From 3ed410b68aad5d95490dda4faad02d91ceeb1766 Mon Sep 17 00:00:00 2001
From: ren <18050944+renintw@users.noreply.github.com>
Date: Tue, 21 May 2024 03:29:00 +0900
Subject: [PATCH 1/3] Fix always show "the link you followed has expired" error
 page.

In last commit, the "extend the notes field for vendor payments" causes the "The link you followed has expired" message to always appear when saving a post.

Therefore here only retains the part related to adding a new "Needs follow-up" status for payments and remove else.
---
 .../includes/reimbursement-request.php        | 115 +++++++++-
 .../includes/wordcamp-budgets.php             | 200 +-----------------
 .../reimbursement-request/metabox-notes.php   |  45 ++++
 .../metabox-notes-private.php                 |  36 ----
 .../views/wordcamp-budgets/metabox-notes.php  |  42 ----
 5 files changed, 167 insertions(+), 271 deletions(-)
 create mode 100644 public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php
 delete mode 100644 public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes-private.php
 delete mode 100644 public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes.php

diff --git a/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php b/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php
index 65eb9644f..0b0904a5b 100644
--- a/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php
+++ b/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php
@@ -163,6 +163,15 @@ function init_meta_boxes() {
 		'high'
 	);
 
+	add_meta_box(
+		'wcbrr_notes',
+		esc_html__( 'Notes', 'wordcamporg' ),
+		__NAMESPACE__ . '\render_notes_metabox',
+		POST_TYPE,
+		'side',
+		'high'
+	);
+
 	add_meta_box(
 		'wcbrr_general_information',
 		esc_html__( 'General Information', 'wordcamporg' ),
@@ -308,6 +317,19 @@ function render_status_metabox( $post ) {
 	require_once dirname( __DIR__ ) . '/views/reimbursement-request/metabox-status.php';
 }
 
+/**
+ * Render the Notes metabox
+ *
+ * @param WP_Post $post
+ */
+function render_notes_metabox( $post ) {
+	wp_nonce_field( 'notes', 'notes_nonce' );
+
+	$existing_notes = get_post_meta( $post->ID, '_wcbrr_notes', true );
+
+	require_once dirname( __DIR__ ) . '/views/reimbursement-request/metabox-notes.php';
+}
+
 /**
  * Render General Information Metabox
  *
@@ -499,6 +521,7 @@ function save_request( $post_id, $post ) {
 	}
 
 	verify_metabox_nonces();
+	validate_and_save_notes( $post, $_POST['wcbrr_new_note'] );
 
 	/*
 	 * We need to determine if the user is allowed to modify the request -- in terms of this plugin's post_status
@@ -651,6 +674,7 @@ function render_log_metabox( $post ) {
 function verify_metabox_nonces() {
 	$nonces = array(
 		'status_nonce',
+		'notes_nonce',
 		'general_information_nonce',
 		'payment_details_nonce',
 		'expenses_nonce',
@@ -720,6 +744,95 @@ function validate_and_save_expenses( $post_id, $expenses ) {
 	update_post_meta( $post_id, '_wcbrr_expenses', $expenses );
 }
 
