
Rentiva v4.33.0 — Pro Gate Unification

MaxHandMade
Maintainer

v4.33.0 closes three holes left over from the v4.31.0 RSA token migration: 22 callsites that bypassed the token check, a misleading License Admin message, and the impossibility of testing Pro features locally without running a license server.

Why this release exists

v4.31.0 introduced RSA-signed feature tokens as the single Pro authority via Mode::featureGranted(). Every Pro feature gate was supposed to call this method (or one of the canUse*() wrappers that delegate to it). But 22 places in the codebase still called the old Mode::featureEnabled() API, which only checked isPro() and never verified the token. A cracked copy that patches LicenseManager::isActive() to return true could unlock messages, advanced reports, and exports at those callsites without ever having a valid token.

This release migrates every callsite, soft-deprecates the old API, and adds two UX fixes that were piling up.

Changes

🔒 Security: 22 callsites now token-verify

File                                          Callsites
--------------------------------------------  ---------
Frontend/Account/AccountRenderer.php          1
Frontend/Account/WooCommerceIntegration.php   2
Messages/Core/Messages.php                    1
Messages/Frontend/CustomerMessages.php        1
Messages/REST/*.php (3 files)                 3
Reports/Reports.php                           2
Utilities/Export/Export.php                   3
Utilities/Export/ExportReports.php            6
Utilities/Menu/Menu.php                       3

All migrated to the appropriate Mode::canUse*() method. Mode::featureEnabled() is now a soft-deprecated wrapper that emits a _deprecated_function() notice in WP_DEBUG. The body is preserved for any third-party callers; hard removal slated for v5.0.

🔧 License Admin: actual state instead of static text

The License page used to print "All Pro features active: Unlimited vehicles/bookings, export, advanced reports, Vendor & Payout." every time a license was active — regardless of which feature tokens the server had actually granted. Customers with empty or partial tokens would read that line and then wonder why the Vendor menu was missing.

The new rendering derives the list from real gate decisions:

Active Pro features: Vendor & Payout, Advanced Reports, Messages, Expanded Export

If no gates are active (license active but token empty — a state that shouldn't normally happen but did during the v4.30.x → v4.31.0 transition), the page now shows a warning notice with a "Re-validate Now" CTA instead of the misleading text.

✨ Developer Mode for local Pro testing

Adding a Pro feature locally has been awkward since v4.31.0: the RSA-signed feature token is issued by the license server, which devs may not run on their machine. The result was a fail-closed gate — local Pro features were untestable without copying tokens from production (which you shouldn't).

Two new constants enable a bypass:

// wp-config.php (development only)
define( 'WP_DEBUG', true );
define( 'MHM_RENTIVA_DEV_PRO', true );

When both are true, Mode::featureGranted() skips the token verification step and returns true. The isPro() check still runs first, so a Lite license cannot bypass to Pro — you still need an active license, just not a valid token.
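
The gate order described above, contrasted with the isPro()-only check the 22 old callsites relied on, as an added sketch (not Rentiva's code). The token layout (base64 JSON payload, a dot, base64 RSA-SHA256 signature), the `features` claim name and both function names are assumptions; the key pair is generated on the spot for the demo.

```php
<?php
// Added illustration, not Rentiva source. Token layout and names are assumptions.

function token_grants(string $token, string $feature, string $publicKeyPem): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false; // missing or malformed token: fail closed
    }
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    if ($payload === false || $sig === false) {
        return false;
    }
    // Verify the signature before trusting any field of the payload.
    // openssl_verify() returns 1 only for a valid signature (0, -1 or false otherwise).
    if (openssl_verify($payload, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    $claims = json_decode($payload, true);
    return is_array($claims) && in_array($feature, $claims['features'] ?? [], true);
}

function feature_granted(string $feature, bool $isPro, bool $devBypass, string $token, string $pub): bool {
    if (!$isPro) {
        return false; // licence check runs first, so the bypass cannot lift Lite to Pro
    }
    if ($devBypass) {
        return true;  // only when WP_DEBUG and MHM_RENTIVA_DEV_PRO are both true
    }
    return token_grants($token, $feature, $pub);
}

// Constructed demo data: a throwaway key pair stands in for the licence server's key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$payload = json_encode(['features' => ['messages', 'reports']]);
openssl_sign($payload, $sig, $key, OPENSSL_ALGO_SHA256);
$token = base64_encode($payload) . '.' . base64_encode($sig);

var_dump(feature_granted('messages', true, false, $token, $pub)); // signed claim present
var_dump(feature_granted('export', true, false, $token, $pub));   // claim not in token
var_dump(feature_granted('messages', true, false, '', $pub));     // licence "active", no token
var_dump(feature_granted('messages', false, true, $token, $pub)); // Lite with dev bypass set
```

The third call models a patched licence check with no token behind it: the gate still refuses because the signature check fails closed.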

Production safety: Hostinger production environments have WP_DEBUG=false by default, so even if MHM_RENTIVA_DEV_PRO slipped into a production wp-config.php (it shouldn't), the bypass would not engage.

The yellow "Geliştirici Modu" ("Developer Mode") banner subtitle now reflects whether the bypass is actually active or just dormant.

A new filter mhm_rentiva_dev_pro_bypass exposes the bypass decision for testability — PHPUnit cannot toggle PHP defines within a single process.
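
One way to avoid depending on the host's WP_DEBUG default alone is a must-use plugin that forces the bypass off in production (added example, not shipped with Rentiva). It assumes the mhm_rentiva_dev_pro_bypass filter passes the boolean bypass decision as its filtered value; the file name is hypothetical.

```php
<?php
/**
 * wp-content/mu-plugins/rentiva-dev-bypass-guard.php (hypothetical file name)
 * Added example; not part of Rentiva.
 */

// wp_get_environment_type() returns 'production' unless WP_ENVIRONMENT_TYPE says
// otherwise, so development machines must set it to 'local' or 'development'.
if ( 'production' === wp_get_environment_type() ) {

    // Assumption: the filtered value is the boolean bypass decision.
    // Registered at the last priority so no other callback can re-enable it.
    add_filter( 'mhm_rentiva_dev_pro_bypass', '__return_false', PHP_INT_MAX );

    if ( defined( 'MHM_RENTIVA_DEV_PRO' ) && MHM_RENTIVA_DEV_PRO ) {
        // Surface the stray constant instead of silently ignoring it.
        error_log( 'MHM_RENTIVA_DEV_PRO is defined in a production wp-config.php; remove it.' );

        add_action( 'admin_notices', static function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return;
            }
            echo '<div class="notice notice-error"><p>'
                . esc_html( 'MHM_RENTIVA_DEV_PRO is defined on a production site. Remove it from wp-config.php.' )
                . '</p></div>';
        } );
    }
}
```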

⚠️ BREAKING: Lite users lose xlsx/pdf export access

Old featureEnabled(FEATURE_EXPORT) returned true unconditionally for Lite users. This was a bug — the format check in callers (! in_array($format, ['csv', 'json'])) was supposed to be the second gate, but featureEnabled short-circuited it. So Lite users could request xlsx and pdf exports.

canUseExport() correctly returns false for Lite. CSV and JSON are still free; xlsx and pdf are now Pro-only as intended.

Migration path for affected Lite users: upgrade to Pro for full format access, or stick with CSV/JSON.

🌐 Translation quality (collateral)

The v4.33.0 i18n pass triggered a msgmerge over the entire TR catalog. Some pre-existing translations had been auto-flagged as fuzzy in earlier releases and never reviewed. We fixed 22 of them in this pass:

  • "Airport Transfer" had been mistranslated as "Aktarımı İzin Ver" (literally "Allow Transfer"). Now correctly "Havalimanı Transferi".
  • "Report Issue" was "Raporlar" (Reports). Now "Sorun Bildir".
  • Multiple plural forms shifted from %d/%d to positional %1$d/%2$d (matches the source argument order).
  • A handful of email label colons that had been dropped in earlier passes were restored.

msgmerge fuzzy count post-merge: 0 — verified by automation.

Compatibility

Component            Required version
-------------------  ----------------
mhm-license-server   v1.11.2 (adds 'export' to the issued feature-token allowlist)
mhm-polar-bridge     v1.9.0+
WordPress            6.7+
PHP                  8.1+

If v4.33.0 ships before mhm-license-server v1.11.2, Pro users will lose xlsx/pdf export for up to 24 hours — the new canUseExport() gate looks for an 'export' token claim that the server doesn't issue yet. The server's daily cron reissues tokens; manually clicking "Re-validate Now" on the License page refreshes immediately.

That's why the release chain order is server v1.11.2 first, then plugin v4.33.0.

Tests

  • 807 → 822 PHPUnit (+15)
    • 5 in ModeDevBypassTest
    • 4 in LicenseAdminActiveFeaturesTest
    • 6 in ModeGateMigrationTest
  • PHPCS: 0 errors, 0 warnings (release scope)
  • Plugin Check (WordPress.org compliance): 0 ERROR, 27 WARNING (all pre-existing, all known false-positives from Plugin Check not reading phpcs.xml prefix config)

Upgrade notes

  1. Wait until mhm-license-server v1.11.2 is live (otherwise Pro export breaks for ~24h).
  2. Update the plugin via WP Admin → Plugins → Upload, or replace the ZIP via FTP.
  3. After update, click "Re-validate Now" on the License page once. This forces the client to fetch a fresh token from the server — without it, the daily cron is the next refresh window.
  4. Lite users who relied on (bug-enabled) xlsx exports: upgrade to Pro, or switch to CSV/JSON.

Local development

If you maintain a fork or extend the plugin:

// wp-config.php
define( 'WP_DEBUG', true );
define( 'MHM_RENTIVA_DEV_PRO', true ); // skip token check, exercise Pro gates

This unlocks Vendor Marketplace, Advanced Reports, Messages, and Expanded Export against an active license without a real RSA-signed token. Don't ship this to production.