $key,
+ $value,
+ $key,
+ $context,
+ self::$config
+ );
+ } catch ( \Exception $e ) {
+ self::log_closure_failure( $key, $e );
+ }
+ }
+
+ // PHP 8 fatals on `sprintf` "too few args". If a closure or
+ // filter produced more placeholders than the registry declares,
+ // fall back to the default rather than let it reach the
+ // caller's sprintf.
+ $registry = self::registry();
+ if ( isset( $registry[ $key ]['placeholders'] ) ) {
+ $expected = (int) $registry[ $key ]['placeholders'];
+ if ( self::count_placeholders( $value ) > $expected ) {
+ // phpcs:ignore WordPress.WP.I18n.LowLevelTranslationFunction,WordPress.WP.I18n.NonSingularStringLiteralText,WordPress.WP.I18n.NonSingularStringLiteralDomain
+ return (string) translate( (string) $default_text, self::$textdomain );
+ }
+ }
+
+ return $value;
+ }
+
+ /**
+ * Count sprintf-style placeholders in a string. Escaped percents
+ * (`%%`) are not counted. Recognizes positional form (`%1$s`),
+ * flag/width/precision modifiers (`%05d`, `%.2f`, `%-10s`), and
+ * all standard conversion types.
+ *
+ * @since 1.11.0
+ *
+ * @param mixed $s Candidate string to scan; non-strings return 0.
+ *
+ * @return int Number of distinct args the string consumes.
+ */
+ public static function count_placeholders( $s ) {
+ if ( ! is_string( $s ) ) {
+ return 0;
+ }
+ $stripped = str_replace( '%%', '', $s );
+ preg_match_all( '/%(?:\d+\$)?[+\-0-9.\']*[a-zA-Z]/', $stripped, $m );
+ $simple = count( $m[0] );
+
+ // Positional placeholders may reuse slots — `%1$s ... %1$s`
+ // only needs 1 arg, but %1$s + %3$s needs 3 args even with
+ // %2$s missing. Count by max positional index.
+ preg_match_all( '/%(\d+)\$/', $stripped, $pm );
+ $max_pos = empty( $pm[1] ) ? 0 : max( array_map( 'intval', $pm[1] ) );
+
+ return max( $simple, $max_pos );
+ }
+
+ /**
+ * Resolve a key against overrides, falling back to the SDK default.
+ *
+ * @since 1.11.0
+ *
+ * @param string $key A {@see self} class constant.
+ * @param string $default_text The SDK's English default.
+ * @param array $context Positional args for a closure override.
+ *
+ * @return string
+ */
+ private static function resolve( $key, $default_text, array $context ) {
+ if ( array_key_exists( $key, self::$overrides ) ) {
+ $override = self::$overrides[ $key ];
+
+ if ( '' === $override ) {
+ return '';
+ }
+
+ if ( is_string( $override ) ) {
+ return $override;
+ }
+
+ if ( is_callable( $override ) ) {
+ try {
+ return (string) call_user_func_array( $override, array_values( $context ) );
+ } catch ( \Exception $e ) {
+ self::log_closure_failure( $key, $e );
+ }
+ }
+ }
+
+ try {
+ // phpcs:ignore WordPress.WP.I18n.LowLevelTranslationFunction,WordPress.WP.I18n.NonSingularStringLiteralText,WordPress.WP.I18n.NonSingularStringLiteralDomain
+ return (string) translate( (string) $default_text, self::$textdomain );
+ } catch ( \Exception $e ) {
+ self::log_closure_failure( $key, $e );
+ return (string) $default_text;
+ }
+ }
+
+ /**
+ * Log an integrator-code failure through the SDK's logging surface.
+ *
+ * Routes through {@see Logging} so messages share the namespaced
+ * log file and the `logging/enabled` gate with the rest of the SDK.
+ * No-op when `init()` hasn't been called yet (no Config bound).
+ *
+ * @since 1.11.0
+ *
+ * @param string $key The Strings constant whose resolution failed.
+ * @param \Exception $e The exception or error from the integrator callback.
+ */
+ private static function log_closure_failure( $key, \Exception $e ) {
+ if ( ! self::$config instanceof Config ) {
+ return;
+ }
+ $logging = new Logging( self::$config );
+ $logging->log(
+ sprintf( 'Strings::%s resolution failed: %s', $key, $e->getMessage() ),
+ __METHOD__,
+ 'error'
+ );
+ }
+}
diff --git a/src/SupportRole.php b/src/SupportRole.php
index 1e12be25..6bf1afa0 100644
--- a/src/SupportRole.php
+++ b/src/SupportRole.php
@@ -273,7 +273,7 @@ public function create( $new_role_slug = '', $clone_role_slug = '' ) {
$role_display_name = apply_filters(
'trustedlogin/' . $this->config->ns() . '/support_role/display_name',
// translators: %s is replaced with the name of the software developer (e.g. "Acme Widgets").
- sprintf( esc_html__( '%s Support', 'trustedlogin' ), $this->config->get_setting( 'vendor/title' ) ),
+ sprintf( esc_html( Strings::get( Strings::S_SUPPORT, __( '%s Support', 'trustedlogin' ) ) ), $this->config->get_setting( 'vendor/title' ) ),
$this
);
diff --git a/src/SupportUser.php b/src/SupportUser.php
index 5d77984a..f7ab35b1 100644
--- a/src/SupportUser.php
+++ b/src/SupportUser.php
@@ -229,7 +229,7 @@ public function create() {
// Only allow the user to be created if the email is not hashed; that way, it's not possible to accidentally
// create a user with the same email as an existing user.
if ( ! $allow_existing_user_match ) {
- return new \WP_Error( 'email_exists', esc_html__( 'User not created; User with that email already exists', 'trustedlogin' ) );
+ return new \WP_Error( 'email_exists', esc_html( Strings::get( Strings::USER_NOT_CREATED_USER_WITH_THAT, __( 'User not created; User with that email already exists', 'trustedlogin' ) ) ) );
}
// If the user already exists and the email matches the hash, use that user.
@@ -245,6 +245,14 @@ public function create() {
'user_registered' => gmdate( 'Y-m-d H:i:s' ),
);
+ // Setting `locale` via wp_insert_user args (vs. a post-create
+ // update_user_meta) ensures the welcome email + first wp-admin
+ // render honor it. Stable since WP 4.7.
+ $locale = $this->resolve_support_user_locale();
+ if ( '' !== $locale ) {
+ $user_data['locale'] = $locale;
+ }
+
$new_user_id = wp_insert_user( $user_data );
if ( is_wp_error( $new_user_id ) ) {
@@ -253,11 +261,63 @@ public function create() {
return $new_user_id;
}
+ // Re-assert in case a `wp_pre_insert_user_data` filter dropped it.
+ if ( '' !== $locale && get_user_meta( $new_user_id, 'locale', true ) !== $locale ) {
+ update_user_meta( $new_user_id, 'locale', $locale );
+ }
+
$this->logging->log( 'Support User #' . $new_user_id, __METHOD__, 'info' );
return $new_user_id;
}
+ /**
+ * Resolve the locale to assign to a newly created support user.
+ *
+ * Reads `support_user/locale` from Config, runs through the
+ * `trustedlogin/{namespace}/support_user/locale` filter, and
+ * format-checks. Returns an empty string for "no locale set" —
+ * WordPress then falls back to the site default.
