[wp-trac] [WordPress Trac] #62903: permission_callback should be called before validate_callback in REST API
WordPress Trac
noreply at wordpress.org
Wed Feb 5 01:20:08 UTC 2025
#62903: permission_callback should be called before validate_callback in REST API
-----------------------------+------------------------------
Reporter: donjajo | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch close | Focuses: rest-api
-----------------------------+------------------------------
Changes (by dd32):
* keywords: has-patch => has-patch close
Comment:
I disagree personally, as in your example the `validation` callback is
doing a permission check rather than validation.
The intention is that only valid inputs then proceed to check if the user
has access (ie. Can't determine if the user can edit the post, if no valid
post ID is provided), and only if the validation and permission checks
pass does it pass to the callback.
While I understand your opinion of the order of operations, as you've
noted, that's not something that can be changed due to back-compat and
existing plugins. So even if the current behaviour was wrong (which I
don't believe it is) it couldn't be changed.
If you don't agree with the behaviour of the callbacks, you can skip using
`validation_callback` and/or `permission_callback` and instead perform all
validation and permission checking within the `callback`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62903#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list