+/**
+ * Validate and save expense data
+ *
+ * @param WP_Post $post
+ * @param string  $new_note_message
+ */
+function validate_and_save_notes( $post, $new_note_message ) {
+
+	// Save incomplete message.
+	if ( isset( $_POST['wcp_mark_incomplete_notes'] ) ) {
+		$safe_value = '';
+		if ( $post->post_status == 'wcb-incomplete' ) {
+			$safe_value = wp_kses( $_POST['wcp_mark_incomplete_notes'], wp_kses_allowed_html( 'strip' ) );
+		}
+
+		update_post_meta( $post->ID, '_wcp_incomplete_notes', $safe_value );
+	}
+
+	$new_note_message = sanitize_text_field( wp_unslash( $new_note_message ) );
+
+	if ( empty( $new_note_message ) ) {
+		return;
+	}
+
+	$notes = get_post_meta( $post->ID, '_wcbrr_notes', true );
+	if ( ! is_array( $notes ) ) {
+		$notes = array();
+	}
+
+	$new_note = array(
+		'timestamp' => time(),
+		'author_id' => get_current_user_id(),
+		'message'   => $new_note_message,
+	);
+
+	$notes[] = $new_note;
+
+	update_post_meta( $post->ID, '_wcbrr_notes', $notes );
+	notify_parties_of_new_note( $post, $new_note );
+
+	\WordCamp_Budgets::log( $post->ID, get_current_user_id(), sprintf( 'Note: %s', $new_note_message ), array(
+		'action' => 'note-added',
+	) );
+}
+
+/**
+ * Notify WordCamp Central or the request author when new notes are added
+ *
+ * @param WP_Post $request
+ * @param array   $note
+ */
+function notify_parties_of_new_note( $request, $note ) {
+	$note_author = get_user_by( 'id', $note['author_id'] );
+
+	if ( $note_author->has_cap( 'manage_network' ) ) {
+		$to             = \WordCamp_Budgets::get_requester_formatted_email( $request->post_author );
+		$subject_prefix = sprintf( '[%s] ', get_wordcamp_name() );
+	} else {
+		$to             = 'support@wordcamp.org';
+		$subject_prefix = '';
+	}
+
+	if ( ! $to ) {
+		return;
+	}
+
+	$subject          = sprintf( '%sNew note on `%s`', $subject_prefix, sanitize_text_field( $request->post_title ) );
+	$note_author_name = \WordCamp_Budgets::get_requester_name( $note['author_id'] );
+	$request_url      = admin_url( sprintf( 'post.php?post=%s&action=edit', $request->ID ) );
+	$headers          = array( 'Reply-To: support@wordcamp.org' );
+
+	$message = sprintf( '
+		%s has added the following note on the reimbursement request for %s:
+
+		%s
+
+		You can view the request and respond to their note at:
+
+		%s',
+		sanitize_text_field( $note_author_name ),
+		sanitize_text_field( $request->post_title ),
+		sanitize_text_field( $note['message'] ),
+		esc_url_raw( $request_url )
+	);
+	$message = str_replace( "\t", '', $message );
+
+	wp_mail( $to, $subject, $message, $headers );
+}
+
 /**
  * Notify the organizer when the status of their reimbursement changes or when notes are added
  *
@@ -1511,4 +1624,4 @@ function _generate_payment_report_jpm_wires( $args ) {
 	// JPM chokes on accents and non-latin characters.
 	$results = remove_accents( $results );
 	return $results;
-}
+}
\ No newline at end of file
diff --git a/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php b/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php
index 56c9a3a77..7da801ef5 100644
--- a/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php
+++ b/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php
@@ -19,8 +19,6 @@ public function __construct() {
 		add_action( 'admin_enqueue_scripts',  array( $this, 'enqueue_common_assets' ),             11    );
 		add_filter( 'user_has_cap',           array( __CLASS__, 'user_can_view_payment_details' ), 10, 4 );
 		add_filter( 'default_title',          array( $this, 'set_default_payments_title' ),        10, 2 );
-		add_action( 'add_meta_boxes',         array( $this, 'init_meta_boxes' )                          );
-		add_action( 'save_post',              array( $this, 'save_request' ),                      10, 2 );
 	}
 
 	/**
@@ -29,7 +27,7 @@ public function __construct() {
 	public static function register_post_statuses() {
 		// Uses core's draft status too.
 