+ *
+ * @since 1.11.0
+ *
+ * @return string Locale code, or empty string for "site default".
+ */
+ private function resolve_support_user_locale() {
+
+ $configured = (string) $this->config->get_setting( 'support_user/locale', '' );
+
+ /**
+ * Filter the locale assigned to a newly created support user.
+ *
+ * @since 1.11.0
+ *
+ * @param string $locale Locale code, or '' for site default.
+ * @param Config $config Active configuration.
+ */
+ $locale = (string) apply_filters(
+ 'trustedlogin/' . $this->config->ns() . '/support_user/locale',
+ $configured,
+ $this->config
+ );
+
+ if ( '' === $locale ) {
+ return '';
+ }
+
+ // Variant nested inside region so `de_de` doesn't parse as "lang + variant".
+ if ( ! preg_match( '/^[a-z]{2,3}(_[A-Z]{2}(_[a-z0-9]+)?)?$/', $locale ) ) {
+ $this->logging->log(
+ 'Ignoring malformed support_user/locale setting: ' . esc_attr( $locale ),
+ __METHOD__,
+ 'warning'
+ );
+ return '';
+ }
+
+ return $locale;
+ }
+
/**
* Always return a unique username
*
@@ -266,7 +326,7 @@ public function create() {
private function generate_unique_username() {
// translators: %s is replaced with the name of the software developer (e.g. "Acme Widgets").
- $username = sprintf( esc_html__( '%s Support', 'trustedlogin' ), $this->config->get_setting( 'vendor/title' ) );
+ $username = sprintf( esc_html( Strings::get( Strings::S_SUPPORT, __( '%s Support', 'trustedlogin' ) ) ), $this->config->get_setting( 'vendor/title' ) );
if ( ! username_exists( $username ) ) {
return $username;
diff --git a/tests/test-strings-translation.php b/tests/test-strings-translation.php
new file mode 100644
index 00000000..7cbbb687
--- /dev/null
+++ b/tests/test-strings-translation.php
@@ -0,0 +1,377 @@
+reset_strings_state();
+ }
+
+ public function tearDown(): void {
+ foreach ( $this->cleanups as $cleanup ) {
+ $cleanup();
+ }
+ $this->cleanups = array();
+ $this->reset_strings_state();
+ parent::tearDown();
+ }
+
+ /**
+ * Reset Strings' static state so tests don't leak through each other.
+ * Strings::reset() clears $config, $overrides, $textdomain, and
+ * $translations_loaded in one shot.
+ */
+ private function reset_strings_state(): void {
+ Strings::reset();
+ }
+
+ private function build_config( array $overrides = array() ): Config {
+ $base = array(
+ 'auth' => array( 'api_key' => '9946ca31be6aa948' ),
+ 'vendor' => array(
+ 'namespace' => 'translation-test',
+ 'title' => 'Translation Test',
+ 'email' => 'support@example.com',
+ 'website' => 'https://vendor.example.com',
+ 'support_url' => 'https://vendor.example.com/support',
+ ),
+ );
+ if ( ! empty( $overrides ) ) {
+ $base['strings'] = $overrides;
+ }
+ $config = new Config( $base );
+ $config->validate();
+ return $config;
+ }
+
+ /**
+ * Inject a fake translation pair (msgid → msgstr) for a specific
+ * textdomain. The gettext filter runs after WP's own lookup, so
+ * our return value wins. Queues cleanup automatically.
+ */
+ private function inject_translation( string $domain, array $pairs ): void {
+ $filter = static function ( $translation, $original, $d ) use ( $domain, $pairs ) {
+ if ( $d === $domain && isset( $pairs[ $original ] ) ) {
+ return $pairs[ $original ];
+ }
+ return $translation;
+ };
+ add_filter( 'gettext', $filter, 10, 3 );
+ $this->cleanups[] = static function () use ( $filter ) {
+ remove_filter( 'gettext', $filter, 10 );
+ };
+ }
+
+
+ public function test_default_runtime_textdomain_is_trustedlogin() {
+ $rc = new ReflectionProperty( Strings::class, 'textdomain' );
+ $rc->setAccessible( true );
+ $this->assertSame( 'trustedlogin', $rc->getValue( null ) );
+ }
+
+ public function test_load_translations_sets_runtime_textdomain() {
+ Strings::load_translations( 'acme-plugin' );
+
+ $rc = new ReflectionProperty( Strings::class, 'textdomain' );
+ $rc->setAccessible( true );
+ $this->assertSame( 'acme-plugin', $rc->getValue( null ) );
+ }
+
+ public function test_load_translations_with_empty_string_is_noop() {
+ Strings::load_translations( '' );
+
+ $rc = new ReflectionProperty( Strings::class, 'textdomain' );
+ $rc->setAccessible( true );
+ $this->assertSame( 'trustedlogin', $rc->getValue( null ),
+ 'Empty domain must not overwrite the default.' );
+ }
+
+ public function test_load_translations_routes_lookups_to_integrator_textdomain() {
+ // Tell WP that "Secured by TrustedLogin" translates to a German
+ // brand-flavored string in the 'acme-plugin' textdomain.
+ $this->inject_translation( 'acme-plugin', array(
+ 'Secured by TrustedLogin' => 'Abgesichert durch Acme Support',
+ ) );
+
+ Strings::load_translations( 'acme-plugin' );
+
+ Strings::init( $this->build_config() );
+ $this->assertSame(
+ 'Abgesichert durch Acme Support',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+ public function test_lookups_against_unloaded_textdomain_return_input() {
+ // No load_translations() call — runtime textdomain stays
+ // 'trustedlogin', which has no translations registered. The
+ // SDK's English default flows through.
+ Strings::init( $this->build_config() );
+ $this->assertSame(
+ 'Secured by TrustedLogin',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+
+ public function test_load_translations_registers_change_locale_hook() {
+ Strings::load_translations( 'acme-plugin' );
+ $this->assertNotFalse( has_action( 'change_locale' ),
+ 'A change_locale callback should be registered after load_translations().' );
+ }
+
+ public function test_change_locale_callback_runs_without_mo_file() {
+ // Without a real fr_FR .mo file shipped in src/languages/, the
+ // SDK's mo_path_for() returns a path that isn't readable, so
+ // the callback short-circuits before calling load_textdomain.
+ // The callback running (and not crashing) is the contract under
+ // test here; actual reload behavior with a real .mo is a
+ // release-time concern, not a unit-test one.
+ Strings::load_translations( 'acme-plugin' );
+ do_action( 'change_locale', 'fr_FR' );
+
+ // If we got here without a fatal, the callback handled the
+ // missing-file case gracefully — that's the assertion.
+ $this->addToAssertionCount( 1 );
+ }
+
+ public function test_translations_reload_picks_up_new_locale_messages() {
+ // French translations for the SAME msgid that German didn't cover.
