feat!: make permission_callback arg required
#73
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR makes the permission_callback argument required for ability registration, introducing a breaking change to prevent abilities from running without proper permission checks.
- Removes support for abilities without permission callbacks
- Updates validation logic to require
permission_callbackas a mandatory parameter - Removes tests that verify null permission callback behavior
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/rest-api/wpRestAbilitiesRunController.php | Removes test for abilities without permission callbacks |
| tests/unit/abilities-api/wpRegisterAbility.php | Minor formatting cleanup |
| tests/unit/abilities-api/wpAbilitiesRegistry.php | Adds test to verify rejection of abilities without permission callbacks |
| includes/abilities-api/class-wp-ability.php | Updates validation logic to require permission_callback and removes nullable type |
| includes/abilities-api/class-wp-abilities-registry.php | Updates documentation to reflect required permission_callback |
| includes/abilities-api.php | Reorders parameter documentation for consistency |
| docs/3.registering-abilities.md | Updates documentation to mark permission_callback as required |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Co-authored-by: Copilot <[email protected]>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## trunk #73 +/- ##
============================================
+ Coverage 83.33% 86.91% +3.58%
+ Complexity 96 94 -2
============================================
Files 8 8
Lines 516 512 -4
============================================
+ Hits 430 445 +15
+ Misses 86 67 -19
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| * description?: string, | ||
| * input_schema?: array<string,mixed>, | ||
| * output_schema?: array<string,mixed>, |
There was a problem hiding this comment.
Required before optional.
| if ( empty( $this->get_input_schema() ) ) { | ||
| return call_user_func( $this->permission_callback ); | ||
| } |
There was a problem hiding this comment.
This is handled by ::validate_input()
There was a problem hiding this comment.
The point is that, if there is no schema, then we don't pass any input. What we agreed upon was that if someone wants to explicitly pass null, they need to provide the schema. This builds predictability, and that's why the condition is in place also here.
There was a problem hiding this comment.
Previously, I considered adding a method for calling these callbacks, but it felt like more code than necessary. However, having a method could help document this expected behavior better.
There was a problem hiding this comment.
What we agreed upon was that if someone wants to explicitly pass null, they need to provide the schema.
Can you clarify? If I understood you correctly that behavior is what this change enforces.
Previously diff, if there was no input schema, then any $input would get stripped and the execution callback would be be handled as if nothing was passed. As a result, if the schema allows an "explicit null, then the ability would still execute even if the supplied $input doesn't meet the correct shape.
With this diff, both no $input must be passed and the schema must support a null value for the ability to execute successfully.
(If you're referring to our internal ability to differentiate between null and unset, that was just one one of the concerns about going to mixed that I raised on #58 . Until core's minimum PHP supports named arguments, nothing can compete with either the dx or future-compat of a partially-sealed array, nullable or otherwise. 🤷♂️)
There was a problem hiding this comment.
I'm not sure I follow, so let me explain it in a different way:
- if there is no input schema declared, it means there is no input to pass, so the callback should be executed with no arguments
- If there is an input schema provided, it means it needs to be validated. This also allows passing an explicit
nullas the first argument, but also any other type of data:string,boolean,array, etc.
There was a problem hiding this comment.
if there is no input schema declared, it means there is no input to pass, so the callback should be executed with no arguments
If there is no input schema declared, but a user/mcp/traditional-tool nevertheless passes an $input what should the expected behavior be? E.g.
$post_getter => wp_get_ability( 'my-custom/get-posts ' );
$posts = $post_getter->execute();
$posts_explicit_null = $post_getter->execute( null );
$just_products = $post_getter->execute( [ 'post_type' => 'product' ] );-
$postswill return an error if aninput_schemais defined, but will proceed if an input schema is not defined. (✔️ both ways) -
$posts_explicit_null- old: will pass if no
input_schemais defined, will fail if aninput_schemais defined but does not allow for an explicit null. - this pr: will fail both if the
input_schemais defined but doesn't allow for an explicit null and if noinput_schemais defined. (because you're not passing "nothing", you're explicitly passing anull)
- old: will pass if no
-
$just_products: Here's the IRL dx footgun:- old: if no
input_schemais defined (IRL: filtering isn't supporting for by this specific ability), it will **return the same results as both$postsand$post_explicit_null. Only if there is aninput_schemadefined will you get a WP_Error saying that e.g. the expected argument is calledtypenotpost_type.
(or worse, that you should have called$get_all_posts->execute( int $amount_of_posts )and that ability will never be able to support post type filtering without breaking schema changes. This was my argument against Fix$inputtype hint inWP_Ability#58 and whymixedis arguably the worst thing we could do to this or any public API 🤷) - this: will fail both if the
input_schemais defined (as it should), but also if there is noinput_schema, correctly alerting the user that this is likely not theWP_Abilitythey're looking for.
- old: if no
I believe the behavior here is still ideal, even if the change to mixed negates a small part of the DX win.
Either way once clarified, I'll add backfill the necessary unit test to guarantee the behavior here doesn't change unintentionally
There was a problem hiding this comment.
If there is no input schema, and there is any input provided, then validate_input() kicks in. Reference:
abilities-api/includes/abilities-api/class-wp-ability.php
Lines 275 to 289 in 59d8ec6
So there are no concerns that someone passes an input that can't be validated due to a missing input schema. That's why we can safely skip the argument, making a better experience for devs as they don't have to always include ( $input = null ) for the callbacks that don't consume anything.
It's all a minor thing about ensuring we don't pass the default null when it is not needed.
There was a problem hiding this comment.
Okay now I'm sure we're not following each other, because that's literally the initial comment I left here explaining why I removed this conditional here, except you're using it to (seemingly) justify the opposite of what I am 😭
I'll add the unit tests for the above edge cases, if that doesn't clear things up (for either of us), i'll revert here and open a separate bug report that follows up #61 .
There was a problem hiding this comment.
The key here is that it needs to be impossible to pass unvalidated input through to permission_callback (and similarly execute_callback).
- @justlevine You're right that technically we can drop the
empty( $this->get_input_schema() )condition because if this is the case and the input isn'tnull, thevalidate_inputmethod would return aWP_Errorand this code wouldn't be reached. - That being said, I do think this is good to keep as a safe guard for good measure. We have the same in
do_execute. Having this extra check in there ensures directly before the relevant call that we don't pass any input (i.e. enforcenull) when there's no input schema.
Is it necessary? No. Is it a good measure for defensive coding and clarifying the importance of this to someone new working on this code in the future? Yes, I think so.
IMO we should just keep it. It doesn't hurt.
There was a problem hiding this comment.
This is here because reordering the prepare_properties() by required/not-required (et al) seemed like the least intrusive way to do this, but it's more of an Integration test pattern and not pure PHPUnit.
If wp-core needs vanilla unit tests, we can relocate and refactor these tests to use new WP_Ability()
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
| if ( empty( $this->get_input_schema() ) ) { | ||
| return call_user_func( $this->permission_callback ); | ||
| } |
There was a problem hiding this comment.
The point is that, if there is no schema, then we don't pass any input. What we agreed upon was that if someone wants to explicitly pass null, they need to provide the schema. This builds predictability, and that's why the condition is in place also here.
What
This PR makes
permission_callbacka required argument.Warning
This is a breaking change.
As a result of this change, Abilities that do not include a
permission_callbackwill now return aWP_Error.Why
permission_callbackargument required #68How
Specific implementation notes on diff.