Introduces a new `wp_ability_invoked` action that fires at the start of `WP_Ability::execute()`, before input normalization, validation, or permission checks. This gives observers a reliable entry point for every invocation regardless of outcome (short-circuit, validation failure, permission denial, or successful execution).
Also extends the existing `wp_before_execute_ability` and `wp_after_execute_ability` actions with a new `$ability` parameter exposing the `WP_Ability` instance.
Follow-up for #64989.
Props sukhendu2002, peterwilsoncc, gziolo.
Fixes#65248.
Built from https://develop.svn.wordpress.org/trunk@62418
git-svn-id: http://core.svn.wordpress.org/trunk@61699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Ability names are pattern-validated at registration, so `esc_html()` on them is always a no-op. Drop it from the `WP_Error` messages, which are commonly serialized to JSON where the escaping would be incorrect.
Follow-up to [62398].
See #64311.
Built from https://develop.svn.wordpress.org/trunk@62401
git-svn-id: http://core.svn.wordpress.org/trunk@61682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce the `wp_ability_validate_input` and `wp_ability_validate_output` filters so developers can layer custom validation on top of the default JSON
Schema checks, either augmenting an existing WP_Error or rejecting otherwise valid data.
Props priethor, gziolo, westonruter, enej.
Fixes#64311.
Built from https://develop.svn.wordpress.org/trunk@62398
git-svn-id: http://core.svn.wordpress.org/trunk@61679 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce four filters that give plugins hook points across the ability execution lifecycle, complementing the existing observation-only actions
(`wp_before_execute_ability`, `wp_after_execute_ability`):
- `wp_pre_execute_ability`: short-circuits `execute()` when it returns a value other than the supplied default.
- `wp_ability_normalize_input`: transforms input inside `normalize_input()`, and returning `WP_Error` halts execution.
- `wp_ability_permission_result`: overrides the `permission_callback` result inside `check_permissions()`, consistently for `execute()` and direct callers.
- `wp_ability_execute_result`: transforms the result inside `do_execute()` before output validation, and can recover from execute callback failures.
The input and result filters fire before their respective schema validation steps, so `validate_input()` and `validate_output()` remain the final integrity gates. Only `wp_pre_execute_ability` can bypass validation, with the caller owning the returned value's shape.
Add `WP_Filter_Sentinel`, a reusable marker class loaded alongside `WP_Hook`, whose per-instance identity lets a filter default be distinguished from any
user value — including `null`, `false`, or arbitrary objects — via `===`.
Update `WP_REST_Abilities_V1_Run_Controller::check_ability_permissions()` to propagate `WP_Error` results from `normalize_input()` directly, defaulting to
status 400 while preserving filter-set statuses (e.g. 422, 429).
Props gziolo, westonruter, migueluy.
Fixes#64989.
Built from https://develop.svn.wordpress.org/trunk@62397
git-svn-id: http://core.svn.wordpress.org/trunk@61678 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Expand ability name validation from exactly 2 segments (`namespace/ability`) to 2-4 segments, enabling names like `my-plugin/resource/find` and `my-plugin/resource/sub/find`.
This allows plugins to organize abilities into logical resource groups. The validation regex changes from `/^[a-z0-9-]+\/[a-z0-9-]+$/` to `/^[a-z0-9-]+(?:\/[a-z0-9-]+){1,3}$/`, which accepts the first segment plus 1-3 additional slash-delimited segments.
Updates the validation regex, error messages, docblocks, and adds corresponding unit and REST API tests.
Props jorgefilipecosta, justlevine, jorbin.
Fixes#64596.
Built from https://develop.svn.wordpress.org/trunk@61602
git-svn-id: http://core.svn.wordpress.org/trunk@60913 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Abilities API allows for extending WP_Ability by providing ability_class during the ability registration. This is meant to unlock complex abilities holding some sort of state or logic that requires multiple helper methods.
In all of those scenarios you would ovewrite execute or do_execute method.
However, because the check for execute_callback is in constructor, then in order to register an ability with ability_class overwrite, you have to BOTH: provide do_execute and provide a dummy execute_callback. The same need happens for permission_callback.
This commit fixes the issue execute_callback and permission_callback are now optional when a class is provided.
Props artpi, swissspidy, jorgefilipecosta, mindctrl.
Fixes#64407.
Built from https://develop.svn.wordpress.org/trunk@61390
git-svn-id: http://core.svn.wordpress.org/trunk@60702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Without this patch REST API would require a weird empty `?input` field for optional input given how the current controller works with input schema when it defines the expected shape. This patch normalizes the input for the ability, applying the default value from the input schema when needed.
Developed in https://github.com/WordPress/wordpress-develop/pull/10395.
Follow-up [61032], [61045].
Props gziolo, jorgefilipecosta, mukesh27.
Fixes#64139.
Built from https://develop.svn.wordpress.org/trunk@61047
git-svn-id: http://core.svn.wordpress.org/trunk@60383 1a063a9b-81f0-0310-95a4-ce76da25c4cd
gziolo