Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Abilities API: Add a core/manage-settings ability#90

Open
jorgefilipecosta wants to merge 11 commits into
add/core-settings-abilityfrom
add/core-manage-settings-ability
Open

Abilities API: Add a core/manage-settings ability#90
jorgefilipecosta wants to merge 11 commits into
add/core-settings-abilityfrom
add/core-manage-settings-ability

Conversation

@jorgefilipecosta

Copy link
Copy Markdown
Owner

What

Adds a write-oriented core/manage-settings ability to the Abilities API, the write counterpart to the read-only core/settings ability from WordPress#12141.

WP_Settings_Abilities already reserved a register_manage_settings() slot; this fills it in, reusing the exposed-settings snapshot and the shared helpers (get_exposed_settings(), value_schema(), cast_value()).

  • Input: a map of setting name → new value (at least one). The input/output schemas reuse each setting's own value schema, with additionalProperties: false.
  • Output: a map of each updated setting name → its stored value.
  • Permission: manage_options (shared with core/settings).
  • Annotations: readonly: false, destructive: false, idempotent: true.

Read = write

A truthy show_in_abilities flag grants both read (via core/settings) and write (via core/manage-settings); there is no separate writable flag. No changes to option.php or the exposed-settings helpers are needed.

Atomic, all-or-nothing

The Abilities API validates the input against the registered input schema before execute_manage_settings() runs, so an invalid or unknown value aborts the whole call before any update_option() fires — matching WP_REST_Settings_Controller::update_item(), which rejects the entire request when any value is invalid. Accepted values are sanitized against their schema, stored, then read back and cast for the response.

Tests

Adds Tests_Abilities_API_WpRegisterCoreManageSettingsAbility covering registration/annotations, the mirrored input schema, updating and returning typed values, all-or-nothing aborting on an invalid value, rejection of unknown keys and empty input, the manage_options gate, and writing a setting registered by another plugin. Full --group abilities-api run: 351 tests passing.

Stacked PR

Stacked on WordPress#12141 (base branch add/core-settings-ability); that PR was rebased on latest trunk first. Intended to open against WordPress/wordpress-develop:trunk once WordPress#12141 lands.

Add a read-only core/settings ability that returns WordPress settings as a flat
name => value map. Only settings flagged with the new show_in_abilities
registration arg are exposed; callers can filter by settings group or by name
(mutually exclusive). Requires the manage_options capability.

The logic lives in a new internal WP_Settings_Abilities class, structured so a
future core/manage-settings write ability can reuse its helpers.
'settings' reads more naturally than 'slugs' for filtering an abilities-exposed
settings map by name.
… tests

Register a setting with show_in_abilities and assert it is exposed in the
ability's input enum, output schema, and execute output.
- Simplify the input schema: replace the group-XOR-name `oneOf` with optional,
  combinable `group` and `fields` filters (rename `slugs` -> `fields`, matching
  core/get-site-info). Default to an empty object so the type:object schema default
  serializes as {}.
- Memoize the exposed settings so the input/output schema and execute() derive from a
  single walk of get_registered_settings().
- Cast object-typed values to objects so they serialize as {} (not []) and satisfy the
  output schema validated by execute().
- Harden value handling against loosely-typed registration data.
- Tests: assert keys order-insensitively and cover combined group+fields filtering.
…cblock

The $groups and $field_names params are sequential string lists
(array_keys() and an appended array), so list<string> is the precise
type rather than string[].
…ettings()

The exposed-settings cache is always populated in register_get_settings()
before the ability is registered, so the recompute fallback was dead code.
Read the cache directly and keep a defensive null guard so the unexpected
case is explicit rather than silently recomputing.
…tract

The core/settings ability snapshots the exposed settings when it registers
on wp_abilities_api_init, so a setting must be registered before that hook
fires to be exposed. Note this on the show_in_abilities register_setting()
argument so integrators know their register_setting() has to run earlier.
Make WP_Settings_Abilities final and tighten member visibility so the
intended surface is enforced rather than only documented via @access
private. Only the externally-invoked entry points remain public
(register(), execute_get_settings(), has_permission()); register_get_settings()
and the shared helpers become private, and CATEGORY becomes a private const.
Method bodies and the static cache are unchanged.
Move register() and the ability callbacks (execute_get_settings(),
has_permission()) from public static to public methods, and the internal
helpers to private methods; the exposed-settings cache becomes an instance
property. wp_register_core_abilities() now registers the ability via
( new WP_Settings_Abilities() )->register(), reducing the static surface
of this @access private class.
Implements the write-oriented `core/manage-settings` ability that
WP_Settings_Abilities reserved a slot for. It reuses the exposed-settings
snapshot built for `core/settings`, so every setting flagged with
`show_in_abilities` is both readable (`core/settings`) and writable
(`core/manage-settings`), and the input/output schemas reuse the same
per-setting schemas.

The Abilities API validates the input against those schemas (with
`additionalProperties` disabled) before execution, so an invalid or unknown
value aborts the whole call before any option is written -- matching the
all-or-nothing behavior of the REST settings controller. Each accepted value
is sanitized against its schema, stored, then read back and cast for the
response.
Covers registration and writable annotations, an input schema that mirrors
the exposed settings with additionalProperties disabled, updating and
returning correctly typed values, all-or-nothing aborting on an invalid
value (the valid sibling must not persist), rejection of unknown keys and
empty input, the manage_options permission gate, and writing a setting
registered by another plugin.
@semanticdiff-com

Copy link
Copy Markdown

Review changes with  SemanticDiff

@jorgefilipecosta jorgefilipecosta force-pushed the add/core-settings-ability branch from 8469c64 to 6f4b639 Compare July 2, 2026 17:27
@jorgefilipecosta

Copy link
Copy Markdown
Owner Author

Leaving this PR on hold as it is not a target for 7.1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant