[wp-trac] [WordPress Trac] #62903: permission_callback should be called before validate_callback in REST API
WordPress Trac
noreply at wordpress.org
Mon Feb 3 21:02:10 UTC 2025
#62903: permission_callback should be called before validate_callback in REST API
--------------------------+-----------------------------
Reporter: donjajo | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Keywords: has-patch
Focuses: rest-api |
--------------------------+-----------------------------
I am building a REST endpoint that looks like this:
`users/articles/{article_id}`, where `{article_id}` can be validated with
`validate_callback` at the `$args` parameter level.

In my validation, I check that the author of the article matches the
currently logged-in user. If not, it should return a WP_Error with a 404
status, assuming the user is logged in.

I expect a 403 permission error to come up for a guest, from
`permission_callback`, but it does not. Rather, it throws a 404 from
`validate_callback`, since the user is not logged in and the ID does not
match the author. Hence, `permission_callback` is not run.

Most of the `validate_callback`s on the endpoint do some user
authentication validation, which expects `permission_callback` to have
already handled it.

I believe a better design would be for `permission_callback` to be called
first on each route, before even running validations.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62903>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
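
The ordering described in the ticket can be worked around by keeping `validate_callback` to format checks and moving the login and ownership checks into `permission_callback`. The following is an added example, not code from the ticket or from WordPress core; the `myplugin/v1` namespace and the `myplugin_*` function names are hypothetical, and the route shape is taken from the ticket.

```php
<?php
// Added example. Namespace 'myplugin/v1' and the myplugin_* names are hypothetical.
add_action( 'rest_api_init', function () {
    // \d+ in the route means non-numeric IDs never match this handler at all.
    register_rest_route( 'myplugin/v1', '/users/articles/(?P<article_id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_get_article',
        'permission_callback' => 'myplugin_can_read_article',
        'args'                => array(
            'article_id' => array(
                // Format only. This runs before permission_callback, so it must
                // not depend on who the caller is or reveal whether a post exists.
                'validate_callback' => function ( $value, $request, $param ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function myplugin_can_read_article( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        // rest_authorization_required_code() gives 401 to guests, 403 to logged-in users.
        return new WP_Error(
            'rest_forbidden',
            __( 'You must be logged in to view this article.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    $post = get_post( (int) $request['article_id'] );
    // Same 404 for "does not exist" and "belongs to someone else", so a
    // logged-in user cannot tell other authors' article IDs apart from unused IDs.
    if ( ! $post || (int) $post->post_author !== get_current_user_id() ) {
        return new WP_Error( 'rest_not_found', __( 'Article not found.' ), array( 'status' => 404 ) );
    }
    return true;
}

function myplugin_get_article( WP_REST_Request $request ) {
    // Ownership was already enforced in the permission callback.
    $post = get_post( (int) $request['article_id'] );
    return rest_ensure_response( array( 'id' => $post->ID, 'title' => get_the_title( $post ) ) );
}
```

With this split, a guest requesting any numeric ID gets the authorization error before any post lookup happens, and the 404 is only reachable by an authenticated user.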