-		register_post_status( 'wcb-incomplete', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-incomplete', array(
 			'label'       => esc_html_x( 'Incomplete', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -40,7 +38,7 @@ public static function register_post_statuses() {
 			),
 		) );
 
-		register_post_status( 'wcb-pending-approval', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-pending-approval', array(
 			'label'       => esc_html_x( 'Pending Approval', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -51,7 +49,7 @@ public static function register_post_statuses() {
 			),
 		) );
 
-		register_post_status( 'wcb-needs-followup', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-needs-followup', array(
 			'label'       => esc_html_x( 'Needs Follow-up', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -62,7 +60,7 @@ public static function register_post_statuses() {
 			),
 		) );
 
-		register_post_status( 'wcb-approved', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-approved', array(
 			'label'       => esc_html_x( 'Approved', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -73,7 +71,7 @@ public static function register_post_statuses() {
 			),
 		) );
 
-		register_post_status( 'wcb-pending-payment', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-pending-payment', array(
 			'label'       => esc_html_x( 'Payment Sent', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -84,7 +82,7 @@ public static function register_post_statuses() {
 			),
 		) );
 
-		register_post_status( 'wcb-paid', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-paid', array(
 			'label'       => esc_html_x( 'Paid', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -95,7 +93,7 @@ public static function register_post_statuses() {
 			),
 		) );
 
-		register_post_status( 'wcb-failed', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-failed', array(
 			'label'       => esc_html_x( 'Failed', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -106,7 +104,7 @@ public static function register_post_statuses() {
 			),
 		) );
 
-		register_post_status( 'wcb-cancelled', array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
+		register_post_status( 'wcb-cancelled', array(
 			'label'       => esc_html_x( 'Cancelled', 'payment request', 'wordcamporg' ),
 			'public'      => false,
 			'protected'   => true,
@@ -868,186 +866,4 @@ public static function log( $post_id, $user_id, $message, $data = array() ) {
 
