Tracking issue for the findings reported by the WordPress.org Plugin Check scan that must be reviewed before the plugin is accepted. Some are blockers (errors), others are warnings that the reviewer may still flag.
Blocker (error)
includes/class-exelearning-rest-api.php:299 — move_uploaded_file() forbidden
Generic.PHP.ForbiddenFunctions.Found: The use of function move_uploaded_file() is forbidden
Plugin Check forbids direct use of move_uploaded_file(). The save_elp_file() endpoint should route the uploaded file through wp_handle_upload() / wp_handle_sideload() (which performs the move plus MIME validation) and then move/copy the result over the existing ELP file. The current @copy() fallback for PHP-WASM environments needs to be preserved.
Warnings
admin/views/editor-bootstrap.php — non-prefixed globals
Lines 23, 26, 27, 29, 31, 33, 35, 40, 42, 46, 49, 50, 53, 54, 57, 58, 59, 62, 79, 81, 113, 487, 536, 540, 541, 546.
WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
Top-level variables in a template file are treated as globals. Either prefix them ($exelearning_attachment_id, etc.) or wrap the template body in a function/closure so the variables become local.
includes/class-exelearning-editor.php — ini_set() discouraged
Lines 47 and 64.
Squiz.PHP.DiscouragedFunctions.Discouraged: The use of function ini_set() is discouraged
Review whether the ini_set() calls are strictly necessary; if so, document why and consider a phpcs:ignore with a justification comment.
exelearning.php:85 — non-prefixed function
Rename to exelearning_run() (or similar prefixed name) and update the call site.
includes/class-i18n.php:25 — load_plugin_textdomain() discouraged
PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound
Since WP 4.6, plugins hosted on WordPress.org no longer need this call — translations are loaded automatically. Remove the call (and the surrounding hook) once we're confident we don't need it for environments outside WordPress.org.
Context
These findings come from the Plugin Check run done during the WordPress.org submission. The Author URI vs Plugin URI issue is being fixed separately in #36.
Tracking issue for the findings reported by the WordPress.org Plugin Check scan that must be reviewed before the plugin is accepted. Some are blockers (errors), others are warnings that the reviewer may still flag.
Blocker (error)
includes/class-exelearning-rest-api.php:299—move_uploaded_file()forbiddenPlugin Check forbids direct use of
move_uploaded_file(). Thesave_elp_file()endpoint should route the uploaded file throughwp_handle_upload()/wp_handle_sideload()(which performs the move plus MIME validation) and then move/copy the result over the existing ELP file. The current@copy()fallback for PHP-WASM environments needs to be preserved.Warnings
admin/views/editor-bootstrap.php— non-prefixed globalsLines 23, 26, 27, 29, 31, 33, 35, 40, 42, 46, 49, 50, 53, 54, 57, 58, 59, 62, 79, 81, 113, 487, 536, 540, 541, 546.
Top-level variables in a template file are treated as globals. Either prefix them (
$exelearning_attachment_id, etc.) or wrap the template body in a function/closure so the variables become local.includes/class-exelearning-editor.php—ini_set()discouragedLines 47 and 64.
Review whether the
ini_set()calls are strictly necessary; if so, document why and consider aphpcs:ignorewith a justification comment.exelearning.php:85— non-prefixed functionRename to
exelearning_run()(or similar prefixed name) and update the call site.includes/class-i18n.php:25—load_plugin_textdomain()discouragedSince WP 4.6, plugins hosted on WordPress.org no longer need this call — translations are loaded automatically. Remove the call (and the surrounding hook) once we're confident we don't need it for environments outside WordPress.org.
Context
These findings come from the Plugin Check run done during the WordPress.org submission. The Author URI vs Plugin URI issue is being fixed separately in #36.