• I am building a REST endpoint that goes like this: users/articles/{article_id}, where {article_id} can be validated with validate_callback at the $args parameter level.
    In my validation, I check that the author of the article matches the currently logged-in user. If not, it returns a WP_Error of 404, assuming the user is logged in.
    I expect a 403 permission error to come up for a guest, but it does not. Rather, it throws a 404 since the user is not logged in.

    permission_callback is called after validate_callback, which I think is wrong. Permissions should come first, before validation, in my opinion.

    Example

    register_rest_route($this->namespace, $this->resource_name . '/(?P<article_id>[\d]+)', [
        'methods' => WP_REST_Server::READABLE,
        'permission_callback' => [$this, 'get_item_permissions_check'], // This happens later
        'callback' => [$this, 'get_item'],
        'validate_callback' => [self::class, 'validate_article'], // This is the validation
    ]);
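One way to get the response order the post asks for, as an added example that is not the poster's code: keep validate_callback to input shape only and do the login and ownership checks in permission_callback. The class name, the `example/v1` namespace and the returned fields are assumptions; it needs a running WordPress install.

```php
<?php
// Added example. Class name, namespace and response fields are assumptions.
class Example_User_Articles_Controller {
    private $namespace     = 'example/v1';     // assumed namespace
    private $resource_name = 'users/articles';

    public function register_routes() {
        register_rest_route( $this->namespace, '/' . $this->resource_name . '/(?P<article_id>[\d]+)', [
            'methods'             => WP_REST_Server::READABLE,
            'permission_callback' => [ $this, 'get_item_permissions_check' ],
            'callback'            => [ $this, 'get_item' ],
            'args'                => [
                'article_id' => [
                    // Runs before permission_callback, so it only checks the
                    // shape of the input and never touches the database.
                    'validate_callback' => static function ( $value ) {
                        return is_numeric( $value ) && (int) $value > 0;
                    },
                    'sanitize_callback' => 'absint',
                ],
            ],
        ] );
    }

    public function get_item_permissions_check( WP_REST_Request $request ) {
        // Guests are rejected first: rest_authorization_required_code()
        // returns 401 when not logged in and 403 when logged in.
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_forbidden', 'You must be logged in.',
                [ 'status' => rest_authorization_required_code() ] );
        }
        $post = get_post( (int) $request['article_id'] );
        // Same 404 for "does not exist" and "belongs to someone else", so the
        // response does not reveal which article IDs exist.
        if ( ! $post || (int) $post->post_author !== get_current_user_id() ) {
            return new WP_Error( 'rest_not_found', 'Article not found.', [ 'status' => 404 ] );
        }
        return true;
    }

    public function get_item( WP_REST_Request $request ) {
        $post = get_post( (int) $request['article_id'] );
        return rest_ensure_response( [ 'id' => $post->ID, 'title' => get_the_title( $post ) ] );
    }
}
add_action( 'rest_api_init', function () {
    ( new Example_User_Articles_Controller() )->register_routes();
} );
```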
Viewing 5 replies - 1 through 5 (of 5 total)