 		update_post_meta( $post_id, '_wcp_log', wp_slash( $log ) );
 	}
-
-	/**
-	 * Register meta boxes
-	 */
-	public function init_meta_boxes() {
-		add_meta_box(
-			'wcbrr_notes',
-			esc_html__( 'Notes', 'wordcamporg' ),
-			array( $this, 'render_notes_metabox' ),
-			array( 'wcb_reimbursement', 'wcp_payment_request' ),
-			'side',
-			'default'
-		);
-
-		if ( current_user_can( 'manage_network' ) ) {
-			add_meta_box(
-				'wcbrr_notes_private',
-				esc_html__( 'Private notes', 'wordcamporg' ),
-				array( $this, 'render_notes_private_metabox' ),
-				array( 'wcb_reimbursement', 'wcp_payment_request' ),
-				'side',
-				'default'
-			);
-		}
-	}
-
-	/**
-	 * Render the Notes metabox
-	 *
-	 * @param WP_Post $post
-	 */
-	public function render_notes_metabox( $post ) {
-		wp_nonce_field( 'notes', 'notes_nonce' );
-
-		$existing_notes = get_post_meta( $post->ID, '_wcbrr_notes', true );
-
-		require_once dirname( __DIR__ ) . '/views/wordcamp-budgets/metabox-notes.php';
-	}
-
-	/**
-	 * Render the Private notes metabox
-	 *
-	 * @param WP_Post $post
-	 */
-	public function render_notes_private_metabox( $post ) {
-		wp_nonce_field( 'notes_private', 'notes_private_nonce' );
-
-		$existing_notes = get_post_meta( $post->ID, '_wcbrr_notes_private', true );
-
-		require_once dirname( __DIR__ ) . '/views/wordcamp-budgets/metabox-notes-private.php';
-	}
-
-	/**
-	 * Save the post's data
-	 *
-	 * @param int     $post_id
-	 * @param WP_Post $post
-	 */
-	public function save_request( $post_id, $post ) {
-		if ( empty( $_POST ) || ! empty( $_POST['wcpn-request-import'] ) ) {
-			return;
-		}
-
-		check_admin_referer( str_replace( '_nonce', '', 'notes_nonce' ), 'notes_nonce' );
-		$this::validate_and_save_notes( $post, $_POST['wcbrr_new_note'] );
-
-		if ( current_user_can( 'manage_network' ) ) {
-			check_admin_referer( str_replace( '_nonce', '', 'notes_private_nonce' ), 'notes_private_nonce' );
-			$this::validate_and_save_notes_private( $post, $_POST['wcbrr_new_note_private'] );
-		}
-	}
-
-	/**
-	 * Validate and save notes.
-	 *
-	 * @param WP_Post $post
-	 * @param string  $new_note_message
-	 */
-	public function validate_and_save_notes( $post, $new_note_message ) {
-		$new_note_message = sanitize_text_field( wp_unslash( $new_note_message ) );
-
-		if ( empty( $new_note_message ) ) {
-			return;
-		}
-
-		$notes = get_post_meta( $post->ID, '_wcbrr_notes', true );
-		if ( ! is_array( $notes ) ) {
-			$notes = array();
-		}
-
-		$new_note = array(
-			'timestamp' => time(),
-			'author_id' => get_current_user_id(),
-			'message'   => $new_note_message,
-		);
-
-		$notes[] = $new_note;
-
-		update_post_meta( $post->ID, '_wcbrr_notes', $notes );
-		$this::notify_parties_of_new_note( $post, $new_note );
-
-		$this::log( $post->ID, get_current_user_id(), sprintf( 'Note: %s', $new_note_message ), array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
-			'action' => 'note-added',
-		) );
-	}
-
-	/**
-	 * Validate and save private notes.
-	 *
-	 * @param WP_Post $post
-	 * @param string  $new_note_message
-	 */
-	public function validate_and_save_notes_private( $post, $new_note_message ) {
-		$new_note_message = sanitize_text_field( wp_unslash( $new_note_message ) );
-
-		if ( empty( $new_note_message ) ) {
-			return;
-		}
-
-		$notes = get_post_meta( $post->ID, '_wcbrr_notes_private', true );
-		if ( ! is_array( $notes ) ) {
-			$notes = array();
-		}
-
-		$new_note = array(
-			'timestamp' => time(),
-			'author_id' => get_current_user_id(),
-			'message'   => $new_note_message,
-		);
-
-		$notes[] = $new_note;
-
-		update_post_meta( $post->ID, '_wcbrr_notes_private', $notes );
-
-		$this::log( $post->ID, get_current_user_id(), __( 'Private note', 'wordcamporg' ), array( // phpcs:ignore PEAR.Functions.FunctionCallSignature.MultipleArguments
-			'action' => 'note-added',
-		) );
-	}
-
-	/**
-	 * Notify WordCamp Central or the request author when new notes are added
-	 *
-	 * @param WP_Post $request
-	 * @param array   $note
-	 */
-	public function notify_parties_of_new_note( $request, $note ) {
-		$note_author = get_user_by( 'id', $note['author_id'] );
-
-		if ( $note_author->has_cap( 'manage_network' ) ) {
-			$to             = $this::get_requester_formatted_email( $request->post_author );
-			$subject_prefix = sprintf( '[%s] ', get_wordcamp_name() );
-		} else {
-			$to             = 'support@wordcamp.org';
-			$subject_prefix = '';
-		}
-
-		if ( ! $to ) {
-			return;
-		}
-
-		$subject          = sprintf( '%sNew note on `%s`', $subject_prefix, sanitize_text_field( $request->post_title ) );
-		$note_author_name = $this::get_requester_name( $note['author_id'] );
