[wp-trac] [WordPress Trac] #62903: permission_callback should be called before validate_callback in REST API

WordPress Trac noreply at wordpress.org
Tue Feb 4 08:12:39 UTC 2025


#62903: permission_callback should be called before validate_callback in REST API
--------------------------+------------------------------
 Reporter:  donjajo       |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  REST API      |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  rest-api
--------------------------+------------------------------

Comment (by donjajo):

 Replying to [comment:3 dd32]:
 > I believe what you're seeing is correct.
 >
 > `validate_callback` shouldn't be used to validate whether it's correct
 > for a user, rather, it should validate that the value presented is correct
 > for the field.
 >
 > For example:
 > {{{
 > validate_callback: Validate that the ID input is numeric. This should
 > only fail for always invalid inputs.
 > ie. is_numeric( $input )
 >
 > permission_callback: Verify that the user is logged in, and has access
 > to the referenced item
 > ie. current_user_can( 'edit_post', $post_id )
 >
 > callback: Fetch data, output
 > ie. return get_post( $post_id )->post_name;
 > }}}
 >
 > It would be best practice to also include capability checks in the
 > callback itself, rather than purely relying upon the permission_callback,
 > as capability checks should be relatively cheap computation wise.

 Your explanation is valid. What I am concerned about is the order of
 execution. I think the permission check should come before the
 validation check.

 For example:

 - permission_callback: Checks if the user is logged in and is in the
 "writers" role
 - validate_callback: Checks if the current logged-in user has access to
 the URL resource which specifies the ID. This is also a valid use-case
 of validate_callback, because, if the user does not, it is an invalid
 value. (e.g. trying to access a post that you did not create:
 `users/articles/{article_id}`)

 We require permissions to pass before validation.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62903#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
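The route registration below is an added example written for this ticket and is not code from the ticket, the reporter, or WordPress core. It shows the split dd32 describes: `validate_callback` checks only the shape of the value, every authorization decision sits in `permission_callback`, and the handler repeats the cheap capability check. The namespace `example/v1`, the `/articles/{article_id}` route, and the `edit_post` capability are assumptions for illustration.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core). Assumed namespace,
 * route and capability; adjust to the plugin's own values.
 */

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example/v1',                                   // assumed namespace
        '/articles/(?P<article_id>[\d]+)',              // assumed route
        array(
            'methods'             => 'GET',
            'callback'            => 'example_get_article_slug',
            'permission_callback' => 'example_article_permission',
            'args'                => array(
                'article_id' => array(
                    'required'          => true,
                    // Shape only: reject values that are always invalid.
                    // Nothing here depends on who the current user is, so
                    // the order in which core runs validation and the
                    // permission check does not change what a client learns.
                    'validate_callback' => function ( $value, $request, $param ) {
                        if ( ! is_numeric( $value ) || (int) $value <= 0 ) {
                            return new WP_Error(
                                'rest_invalid_param',
                                sprintf( '%s must be a positive integer.', $param ),
                                array( 'status' => 400 )
                            );
                        }
                        return true;
                    },
                    'sanitize_callback' => 'absint',
                ),
            ),
        )
    );
} );

/**
 * Authorization lives here: logged-in check plus an object-level capability
 * check against the referenced post. Returning a WP_Error instead of false
 * lets the response carry 401 vs 403 explicitly.
 */
function example_article_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to view this article.',
            array( 'status' => 401 )
        );
    }

    $post_id = (int) $request->get_param( 'article_id' );

    // A missing post and a post the user may not edit both yield the same
    // 403, so the endpoint does not reveal which IDs exist.
    if ( ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view this article.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true;
}

/**
 * The handler repeats the capability check, as dd32 recommends, so the
 * authorization decision does not depend on callback ordering alone.
 */
function example_get_article_slug( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'article_id' );

    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view this article.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return rest_ensure_response(
        array( 'slug' => get_post( $post_id )->post_name )
    );
}
```

With this layout a malformed `article_id` produces a 400 whether or not the caller is authenticated, and that 400 discloses nothing about the caller's access. If the "does this user own the article" check from the second list item above were placed in `validate_callback` instead, it would execute before the role check in `permission_callback` under the current ordering, which is the concern the ticket raises; keeping that check in `permission_callback` avoids depending on the order at all.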