+ $this->inject_translation( 'acme-plugin', array(
+ 'Try reconnecting' => 'Réessayer la connexion',
+ ) );
+
+ Strings::load_translations( 'acme-plugin' );
+ switch_to_locale( 'fr_FR' );
+
+ try {
+ Strings::init( $this->build_config() );
+ $this->assertSame(
+ 'Réessayer la connexion',
+ Strings::get( Strings::TRY_RECONNECTING, __( 'Try reconnecting', 'trustedlogin' ) )
+ );
+ } finally {
+ restore_previous_locale();
+ }
+ }
+
+
+ public function test_static_override_preempts_translation() {
+ $this->inject_translation( 'acme-plugin', array(
+ 'Secured by TrustedLogin' => 'Abgesichert durch Acme',
+ ) );
+
+ Strings::load_translations( 'acme-plugin' );
+
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'Powered by Acme', // verbatim brand
+ ) );
+ Strings::init( $config );
+
+ // Override wins. Translation never runs for this key.
+ $this->assertSame(
+ 'Powered by Acme',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+ public function test_closure_override_can_invoke_translation_functions() {
+ // The integrator's closure can call __() against their OWN
+ // textdomain. Whatever that returns is what the SDK renders.
+ $this->inject_translation( 'integrator-domain', array(
+ '%d day of Acme support' => '%d Tag Acme-Support',
+ ) );
+
+ $config = $this->build_config( array(
+ Strings::CREATED_1_S_AGO_BY_2 => static function ( $time_ago, $by ) {
+ // The integrator does whatever they want here. They
+ // could call _n(), __(), sprintf(), pull from a
+ // database — the SDK doesn't care.
+ $translated = __( '%d day of Acme support', 'integrator-domain' );
+ return sprintf( '%s — %s ago, %s', $translated, $time_ago, $by );
+ },
+ ) );
+
+ Strings::init( $config );
+ $resolved = Strings::get(
+ Strings::CREATED_1_S_AGO_BY_2,
+ 'Created %1$s ago by %2$s',
+ array( '5 minutes', 'admin' )
+ );
+
+ // Closure used the German translation it just looked up.
+ $this->assertStringContainsString( '%d Tag Acme-Support', $resolved );
+ $this->assertStringContainsString( '5 minutes', $resolved );
+ $this->assertStringContainsString( 'admin', $resolved );
+ }
+
+ public function test_runtime_filter_sees_user_locale_for_context_aware_overrides() {
+ // Set up a user-specific locale via switch_to_locale (simpler
+ // than spinning a user fixture and calling switch_to_user_locale).
+ switch_to_locale( 'de_DE' );
+
+ try {
+ $config = $this->build_config();
+ Strings::init( $config );
+
+ $tag = 'trustedlogin/translation-test/strings/' . Strings::TRY_RECONNECTING;
+
+ $contextual = static function ( $value ) {
+ return determine_locale() === 'de_DE'
+ ? 'Erneut verbinden'
+ : $value;
+ };
+ add_filter( $tag, $contextual, 10, 1 );
+
+ try {
+ $this->assertSame(
+ 'Erneut verbinden',
+ Strings::get( Strings::TRY_RECONNECTING, 'Try reconnecting' )
+ );
+ } finally {
+ remove_filter( $tag, $contextual, 10 );
+ }
+ } finally {
+ restore_previous_locale();
+ }
+ }
+
+
+ public function test_load_translations_before_init_defers() {
+ // We can't actually un-fire `init` once it's done in the test
+ // harness (it fires during WP bootstrap). But we can assert the
+ // guard is in place: invocation during a known-pre-init context
+ // produces a queued action rather than an immediate load.
+ // The empirical proof is `did_action('init')` returns 0 inside
+ // some fixture contexts (e.g., constructor of a class loaded
+ // before init). Since the test harness has already fired init,
+ // we just verify the immediate-load path works AND the deferred
+ // path adds an action.
+ $this->assertGreaterThan( 0, did_action( 'init' ),
+ 'Test harness should have fired init already.' );
+
+ Strings::load_translations( 'acme-plugin' );
+
+ $rc = new ReflectionProperty( Strings::class, 'textdomain' );
+ $rc->setAccessible( true );
+ $this->assertSame( 'acme-plugin', $rc->getValue( null ),
+ 'After init, load should run immediately.' );
+ }
+
+
+ public function test_repeated_load_translations_registers_change_locale_once() {
+ // Count change_locale callbacks at priority 10 before & after.
+ global $wp_filter;
+ $before = isset( $wp_filter['change_locale'] )
+ ? count( $wp_filter['change_locale']->callbacks[10] ?? array() )
+ : 0;
+
+ Strings::load_translations( 'acme-plugin' );
+ Strings::load_translations( 'other-plugin' );
+ Strings::load_translations( 'third-plugin' );
+
+ $after = count( $wp_filter['change_locale']->callbacks[10] );
+ $this->assertSame( $before + 1, $after,
+ 'Repeated load_translations calls must add exactly one change_locale callback total.' );
+ }
+
+ public function test_second_load_translations_overrides_textdomain() {
+ Strings::load_translations( 'acme-plugin' );
+ Strings::load_translations( 'beta-plugin' );
+
+ $rc = new ReflectionProperty( Strings::class, 'textdomain' );
+ $rc->setAccessible( true );
+ $this->assertSame( 'beta-plugin', $rc->getValue( null ),
+ 'The most recent load_translations call wins.' );
+ }
+
+ public function test_change_locale_callback_reads_latest_textdomain_after_second_load() {
+ // The closure's load_textdomain() call is gated on
+ // is_readable() of the .mo path, so we need a real file at
+ // that location to make the spy fire. Build a 0-byte placeholder.
+ $rc = new \ReflectionClass( Strings::class );
+ $languages = dirname( $rc->getFileName() ) . '/languages';
+ if ( ! is_dir( $languages ) ) {
+ mkdir( $languages, 0755, true );
+ }
+ $fake_mo = $languages . '/trustedlogin-fr_FR.mo';
+ file_put_contents( $fake_mo, '' );
+ $this->cleanups[] = static function () use ( $fake_mo, $languages ) {
+ if ( is_file( $fake_mo ) ) {
+ unlink( $fake_mo );
+ }
+ // Best-effort dir cleanup; ignore if not empty.
+ @rmdir( $languages );
+ };
+
+ $attempts = array();
+ $spy = static function ( $override, $domain ) use ( &$attempts ) {
+ unset( $override );
+ $attempts[] = $domain;
+ return true;
+ };
+ add_filter( 'override_load_textdomain', $spy, 10, 2 );
+
+ try {
+ Strings::load_translations( 'acme-plugin' );
+ Strings::load_translations( 'beta-plugin' );
+ $attempts = array(); // ignore the immediate loads
+
+ do_action( 'change_locale', 'fr_FR' );
+
+ $this->assertContains( 'beta-plugin', $attempts,
+ 'change_locale must load .mo against the LATEST textdomain, not the captured-at-registration one.' );
+ $this->assertNotContains( 'acme-plugin', $attempts,
+ 'Stale textdomain must NOT be referenced after second load.' );
+ } finally {
+ remove_filter( 'override_load_textdomain', $spy, 10 );
+ }
+ }
+
+ public function test_mo_path_resolves_relative_to_strings_file() {
+ // mo_path_for is private; reach via reflection. The path must
+ // be anchored to the Strings.php directory (so Strauss-vendored
+ // layouts resolve correctly), NOT to WP_PLUGIN_DIR.
+ $rc = new \ReflectionClass( Strings::class );
+ $method = $rc->getMethod( 'mo_path_for' );
+ $method->setAccessible( true );
+
+ $path = $method->invoke( null, 'de_DE' );
+ $strings_dir = dirname( $rc->getFileName() );
+
+ $this->assertSame(
+ $strings_dir . '/languages/trustedlogin-de_DE.mo',
+ $path,
+ 'mo_path_for must be relative to the Strings.php source file.'
