[wp-trac] [WordPress Trac] #43998: REST API: Permit unbounded per_page=-1 requests for authorized users

WordPress Trac noreply at wordpress.org
Wed May 23 16:23:18 UTC 2018

#43998: REST API: Permit unbounded per_page=-1 requests for authorized users
 Reporter:  danielbachhuber               |       Owner:  (none)
     Type:  enhancement                   |      Status:  new
 Priority:  normal                        |   Milestone:  4.9.8
Component:  REST API                      |     Version:
 Severity:  normal                        |  Resolution:
 Keywords:  needs-patch needs-unit-tests  |     Focuses:  rest-api

Comment (by earnjam):

 I've been working on a patch for this and am pretty close, but have a few
 inconsistencies that need to be discussed to determine the proper way to
 handle them:

 **1) Sanitize Callback**

 The parameter args take a `sanitize_callback` value. Currently that is set
 to `absint` in `WP_REST_Controller` and it works fine. The logical
 replacement would be `intval` since we'd now be allowing -1.

 However, this throws a PHP Warning `Wrong parameter count for intval()`
 because we are passing 3 parameters in the `call_user_func()` call in
 `WP_Rest_Request`. This doesn't throw the warning for `absint()`, which
 only accepts 1 parameter, because it's not a built-in PHP function. It
 basically just stays silent if you pass too many parameters to user-
 defined functions.

 If we don't pass a `sanitize_callback` as a parameter argument for
 `per_page`, then it ends up just falling back to using
 `rest_sanitize_value_from_schema()` and using the `type` value passed of
 `integer` and then gets typecast as `(int)`, so that will work as long as
 we're ok not explicitly passing a `sanitize_callback` there.


 **2) `per_page=0` vs `per_page=-1`**

 WP_Term_Query uses 0 for the `number` argument to get all terms instead of
 -1 like WP_Query and WP_User_Query do. How should we handle those?

 Should we allow either -1 or 0 and treat them both as unbounded?

 Should we return an invalid parameter for `/wp/v2/posts` and
 `/wp/v2/users` if someone passes `per_page=0`? Same with `/wp/v2/terms` if
 passed -1.

 Or should we just silently fall back to the default of 10 in those cases?

 I would lean toward the first option of accepting either value for any of
 the routes and treating them both as unbounded, but wanted feedback.

 We have some divide by zero situations to resolve depending on the
 direction we go with this.

Ticket URL: <https://core.trac.wordpress.org/ticket/43998#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
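
One way the first option in point 2 could look, as an added example (not the patch under discussion and not WordPress core code): both -1 and 0 are treated as unbounded, allowed only for authorized callers, and the page-count calculation is guarded against division by zero. All function names are hypothetical, the capability check is assumed to be done by the caller, and the upper bound of 100 is an assumed limit.

```php
<?php
// Added illustration. Every function name here is hypothetical.

/**
 * Sanitize callback with the three-argument shape the comment describes
 * (value, request, parameter name). The extra arguments are accepted and
 * ignored, so no built-in is called with too many arguments.
 */
function example_sanitize_per_page( $value, $request = null, $param = null ) {
    return (int) $value;
}

/**
 * Normalize per_page: -1 and 0 both mean "unbounded", permitted only when
 * $can_unbounded is true (the result of the caller's own capability check).
 * Returns null for unbounded, a positive int otherwise; throws on bad input.
 */
function example_normalize_per_page( $per_page, $can_unbounded, $max = 100 ) {
    if ( -1 === $per_page || 0 === $per_page ) {
        if ( ! $can_unbounded ) {
            throw new InvalidArgumentException( 'Unbounded per_page requires authorization.' );
        }
        return null;
    }
    if ( $per_page < 1 || $per_page > $max ) {
        throw new InvalidArgumentException( 'per_page must be between 1 and ' . $max . '.' );
    }
    return $per_page;
}

/** Page count for pagination headers, guarding the unbounded (divide-by-zero) case. */
function example_total_pages( $total_items, $per_page ) {
    if ( null === $per_page ) {
        return $total_items > 0 ? 1 : 0; // everything fits on a single page
    }
    return (int) ceil( $total_items / $per_page );
}

// Constructed sample inputs: [ raw per_page, caller authorized for unbounded? ].
$cases = array( array( '10', false ), array( '-1', true ), array( '0', true ), array( '-1', false ), array( '-5', true ) );
foreach ( $cases as $case ) {
    list( $raw, $authorized ) = $case;
    $who = $authorized ? 'yes' : 'no';
    try {
        $per_page = example_normalize_per_page( example_sanitize_per_page( $raw ), $authorized );
        printf( "per_page=%s authorized=%s => pages=%d\n", $raw, $who, example_total_pages( 45, $per_page ) );
    } catch ( InvalidArgumentException $e ) {
        printf( "per_page=%s authorized=%s => rejected: %s\n", $raw, $who, $e->getMessage() );
    }
}
```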
