[wp-trac] [WordPress Trac] #48818: REST API does not check nested required properties
WordPress Trac
noreply at wordpress.org
Thu Nov 28 02:22:38 UTC 2019
#48818: REST API does not check nested required properties
-------------------------------+-----------------------------
 Reporter: TimothyBlynJacobs   | Owner: (none)
 Type: defect (bug)            | Status: new
 Priority: normal              | Milestone: Awaiting Review
 Component: REST API           | Version: 4.9
 Severity: normal              | Keywords:
 Focuses:                      |
-------------------------------+-----------------------------
`WP_REST_Server` checks if a request is valid using
`WP_REST_Request::has_valid_params`. That function first checks if all
required parameters are supplied. A parameter is required if it has the
`required` property specified. The REST API only checks for the existence
of the top-level properties. Nested properties are not checked.

For example, given the following schema:
{{{
{
  "type": "object",
  "properties": {
    "my_obj": {
      "type": "object",
      "required": true,
      "properties": {
        "my_prop": {
          "type": "string",
          "required": true
        }
      }
    },
    "my_arr": {
      "type": "array",
      "required": true,
      "items": {
        "type": "object",
        "properties": {
          "my_prop": {
            "type": "string",
            "required": true
          }
        }
      }
    }
  }
}
}}}
The following data is valid.
{{{
{
  "my_obj": {
    "other_prop": "hi"
  },
  "my_arr": [
    {
      "other_prop": "hi"
    }
  ]
}
}}}
We could fix this in either `WP_REST_Request::has_valid_params` or
`rest_validate_value_from_schema`.

Doing it in the request object would have the benefits of consistency with
top-level required properties. It would also allow checking all required
properties before checking for validity and returning it in one `WP_Error`
object. However, there could be a BC issue if a user has specified a
schema using `required` for child parameters, but then provided a custom
`validate_callback` that didn't actually check that the parameter is
required.

If it is in `rest_validate_value_from_schema` we wouldn't have the BC
issue. It'd also be easier to implement since that function already
recurses.

We'd also want to make sure that if a parent property isn't required, that
child properties aren't required if the parent value is missing entirely.
For instance given the following schema, an empty request object should be
valid, but `{my_prop: {}}` wouldn't be.
{{{
{
  "type": "object",
  "properties": {
    "my_obj": {
      "type": "object",
      "properties": {
        "my_prop": {
          "type": "string",
          "required": true
        }
      }
    }
  }
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48818>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
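
The recursive check the ticket asks for, as an added example (not WordPress core code and not part of the ticket): `example_missing_required()` is a hypothetical helper that walks a schema using the per-property `required: true` flag shown above and returns the paths of missing required properties, descending only into values that are actually present. It assumes JSON already decoded to PHP arrays and covers only the `object` and `array` types.

```php
<?php
// Added illustration, not WordPress core code. example_missing_required() is a
// hypothetical helper; it handles only the "object" and "array" schema types.
function example_missing_required( $value, array $schema, string $path = '' ): array {
	$missing = array();
	$type    = $schema['type'] ?? '';

	if ( 'object' === $type && is_array( $value ) ) {
		foreach ( $schema['properties'] ?? array() as $name => $child ) {
			$child_path = '' === $path ? $name : "$path.$name";
			if ( ! array_key_exists( $name, $value ) ) {
				// Absent child: report it only if flagged required, and never
				// descend, so an optional parent does not force its children.
				if ( ! empty( $child['required'] ) ) {
					$missing[] = $child_path;
				}
				continue;
			}
			$missing = array_merge( $missing, example_missing_required( $value[ $name ], $child, $child_path ) );
		}
	} elseif ( 'array' === $type && is_array( $value ) && isset( $schema['items'] ) ) {
		// Apply the item schema to every element that was supplied.
		foreach ( $value as $i => $item ) {
			$missing = array_merge( $missing, example_missing_required( $item, $schema['items'], "{$path}[$i]" ) );
		}
	}
	return $missing;
}

// First schema and payload from the ticket, as decoded PHP arrays.
$prop   = array( 'type' => 'string', 'required' => true );
$schema = array(
	'type'       => 'object',
	'properties' => array(
		'my_obj' => array( 'type' => 'object', 'required' => true, 'properties' => array( 'my_prop' => $prop ) ),
		'my_arr' => array( 'type' => 'array', 'required' => true, 'items' => array( 'type' => 'object', 'properties' => array( 'my_prop' => $prop ) ) ),
	),
);
$data = array(
	'my_obj' => array( 'other_prop' => 'hi' ),
	'my_arr' => array( array( 'other_prop' => 'hi' ) ),
);
print_r( example_missing_required( $data, $schema ) );

// Last schema from the ticket: my_obj is optional, its my_prop child is required.
unset( $schema['properties']['my_obj']['required'], $schema['properties']['my_arr'] );
print_r( example_missing_required( array(), $schema ) );                      // empty request
print_r( example_missing_required( array( 'my_obj' => array() ), $schema ) ); // parent present, child absent
```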