fix: network admin Automatic mode always resets to manual (CMS-1503)

[fabianwgl]

Fixes CMS-1503 — on WordPress multisite, switching to Automatic mode in the network admin and saving would silently revert to Manual on every save.

Root cause: network_settings_save() hardcoded 'manual' as the value for cookiebot-cookie-blocking-mode in sitemeta regardless of what the user selected. Every other field in the same handler correctly reads from $_POST; this one did not.

Secondary issue: The cookie-blocking-mode UI section in both cb_frame and uc_frame network settings views was commented out. The strings inside contained unescaped apostrophes in PHP single-quoted strings (won't, user's, website's, 'strictly necessary'), which caused a parse error when uncommented. This explains why it was disabled in the first place.

Changes:

• Network_Menu_Settings.php — read cookiebot-cookie-blocking-mode from $_POST with allowlist validation, defaulting to 'manual'
• uc_frame/network-settings-page.php — uncommented cookie-blocking UI, escaped apostrophes in three strings
• cb_frame/network-settings-page.php — same

Tested locally with wp-env + Playwright on a multisite install: confirmed bug before fix (sitemeta auto → manual after save), confirmed both Automatic and "Choose per subsite" persist correctly after fix.

[qodo-code-review]

Review Summary by Qodo

Fix network admin Automatic mode always resetting to Manual

🐞 Bug fix

Walkthroughs

Description

• Fix network admin Automatic mode silently reverting to Manual on save
• Read cookie-blocking-mode from POST with validation instead of hardcoding
• Uncomment and fix cookie-blocking UI in both network settings views
• Escape apostrophes in PHP strings to prevent parse errors

Diagram

flowchart LR
  A["Network Settings Save Handler"] -->|Previously hardcoded 'manual'| B["Sitemeta always set to Manual"]
  A -->|Now reads from POST| C["Validate against allowlist"]
  C -->|Valid value| D["Sitemeta preserves user selection"]
  C -->|Invalid value| E["Default to Manual"]
  F["Uncommented UI Sections"] -->|Fixed escaped apostrophes| G["Cookie-blocking mode UI enabled"]

Loading

File Changes

1. src/settings/Network_Menu_Settings.php 🐞 Bug fix +5/-1

Read and validate cookie-blocking mode from POST

• Added allowlist validation for cookiebot-cookie-blocking-mode values
• Read blocking mode from $_POST instead of hardcoding 'manual'
• Sanitize input with sanitize_key() and validate against allowed modes
• Default to 'manual' if POST value is missing or invalid

src/settings/Network_Menu_Settings.php

---

2. src/view/admin/cb_frame/network-settings-page.php 🐞 Bug fix +4/-4

Uncomment and fix cookie-blocking UI section

• Uncommented cookie-blocking mode UI section
• Escaped apostrophe in won't string using backslash
• Escaped apostrophe in 'strictly necessary' string using backslash
• Restored functional cookie-blocking configuration interface

src/view/admin/cb_frame/network-settings-page.php

---

3. src/view/admin/uc_frame/network-settings-page.php 🐞 Bug fix +5/-5

Uncomment and fix cookie-blocking UI section

• Uncommented cookie-blocking mode UI section
• Escaped apostrophe in user's string using backslash
• Escaped apostrophe in website's string using backslash
• Restored functional cookie-blocking configuration interface

src/view/admin/uc_frame/network-settings-page.php

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

1. Cookie-blocking text translation break 🐞 Bug ≡ Correctness

Description

The cookie-blocking description strings’ quotes/apostrophes were changed (e.g., ‘strictly necessary’
→ 'strictly necessary', website’s → website's), so existing translations keyed to the old msgids
will not apply.

Code

src/view/admin/cb_frame/network-settings-page.php[81]

+									<?php esc_html_e( 'Select your cookie-blocking mode here. Auto cookie-blocking mode will automatically block all cookies (except for \'strictly necessary\' cookies) until a user has given consent. Manual cookie-blocking mode requests manual adjustments to the cookie-setting scripts. Please find our implementation guides below:', 'cookiebot' ); ?>

Evidence

cookiebot.pot contains msgids with typographic quotes/apostrophes for these cookie-blocking
descriptions; the templates now emit different literal strings, so gettext will not find matching
entries in existing .po files.

src/view/admin/cb_frame/network-settings-page.php[77-83]
src/view/admin/uc_frame/network-settings-page.php[113-118]
langs/cookiebot.pot[1944-1953]
langs/cookiebot.pot[2326-2330]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Cookie-blocking UI strings were uncommented/modified and their punctuation changed (typographic quotes/apostrophes → straight quotes/apostrophes). This changes gettext msgids and breaks existing translations.

### Issue Context
WordPress gettext uses the exact source string as the msgid. Even small punctuation changes create a new key.

### How to fix
Either:
- **Revert the literals to match existing msgids** in `cookiebot.pot` (e.g., keep `‘strictly necessary’` and `website’s`), or
- **Update i18n catalogs**: regenerate `langs/cookiebot.pot`, update all `langs/*.po` entries for the changed msgids (and compile `.mo` if applicable).

### Fix Focus Areas
- src/view/admin/cb_frame/network-settings-page.php[77-83]
- src/view/admin/uc_frame/network-settings-page.php[113-118]
- langs/cookiebot.pot[1944-1953]
- langs/cookiebot.pot[2326-2330]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
35.7% Duplication on New Code

See analysis details on SonarQube Cloud