
Donations Block: Security settings (min/max amount enforcement)#48492

Open
angelablake wants to merge 6 commits into update/donations-frequency-amount-defaults from update/donations-security-settings

Conversation

@angelablake

Summary

  • Adds a collapsed Security inspector panel with Minimum and Maximum donation amount fields (both opt-in, no defaults)
  • Stripe's floor for the active currency is enforced as the lower bound on the minimum field; inline validation warns if maximum is set below minimum
  • PHP stamps pre-translated error strings (data-min-error / data-max-error) and numeric bounds on the wrapper — no frontend i18n wiring needed
  • view.js enforces the range on preset tile click, custom amount input, and when a configured default amount is applied on load or tab switch; out-of-range keeps the donate button disabled and shows a red message above the separator; clears automatically when the amount comes back in range

Test plan

  • Open the block inspector → Settings panel — Security panel should be present and collapsed by default
  • Expand Security panel — Minimum and Maximum fields appear with numeric inputs; explanation text is visible
  • Set a minimum (e.g. $20) — selecting a $5 or $15 preset tile should disable the donate button and show "The minimum donation amount is $20.00" above the separator
  • With minimum set, select the $100 tile — error clears, button enables
  • Set a maximum (e.g. $50) — selecting the $100 tile should disable the button and show "The maximum donation amount is $50.00"
  • Enter a custom amount below the minimum — error message appears; enter a valid amount — error clears
  • Switch frequency tabs — error clears
  • Set maximum below minimum in the inspector — inline validation message appears on the Maximum field
  • Leave both fields empty — block behaves exactly as before (no regressions)

🤖 Generated with Claude Code
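The range check the summary describes, written here as an added example (not the code in this PR or in Jetpack): the bounds and pre-translated messages are read from the wrapper's data-* attributes, a preset or custom amount is compared against them, and the Stripe floor message is used only when no admin minimum is set. The attribute names `minAmount`, `maxAmount`, `stripeMinAmount` and the inspector-side helper are assumptions; the browser's `dataset` already decodes entities such as `&#163;`, so the messages are used as-is.

```javascript
// Added example (not Jetpack's view.js). Bounds come from the block wrapper's
// data-* attributes; in a real page they would be read via wrapper.dataset,
// which decodes HTML entities in the message strings. Attribute names here are
// assumed; the page only names data-min-error / data-max-error / data-stripe-min-error.

function parseBound(value) {
  // An empty or missing attribute means the field was left opt-out: no limit.
  if (value === undefined || value === null || value === '') return null;
  const n = Number(value);
  return Number.isFinite(n) ? n : null;
}

// Returns null when the amount may be donated, otherwise the message to show
// above the separator (the donate button stays disabled while it is shown).
function checkAmountRange(amount, data) {
  if (!Number.isFinite(amount) || amount <= 0) return null; // nothing to validate yet
  const min = parseBound(data.minAmount);
  const max = parseBound(data.maxAmount);
  const stripeMin = parseBound(data.stripeMinAmount);
  if (min !== null && amount < min) return data.minError;     // boundary itself is allowed
  if (max !== null && amount > max) return data.maxError;
  // Admin set no minimum, so the processor's floor is the only lower bound.
  if (min === null && stripeMin !== null && amount < stripeMin) return data.stripeMinError;
  return null;
}

// Inspector-side check for the Maximum field: inline help when the maximum is
// set below the minimum or below the processor floor for the currency.
function inspectorMaxProblem(min, max, stripeMin) {
  if (max === null) return null;
  if (min !== null && max < min) return 'max-below-min';
  if (stripeMin !== null && max < stripeMin) return 'max-below-stripe-floor';
  return null;
}

// Constructed sample data standing in for wrapper.dataset.
const WRAPPER_WITH_LIMITS = {
  minAmount: '20', maxAmount: '50', stripeMinAmount: '0.5',
  minError: 'The minimum donation amount is $20.00',
  maxError: 'The maximum donation amount is $50.00',
  stripeMinError: 'Donations must be at least $0.50',
};
const WRAPPER_NO_LIMITS = {
  minAmount: '', maxAmount: '', stripeMinAmount: '0.5',
  minError: '', maxError: '', stripeMinError: 'Donations must be at least $0.50',
};
```

Because this runs in the donor's browser it is a usability guard; the same bounds still have to be applied wherever the payment is actually created.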

@github-actions
Contributor

github-actions Bot commented May 4, 2026

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the update/donations-security-settings branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack update/donations-security-settings

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions github-actions Bot added [Block] Donations [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Status] In Progress labels May 4, 2026
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • 🔴 Add testing instructions.
  • 🔴 Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


🔴 Action required: Please include detailed testing steps, explaining how to test your change, like so:

## Testing instructions:

* Go to '..'
*

🔴 Action required: We would recommend that you add a section to the PR description to specify whether this PR includes any changes to data or privacy, like so:

## Does this pull request change what data or activity we track or use?

My PR adds *x* and *y*.

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!


Jetpack plugin:

No scheduled milestone found for this plugin.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@github-actions github-actions Bot added the [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. label May 4, 2026
@jp-launch-control

jp-launch-control Bot commented May 4, 2026

Code Coverage Summary

No summary data is available for parent commit f88ef1f, so cannot calculate coverage changes. 😴

If that commit is a feature branch rather than a trunk commit, this is expected. Otherwise, this should be updated once coverage for f88ef1f is available.

Full summary · PHP report · JS report

@angelablake angelablake marked this pull request as ready for review May 4, 2026 17:27
Angela Blake and others added 6 commits May 4, 2026 15:05
Inspector: new collapsed Security panel with Minimum and Maximum
amount fields (opt-in, no defaults). Stripe's floor for the active
currency is the lower bound on the minimum field. Inline validation
shows an error if maximum is set below minimum.

Enforcement: PHP stamps pre-translated data-min-error / data-max-error
strings and numeric data-min-amount / data-max-amount on the wrapper.
view.js checks on preset tile click, custom amount input, and when a
configured default amount is applied. Out-of-range keeps the donate
button disabled and shows a red message above the separator; clears
automatically on tab switch or when amount comes back in range.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…curity copy

Show a donor-facing message when a custom amount is valid but below
Stripe's minimum for the currency (e.g. entering $0.01 with no admin
minimum set). PHP stamps data-stripe-min-error on the wrapper; view.js
shows it in the else branch only when parsedAmount is a positive number.

Also shortens the Security panel description in the inspector.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
JS: add checkAmountRange as a named export in utils.js; view.js
delegates to it. New test/utils.test.js covers all range cases
(below min, above max, at boundaries, no limits set) plus the
existing firstShownInterval helper.

PHP: extract inline security attr logic from render_block into
build_security_data_attrs(). New tests in Donations_Test.php cover
min/max attribute presence, formatted currency values, and that the
Stripe floor message is currency-aware (USD vs GBP).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- aria-disabled + tabindex=-1 on donate buttons; early click guard stops
  memberships.js from opening Stripe modal for keyboard/AT users
- role=alert set dynamically in showRangeError (not in static HTML) to
  prevent false AT announcements on page load
- @since $$next-version$$ added to build_security_data_attrs()
- Stripe floor string uses _x() with context to avoid shared msgid with
  admin-min string
- .donations__range-error uses gb.$alert-red token and margin-block-end
  for RTL correctness
- PHP tests: both-limits and inverted-limits cases added

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…tripe floor

- applyDefaultAmount() takes isUserInitiated flag; range error is only
  displayed when the donor explicitly selects an amount or switches tabs,
  not on the initial render
- Security panel shows inline help on the maximum field when the admin
  sets a value below the payment processor's minimum for the chosen currency

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CURRENCIES['GBP']['symbol'] is '&#163;', not UTF-8 '£', so format_price
returns the HTML entity in raw PHP. The browser decodes it when reading
dataset.* so donors see the symbol correctly; the test must check the
raw value.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>