-		$request_url      = admin_url( sprintf( 'post.php?post=%s&action=edit', $request->ID ) );
-		$headers          = array( 'Reply-To: support@wordcamp.org' );
-
-		$message = sprintf( '
-			%s has added the following note on the reimbursement request for %s:
-
-			%s
-
-			You can view the request and respond to their note at:
-
-			%s',
-			sanitize_text_field( $note_author_name ),
-			sanitize_text_field( $request->post_title ),
-			sanitize_text_field( $note['message'] ),
-			esc_url_raw( $request_url )
-		);
-		$message = str_replace( "\t", '', $message );
-
-		wp_mail( $to, $subject, $message, $headers );
-	}
 }
diff --git a/public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php b/public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php
new file mode 100644
index 000000000..c8b71fc64
--- /dev/null
+++ b/public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace WordCamp\Budgets\Reimbursement_Requests;
+defined( 'WPINC' ) or die();
+
+?>
+
+<?php if ( empty ( $existing_notes ) ) : ?>
+
+	<?php _e( 'There are no notes yet.', 'wordcamporg' ); ?>
+
+<?php else : ?>
+
+	<?php foreach ( $existing_notes as $note ) : ?>
+		<div class="wcbrr-note">
+			<span class="wcbrr-note-meta">
+				<?php echo esc_html( date( 'Y-m-d', $note['timestamp'] ) ); ?>
+				<?php echo esc_html( \WordCamp_Budgets::get_requester_name( $note['author_id'] ) ); ?>:
+			</span>
+
+			<?php echo esc_html( $note['message'] ); ?>
+		</div>
+	<?php endforeach; ?>
+
+<?php endif; ?>
+
+<div>
+	<h3>
+		<label for="wcbrr_new_note">
+			<?php _e( 'Add a Note', 'wordcamporg' ); ?>
+		</label>
+
+		<?php if ( current_user_can( 'manage_network' ) ) : ?>
+			<p class="description">(visible to organizers)</p>
+		<?php endif; ?>
+	</h3>
+
+	<textarea id="wcbrr_new_note" name="wcbrr_new_note" class="large-text"></textarea>
+
+	<?php submit_button(
+		esc_html__( 'Add Note', 'wordcamporg' ),
+		'secondary',
+		'wcbrr_add_note'
+	); ?>
+</div>
diff --git a/public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes-private.php b/public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes-private.php
deleted file mode 100644
index d68aedd66..000000000
--- a/public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes-private.php
+++ /dev/null
@@ -1,36 +0,0 @@
-<?php
-
-if ( ! defined( 'WPINC' ) ) {
-	die();
-}
-
-if ( empty( $existing_notes ) ) :
-	esc_html_e( 'There are no private notes yet.', 'wordcamporg' );
-else :
-	foreach ( $existing_notes as $note ) : ?>
-		<div class="wcbrr-note">
-			<span class="wcbrr-note-meta">
-				<?php echo esc_html( gmdate( 'Y-m-d', $note['timestamp'] ) ); ?>
-				<?php echo esc_html( WordCamp_Budgets::get_requester_name( $note['author_id'] ) ); ?>:
-			</span>
-
-			<?php echo esc_html( $note['message'] ); ?>
-		</div>
-	<?php endforeach;
-endif; ?>
-
-<div>
-	<h3>
-		<label for="wcbrr_new_note_private">
-			<?php esc_html_e( 'Add a private note', 'wordcamporg' ); ?>
-		</label>
-	</h3>
-
-	<textarea id="wcbrr_new_note_private" name="wcbrr_new_note_private" class="large-text"></textarea>
-
-	<?php submit_button(
-		esc_html__( 'Add private note', 'wordcamporg' ),
-		'secondary',
-		'wcbrr_add_note'
-	); ?>
-</div>
diff --git a/public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes.php b/public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes.php
deleted file mode 100644
index 83294aac0..000000000
--- a/public_html/wp-content/plugins/wordcamp-payments/views/wordcamp-budgets/metabox-notes.php
+++ /dev/null
@@ -1,42 +0,0 @@
-<?php
-
-if ( ! defined( 'WPINC' ) ) {
-	die();
-}
-
-if ( empty( $existing_notes ) ) :
-	esc_html_e( 'There are no private notes yet.', 'wordcamporg' );
-else :
-	foreach ( $existing_notes as $note ) : ?>
-		<div class="wcbrr-note">
-			<span class="wcbrr-note-meta">
-				<?php echo esc_html( gmdate( 'Y-m-d', $note['timestamp'] ) ); ?>
-				<?php echo esc_html( WordCamp_Budgets::get_requester_name( $note['author_id'] ) ); ?>:
-			</span>
-
-			<?php echo esc_html( $note['message'] ); ?>
-		</div>
-	<?php endforeach;
-endif;
-
-if ( current_user_can( 'view_wordcamp_payment_details', $post->ID ) ) : ?>
-	<div>
-		<h3>
-			<label for="wcbrr_new_note">
-				<?php esc_html_e( 'Add a Note', 'wordcamporg' ); ?>
-			</label>
-
-			<?php if ( current_user_can( 'manage_network' ) ) : ?>
-				<p class="description">(visible to organizers)</p>
-			<?php endif; ?>
-		</h3>
-
-		<textarea id="wcbrr_new_note" name="wcbrr_new_note" class="large-text"></textarea>
-
-		<?php submit_button(
-			esc_html__( 'Add Note', 'wordcamporg' ),
-			'secondary',
-			'wcbrr_add_note'
-		); ?>
-	</div>
-<?php endif; ?>

