From 84faaf12b0d960c80407bc5db6da60ea574fbed1 Mon Sep 17 00:00:00 2001
From: vytisbulkevicius
Date: Wed, 4 Mar 2026 11:45:18 +0200
Subject: [PATCH 1/3] Fix chart creation nonce verification mismatch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The security PR that was merged to development added nonce action parameters to nonce creation and uploadData verification, but forgot to update _handleTypesPage verification. This caused a mismatch where:
- Nonces were created WITH action: wp_create_nonce('visualizer-upload-data')
- But _handleTypesPage verified WITHOUT action: wp_verify_nonce($nonce)
- Result: Nonce verification failed, chart creation broken
This fix updates _handleTypesPage to verify WITH the action parameter to match the nonce creation, allowing charts to be created successfully while maintaining all security improvements.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 classes/Visualizer/Module/Chart.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/Visualizer/Module/Chart.php b/classes/Visualizer/Module/Chart.php
index 29d0794f..e31133b1 100644
--- a/classes/Visualizer/Module/Chart.php
+++ b/classes/Visualizer/Module/Chart.php
@@ -955,7 +955,7 @@ private function _handleDataAndSettingsPage() {
 */
 private function _handleTypesPage() {
 // process post request
- if ( $_SERVER['REQUEST_METHOD'] === 'POST' && wp_verify_nonce( filter_input( INPUT_POST, 'nonce' ) ) ) {
+ if ( $_SERVER['REQUEST_METHOD'] === 'POST' && wp_verify_nonce( filter_input( INPUT_POST, 'nonce' ), 'visualizer-upload-data' ) ) {
 $type = filter_input( INPUT_POST, 'type' );
 $library = filter_input( INPUT_POST, 'chart-library' );
 if ( Visualizer_Module_Admin::checkChartStatus( $type ) ) {
From 30b3817af48c2f253560ea4fb110d859785da2c9 Mon Sep 17 00:00:00 2001
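Review bot: The added `wp_verify_nonce( ..., 'visualizer-upload-data' )` only proves the POST came from a form the plugin rendered for this user's session; it is a CSRF token, not an authorization check, and nothing in the hunk verifies that the user may create a chart before `$type` and `$library` are consumed. `_handleTypesPage` continues past the hunk, so a capability check may already live further down; if it does not, extend the condition with `&& current_user_can( 'edit_posts' )` (or whichever capability the plugin uses for its other chart-editing paths, e.g. in `uploadData()`). A second, smaller point: reusing the `'visualizer-upload-data'` action here means a nonce minted for the data-upload endpoint is equally valid for this form and vice versa; a dedicated action such as `'visualizer-create-chart'`, created in the types-page form and verified here, keeps each token scoped to one operation.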
From: vytisbulkevicius
Date: Wed, 4 Mar 2026 11:54:32 +0200
Subject: [PATCH 2/3] Fix Visualizer_Pro class not found error in free version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Layout.php line 983 was unconditionally accessing Visualizer_Pro::ACTION_FETCH_DATA even in the free version, causing a fatal error when creating charts. The nonce creation now checks if PRO version is active before accessing the Visualizer_Pro class, matching the pattern used for the action parameter. Security fix from previous commit remains intact:
- Chart.php line 958: Nonce verification with 'visualizer-upload-data' action
- uploadData() method: Capability checks and per-chart ownership validation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 classes/Visualizer/Render/Layout.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/Visualizer/Render/Layout.php b/classes/Visualizer/Render/Layout.php
index 36197054..a89353ef 100644
--- a/classes/Visualizer/Render/Layout.php
+++ b/classes/Visualizer/Render/Layout.php
@@ -980,7 +980,7 @@ class="dashicons dashicons-lock">
 add_query_arg(
 array(
 'action' => Visualizer_Module::is_pro() ? Visualizer_Pro::ACTION_FETCH_DATA : '',
- 'nonce' => wp_create_nonce( Visualizer_Pro::ACTION_FETCH_DATA ),
+ 'nonce' => Visualizer_Module::is_pro() ? wp_create_nonce( Visualizer_Pro::ACTION_FETCH_DATA ) : wp_create_nonce(),
 ),
 admin_url( 'admin-ajax.php' )
 )
From 805544d2640f78ab02b043be8f349db293c68981 Mon Sep 17 00:00:00 2001
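Review bot: In the free branch the new line falls back to `wp_create_nonce()` with no action, which mints a nonce for WordPress's default action; that generic token is exactly what an action-less `wp_verify_nonce( $nonce )` check anywhere on the site accepts, the looseness patch 1/3 just removed from `_handleTypesPage`. The sibling `'action'` entry is `''` in the same branch, so the URL addresses no admin-ajax handler and the token has nothing to authorize; emitting it into page markup only widens what a leaked nonce is good for. Prefer `'nonce' => Visualizer_Module::is_pro() ? wp_create_nonce( Visualizer_Pro::ACTION_FETCH_DATA ) : '',`, or skip building the fetch-data link entirely when `is_pro()` is false. The markup this `add_query_arg()` call sits in begins and ends outside the hunk, so I cannot see whether the free-version link is already suppressed elsewhere.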
From: vytisbulkevicius
Date: Wed, 4 Mar 2026 12:00:08 +0200
Subject: [PATCH 3/3] Fix PHPStan class name case error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixed incorrect case usage: Visualizer_PRO -> Visualizer_Pro
This resolves the PHPStan check failure that was blocking CI.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 classes/Visualizer/Gutenberg/Block.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/Visualizer/Gutenberg/Block.php b/classes/Visualizer/Gutenberg/Block.php
index c6fcfab7..045819b5 100644
--- a/classes/Visualizer/Gutenberg/Block.php
+++ b/classes/Visualizer/Gutenberg/Block.php
@@ -668,7 +668,7 @@ public function update_chart_data( $data ) {
 if ( Visualizer_Module::is_pro() ) {
 $permissions_data = map_deep( $data['visualizer-permissions'], array( $this, 'sanitize_value' ) );
- update_post_meta( $data['id'], Visualizer_PRO::CF_PERMISSIONS, $permissions_data );
+ update_post_meta( $data['id'], Visualizer_Pro::CF_PERMISSIONS, $permissions_data );
 }
 if ( $data['visualizer-chart-url'] ) {