+ );
+ }
+
+ public function test_load_translations_with_non_string_argument_is_noop() {
+ Strings::load_translations( '' );
+
+ $rc = new ReflectionProperty( Strings::class, 'textdomain' );
+ $rc->setAccessible( true );
+ $this->assertSame( 'trustedlogin', $rc->getValue( null ) );
+ }
+}
diff --git a/tests/test-strings.php b/tests/test-strings.php
new file mode 100644
index 00000000..0f6c3bec
--- /dev/null
+++ b/tests/test-strings.php
@@ -0,0 +1,657 @@
+ array( 'api_key' => '9946ca31be6aa948' ),
+ 'vendor' => array(
+ 'namespace' => 'strings-test',
+ 'title' => 'Strings Test',
+ 'email' => 'support@example.com',
+ 'website' => 'https://vendor.example.com',
+ 'support_url' => 'https://vendor.example.com/support',
+ ),
+ );
+ if ( ! empty( $overrides ) ) {
+ $base['strings'] = $overrides;
+ }
+ $config = new Config( $base );
+ $config->validate(); // runs validate_strings() internally
+ return $config;
+ }
+
+
+ public function test_no_override_returns_sdk_default() {
+ Strings::init( $this->build_config() );
+ $this->assertSame(
+ 'Secured by TrustedLogin',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+
+ public function test_string_override_replaces_default() {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'Powered by Acme Support',
+ ) );
+
+ Strings::init( $config );
+ $this->assertSame(
+ 'Powered by Acme Support',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+
+ public function test_explicit_empty_override_renders_empty() {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => '',
+ ) );
+
+ Strings::init( $config );
+ $this->assertSame(
+ '',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+
+ public function test_closure_override_receives_context() {
+ $config = $this->build_config( array(
+ Strings::CREATED_1_S_AGO_BY_2 => static function ( $time_ago, $by ) {
+ return "Acme created {$time_ago} ago by {$by}";
+ },
+ ) );
+
+ Strings::init( $config );
+ $resolved = Strings::get(
+ Strings::CREATED_1_S_AGO_BY_2,
+ 'Created %1$s ago by %2$s',
+ array( '5 minutes', 'admin' )
+ );
+
+ $this->assertSame( 'Acme created 5 minutes ago by admin', $resolved );
+ }
+
+
+ public function test_override_with_missing_placeholder_is_discarded() {
+ $config = $this->build_config( array(
+ Strings::CREATED_1_S_AGO_BY_2 => 'Created at unknown time', // no %1$s %2$s
+ ) );
+
+ Strings::init( $config );
+
+ // Override was malformed → discarded → falls through to SDK default.
+ $resolved = Strings::get(
+ Strings::CREATED_1_S_AGO_BY_2,
+ 'Created %1$s ago by %2$s',
+ array( '5 minutes', 'admin' )
+ );
+
+ // The default still contains placeholders; caller would sprintf
+ // it. We only assert the resolution path returns the default
+ // untouched (no crash, no override applied).
+ $this->assertSame( 'Created %1$s ago by %2$s', $resolved );
+ }
+
+ public function test_override_with_extra_placeholder_is_discarded() {
+ // SECURED_BY expects 0 placeholders. Override that smuggles
+ // a %d should be dropped — would print "%d" raw to customers.
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'Secured by TL (%d sites protected)',
+ ) );
+
+ Strings::init( $config );
+ $this->assertSame(
+ 'Secured by TrustedLogin',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+ public function test_override_with_escaped_percent_only_accepted_when_no_placeholders_expected() {
+ // `%%` is the literal percent sign — not a real placeholder.
+ // Must pass the safety check.
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'Secured by 100%% you',
+ ) );
+
+ Strings::init( $config );
+ $this->assertSame(
+ 'Secured by 100%% you',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+
+ public function test_unknown_key_is_dropped_silently() {
+ $config = $this->build_config( array(
+ 'no_such_key' => 'this should never render',
+ ) );
+
+ // Reflection-peek to verify the unknown key didn't make it into
+ // the validated set.
+ $strings_setting = $config->get_setting( 'strings', array() );
+ $this->assertArrayNotHasKey( 'no_such_key', $strings_setting );
+ }
+
+
+ public function test_runtime_filter_can_rewrite_resolved_value() {
+ $config = $this->build_config();
+ Strings::init( $config );
+
+ $tag = 'trustedlogin/strings-test/strings/' . Strings::SECURED_BY_TRUSTEDLOGIN;
+
+ $rewriter = static function ( $value ) {
+ return strtoupper( $value );
+ };
+ add_filter( $tag, $rewriter, 10, 1 );
+
+ try {
+ $this->assertSame(
+ 'SECURED BY TRUSTEDLOGIN',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ } finally {
+ remove_filter( $tag, $rewriter, 10 );
+ }
+ }
+
+
+ public function test_object_override_is_discarded() {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => new \stdClass(),
+ ) );
+
+ Strings::init( $config );
+ $this->assertSame(
+ 'Secured by TrustedLogin',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ }
+
+
+ public function test_registry_includes_every_class_constant() {
+ $registry = Strings::registry();
+
+ $this->assertArrayHasKey( Strings::SECURED_BY_TRUSTEDLOGIN, $registry );
+ $this->assertArrayHasKey( Strings::REVOKE_ACCESS, $registry );
+ $this->assertArrayHasKey( Strings::SUPPORT_ACCESS_IS_TEMPORARILY_UNAVAILABLE_PLEASE, $registry );
+ $this->assertArrayHasKey( Strings::TRY_RECONNECTING, $registry );
+ $this->assertArrayHasKey( Strings::CREATED_1_S_AGO_BY_2, $registry );
+
+ $this->assertSame( 0, $registry[ Strings::SECURED_BY_TRUSTEDLOGIN ]['placeholders'] );
+ $this->assertSame( 2, $registry[ Strings::CREATED_1_S_AGO_BY_2 ]['placeholders'] );
+ }
+
+
+ // ---- init() / reset() lifecycle --------------------------------
+
+ public function test_init_called_twice_replaces_bound_config() {
+ Strings::init( $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'First brand',
+ ) ) );
+ Strings::init( $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'Second brand',
+ ) ) );
+
+ $this->assertSame(
+ 'Second brand',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' ),
+ 'A second init() must replace the first binding.'
+ );
+ }
+
+ public function test_get_without_init_returns_default_no_filter() {
+ Strings::reset();
+
+ $filter_fired = false;
+ $spy = static function ( $value ) use ( &$filter_fired ) {
+ $filter_fired = true;
+ return $value;
+ };
+ // Catch ANY trustedlogin strings filter — without init() we
+ // don't know the namespace anyway, but if a filter DOES fire,
+ // the namespace would be 'default' or similar; this catches
+ // the contract violation either way.
