Abilities API: Add a core/manage-settings ability#90
Open
jorgefilipecosta wants to merge 11 commits into
Open
Conversation
Add a read-only core/settings ability that returns WordPress settings as a flat name => value map. Only settings flagged with the new show_in_abilities registration arg are exposed; callers can filter by settings group or by name (mutually exclusive). Requires the manage_options capability. The logic lives in a new internal WP_Settings_Abilities class, structured so a future core/manage-settings write ability can reuse its helpers.
'settings' reads more naturally than 'slugs' for filtering an abilities-exposed settings map by name.
… tests Register a setting with show_in_abilities and assert it is exposed in the ability's input enum, output schema, and execute output.
- Simplify the input schema: replace the group-XOR-name `oneOf` with optional,
combinable `group` and `fields` filters (rename `slugs` -> `fields`, matching
core/get-site-info). Default to an empty object so the type:object schema default
serializes as {}.
- Memoize the exposed settings so the input/output schema and execute() derive from a
single walk of get_registered_settings().
- Cast object-typed values to objects so they serialize as {} (not []) and satisfy the
output schema validated by execute().
- Harden value handling against loosely-typed registration data.
- Tests: assert keys order-insensitively and cover combined group+fields filtering.
…cblock The $groups and $field_names params are sequential string lists (array_keys() and an appended array), so list<string> is the precise type rather than string[].
…ettings() The exposed-settings cache is always populated in register_get_settings() before the ability is registered, so the recompute fallback was dead code. Read the cache directly and keep a defensive null guard so the unexpected case is explicit rather than silently recomputing.
…tract The core/settings ability snapshots the exposed settings when it registers on wp_abilities_api_init, so a setting must be registered before that hook fires to be exposed. Note this on the show_in_abilities register_setting() argument so integrators know their register_setting() has to run earlier.
Make WP_Settings_Abilities final and tighten member visibility so the intended surface is enforced rather than only documented via @access private. Only the externally-invoked entry points remain public (register(), execute_get_settings(), has_permission()); register_get_settings() and the shared helpers become private, and CATEGORY becomes a private const. Method bodies and the static cache are unchanged.
Move register() and the ability callbacks (execute_get_settings(), has_permission()) from public static to public methods, and the internal helpers to private methods; the exposed-settings cache becomes an instance property. wp_register_core_abilities() now registers the ability via ( new WP_Settings_Abilities() )->register(), reducing the static surface of this @access private class.
Implements the write-oriented `core/manage-settings` ability that WP_Settings_Abilities reserved a slot for. It reuses the exposed-settings snapshot built for `core/settings`, so every setting flagged with `show_in_abilities` is both readable (`core/settings`) and writable (`core/manage-settings`), and the input/output schemas reuse the same per-setting schemas. The Abilities API validates the input against those schemas (with `additionalProperties` disabled) before execution, so an invalid or unknown value aborts the whole call before any option is written -- matching the all-or-nothing behavior of the REST settings controller. Each accepted value is sanitized against its schema, stored, then read back and cast for the response.
Covers registration and writable annotations, an input schema that mirrors the exposed settings with additionalProperties disabled, updating and returning correctly typed values, all-or-nothing aborting on an invalid value (the valid sibling must not persist), rejection of unknown keys and empty input, the manage_options permission gate, and writing a setting registered by another plugin.
8469c64 to
6f4b639
Compare
Owner
Author
|
Leaving this PR on hold as it is not a target for 7.1. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a write-oriented
core/manage-settingsability to the Abilities API, the write counterpart to the read-onlycore/settingsability from WordPress#12141.WP_Settings_Abilitiesalready reserved aregister_manage_settings()slot; this fills it in, reusing the exposed-settings snapshot and the shared helpers (get_exposed_settings(),value_schema(),cast_value()).additionalProperties: false.manage_options(shared withcore/settings).readonly: false,destructive: false,idempotent: true.Read = write
A truthy
show_in_abilitiesflag grants both read (viacore/settings) and write (viacore/manage-settings); there is no separatewritableflag. No changes tooption.phpor the exposed-settings helpers are needed.Atomic, all-or-nothing
The Abilities API validates the input against the registered input schema before
execute_manage_settings()runs, so an invalid or unknown value aborts the whole call before anyupdate_option()fires — matchingWP_REST_Settings_Controller::update_item(), which rejects the entire request when any value is invalid. Accepted values are sanitized against their schema, stored, then read back and cast for the response.Tests
Adds
Tests_Abilities_API_WpRegisterCoreManageSettingsAbilitycovering registration/annotations, the mirrored input schema, updating and returning typed values, all-or-nothing aborting on an invalid value, rejection of unknown keys and empty input, themanage_optionsgate, and writing a setting registered by another plugin. Full--group abilities-apirun: 351 tests passing.Stacked PR
Stacked on WordPress#12141 (base branch
add/core-settings-ability); that PR was rebased on latesttrunkfirst. Intended to open againstWordPress/wordpress-develop:trunkonce WordPress#12141 lands.