Skip to content

Improve validation and permission checks for WP_HTTP_Polling_Sync_Server#11296

Open
chriszarate wants to merge 2 commits intoWordPress:trunkfrom
chriszarate:fix/http-polling-sync-server-validation
Open

Improve validation and permission checks for WP_HTTP_Polling_Sync_Server#11296
chriszarate wants to merge 2 commits intoWordPress:trunkfrom
chriszarate:fix/http-polling-sync-server-validation

Conversation

@chriszarate
Copy link

@chriszarate chriszarate commented Mar 19, 2026
edited
Loading

Harden WP_HTTP_Polling_Sync_Server endpoints to add additional validation and permission checks.

Props @peterwilsoncc for contributions

Trac ticket: https://core.trac.wordpress.org/ticket/64890

@github-actions
Copy link

github-actions bot commented Mar 19, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props czarate.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link

github-actions bot commented Mar 19, 2026

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

westonruter
westonruter reviewed Mar 19, 2026
View reviewed changes
src/wp-includes/collaboration/class-wp-http-polling-sync-server.php
'methods' => array( WP_REST_Server::CREATABLE ),
'callback' => array( $this, 'handle_request' ),
'permission_callback' => array( $this, 'check_permissions' ),
'validate_callback' => array( $this, 'validate_request' ),
Copy link
Member

@westonruter westonruter Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The presence of a validate_callback will prevent the input from being validated against the JSON Schema for the args, unfortunately. This is something which was pointed out to me by @deepaklalwani97 in #10966. See #10966 (comment).

I believe you'll need to explicitly validate against the schema in the validate_callback, as seen in that PR.

Copy link
Member

@westonruter westonruter Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe this is different since the validate_callback is added at the endpoint level instead of at the arg level? In any case, I wanted to flag it as something to be verified.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@westonruter westonruter westonruter left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chriszarate @westonruter