@Ref34t Ref34t commented Sep 30, 2025

Summary

Changes Made

Documentation Fixes

  • docs/2.getting-started.md: Replaced 22-line manual permission checking example with clean 8-line execute() pattern
  • docs/4.using-abilities.md: Eliminated all manual permission checking examples, added advanced error handling section, fixed variable name bug

Security Fix

  • includes/rest-api/endpoints/class-wp-rest-abilities-run-controller.php: Fixed WP_Error truthiness vulnerability in REST API permissions

Test plan

  • Verify documentation examples follow recommended patterns
  • Test REST API endpoint permission handling with various scenarios
  • Confirm no manual permission checking anti-patterns remain in docs

Mohamed Khaled and others added 12 commits September 26, 2025 15:31

Replace 22-line manual permission checking anti-pattern with clean 8-line
execute() approach per @justlevine feedback. This eliminates the security
risk of teaching developers complex permission workflows that can introduce
WP_Error truthiness bugs.

… examples

- Remove manual check_permission() before execute() examples
- Add clean execute() → is_wp_error() pattern throughout
- Include advanced error handling with ability_invalid_permissions
- Fix variable name bug in first example
- Eliminate confusing method signature that contradicted guidance
- Address all @justlevine feedback about promoting execute() over manual checks

Change permission check from loose to strict comparison in run_ability_permissions_check().
The previous pattern `if ( ! $ability->check_permission( $input ) )` would incorrectly
pass WP_Error objects as truthy, potentially allowing unauthorized access.

Fixed by using `if ( true !== $ability->check_permission( $input ) )` to properly
handle both false and WP_Error return values.
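The WP_Error truthiness bug described in the commit above, as an added example that is not the plugin's own code: a minimal stand-in for WordPress's WP_Error class so the script runs outside WordPress, a hypothetical Demo_Ability whose check_permission() returns true, false or a WP_Error, and the loose check beside the strict one from the fix. The input keys logged_in and can_run are constructed for the demo.

```php
<?php
// Added example, not the plugin's code. Minimal stand-in so this runs outside
// WordPress; the only property needed here is that WP_Error is an object, and
// every object is truthy in PHP.
if ( ! class_exists( 'WP_Error' ) ) {
	class WP_Error {
		public $code;
		public function __construct( $code = '', $message = '' ) { $this->code = $code; }
	}
}

// Hypothetical ability: check_permission() returns true, false, or a WP_Error.
final class Demo_Ability {
	public function check_permission( array $input ) {
		if ( empty( $input['logged_in'] ) ) {
			return new WP_Error( 'ability_invalid_permissions', 'You must be logged in.' );
		}
		return ! empty( $input['can_run'] );
	}
}

// Loose check (the pattern the commit replaces): a WP_Error is truthy, so
// `! $result` is false and the anonymous caller is let through.
function loose_permissions_check( Demo_Ability $ability, array $input ) {
	if ( ! $ability->check_permission( $input ) ) {
		return false;
	}
	return true;
}

// Strict check (the fixed pattern): only the literal true grants access, so
// both false and a WP_Error result in a denial.
function strict_permissions_check( Demo_Ability $ability, array $input ) {
	if ( true !== $ability->check_permission( $input ) ) {
		return false;
	}
	return true;
}

$ability   = new Demo_Ability();
$anonymous = array( 'logged_in' => false, 'can_run' => true ); // constructed input
$member    = array( 'logged_in' => true, 'can_run' => false );  // constructed input
foreach ( array( 'anonymous' => $anonymous, 'member lacking can_run' => $member ) as $who => $input ) {
	printf( "%s: loose allows=%s, strict allows=%s\n", $who,
		var_export( loose_permissions_check( $ability, $input ), true ),
		var_export( strict_permissions_check( $ability, $input ), true ) );
}
```

Run with `php` on the command line; the anonymous row is the one where the loose and strict checks disagree.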
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @[email protected].

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: [email protected].

Co-authored-by: Ref34t <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@Ref34t Ref34t changed the base branch from trunk to update/version-0.2.0-preps September 30, 2025 08:54
@Ref34t Ref34t changed the base branch from update/version-0.2.0-preps to trunk September 30, 2025 08:54
@Ref34t Ref34t closed this Sep 30, 2025