From 9a6fe3f3ec39aef3526c57407774c50e3c3c96b3 Mon Sep 17 00:00:00 2001
From: ren <18050944+renintw@users.noreply.github.com>
Date: Tue, 21 May 2024 03:52:06 +0900
Subject: [PATCH 2/3] PHPCS

---
 .../includes/reimbursement-request.php        |  23 ++-
 .../includes/wordcamp-budgets.php             | 184 ++++++++++--------
 .../reimbursement-request/metabox-notes.php   |  31 ++-
 3 files changed, 133 insertions(+), 105 deletions(-)

diff --git a/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php b/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php
index 0b0904a5b..0097455f4 100644
--- a/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php
+++ b/public_html/wp-content/plugins/wordcamp-payments/includes/reimbursement-request.php
@@ -521,6 +521,9 @@ function save_request( $post_id, $post ) {
 	}
 
 	verify_metabox_nonces();
+
+	// phpcs:ignore is added because verify_metabox_nonces(); already checks that.
+	// phpcs:ignore WordPress.Security.NonceVerification.Missing
 	validate_and_save_notes( $post, $_POST['wcbrr_new_note'] );
 
 	/*
@@ -753,10 +756,11 @@ function validate_and_save_expenses( $post_id, $expenses ) {
 function validate_and_save_notes( $post, $new_note_message ) {
 
 	// Save incomplete message.
-	if ( isset( $_POST['wcp_mark_incomplete_notes'] ) ) {
+	// phpcs:ignore is used because verify_metabox_nonces(); already checks that.
+	if ( isset( $_POST['wcp_mark_incomplete_notes'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
 		$safe_value = '';
-		if ( $post->post_status == 'wcb-incomplete' ) {
-			$safe_value = wp_kses( $_POST['wcp_mark_incomplete_notes'], wp_kses_allowed_html( 'strip' ) );
+		if ( 'wcb-incomplete' == $post->post_status ) {
+			$safe_value = wp_kses( $_POST['wcp_mark_incomplete_notes'], wp_kses_allowed_html( 'strip' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
 		}
 
 		update_post_meta( $post->ID, '_wcp_incomplete_notes', $safe_value );
@@ -784,9 +788,14 @@ function validate_and_save_notes( $post, $new_note_message ) {
 	update_post_meta( $post->ID, '_wcbrr_notes', $notes );
 	notify_parties_of_new_note( $post, $new_note );
 
