Opened 3 years ago
Last modified 7 months ago
#54832 new defect (bug)
_doing_it_wrong should write into debug.log
Reported by: | okvee | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.8.3 |
Component: | REST API | Keywords: | |
Focuses: | rest-api | Cc: |
Description
I was created a plugin that called to register_rest_route()
without permission_callback
argument. It worked fine until WordPress 5.5 that this argument is now required.
However, the errors is not appears anywhere except in the REST API headers but it is very hard to notice about that.
I keep using the old code because I didn't know about this change as it is not showing in the debug.log.
Until one day that WordPress 5.8 released and I was entered to the new widget management and BOOM!
All errors appears on the debug.log now.
This function (_doing_it_wring()
) is useful and should write the details into debug.log file no matter where it is called.
Example:
add_action('rest_api_init', 'myplugin_register_routes'); function myplugin_register_routes() { register_rest_route('myplugin', '/allitems', [ 'args' => [ 'mycustom' => 'args', ], 'methods' => \WP_REST_Server::READABLE, 'callback' => 'myplugin_get_items_function', // 'permission_callback' => 'is_missing',// should always showing error in debug.log ]); }
In testing this ticket out today, I discovered why this is happening.
Inside the
_doing_it_wrong
function definition, the following check is done, before triggering the error.See https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/functions.php#L5984
In the
rest_api_default_filters
function, thisdoing_it_wrong_trigger_error
hook has the__return_false
callback applied to it.See https://github.com/WordPress/wordpress-develop/blob/8ec4d9dfc7e2043485d83d4af9e505ec1cc21470/src/wp-includes/rest-api.php#L219
This is probably to prevent either displaying any errors or overloading the log files if some third party or bot were to spam any REST API request on a WordPress site.
Because the
register_rest_route
function should only be used after therest_api_init
hook, this means any_doing_it_wrong
calls in the context of a REST API request will not be run.However, as @okvee points out, this is not ideal when registering a rest route, as it means a developer could inadvertently register a public route, without specifying a permissions callback.
One way this could be fixed is to add the code below, just before the
_doing_it_wrong
call related to thepermission_callback
check here https://github.com/WordPress/wordpress-develop/blob/8ec4d9dfc7e2043485d83d4af9e505ec1cc21470/src/wp-includes/rest-api.php#L93It also probably needs to be set back to
__return_false
afterwards.