Context Navigation

← Previous Change
Next Change →

rest-server.php

Timestamp:

09/17/2024 09:50:38 PM (8 months ago)

Author:

TimothyBlynJacobs

Message:

REST API: Automatically populate targetHints for the Allow header.

The REST API uses the "Allow" header to communicate what methods a user is authorized to perform on a resource. This works great when operating on a single item route, but can break down when needing to determine authorization over a collection of items.

This commit uses the "targetHints" property of JSON Hyper Schema to provide access to the "allow" header for "self" links. This alleviates needing to make a separate network request for each item in a collection.

Props mamaduka, noisysocks, peterwilsoncc, spacedmonkey, swissspidy, timothyblynjacobs, tyxla, youknowriad.
Fixes #61739.

File:

: 1 edited

trunk/tests/phpunit/tests/rest-api/rest-server.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/tests/phpunit/tests/rest-api/rest-server.php

-                      r57987
+                      r59032
 class Tests_REST_Server extends WP_Test_REST_TestCase {
     protected static $icon_id;
+    protected static $admin_id;
+    protected static $post_id;
     /**
 …
     public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
+        $filename      = DIR_TESTDATA . '/images/test-image-large.jpg';
+        self::$icon_id = $factory->attachment->create_upload_object( $filename );
+        $filename       = DIR_TESTDATA . '/images/test-image-large.jpg';
+        self::$icon_id  = $factory->attachment->create_upload_object( $filename );
+        self::$admin_id = $factory->user->create(
+            array(
+                'role' => 'administrator',
+            )
+        );
+        self::$post_id  = $factory->post->create();
+    }
     public static function tear_down_after_class() {
         wp_delete_attachment( self::$icon_id, true );
+        self::delete_user( self::$admin_id );
+        wp_delete_post( self::$post_id );
         parent::tear_down_after_class();
 …
+    }
+    /**
+     * @ticket 61739
+     */
+    public function test_validates_request_when_building_target_hints() {
+        register_rest_route(
+            'test-ns/v1',
+            '/test/(?P<id>\d+)',
+            array(
+                array(
+                    'methods'             => \WP_REST_Server::READABLE,
+                    'callback'            => static function () {
+                        return new \WP_REST_Response();
+                    },
+                    'permission_callback' => '__return_true',
+                    'args'                => array(
+                        'id' => array(
+                            'type' => 'integer',
+                        ),
+                    ),
+                ),
+            )
+        );
+        $response = new WP_REST_Response();
+        $response->add_link( 'self', rest_url( 'test-ns/v1/test/garbage' ) );
+        $links = rest_get_server()::get_response_links( $response );
+        $this->assertArrayHasKey( 'self', $links );
+        $this->assertArrayNotHasKey( 'targetHints', $links['self'][0] );
+    }
+    /**
+     * @ticket 61739
+     */
+    public function test_sanitizes_request_when_building_target_hints() {
+        $validated_param = null;
+        register_rest_route(
+            'test-ns/v1',
+            '/test/(?P<id>\d+)',
+            array(
+                array(
+                    'methods'             => \WP_REST_Server::READABLE,
+                    'callback'            => static function () {
+                        return new \WP_REST_Response();
+                    },
+                    'permission_callback' => function ( WP_REST_Request $request ) use ( &$validated_param ) {
+                        $validated_param = $request['id'];
+                        return true;
+                    },
+                    'args'                => array(
+                        'id' => array(
+                            'type' => 'integer',
+                        ),
+                    ),
+                ),
+            )
+        );
+        $response = new WP_REST_Response();
+        $response->add_link( 'self', rest_url( 'test-ns/v1/test/5' ) );
+        $links = rest_get_server()::get_response_links( $response );
+        $this->assertArrayHasKey( 'self', $links );
+        $this->assertArrayHasKey( 'targetHints', $links['self'][0] );
+        $this->assertIsInt( $validated_param );
+    }
+    /**
+     * @ticket 61739
+     */
+    public function test_populates_target_hints_for_administrator() {
+        wp_set_current_user( self::$admin_id );
+        $response = rest_do_request( '/wp/v2/posts' );
+        $post     = $response->get_data()[0];
+        $link = $post['_links']['self'][0];
+        $this->assertArrayHasKey( 'targetHints', $link );
+        $this->assertArrayHasKey( 'allow', $link['targetHints'] );
+        $this->assertSame( array( 'GET', 'POST', 'PUT', 'PATCH', 'DELETE' ), $link['targetHints']['allow'] );
+    }
+    /**
+     * @ticket 61739
+     */
+    public function test_populates_target_hints_for_logged_out_user() {
+        $response = rest_do_request( '/wp/v2/posts' );
+        $post     = $response->get_data()[0];
+        $link = $post['_links']['self'][0];
+        $this->assertArrayHasKey( 'targetHints', $link );
+        $this->assertArrayHasKey( 'allow', $link['targetHints'] );
+        $this->assertSame( array( 'GET' ), $link['targetHints']['allow'] );
+    }
+    /**
+     * @ticket 61739
+     */
+    public function test_does_not_error_on_invalid_urls() {
+        $response = new WP_REST_Response();
+        $response->add_link( 'self', 'this is not a real URL' );
+        $links = rest_get_server()::get_response_links( $response );
+        $this->assertArrayNotHasKey( 'targetHints', $links['self'][0] );
+    }
+    /**
+     * @ticket 61739
+     */
+    public function test_does_not_error_on_bad_rest_api_routes() {
+        $response = new WP_REST_Response();
+        $response->add_link( 'self', rest_url( '/this/is/not/a/real/route' ) );
+        $links = rest_get_server()::get_response_links( $response );
+        $this->assertArrayNotHasKey( 'targetHints', $links['self'][0] );
+    }
+    /**
+     * @ticket 61739
+     */
+    public function test_prefers_developer_defined_target_hints() {
+        $response = new WP_REST_Response();
+        $response->add_link(
+            'self',
+            '/wp/v2/posts/' . self::$post_id,
+            array(
+                'targetHints' => array(
+                    'allow' => array( 'GET', 'PUT' ),
+                ),
+            )
+        );
+        $links = rest_get_server()::get_response_links( $response );
+        $link  = $links['self'][0];
+        $this->assertArrayHasKey( 'targetHints', $link );
+        $this->assertArrayHasKey( 'allow', $link['targetHints'] );
+        $this->assertSame( array( 'GET', 'PUT' ), $link['targetHints']['allow'] );
+    }
     public function _validate_as_integer_123( $value, $request, $key ) {
         if ( ! is_int( $value ) ) {

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 59032 for trunk/tests/phpunit/tests/rest-api/rest-server.php

Legend:

trunk/tests/phpunit/tests/rest-api/rest-server.php

Download in other formats: