=== Cutmap Editorial Workflow ===
Contributors: aswinikumar
Tags: workflow, content management, editorial, assignments, review
Requires at least: 5.8
Tested up to: 6.9
Stable tag: 1.4.6
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Professional content workflow system. Admin assigns creators and approvers to manage editorial cycles.

== Description ==

The Cutmap Editorial Workflow (CEW) is a professional-grade content management solution for WordPress. It is designed to bring structure, accountability, and security to the content creation process by implementing a multi-stage editorial workflow.

Whether you are managing a small blog or a large-scale news portal, CEW ensures that every piece of content is reviewed and approved before it reaches your audience.

Key Features:

*   Role-Based Access Control (RBAC): Specialized user roles (Creators, Approvers) with restricted admin access.
*   Multi-Stage Workflow Tracking: Post lifecycle stages including Assigned, In Review, and Approved.
*   Centralized Assignment Dashboard: Admins can manage all active workflows and assign specific Creators and Approvers to any post, page, or custom post type.
*   Content Isolation & Focus: Creators and Approvers only see the content they are currently assigned to, reducing clutter and preventing unauthorized edits.
*   Transparent Revision Management: Safe editing of live content via snapshots that only go live after approval.
*   Activity & Audit Logging: Detailed logs for tracking all workflow events.
*   Automated Notifications: Real-time email/admin alerts on task assignments and status updates.

== Installation ==

1. Upload the `cutmap-editorial-workflow` folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Use the 'Workflows' menu in the admin dashboard to start assigning content.

== Frequently Asked Questions ==

= Can I use this for Custom Post Types? =

Yes, the Cutmap Editorial Workflow supports Posts, Pages, and all registered Custom Post Types.

= How do I add a Creator? =

The plugin automatically creates a 'Creator' role upon activation. You can assign this role to any user from the WordPress 'Users' menu.

== Screenshots ==

1. The central assignments dashboard showing all active workflows.
2. The post editor screen with the Workflow Management metabox.
3. Audit log showing the history of a specific content piece.

== Changelog ==

= 1.4.6 =
* Security: Removed hardcoded sample-user password (`Workflow@123`). Each new sample user now receives a unique password generated via `wp_generate_password(16, true)`, displayed once in the admin notice and never stored in source.
* Security: Added `rest_pre_insert_{post_type}` enforcement to block unauthorized publish attempts via the REST API. Admin-role REST tokens can no longer bypass the editorial workflow when a post has an active assignment.
* Bug fix: `reject()` no longer overwrites the approved content snapshot with the rejected draft. Visitors continue seeing the last explicitly approved version while the creator revises and re-submits.
* Performance: `dbDelta()` schema checks in `CUTMAP_DB` and `CUTMAP_WNS` are now guarded by a version option (`cew_db_version`, `cew_wns_version`). The expensive schema introspection runs only on activation/upgrade, not on every page load.
* Cleanup: `uninstall.php` now deletes all `_cew_*` post meta rows and removes plugin version options, leaving no orphaned data after deletion.
* Reliability: The `ALTER TABLE … DROP INDEX` migration for the audit-log unique key now runs reliably on every upgrade because the schema version option is cleared on activation.
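
The REST enforcement described in the 1.4.6 entry above can be pictured with the following sketch. It is an added example, not code from the plugin: the function name, the `_cew_example_stage` meta key, the `approved` stage value and the text domain are hypothetical, and only the core `rest_pre_insert_{post_type}` filter and the `_cew_` meta prefix come from this readme.

```php
<?php
// Added illustration; not the plugin's own code.
// Hypothetical meta key under the `_cew_` prefix this readme mentions.
const EXAMPLE_CEW_STAGE_META = '_cew_example_stage';

/**
 * Reject REST writes that would publish a post whose workflow is still open.
 * Core applies this filter to the prepared post object before inserting it,
 * and a WP_Error returned here aborts the request.
 */
function example_cew_block_rest_publish( $prepared_post, $request ) {
	// post_status is only set when the request carries a status.
	$target = isset( $prepared_post->post_status ) ? $prepared_post->post_status : '';
	if ( ! in_array( $target, array( 'publish', 'future' ), true ) ) {
		return $prepared_post;
	}

	// Updates carry an ID; a brand-new post cannot have an assignment yet.
	$post_id = isset( $prepared_post->ID ) ? (int) $prepared_post->ID : 0;
	if ( 0 === $post_id ) {
		return $prepared_post;
	}

	// Assumption: an empty value means "no assignment", 'approved' means done.
	$stage = get_post_meta( $post_id, EXAMPLE_CEW_STAGE_META, true );
	if ( '' === $stage || 'approved' === $stage ) {
		return $prepared_post;
	}

	// No current_user_can() exemption on purpose: per the changelog entry,
	// administrator credentials must not bypass an active assignment.
	return new WP_Error(
		'example_cew_workflow_active',
		__( 'This content has an active workflow assignment and cannot be published until it is approved.', 'example-textdomain' ),
		array( 'status' => 403 )
	);
}

// Register late on init so custom post types are already registered.
add_action( 'init', function () {
	foreach ( get_post_types( array( 'show_in_rest' => true ), 'names' ) as $type ) {
		add_filter( "rest_pre_insert_{$type}", 'example_cew_block_rest_publish', 10, 2 );
	}
}, 99 );
```

A quick check for a rule like this is to send an authenticated `POST` with `status: publish` to the post's REST route while its assignment is still open and confirm a 403 response with the post status unchanged.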

= 1.4.5 =
* Resolved remaining critical security checklist issues including strict nonce validation across all forms/actions.
* Sanitized remaining raw `$_POST` and `$_GET` superglobal accesses and strictly avoided `empty()` checks for them.
* Re-audited output escaping inside admin tables and guaranteed all display logic passes through `esc_html()` and `esc_url()`.
* Ensured every single `admin_post` action starts with a firm `current_user_can()` capability check followed by `wp_die()`.

= 1.4.4 =
* Hardened admin actions with strict `current_user_can()` capability checks.
* Improved security by ensuring complete table cleanup on uninstall.
* Verified input sanitization and output escaping across the plugin.

= 1.4.3 =
* Removed UTF-8 Byte Order Marks (BOM) from PHP files to satisfy automated checks.

= 1.4.2 =
* Fixed unescaped translatable label strings in the frontend shortcode output by using `esc_html__`.

= 1.4.1 =
* Fixed `the_title` escaping context from `wp_kses_post` to `esc_html`.
* Fixed stale admin hook slug to ensure assets enqueue correctly.

= 1.4.0 =
* Fixed `wp_enqueue` issues by converting raw script/style tags.
* Added rigorous escaping output (`wp_kses_post`) to all filter callbacks.
* Cleaned up unclosed `ob_start` buffers to ensure safe hook flows.
* Changed short prefixes to longer `CUTMAP_` prefixes.

= 1.3.0 =
* Fixed plugin header metadata parsing issues for strict WordPress.org compatibility.

= 1.2.0 =
* Renamed plugin to Cutmap Editorial Workflow.
* Enhanced security: Enqueued all inline scripts and styles using WP core APIs.
* Refactored prefixes to comply with WordPress official plugin guidelines.
* Improved dashboard UI and workflow assignment screen.

= 1.1.0 =
* Hardened security and addressed plugin review feedback.
* Refined capabilities and user role checks.
* Removed redundant database tables for improved performance.

= 1.0.0 =
* Initial release.
* Added Creator and Approver roles.
* Added assignment tracking for posts and pages.
* Added email notification system.
