[wp-trac] [WordPress Trac] #65099: Fix: Only auto register settings if the plugin the connector references is installed and active
WordPress Trac
noreply at wordpress.org
Tue Apr 21 09:03:42 UTC 2026
#65099: Fix: Only auto register settings if the plugin the connector references is
installed and active
--------------------------------------+---------------------
Reporter: jorgefilipecosta | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 7.0
Component: General | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+---------------------
Description changed by jorgefilipecosta:
Old description:
> `_wp_register_default_connector_settings()` in
> `src/wp-includes/connectors.php` is hooked to `init` (priority `20`) and
> walks
> every connector returned by `wp_get_connectors()`. For each connector
> that
> declares `authentication.method = 'api_key'` and an
> `authentication.setting_name`, it calls `register_setting( 'connectors',
> … )`
> so the setting is registered and available.
>
> Before this change, the only gate applied to non-AI connector types was
> that the setting had not already been registered. In practice this meant:
>
> 1. A connector for plugin B registered by another plugin (plugin A) would
> have its API key setting auto-registered even when the '''owning service
> plugin was not
> installed or not active'''.
> 2. The "orphan" setting then appeared in the `/wp-json/wp/v2/settings`
> response for a service that could not actually consume them.
> 3. For `ai_provider` connectors this was already handled — the function
> skipped providers that the AI Client registry did not know about — but
> the equivalent guard was missing for every other connector type.
>
> The root cause is that the non-AI branch had no mechanism to ask the
> owning
> plugin "are you actually here?" before exposing the setting.
>
> Uses is_active connector proposed by @iamadisingh at
> https://core.trac.wordpress.org/ticket/65020.
> PR https://github.com/WordPress/wordpress-develop/pull/11565.
>
> ** Testing **
>
> Verify the connectors page works as before.
> Verify the unit tests pass.
New description:
`_wp_register_default_connector_settings()` in
`src/wp-includes/connectors.php` is hooked to `init` (priority `20`) and
walks
every connector returned by `wp_get_connectors()`. For each connector that
declares `authentication.method = 'api_key'` and an
`authentication.setting_name`, it calls `register_setting( 'connectors', …
)`
so the setting is registered and available.
Before this change, the only gate applied to non-AI connector types was
that the setting had not already been registered. In practice this meant:
1. A connector for plugin B registered by another plugin (plugin A) would
have its API key setting auto-registered even when the '''owning service
plugin was not
installed or not active'''.
2. The "orphan" setting then appeared in the `/wp-json/wp/v2/settings`
response for a service that could not actually consume them.
3. For `ai_provider` connectors this was already handled — the function
skipped providers that the AI Client registry did not know about — but
the equivalent guard was missing for every other connector type.
The root cause is that the non-AI branch had no mechanism to ask the
owning
plugin "are you actually here?" before exposing the setting.
Uses is_active connector proposed by @iamadisingh at
https://core.trac.wordpress.org/ticket/65020.
PR fixing this issue at https://github.com/WordPress/wordpress-
develop/pull/11564.
** Testing **
Verify the connectors page works as before.
Verify the unit tests pass.
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65099#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list