-	\WordCamp_Budgets::log( $post->ID, get_current_user_id(), sprintf( 'Note: %s', $new_note_message ), array(
-		'action' => 'note-added',
-	) );
+	\WordCamp_Budgets::log(
+		$post->ID,
+		get_current_user_id(),
+		sprintf( 'Note: %s', $new_note_message ),
+		array(
+			'action' => 'note-added',
+		)
+	);
 }
 
 /**
@@ -1624,4 +1633,4 @@ function _generate_payment_report_jpm_wires( $args ) {
 	// JPM chokes on accents and non-latin characters.
 	$results = remove_accents( $results );
 	return $results;
-}
\ No newline at end of file
+}
diff --git a/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php b/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php
index 7da801ef5..f803e2eeb 100644
--- a/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php
+++ b/public_html/wp-content/plugins/wordcamp-payments/includes/wordcamp-budgets.php
@@ -27,93 +27,117 @@ public function __construct() {
 	public static function register_post_statuses() {
 		// Uses core's draft status too.
 
-		register_post_status( 'wcb-incomplete', array(
-			'label'       => esc_html_x( 'Incomplete', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Incomplete <span class="count">(%s)</span>',
-				'Incomplete <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-incomplete',
+			array(
+				'label'       => esc_html_x( 'Incomplete', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Incomplete <span class="count">(%s)</span>',
+					'Incomplete <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 
-		register_post_status( 'wcb-pending-approval', array(
-			'label'       => esc_html_x( 'Pending Approval', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Pending Approval <span class="count">(%s)</span>',
-				'Pending Approval <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-pending-approval',
+			array(
+				'label'       => esc_html_x( 'Pending Approval', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Pending Approval <span class="count">(%s)</span>',
+					'Pending Approval <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 
-		register_post_status( 'wcb-needs-followup', array(
-			'label'       => esc_html_x( 'Needs Follow-up', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Needs Follow-up <span class="count">(%s)</span>',
-				'Needs Follow-up <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-needs-followup',
+			array(
+				'label'       => esc_html_x( 'Needs Follow-up', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Needs Follow-up <span class="count">(%s)</span>',
+					'Needs Follow-up <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 
-		register_post_status( 'wcb-approved', array(
-			'label'       => esc_html_x( 'Approved', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Approved <span class="count">(%s)</span>',
-				'Approved <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-approved',
+			array(
+				'label'       => esc_html_x( 'Approved', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Approved <span class="count">(%s)</span>',
+					'Approved <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 
-		register_post_status( 'wcb-pending-payment', array(
-			'label'       => esc_html_x( 'Payment Sent', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Payment Sent <span class="count">(%s)</span>',
-				'Payment Sent <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-pending-payment',
+			array(
+				'label'       => esc_html_x( 'Payment Sent', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Payment Sent <span class="count">(%s)</span>',
+					'Payment Sent <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 
-		register_post_status( 'wcb-paid', array(
-			'label'       => esc_html_x( 'Paid', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Paid <span class="count">(%s)</span>',
-				'Paid <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-paid',
+			array(
+				'label'       => esc_html_x( 'Paid', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Paid <span class="count">(%s)</span>',
+					'Paid <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 
-		register_post_status( 'wcb-failed', array(
-			'label'       => esc_html_x( 'Failed', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Failed <span class="count">(%s)</span>',
-				'Failed <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-failed',
+			array(
+				'label'       => esc_html_x( 'Failed', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Failed <span class="count">(%s)</span>',
+					'Failed <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 
-		register_post_status( 'wcb-cancelled', array(
-			'label'       => esc_html_x( 'Cancelled', 'payment request', 'wordcamporg' ),
-			'public'      => false,
-			'protected'   => true,
-			'label_count' => _nx_noop(
-				'Cancelled <span class="count">(%s)</span>',
-				'Cancelled <span class="count">(%s)</span>',
-				'wordcamporg'
-			),
-		) );
+		register_post_status(
+			'wcb-cancelled',
+			array(
+				'label'       => esc_html_x( 'Cancelled', 'payment request', 'wordcamporg' ),
+				'public'      => false,
+				'protected'   => true,
+				'label_count' => _nx_noop(
+					'Cancelled <span class="count">(%s)</span>',
+					'Cancelled <span class="count">(%s)</span>',
+					'wordcamporg'
+				),
+			)
+		);
 	}
 
