[wp-trac] [WordPress Trac] #56483: Weird oneOf behaviour upon validation of post meta value upon GET retrieval via REST API
WordPress Trac
noreply at wordpress.org
Sun Dec 11 15:54:52 UTC 2022
#56483: Weird oneOf behaviour upon validation of post meta value upon GET retrieval
via REST API
-------------------------------+------------------------------
Reporter: joeyojoeyo12 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 6.0.1
Severity: major | Resolution:
Keywords: reporter-feedback | Focuses: rest-api
-------------------------------+------------------------------
Comment (by TimothyBlynJacobs):
In the future @joeyojoeyo12, it'd be best to add the details in the
follow-up comment instead of editing the first one. It makes things easier
to track that way.
> A) The consequence of this is that I cannot block incoming requests that
> have more data in the payload than needed, correct?
You can using `additionalProperties`.
> B) So I figured you have to specify it at both levels; can you confirm
> that?
You can omit it, but you have to then specify your schema callbacks
manually, see my next reply.
> C) do I still have to provide it explicitly to every argument?
It depends on how you register your route. If you use
`WP_REST_Controller::get_item_schema` combined with
`WP_REST_Controller::get_endpoint_args_for_item_schema` or simply
`rest_get_endpoint_args_for_schema`, the `args` definition for your route
will have the default JSON Schema validation and sanitization callbacks
automatically applied.
Otherwise, `WP_REST_Request` will automatically apply the schema
sanitization via `rest_parse_request_arg` but only if the arg has a
specified `type`.
> D) can you in WP JSON Schema maybe directly tell the args that the
> payload is a simply object; basically under no key?
No. The REST API doesn't support this behavior. A lot of the APIs are
formulated around request objects being a dictionary with parameter keys
that each have a set of validation and sanitization bits attached to it.
This may be supported officially in the future, but it would take some
doing.
In the meantime, you could set a `validate_callback` when you register
your REST API route alongside `callback` and `permission_callback`. It is
passed the entire `WP_REST_Request` object. Then you can call the sanitize
and validate callbacks directly.
Here is a corrected schema.
{{{
[
    'data' => [
        'sanitize_callback' => 'rest_sanitize_request_arg',
        'validate_callback' => 'rest_validate_request_arg',
        'required'          => true,
        'oneOf'             => [
            [
                'title'                => 'only_banana',
                'type'                 => 'object',
                'additionalProperties' => false,
                'properties'           => $banana_attributes
            ],
            [
                'title'                => 'banana_and_apple',
                'type'                 => 'object',
                'additionalProperties' => false,
                'properties'           => array_merge(
                    $banana_attributes,
                    $apple_attributes
                )
            ],
            [
                'title'                => 'banana_and_apple_and_pear',
                'type'                 => 'object',
                'additionalProperties' => false,
                'properties'           => array_merge(
                    $banana_attributes,
                    $apple_attributes,
                    $pear_attributes
                )
            ]
        ]
    ]
]
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56483#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
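
The route-level `validate_callback` approach from the reply to D, combined with the `additionalProperties` and `oneOf` pattern of the corrected schema, as an added example that is not code from the ticket or from WordPress core. The namespace, route and property names are hypothetical, and the file is assumed to be loaded as a WordPress plugin.

```php
<?php
// Added example. Namespace, route and property names are hypothetical.
$banana = [ 'color' => [ 'type' => 'string', 'required' => true ] ];
$apple  = [ 'variety' => [ 'type' => 'string', 'required' => true ] ];

// Schema for the whole JSON body. Each branch sets additionalProperties to
// false and marks its properties required, so a payload matches exactly one.
$body_schema = [
    'type'  => 'object',
    'oneOf' => [
        [
            'title'                => 'only_banana',
            'type'                 => 'object',
            'additionalProperties' => false,
            'properties'           => $banana,
        ],
        [
            'title'                => 'banana_and_apple',
            'type'                 => 'object',
            'additionalProperties' => false,
            'properties'           => array_merge( $banana, $apple ),
        ],
    ],
];

add_action( 'rest_api_init', function () use ( $body_schema ) {
    register_rest_route( 'fruit-example/v1', '/basket', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        // Route-level callback: receives the entire WP_REST_Request.
        'validate_callback'   => function ( WP_REST_Request $request ) use ( $body_schema ) {
            $body = $request->get_json_params();
            if ( ! is_array( $body ) ) {
                return new WP_Error( 'rest_invalid_param', 'A JSON object body is required.', [ 'status' => 400 ] );
            }
            $valid = rest_validate_value_from_schema( $body, $body_schema, 'body' );
            if ( is_wp_error( $valid ) ) {
                $valid->add_data( [ 'status' => 400 ] ); // report as a client error
            }
            return $valid;
        },
        'callback'            => function ( WP_REST_Request $request ) use ( $body_schema ) {
            $clean = rest_sanitize_value_from_schema( $request->get_json_params(), $body_schema, 'body' );
            return rest_ensure_response( $clean );
        },
    ] );
} );
```

With this schema a body containing only `color` matches `only_banana`, a body with `color` and `variety` matches `banana_and_apple`, and a body carrying any other key matches no branch and is rejected.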