=== Oxtilo Fast Cal === Contributors: slawomirklimek Donate link: https://oxtilo.pl/ Tags: booking, calendar, appointment, schedule, reservation Requires at least: 5.8 Tested up to: 6.9 Stable tag: 0.9.8 Requires PHP: 7.4 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html A secure and flexible booking management system for WordPress with availability handling, ICS sync, and REST API. == Description == Oxtilo Fast Cal is a secure and flexible booking management system for WordPress. Features robust availability handling, ICS calendar synchronization, email notifications, and a full REST API. Includes built-in Polish translations. = Features = * **Service Management** - Define multiple services with duration and type (online/in-person) * **Booking Intervals** - Configurable slot intervals (15, 30, or 60 minutes) * **Manual Bookings** - Administrator can create bookings for any time, including outside working hours * **Frontend Management** - Clients can reschedule or cancel bookings via secure links * **Working Hours** - Configure working hours for each day of the week * **Availability Calculation** - Automatic slot availability based on working hours and existing bookings * **External Calendar Sync** - Import busy times from iCloud, Proton Calendar, or holiday calendars via ICS * **ICS Feed Export** - Private calendar feed for syncing bookings to external apps * **Email Notifications** - Automatic notifications to admin and clients with ICS attachments and customizable templates * **Mobile Friendly** - Responsive booking form with quick date selection (Today/Tomorrow) * **REST API** - Token-authenticated endpoints for external integrations (Apple Shortcuts, Zapier) * **Built-in Polish Translations** - No `.mo` file needed for Polish locale == Installation == 1. Upload the `oxtilo-fast-cal` folder to `/wp-content/plugins/` 2. Activate the plugin through the 'Plugins' menu in WordPress 3. Go to **Oxtilo Fast Cal** in the admin menu to configure settings == Frequently Asked Questions == = How do I add the booking form? = Add the booking form to any page using the shortcode: `[oxtilofastcal_form]` = Does it support translations? = Yes, it has built-in Polish translations. == Screenshots == 1. (No screenshots available yet) == Changelog == = 0.9.8 = * **Fix**: Introduced fix to WordPress SVN repository. = 0.9.7 = * **Fix**: Renamed main plugin file to `oxtilo-fast-cal.php` to follow WordPress naming conventions. * **Fix**: Removed unnecessary `Domain Path` header (translations handled by WordPress.org). = 0.9.6 = * **Security**: Improved nonce verification and permission checks. * **Refactor**: Replaced inline scripts and styles with `wp_enqueue_script` and `wp_enqueue_style`. * **Fix**: Corrected text domain to `oxtilo-fast-cal` matches plugin slug. * **Compatibility**: Updated Block API version to 3 for WordPress 7.0 readiness. * **Compatibility**: Tested up to WordPress 6.9. = 0.9.5 = * **Refactor**: Codebase improvements for WordPress.org plugin review standards. * **Fix**: Replaced discouraged functions (`unlink` -> `wp_delete_file`) for better hosting compatibility. * **Fix**: Removed redundant `load_plugin_textdomain` as translations are handled by WordPress.org. * **Security**: Enhanced output escaping and sanitization in admin views. * **I18n**: Fixed text domain inconsistencies and missing translation strings. = 0.9.4 = * **Feature**: Added setting to include/hide "Manage Booking" link in the private calendar feed events. * **Security**: Added warning when "Manage Booking" link is enabled in calendar feed to prevent unauthorized access. * **I18n**: Added Polish translations for new settings. = 0.9.3 = * **Security**: Added server-side validation for `max_days_future` in REST API `GET /slots` endpoint. * **Security**: Hardened output escaping for `paginate_links` to prevent potential XSS vulnerabilities. * **Security**: Improved `$_GET` parameter handling and escaping in admin booking pages. * **Compatibility**: Replaced `file_put_contents` with WP Filesystem API for better hosting compatibility. = 0.9.2 = * **Fix**: Prevented double booking when rescheduling by excluding the current booking from availability checks. * **Fix**: Updated frontend availability display to correctly show slots occupied by the current booking as available for rescheduling. = 0.9.1 = * **Security**: Added Anti-Bot Protection (Honeypot + JS Time Trap + Nonce) to booking form. * **Security**: Added ability to enable/disable anti-bot protection in Security settings. * **I18n**: Added Polish translations for new anti-bot settings. = 0.9.0 = * **Security**: Implemented comprehensive Rate Limiting system to prevent abuse (DoS, brute force, spam). * Configurable request limits for public endpoints (requests/minute). * Smart IP detection with support for Cloudflare, Sucuri, AWS CloudFront, Fastly, and proxies. * Rate limiting applied to booking form submissions, AJAX slot checks, and REST API. * **Security**: Fixed potential race condition (TOCTOU) in booking creation using atomic database transactions. * **Security**: Added strict date/time validation to prevent invalid booking durations. * **Security**: Hardened singleton pattern for admin class to prevent multiple instances. * **I18n**: Completed Polish translations for all new security features and API documentation. * **Fix**: Fixed issue with WordPress data sanitization (unslashing) for Apostrophes. * **Fix**: Added validation to ensure end time is always after start time. = 0.8.0 = * **Security**: Separated API token from calendar feed token for better security * Calendar feed token (32 chars): Read-only access for ICS feeds shared with calendar apps * API token (48 chars): Write access for REST API, kept secret * **Breaking**: If using REST API, update your applications to use the new API token from Settings * Added: Dedicated API token display and regeneration button in REST API settings section * Added: Security warning explaining token separation in admin panel = 0.7.0 = * Added: REST API for external integrations (e.g., Apple Shortcuts, Zapier) * Added: GET `/wp-json/oxtilofastcal/v1/slots` endpoint for available time slots * Added: POST `/wp-json/oxtilofastcal/v1/create` endpoint for booking creation * Added: Token-based API authentication via `X-Oxtilofastcal-Token` header * Added: Custom duration parameter for slot availability queries * Added: API documentation in admin settings page with real URLs and tokens * Improved: `get_available_slots()` now supports custom duration override = 0.6.0 = * Added: Administrator ability to manually create bookings from the dashboard. * Added: Configurable booking interval setting (15, 30, or 60 minutes). * Added: "Client Message" field to booking form and notifications. * Added: Quick date selectors (Today, Tomorrow) to frontend form. * Added: Option to toggle 12h/24h time format on frontend. * Added: Email notifications for booking updates and cancellations. * Fixed: Issue with external ICS calendar synchronization. * Fixed: Gutenberg block rendering issues. * Fixed: ICS attachment filename in emails. * Improved: Frontend form styling and responsiveness. * Improved: Admin interface organization. = 0.5.1 = * Refactored codebase into separate files with proper class structure * Added uninstall.php for clean plugin removal * Added PHP 7.4 compatibility (polyfill for `str_ends_with`) * Improved security with better input validation * Changed date input to native HTML5 date picker * Added keyboard accessibility for slot selection * Improved XSS protection in JavaScript * Added multisite support for uninstall = 0.5.0 = * Initial release == Upgrade Notice == = 0.9.8 = SVN repository fix. Recommended update. = 0.9.7 = Plugin review fixes: renamed main file and removed unnecessary Domain Path header. = 0.9.6 = Security and compatibility updates. Recommended update. = 0.9.5 = Codebase refactoring and security improvements. Update recommended.