[wp-trac] [WordPress Trac] #64989: Add execution lifecycle filters to WP_Ability methods

WordPress Trac noreply at wordpress.org
Thu May 21 07:56:47 UTC 2026


#64989: Add execution lifecycle filters to WP_Ability methods
--------------------------------------+---------------------
 Reporter:  gziolo                    |       Owner:  gziolo
     Type:  enhancement               |      Status:  closed
 Priority:  normal                    |   Milestone:  7.1
Component:  Abilities API             |     Version:  6.9
 Severity:  normal                    |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+---------------------
Changes (by gziolo):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"62397" 62397]:
 {{{
 #!CommitTicketReference repository="" revision="62397"
 Abilities API: Add execution lifecycle filters to WP_Ability methods

 Introduce four filters that give plugins hook points across the ability
 execution lifecycle, complementing the existing observation-only actions
 (`wp_before_execute_ability`, `wp_after_execute_ability`):

 - `wp_pre_execute_ability`: short-circuits `execute()` when it returns a
 value other than the supplied default.
 - `wp_ability_normalize_input`: transforms input inside
 `normalize_input()`, and returning `WP_Error` halts execution.
 - `wp_ability_permission_result`: overrides the `permission_callback`
 result inside `check_permissions()`, consistently for `execute()` and
 direct callers.
 - `wp_ability_execute_result`: transforms the result inside `do_execute()`
 before output validation, and can recover from execute callback failures.

 The input and result filters fire before their respective schema
 validation steps, so `validate_input()` and `validate_output()` remain the
 final integrity gates. Only `wp_pre_execute_ability` can bypass
 validation, with the caller owning the returned value's shape.

 Add `WP_Filter_Sentinel`, a reusable marker class loaded alongside
 `WP_Hook`, whose per-instance identity lets a filter default be
 distinguished from any
 user value — including `null`, `false`, or arbitrary objects — via `===`.

 Update `WP_REST_Abilities_V1_Run_Controller::check_ability_permissions()`
 to propagate `WP_Error` results from `normalize_input()` directly,
 defaulting to
 status 400 while preserving filter-set statuses (e.g. 422, 429).

 Props gziolo, westonruter, migueluy.
 Fixes #64989.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64989#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list