+ add_filter( 'trustedlogin/strings-test/strings/' . Strings::SECURED_BY_TRUSTEDLOGIN, $spy, 10, 1 );
+
+ try {
+ $this->assertSame(
+ 'fallback default',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'fallback default' )
+ );
+ $this->assertFalse( $filter_fired,
+ 'Strings::get() before init() must NOT invoke the runtime filter.' );
+ } finally {
+ remove_filter( 'trustedlogin/strings-test/strings/' . Strings::SECURED_BY_TRUSTEDLOGIN, $spy, 10 );
+ }
+ }
+
+ public function test_reset_clears_all_static_state() {
+ Strings::init( $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'X',
+ ) ) );
+ Strings::load_translations( 'acme-plugin' );
+
+ Strings::reset();
+
+ $rc = new \ReflectionClass( Strings::class );
+ $prop = static function ( $name ) use ( $rc ) {
+ $p = $rc->getProperty( $name );
+ $p->setAccessible( true );
+ return $p->getValue( null );
+ };
+
+ $this->assertNull( $prop( 'config' ) );
+ $this->assertSame( array(), $prop( 'overrides' ) );
+ $this->assertSame( 'trustedlogin', $prop( 'textdomain' ) );
+ $this->assertFalse( $prop( 'translations_loaded' ) );
+ }
+
+ // ---- get() resolution: closures + bad shapes -------------------
+
+ public function test_zero_arg_closure_override_invoked() {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => static function () { return 'ZERO-ARG'; },
+ ) );
+ Strings::init( $config );
+
+ $this->assertSame( 'ZERO-ARG',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'default' ) );
+ }
+
+ public function test_throwing_closure_falls_back_to_default() {
+ // An integrator closure that throws (DB error, null pointer,
+ // undefined variable) must NOT escape the SDK and fatal the
+ // customer's consent screen. resolve() catches \Throwable
+ // and falls back to the translated default.
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => static function () {
+ throw new \RuntimeException( 'integrator bug' );
+ },
+ ) );
+ Strings::init( $config );
+
+ $this->assertSame(
+ 'fallback default',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'fallback default' )
+ );
+ }
+
+ public function test_throwing_filter_does_not_fatal_keeps_resolved_value() {
+ Strings::init( $this->build_config() );
+ $tag = 'trustedlogin/strings-test/strings/' . Strings::SECURED_BY_TRUSTEDLOGIN;
+
+ $thrower = static function () {
+ throw new \RuntimeException( 'integrator filter bug' );
+ };
+ add_filter( $tag, $thrower, 10, 1 );
+
+ try {
+ // Filter throws — get() catches and returns the
+ // pre-filter resolved value (the SDK default).
+ $resolved = Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'safe default' );
+ $this->assertSame( 'safe default', $resolved );
+ } finally {
+ remove_filter( $tag, $thrower, 10 );
+ }
+ }
+
+ public function test_throwing_closure_logs_through_sdk_logging() {
+ // Build a config with logging enabled so the SDK's Logging
+ // surface actually fires its actions.
+ $config = new Config( array(
+ 'auth' => array( 'api_key' => '9946ca31be6aa948' ),
+ 'logging' => array( 'enabled' => true ),
+ 'vendor' => array(
+ 'namespace' => 'strings-test',
+ 'title' => 'Strings Test',
+ 'email' => 'support@example.com',
+ 'website' => 'https://vendor.example.com',
+ 'support_url' => 'https://vendor.example.com/support',
+ ),
+ 'strings' => array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => static function () {
+ throw new \RuntimeException( 'integrator bug here' );
+ },
+ ),
+ ) );
+ $config->validate();
+ Strings::init( $config );
+
+ $captured = array();
+ $spy = static function ( $message ) use ( &$captured ) {
+ $captured[] = $message;
+ };
+ add_action( 'trustedlogin/strings-test/logging/log_error', $spy, 10, 1 );
+
+ try {
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'safe default' );
+
+ $this->assertNotEmpty( $captured,
+ 'A closure that throws must log through the SDK Logging surface.' );
+ $joined = implode( "\n", $captured );
+ $this->assertStringContainsString( 'integrator bug here', $joined );
+ $this->assertStringContainsString( Strings::SECURED_BY_TRUSTEDLOGIN, $joined );
+ } finally {
+ remove_action( 'trustedlogin/strings-test/logging/log_error', $spy, 10 );
+ }
+ }
+
+
+ public function test_malformed_override_injected_post_validation_falls_back() {
+ // Force an unsupported shape past Config::validate_strings()
+ // by writing it directly into Strings::$overrides via reflection.
+ // This exercises the belt-and-suspenders branch in resolve().
+ Strings::init( $this->build_config() );
+ $rc = new \ReflectionProperty( Strings::class, 'overrides' );
+ $rc->setAccessible( true );
+ $rc->setValue( null, array( Strings::SECURED_BY_TRUSTEDLOGIN => 12345 ) );
+
+ $this->assertSame( 'fallback default',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'fallback default' ) );
+ }
+
+ // ---- runtime filter -------------------------------------------
+
+ public function test_runtime_filter_receives_four_args() {
+ Strings::init( $this->build_config() );
+ $tag = 'trustedlogin/strings-test/strings/' . Strings::SECURED_BY_TRUSTEDLOGIN;
+
+ $captured = null;
+ $spy = static function ( $value, $key, $context, $config ) use ( &$captured ) {
+ $captured = compact( 'value', 'key', 'context', 'config' );
+ return $value;
+ };
+ add_filter( $tag, $spy, 10, 4 );
+
+ try {
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'X', array( 'ctx' => 'val' ) );
+
+ $this->assertNotNull( $captured );
+ $this->assertSame( 'X', $captured['value'] );
+ $this->assertSame( Strings::SECURED_BY_TRUSTEDLOGIN, $captured['key'] );
+ $this->assertSame( array( 'ctx' => 'val' ), $captured['context'] );
+ $this->assertInstanceOf( Config::class, $captured['config'] );
+ } finally {
+ remove_filter( $tag, $spy, 10 );
+ }
+ }
+
+ public function test_filter_fires_on_override_path() {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'from-override',
+ ) );
+ Strings::init( $config );
+
+ $tag = 'trustedlogin/strings-test/strings/' . Strings::SECURED_BY_TRUSTEDLOGIN;
+ $tag_fired_with = null;
+ $spy = static function ( $value ) use ( &$tag_fired_with ) {
+ $tag_fired_with = $value;
+ return $value;
+ };
+ add_filter( $tag, $spy, 10, 1 );
+
+ try {
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'default' );
+ $this->assertSame( 'from-override', $tag_fired_with,
+ 'Filter must see the override value, not the default.' );
+ } finally {
+ remove_filter( $tag, $spy, 10 );
+ }
+ }
+
+ // ---- Config::validate_strings: shape + placeholder edge cases --
+
+ public function test_strings_config_non_array_is_unset() {
+ // Passing a scalar `strings` should be dropped entirely so
+ // the rest of the SDK never sees a non-array shape.
+ $config = new Config( array(
+ 'auth' => array( 'api_key' => '9946ca31be6aa948' ),
+ 'vendor' => array(
+ 'namespace' => 'strings-test',
+ 'title' => 'Strings Test',
+ 'email' => 'support@example.com',
+ 'website' => 'https://vendor.example.com',
+ 'support_url' => 'https://vendor.example.com/support',
+ ),
+ 'strings' => 'oops',
+ ) );
+ $config->validate();
+
+ $this->assertNull( $config->get_setting( 'strings', null ) );
+ }
+
+ public function test_escaped_percent_does_not_count_toward_placeholder_total() {
+ // CREATED_1_S_AGO_BY_2 requires 2 placeholders. Escaped %%
+ // must not be counted. Override that has 2 real placeholders
+ // AND a literal %% should pass.
