Make WordPress Core

Opened 2 years ago

Last modified 2 months ago

#54832 new defect (bug)

_doing_it_wrong should write into debug.log

Reported by: okvee's profile okvee Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.8.3
Component: REST API Keywords:
Focuses: rest-api Cc:

Description

I was created a plugin that called to register_rest_route() without permission_callback argument. It worked fine until WordPress 5.5 that this argument is now required.

However, the errors is not appears anywhere except in the REST API headers but it is very hard to notice about that.

I keep using the old code because I didn't know about this change as it is not showing in the debug.log.
Until one day that WordPress 5.8 released and I was entered to the new widget management and BOOM!
All errors appears on the debug.log now.

This function (_doing_it_wring()) is useful and should write the details into debug.log file no matter where it is called.

Example:

add_action('rest_api_init', 'myplugin_register_routes');
function myplugin_register_routes()
{
    register_rest_route('myplugin', '/allitems', [
        'args' => [
            'mycustom' => 'args',
        ],
        'methods' => \WP_REST_Server::READABLE,
        'callback' => 'myplugin_get_items_function',
        // 'permission_callback' => 'is_missing',// should always showing error in debug.log
    ]);
}

Change History (3)

This ticket was mentioned in Slack in #core by jon_bossenger. View the logs.


3 months ago

#2 @psykro
2 months ago

In testing this ticket out today, I discovered why this is happening.

Inside the _doing_it_wrong function definition, the following check is done, before triggering the error.

See https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/functions.php#L5984

if ( WP_DEBUG && apply_filters( 'doing_it_wrong_trigger_error', true, $function_name, $message, $version ) ) {

In the rest_api_default_filters function, this doing_it_wrong_trigger_error hook has the __return_false callback applied to it.

See https://github.com/WordPress/wordpress-develop/blob/8ec4d9dfc7e2043485d83d4af9e505ec1cc21470/src/wp-includes/rest-api.php#L219

This is probably to prevent either displaying any errors or overloading the log files if some third party or bot were to spam any REST API request on a WordPress site.

Because the register_rest_route function should only be used after the rest_api_init hook, this means any _doing_it_wrong calls in the context of a REST API request will not be run.

However, as @okvee points out, this is not ideal when registering a rest route, as it means a developer could inadvertently register a public route, without specifying a permissions callback.

One way this could be fixed is to add the code below, just before the _doing_it_wrong call related to the permission_callback check here https://github.com/WordPress/wordpress-develop/blob/8ec4d9dfc7e2043485d83d4af9e505ec1cc21470/src/wp-includes/rest-api.php#L93

add_filter('doing_it_wrong_trigger_error', '__return_true');

It also probably needs to be set back to __return_false afterwards.

This ticket was mentioned in Slack in #core-restapi by jon_bossenger. View the logs.


2 months ago

Note: See TracTickets for help on using tickets.