 	/**
diff --git a/public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php b/public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php
index c8b71fc64..e014c6564 100644
--- a/public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php
+++ b/public_html/wp-content/plugins/wordcamp-payments/views/reimbursement-request/metabox-notes.php
@@ -1,33 +1,28 @@
 <?php
 
-namespace WordCamp\Budgets\Reimbursement_Requests;
-defined( 'WPINC' ) or die();
-
-?>
-
-<?php if ( empty ( $existing_notes ) ) : ?>
-
-	<?php _e( 'There are no notes yet.', 'wordcamporg' ); ?>
-
-<?php else : ?>
-
-	<?php foreach ( $existing_notes as $note ) : ?>
+if ( ! defined( 'WPINC' ) ) {
+	die();
+}
+
+if ( empty( $existing_notes ) ) :
+	esc_html_e( 'There are no private notes yet.', 'wordcamporg' );
+else :
+	foreach ( $existing_notes as $note ) : ?>
 		<div class="wcbrr-note">
 			<span class="wcbrr-note-meta">
-				<?php echo esc_html( date( 'Y-m-d', $note['timestamp'] ) ); ?>
-				<?php echo esc_html( \WordCamp_Budgets::get_requester_name( $note['author_id'] ) ); ?>:
+				<?php echo esc_html( gmdate( 'Y-m-d', $note['timestamp'] ) ); ?>
+				<?php echo esc_html( WordCamp_Budgets::get_requester_name( $note['author_id'] ) ); ?>:
 			</span>
 
 			<?php echo esc_html( $note['message'] ); ?>
 		</div>
-	<?php endforeach; ?>
-
-<?php endif; ?>
+	<?php endforeach;
+endif; ?>
 
 <div>
 	<h3>
 		<label for="wcbrr_new_note">
-			<?php _e( 'Add a Note', 'wordcamporg' ); ?>
+			<?php esc_html_e( 'Add a Note', 'wordcamporg' ); ?>
 		</label>
 
 		<?php if ( current_user_can( 'manage_network' ) ) : ?>

From 663588c725069f15b86764af763ce40659c0efa0 Mon Sep 17 00:00:00 2001
From: ren <18050944+renintw@users.noreply.github.com>
Date: Tue, 21 May 2024 04:32:01 +0900
Subject: [PATCH 3/3] Fix needs followup filter

---
 .../includes/payment-requests-dashboard.php                     | 1 -
 .../includes/payment-requests-list-table.php                    | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-dashboard.php b/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-dashboard.php
index f51c2aeea..fcc149ccd 100644
--- a/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-dashboard.php
+++ b/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-dashboard.php
@@ -333,7 +333,6 @@ public static function get_current_tab() {
 		$tabs = array(
 			'drafts',
 			'overdue',
-
 			'pending-approval',
 			'approved',
 			'pending-payment',
diff --git a/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-list-table.php b/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-list-table.php
index 561bbdfb2..b56fca832 100644
--- a/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-list-table.php
+++ b/public_html/wp-content/plugins/wordcamp-payments-network/includes/payment-requests-list-table.php
@@ -71,6 +71,8 @@ public function prepare_items() {
 			$where .= " AND `status` IN ( 'wcb-failed', 'wcb-cancelled' ) ";
 		} elseif ( 'drafts' == $view ) {
 			$where .= " AND `status` = 'draft' ";
+		} elseif ( 'needs-followup' == $view ) {
+			$where .= " AND `status` = 'wcb-needs-followup' ";
 		}
 
 		if ( ! empty( $_REQUEST['s'] ) ) {