+ $config = $this->build_config( array(
+ Strings::CREATED_1_S_AGO_BY_2 => 'Created %1$s ago by %2$s (100%% sure)',
+ ) );
+ Strings::init( $config );
+
+ $resolved = Strings::get(
+ Strings::CREATED_1_S_AGO_BY_2,
+ 'Created %1$s ago by %2$s',
+ array( '5min', 'admin' )
+ );
+ $this->assertSame( 'Created %1$s ago by %2$s (100%% sure)', $resolved );
+ }
+
+ public function test_format_flags_recognized_as_placeholders() {
+ // %05d / %.2f / %-10s ARE placeholders. For a 0-placeholder
+ // key, an override containing these must be discarded — they
+ // would print raw "%05d" to the customer otherwise.
+ foreach ( array( 'Got %05d sites', 'Uptime %.2f', 'Name %-10s', 'Hex %x', 'Char %c', 'Float %f' ) as $bad_override ) {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => $bad_override,
+ ) );
+ Strings::init( $config );
+
+ $this->assertSame(
+ 'Secured by TrustedLogin',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' ),
+ sprintf( "Override %s smuggled a placeholder into a 0-placeholder key; should have been discarded.", var_export( $bad_override, true ) )
+ );
+
+ Strings::reset();
+ }
+ }
+
+ /**
+ * @dataProvider non_string_non_callable_overrides
+ */
+ public function test_non_string_non_callable_overrides_dropped( $value, string $why ) {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => $value,
+ ) );
+ Strings::init( $config );
+
+ $this->assertSame(
+ 'Secured by TrustedLogin',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' ),
+ $why
+ );
+ }
+
+ public function non_string_non_callable_overrides(): array {
+ return array(
+ 'int' => array( 42, 'int is not a renderable string' ),
+ 'float' => array( 3.14, 'float is not a renderable string' ),
+ 'true' => array( true, 'bool true is not a renderable string' ),
+ 'false' => array( false, 'bool false is not a renderable string' ),
+ 'null' => array( null, 'null collapses to "no override entry" but should not render anything weird' ),
+ 'array of string' => array( array( 'one', 'two' ), 'list-shape arrays not supported for non-plural keys' ),
+ 'empty array' => array( array(), 'empty array is not a renderable shape' ),
+ );
+ }
+
+ public function test_mixed_valid_and_invalid_overrides_partial_keep() {
+ $config = $this->build_config( array(
+ Strings::SECURED_BY_TRUSTEDLOGIN => 'Powered by Acme',
+ Strings::CREATED_1_S_AGO_BY_2 => 'I forgot the placeholders',
+ ) );
+ Strings::init( $config );
+
+ // Good one preserved.
+ $this->assertSame( 'Powered by Acme',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' ) );
+ // Bad one falls back to default.
+ $this->assertSame( 'Created %1$s ago by %2$s',
+ Strings::get( Strings::CREATED_1_S_AGO_BY_2, 'Created %1$s ago by %2$s', array( 'x', 'y' ) ) );
+ }
+
+ // ---- Client constructor wires Strings::init -------------------
+
+ // ---- Runtime sprintf safety: closures + filters that produce
+ // strings with TOO MANY placeholders must NOT crash the SDK
+ // call site that's about to sprintf with a fixed arg count.
+ // PHP 8 throws ValueError on "too few arguments" — uncaught
+ // that's a fatal on the customer's consent screen.
+
+ public function test_closure_returning_too_many_placeholders_falls_back_to_default() {
+ // CREATED_1_S_AGO_BY_2 → SDK call site sprintfs with 2 args.
+ // A closure that returns a string requiring 3 placeholders
+ // would crash sprintf in PHP 8 → must fall back instead.
+ $config = $this->build_config( array(
+ Strings::CREATED_1_S_AGO_BY_2 => static function () {
+ return 'Bad: %s %s %s'; // 3 placeholders, only 2 args supplied
+ },
+ ) );
+ Strings::init( $config );
+
+ $resolved = Strings::get(
+ Strings::CREATED_1_S_AGO_BY_2,
+ 'Created %1$s ago by %2$s',
+ array( '5min', 'admin' )
+ );
+
+ $this->assertSame(
+ 'Created %1$s ago by %2$s',
+ $resolved,
+ 'Closure with too many placeholders must fall back to the default; never let sprintf-fatal-producing strings reach the caller.'
+ );
+ }
+
+ public function test_filter_introducing_too_many_placeholders_falls_back_to_default() {
+ Strings::init( $this->build_config() );
+ $tag = 'trustedlogin/strings-test/strings/' . Strings::SECURED_BY_TRUSTEDLOGIN;
+
+ $malicious_filter = static function () {
+ return 'gotcha %s %s %s'; // smuggles placeholders into a 0-placeholder key
+ };
+ add_filter( $tag, $malicious_filter, 10, 1 );
+
+ try {
+ $this->assertSame(
+ 'Secured by TrustedLogin',
+ Strings::get( Strings::SECURED_BY_TRUSTEDLOGIN, 'Secured by TrustedLogin' )
+ );
+ } finally {
+ remove_filter( $tag, $malicious_filter, 10 );
+ }
+ }
+
+ public function test_closure_returning_fewer_placeholders_is_allowed() {
+ // Returning a fully-formatted string (0 placeholders) for a
+ // 2-placeholder key is the COMMON case — closures usually do
+ // their own sprintf. sprintf with extra args is silent. Allow.
+ $config = $this->build_config( array(
+ Strings::CREATED_1_S_AGO_BY_2 => static function ( $time_ago, $by ) {
+ return "Acme created {$time_ago} ago by {$by}"; // no placeholders left
+ },
+ ) );
+ Strings::init( $config );
+
+ $this->assertSame(
+ 'Acme created 5min ago by admin',
+ Strings::get(
+ Strings::CREATED_1_S_AGO_BY_2,
+ 'Created %1$s ago by %2$s',
+ array( '5min', 'admin' )
+ )
+ );
+ }
+
+ public function test_filter_calling_sprintf_inline_is_allowed() {
+ // Filter can fully format the string itself — should pass
+ // through even though it has 0 placeholders for a placeholder-
+ // having key (caller's sprintf with extra args is silent).
+ Strings::init( $this->build_config() );
+ $tag = 'trustedlogin/strings-test/strings/' . Strings::CREATED_1_S_AGO_BY_2;
+
+ $inline_formatter = static function ( $value, $key, $context ) {
+ return sprintf( $value, $context[0], $context[1] );
+ };
+ add_filter( $tag, $inline_formatter, 10, 4 );
+
+ try {
+ $resolved = Strings::get(
+ Strings::CREATED_1_S_AGO_BY_2,
+ 'Created %1$s ago by %2$s',
+ array( '5min', 'admin' )
+ );
+ $this->assertSame( 'Created 5min ago by admin', $resolved );
+ } finally {
+ remove_filter( $tag, $inline_formatter, 10 );
+ }
+ }
+
+ public function test_count_placeholders_handles_format_flags_and_positionals() {
+ // Sanity: count_placeholders should recognize all the common forms.
