Changeset 62238

Timestamp:

04/16/2026 07:22:23 AM (4 weeks ago)

Author:

gziolo

Message:

Abilities API: Catch exceptions thrown by ability callbacks and return WP_Error.

Wraps invoke_callback() in a try/catch so that exceptions thrown by execute or permission callbacks are converted to a WP_Error with the ability_callback_exception code instead of propagating as uncaught throwables.

Developed in: ​https://github.com/WordPress/wordpress-develop/pull/11544

Props priyankagusani, jamesgiroux, jeffpaul, dkotter, adamsilverstein, justlevine, jorbin, pavanpatil1.
Fixes #65058.

Location:

trunk

Files:

• src/wp-includes/abilities-api/class-wp-ability.php (modified) (2 diffs)
• tests/phpunit/tests/abilities-api/wpAbility.php (modified) (1 diff)

trunk/src/wp-includes/abilities-api/class-wp-ability.php

@@ -503 +503 @@
      * @param callable $callback The callable to invoke.
      * @param mixed    $input    Optional. The input data for the ability. Default `null`.
-     * @return mixed The result of the callable execution.
+     * @return mixed The result of the callable execution, or a `WP_Error` if the callback threw.
      */
     protected function invoke_callback( callable $callback, $input = null ) {
@@ -511 +511 @@
         }
 
-        return $callback( ...$args );
+        try {
+            return $callback( ...$args );
+        } catch ( Throwable $e ) {
+            return new WP_Error(
+                'ability_callback_exception',
+                sprintf(
+                    /* translators: 1: Ability name, 2: Exception message. */
+                    __( 'Ability "%1$s" callback threw an exception: %2$s' ),
+                    esc_html( $this->name ),
+                    esc_html( $e->getMessage() )
+                )
+            );
+        }
     }
 

trunk/tests/phpunit/tests/abilities-api/wpAbility.php

@@ -499 +499 @@
 
     /**
+     * Tests that an exception thrown by the execute callback is converted to a WP_Error
+     * instead of being propagated as an uncaught throwable.
+     *
+     * @ticket 65058
+     */
+    public function test_execute_catches_callback_exception() {
+        $args = array_merge(
+            self::$test_ability_properties,
+            array(
+                'execute_callback' => static function (): int {
+                    throw new RuntimeException( 'boom' );
+                },
+            )
+        );
+
+        $ability = new WP_Ability( self::$test_ability_name, $args );
+        $result  = $ability->execute();
+
+        $this->assertWPError( $result, 'Ability::execute() should return WP_Error when the callback throws.' );
+        $this->assertSame( 'ability_callback_exception', $result->get_error_code() );
+        $this->assertStringContainsString( 'boom', $result->get_error_message() );
+    }
+
+    /**
+     * Tests that an exception thrown by the permission callback is converted to a WP_Error
+     * instead of being propagated as an uncaught throwable.
+     *
+     * @ticket 65058
+     */
+    public function test_check_permissions_catches_callback_exception() {
+        $args = array_merge(
+            self::$test_ability_properties,
+            array(
+                'permission_callback' => static function (): bool {
+                    throw new RuntimeException( 'permission exploded' );
+                },
+            )
+        );
+
+        $ability = new WP_Ability( self::$test_ability_name, $args );
+        $result  = $ability->check_permissions();
+
+        $this->assertWPError( $result, 'Ability::check_permissions() should return WP_Error when the callback throws.' );
+        $this->assertSame( 'ability_callback_exception', $result->get_error_code() );
+        $this->assertStringContainsString( 'permission exploded', $result->get_error_message() );
+    }
+
+    /**
      * Tests that before_execute_ability action is fired with correct parameters.
      *