This repository was archived by the owner on Sep 24, 2018. It is now read-only.

Only permit registered params to be used within our callbacks #2201

@danielbachhuber

To prevent issues like #2195 and generally help ensure we're only using expected data, I think it would be a better pattern to only permit registered params to be used within our callbacks.

In #2122, I included a pattern like this to prepare our data for the callback:

public static function prepare_query_args_from_request( $request ) {
    $prepared_args = array();
    // Args registered for the matched route.
    $attributes = $request->get_attributes();
    foreach ( $attributes['args'] as $key => $args ) {
        // Skip registered args the client did not send.
        if ( ! isset( $request[ $key ] ) ) {
            continue;
        }
        $value = $request[ $key ];
        // Rename the param when the registration supplies a transform_to key.
        $new_key = ! empty( $args['transform_to'] ) ? $args['transform_to'] : $key;
        $prepared_args[ $new_key ] = $value;
    }
    return $prepared_args;
}

Notice it creates $prepared_args from the args registered to the request, instead of blindly accepting request params.

Also, if we included the transform_to mechanism, we could essentially remove WP_REST_Users_Controller::prepare_item_for_database() and many other internal transformation procedures.
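
The allowlist pattern proposed above, run against a request that carries an unregistered param. This is an added example, not part of the original issue or the WP-API code base; `Stub_Request`, the sample params and the `transform_to` mappings are assumptions made for illustration.

```php
<?php
// Hypothetical stand-in for WP_REST_Request (not WordPress code). It offers only
// what the issue's function relies on: array access to params and get_attributes().
class Stub_Request implements ArrayAccess {
    private $params;
    private $attributes;

    public function __construct( array $params, array $attributes ) {
        $this->params     = $params;
        $this->attributes = $attributes;
    }
    public function get_attributes() { return $this->attributes; }
    public function get_params() { return $this->params; }
    public function offsetExists( $key ): bool { return isset( $this->params[ $key ] ); }
    #[\ReturnTypeWillChange]
    public function offsetGet( $key ) { return $this->params[ $key ] ?? null; }
    public function offsetSet( $key, $value ): void { $this->params[ $key ] = $value; }
    public function offsetUnset( $key ): void { unset( $this->params[ $key ] ); }
}

// Same logic as the function quoted in the issue, written as a free function.
function prepare_query_args_from_request( $request ) {
    $prepared_args = array();
    $attributes    = $request->get_attributes();
    foreach ( $attributes['args'] as $key => $args ) {
        if ( ! isset( $request[ $key ] ) ) {
            continue;
        }
        $new_key = ! empty( $args['transform_to'] ) ? $args['transform_to'] : $key;
        $prepared_args[ $new_key ] = $request[ $key ];
    }
    return $prepared_args;
}

// Constructed sample: two registered args were sent, plus one param nobody registered.
$request = new Stub_Request(
    array( 'per_page' => 5, 'search' => 'hello', 'not_registered' => '1' ),
    array( 'args' => array(
        'per_page' => array( 'transform_to' => 'posts_per_page' ), // assumed mapping
        'search'   => array( 'transform_to' => 's' ),              // assumed mapping
        'page'     => array( 'transform_to' => 'paged' ),          // registered, not sent
    ) )
);

// Blind pass-through hands the callback every submitted param, registered or not.
var_dump( $request->get_params() );
// The allowlist keeps only registered params that were sent, under their transformed keys.
var_dump( prepare_query_args_from_request( $request ) );
```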