+ $this->assertSame( 0, Strings::count_placeholders( 'no placeholders here' ) );
+ $this->assertSame( 0, Strings::count_placeholders( 'literal 100%% percent' ) );
+ $this->assertSame( 1, Strings::count_placeholders( '%s alone' ) );
+ $this->assertSame( 2, Strings::count_placeholders( '%s and %d' ) );
+ $this->assertSame( 2, Strings::count_placeholders( '%1$s ... %2$s' ) );
+ $this->assertSame( 3, Strings::count_placeholders( '%1$s ... %3$s (skip %2$s in the middle)' ) );
+ $this->assertSame( 1, Strings::count_placeholders( 'pct %05d' ) );
+ $this->assertSame( 1, Strings::count_placeholders( 'float %.2f' ) );
+ $this->assertSame( 1, Strings::count_placeholders( 'name %-10s' ) );
+ $this->assertSame( 1, Strings::count_placeholders( '100%% real and 1 fake: %s' ) );
+ $this->assertSame( 0, Strings::count_placeholders( null ) );
+ $this->assertSame( 0, Strings::count_placeholders( 42 ) );
+ }
+
+ public function test_client_constructor_initializes_strings() {
+ $client_config_data = array(
+ 'auth' => array( 'api_key' => 'aaaa11112222bbbb' ),
+ 'vendor' => array(
+ 'namespace' => 'client-init-test',
+ 'title' => 'Client Init Test',
+ 'email' => 'support@example.com',
+ 'website' => 'https://vendor.example.com',
+ 'support_url' => 'https://vendor.example.com/support',
+ ),
+ );
+ $config = new Config( $client_config_data );
+ new Client( $config );
+
+ $rc = new \ReflectionProperty( Strings::class, 'config' );
+ $rc->setAccessible( true );
+ $this->assertSame( $config, $rc->getValue( null ),
+ 'Client::__construct must bind the Config to Strings::init().' );
+ }
+}
diff --git a/tests/test-support-user-locale.php b/tests/test-support-user-locale.php
new file mode 100644
index 00000000..ce6109cc
--- /dev/null
+++ b/tests/test-support-user-locale.php
@@ -0,0 +1,441 @@
+ array( 'api_key' => '9946ca31be6aa948' ),
+ 'role' => 'editor',
+ 'vendor' => array(
+ 'namespace' => 'locale-test',
+ 'title' => 'Locale Test',
+ 'email' => 'support+{hash}@example.com',
+ 'website' => 'https://vendor.example.com',
+ 'support_url' => 'https://vendor.example.com/support',
+ ),
+ );
+ $base = array_replace_recursive( $base, $overrides );
+ $config = new Config( $base );
+ $config->validate();
+ return $config;
+ }
+
+ public function setUp(): void {
+ parent::setUp();
+
+ // On multisite, the support user needs to be granted super-admin
+ // (or at least added to the current blog) for SupportUser::create()
+ // to find the support role. The role-create step itself works
+ // fine on both; this is just so the cap chain resolves.
+ if ( is_multisite() && function_exists( 'grant_super_admin' ) ) {
+ $admin_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
+ grant_super_admin( $admin_id );
+ wp_set_current_user( $admin_id );
+ }
+ }
+
+ public function test_configured_locale_lands_on_new_support_user() {
+ $config = $this->build_config( array(
+ 'support_user' => array( 'locale' => 'fr_FR' ),
+ ) );
+ $logging = new Logging( $config );
+ $support_role = new SupportRole( $config, $logging );
+ $support_role->create();
+
+ $support_user = new SupportUser( $config, $logging );
+ $new_user_id = $support_user->create();
+
+ $this->assertNotInstanceOf( \WP_Error::class, $new_user_id, 'support user creation should succeed' );
+ $this->assertSame( 'fr_FR', get_user_meta( (int) $new_user_id, 'locale', true ) );
+ }
+
+ public function test_malformed_locale_is_ignored() {
+ $config = $this->build_config( array(
+ 'support_user' => array( 'locale' => 'not-a-locale!' ),
+ ) );
+ $logging = new Logging( $config );
+ $support_role = new SupportRole( $config, $logging );
+ $support_role->create();
+
+ $support_user = new SupportUser( $config, $logging );
+ $new_user_id = $support_user->create();
+
+ $this->assertNotInstanceOf( \WP_Error::class, $new_user_id );
+ // Garbage locale should NOT be written. wp_usermeta has nothing.
+ $this->assertSame( '', (string) get_user_meta( (int) $new_user_id, 'locale', true ) );
+ }
+
+ public function test_filter_can_override_configured_locale() {
+ $config = $this->build_config( array(
+ 'support_user' => array( 'locale' => 'de_DE' ),
+ ) );
+
+ $swap_to_es = static function () { return 'es_ES'; };
+ add_filter( 'trustedlogin/locale-test/support_user/locale', $swap_to_es, 10, 1 );
+
+ try {
+ $logging = new Logging( $config );
+ $support_role = new SupportRole( $config, $logging );
+ $support_role->create();
+
+ $support_user = new SupportUser( $config, $logging );
+ $new_user_id = $support_user->create();
+
+ $this->assertNotInstanceOf( \WP_Error::class, $new_user_id );
+ $this->assertSame( 'es_ES', get_user_meta( (int) $new_user_id, 'locale', true ) );
+ } finally {
+ remove_filter( 'trustedlogin/locale-test/support_user/locale', $swap_to_es, 10 );
+ }
+ }
+
+ public function test_no_locale_setting_leaves_locale_unset() {
+ $config = $this->build_config(); // no support_user/locale
+ $logging = new Logging( $config );
+ $support_role = new SupportRole( $config, $logging );
+ $support_role->create();
+
+ $support_user = new SupportUser( $config, $logging );
+ $new_user_id = $support_user->create();
+
+ $this->assertNotInstanceOf( \WP_Error::class, $new_user_id );
+ $this->assertSame( '', (string) get_user_meta( (int) $new_user_id, 'locale', true ) );
+ }
+
+
+ /**
+ * @dataProvider valid_locales
+ */
+ public function test_valid_locale_formats_are_accepted( string $locale ) {
+ $config = $this->build_config( array(
+ 'support_user' => array( 'locale' => $locale ),
+ ) );
+
+ // Drive the resolver via reflection so we don't have to spin a
+ // full user creation for every locale.
+ $logging = new Logging( $config );
+ $support_user = new SupportUser( $config, $logging );
+ $rc = new \ReflectionClass( SupportUser::class );
+ $method = $rc->getMethod( 'resolve_support_user_locale' );
+ $method->setAccessible( true );
+
+ $this->assertSame( $locale, $method->invoke( $support_user ) );
+ }
+
+ public function valid_locales(): array {
+ return array(
+ 'standard de_DE' => array( 'de_DE' ),
+ 'pt_BR' => array( 'pt_BR' ),
+ 'WP variant suffix de_DE_formal' => array( 'de_DE_formal' ),
+ 'real WP.org locale pt_PT_ao90' => array( 'pt_PT_ao90' ),
+ 'three-letter language ckb' => array( 'ckb' ),
+ 'three-letter w/ region ckb_IQ' => array( 'ckb_IQ' ),
+ );
+ }
+
+
+ public function test_get_user_locale_returns_configured_value() {
+ $user_id = $this->grant_support_user_with_locale( 'fr_FR' );
+
+ $this->assertSame( 'fr_FR', get_user_locale( $user_id ),
+ 'get_user_locale() should mirror the wp_usermeta `locale` row the SDK just wrote.' );
+ }
+
+ public function test_get_user_locale_falls_back_to_site_default_when_unset() {
+ $user_id = $this->grant_support_user_with_locale( null );
+
+ // In multisite, the harness blog locale stays at the site default.
