[in progress] Abilities API: Add a core/content ability#12195
[in progress] Abilities API: Add a core/content ability#12195jorgefilipecosta wants to merge 2 commits into
Conversation
Adds a read-only `core/content` ability that retrieves one or more posts of a post type exposed to abilities via a new `show_in_abilities` post type argument (enabled for `post` and `page` by default). Fetch a single post by ID or by slug, or query multiple posts filtered by post type, status, author, or parent, selecting a support-aware set of fields per post. Permissions follow the REST posts model: a coarse status/capability gate plus an authoritative per-post read_post check, with password-protected content withheld from users who cannot edit the post and a uniform not-found response to avoid leaking the existence of posts.
|
Hi there! 👋 Thank you for your contribution to WordPress! 💖 It looks like this is your first pull request to No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description. Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making. More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook. Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook. If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook. The Developer Hub also documents the various coding standards that are followed:
Thank you, |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
Mirrors the refinements from the core/settings review that also apply to core/content:
- Memoize the exposed post types so the input schema and the permission/execute
callbacks derive from a single walk of the registered post types.
- Default the input schema to an empty object so the type:object default serializes as {}.
- Harden input/value handling (type guards, a capability resolver, and a non-negative
integer helper) against loosely-typed request data.
1 participant
Summary
Adds a read-only
core/contentability that retrieves one or more posts of a post type exposed to abilities. It is a sibling of thecore/settingsability (#12141) and follows the same structure.A new
show_in_abilitiespost type argument controls exposure (enabled by default forpostandpage). Only post types with a truthyshow_in_abilitiesare queryable through the ability.Behavior
id, or byslug(slug requirespost_type, since slugs are not unique across types).post_type(required unlessidis given), filtered bystatus,author,parent, withpage/per_page.fieldsselects which fields each post returns. Per-post fields: alwaysid, type, status, date, modified, slug, link; and, when the post type supports them,title, excerpt, raw_content, author {id, display_name}, parent.{ posts: [...], total, total_pages }.Security
Follows the REST posts model, with defense in depth:
read/edit_posts/read_private_postscaps), plus an authoritative per-postread_postcheck on every returned row (author/status scoped).publish; non-public statuses require the appropriate capabilities.raw_content/excerpt) is withheld from users who cannot edit the post.Pagination
The ability accepts
page/per_pageand returnstotal/total_pagesin the body. A companion PR adds standardX-WP-Total/X-WP-TotalPagesresponse headers at the REST run-controller level; this ability works with or without that change (the totals are always in the body).Tests
tests/phpunit/tests/abilities-api/wpRegisterCoreContentAbility.php(direct execute/permission coverage) andtests/phpunit/tests/rest-api/wpRestAbilitiesContentController.php(REST dispatch), covering schema, retrieval, the field selector, pagination totals, and the full permission/visibility matrix (status gating, author scoping, private posts, password withholding, anti-enumeration).