+ // We just assert that user-specific locale is NOT set — WP's
+ // normal fallback chain takes over from there.
+ $this->assertSame( '', (string) get_user_meta( $user_id, 'locale', true ) );
+ $this->assertSame( get_locale(), get_user_locale( $user_id ),
+ 'With no user-level locale, get_user_locale should fall back to site locale.' );
+ }
+
+ public function test_switch_to_user_locale_activates_set_locale() {
+ if ( ! function_exists( 'switch_to_user_locale' ) ) {
+ $this->markTestSkipped( 'switch_to_user_locale() not available before WP 6.2.' );
+ }
+
+ $user_id = $this->grant_support_user_with_locale( 'de_DE' );
+
+ $this->assertTrue( switch_to_user_locale( $user_id ) );
+ try {
+ $this->assertSame( 'de_DE', determine_locale(),
+ 'After switch_to_user_locale, determine_locale should return the user locale.' );
+ } finally {
+ restore_previous_locale();
+ }
+ }
+
+ public function test_multiple_support_users_keep_independent_locales() {
+ $id_a = $this->grant_support_user_with_locale( 'de_DE' );
+
+ // Re-config under a different namespace so we can create a
+ // SECOND support user with a different locale on the same site.
+ $config_b = new Config( array(
+ 'auth' => array( 'api_key' => 'b146ca31be6aa948' ),
+ 'role' => 'editor',
+ 'vendor' => array(
+ 'namespace' => 'locale-test-b',
+ 'title' => 'Locale Test B',
+ 'email' => 'support+b+{hash}@example.com',
+ 'website' => 'https://vendor.example.com',
+ 'support_url' => 'https://vendor.example.com/support',
+ ),
+ 'support_user' => array( 'locale' => 'fr_FR' ),
+ ) );
+ $config_b->validate();
+ $logging_b = new Logging( $config_b );
+ ( new SupportRole( $config_b, $logging_b ) )->create();
+ $id_b = ( new SupportUser( $config_b, $logging_b ) )->create();
+
+ $this->assertNotInstanceOf( \WP_Error::class, $id_b );
+ $this->assertSame( 'de_DE', get_user_locale( $id_a ) );
+ $this->assertSame( 'fr_FR', get_user_locale( (int) $id_b ) );
+ }
+
+ public function test_locale_persists_across_simulated_logins() {
+ $user_id = $this->grant_support_user_with_locale( 'es_ES' );
+
+ // First "login" — simulate WP loading the user.
+ wp_set_current_user( $user_id );
+ $first = get_user_locale( $user_id );
+ wp_set_current_user( 0 );
+
+ // Drop the user object cache so we re-hydrate from the DB.
+ clean_user_cache( $user_id );
+
+ // Second "login".
+ wp_set_current_user( $user_id );
+ $second = get_user_locale( $user_id );
+
+ $this->assertSame( 'es_ES', $first );
+ $this->assertSame( 'es_ES', $second );
+ $this->assertSame( $first, $second,
+ 'The user-locale row should survive cache eviction between sessions.' );
+ }
+
+
+ public function test_pre_insert_user_data_filter_stripping_locale_triggers_reassert() {
+ $strip_locale = static function ( $data ) {
+ if ( isset( $data['locale'] ) ) {
+ unset( $data['locale'] );
+ }
+ return $data;
+ };
+ add_filter( 'wp_pre_insert_user_data', $strip_locale, 10, 1 );
+
+ try {
+ $user_id = $this->grant_support_user_with_locale( 'de_DE' );
+
+ // Even though the filter stripped `locale` before insert,
+ // SupportUser::create() detects the mismatch and re-asserts
+ // via update_user_meta(). End-state must match the request.
+ $this->assertSame( 'de_DE', (string) get_user_meta( $user_id, 'locale', true ) );
+ } finally {
+ remove_filter( 'wp_pre_insert_user_data', $strip_locale, 10 );
+ }
+ }
+
+ public function test_filter_returning_empty_string_clears_configured_locale() {
+ $clear = static function () { return ''; };
+ add_filter( 'trustedlogin/locale-test/support_user/locale', $clear, 10, 1 );
+
+ try {
+ $config = $this->build_config( array(
+ 'support_user' => array( 'locale' => 'de_DE' ),
+ ) );
+ $logging = new Logging( $config );
+ ( new SupportRole( $config, $logging ) )->create();
+ $user_id = ( new SupportUser( $config, $logging ) )->create();
+
+ $this->assertNotInstanceOf( \WP_Error::class, $user_id );
+ $this->assertSame( '', (string) get_user_meta( (int) $user_id, 'locale', true ),
+ 'Filter forcing empty should suppress the configured locale entirely.' );
+ } finally {
+ remove_filter( 'trustedlogin/locale-test/support_user/locale', $clear, 10 );
+ }
+ }
+
+ public function test_filter_returning_garbage_is_rejected_by_format_check() {
+ $garbage = static function () { return 'not a real locale!'; };
+ add_filter( 'trustedlogin/locale-test/support_user/locale', $garbage, 10, 1 );
+
+ try {
+ $config = $this->build_config( array(
+ 'support_user' => array( 'locale' => 'de_DE' ),
+ ) );
+ $logging = new Logging( $config );
+ ( new SupportRole( $config, $logging ) )->create();
+ $user_id = ( new SupportUser( $config, $logging ) )->create();
+
+ $this->assertNotInstanceOf( \WP_Error::class, $user_id );
+ $this->assertSame( '', (string) get_user_meta( (int) $user_id, 'locale', true ),
+ 'Garbage from the filter must be format-rejected, leaving locale unset.' );
+ } finally {
+ remove_filter( 'trustedlogin/locale-test/support_user/locale', $garbage, 10 );
+ }
+ }
+
+
+ /**
+ * @dataProvider invalid_locales
+ */
+ public function test_malformed_locale_formats_are_rejected( string $locale, string $why ) {
+ $config = $this->build_config( array(
+ 'support_user' => array( 'locale' => $locale ),
+ ) );
+ $logging = new Logging( $config );
+ $support_user = new SupportUser( $config, $logging );
+ $rc = new \ReflectionClass( SupportUser::class );
+ $method = $rc->getMethod( 'resolve_support_user_locale' );
+ $method->setAccessible( true );
+
+ $this->assertSame( '', $method->invoke( $support_user ), $why );
+ }
+
+ public function invalid_locales(): array {
+ return array(
+ 'empty string' => array( '', 'no locale requested' ),
+ 'whitespace' => array( ' ', 'whitespace shouldn\'t pass' ),
+ 'shell injection attempt' => array( 'de_DE; rm -rf /', 'shell-style payload must be rejected' ),
+ 'bare language too short' => array( 'd', 'one-letter language code invalid' ),
+ 'wrong-case region' => array( 'de_de', 'WP locale convention is uppercase region' ),
+ 'IETF style with hyphen' => array( 'de-DE', 'WP uses underscores, not hyphens' ),
+ 'path traversal attempt' => array( '../../etc/passwd', 'no slashes anywhere' ),
+ 'angle brackets' => array( 'de_DE