Write permission discoverability for endpoints

[danielbachhuber]

As a client developer writing an application, I want to have my application discover which endpoints are readable / writable through response values, and without having to know the intricacies of WordPress' capabilities system.

Currently, we can't easily support this use case because capability is determined at run time. We'll need some sort of framework for a WP_JSON_Controller to expose permission scope for its endpoints.

[joehoyle]

How we determine it at a code level is implementation logic, but how this actually looks and works from a client's perspective is what we need to nail down.

As I see it we have two types of "permissions":

1. We have resources that conform to the use RESTful GET / DELETE / PUT verbs. This is a resource level permission to make "top level" changes to a whole resource. In the simplest form, this can be expression to the client via OPTIONS requests to the resource.
2. We have some "special" cases for in-resource modifications. Specifically in mind if "post status" which is a state change on an existing resource. The "status" it's self is not a resource, so doesn't work with paradigm 1.

There's a couple of ways I think we can solve number 2:

• We make status a resource, and any other fields that have this kind of logic. This would allow a client to send OPTIONS to /post/123/status to see if they can PUT it, however that wouldn't allow us to say "you can set to pending, but not publish", and is probably too chatty.
• We have a special sub-collection of "actions" that can be performed on the resource. We would probably keep the HTTP Verbs out of this, so it would be for anything that doesn't quite fit into the RESTful approach. I found this pattern in "Thoughts on RESTful API Design", specifically

Sometimes, it is required to expose an operation in the API that inherently is non RESTful. One example of such an operation is where you want to introduce a state change for a resource, but there are multiple ways in which the same final state can be achieved, and those ways actually differ in a significant but non-observable side-effect. Some may say such transitions are bad API design, but not having to model all state can greatly simplify an API. A great example of this is the difference between a “power off” and a “shutdown” of a virtual machine. Both will lead to a vm resource in the “DOWN” state. However, these operations are quite different.

As a solution to such non-RESTful operations, an “actions” sub-collection can be used on a resource. Actions are basically RPC-like messages to a resource to perform a certain operation. The “actions” sub-collection can be seen as a command queue to which new action can be POSTed, that are then executed by the API. Each action resource that is POSTed, should have a “type” attribute that indicates the type of action to be performed, and can have arbitrary other attributes that parameterize the operation.

The recommendation above is that each "action" that is performed on a resource is not a new endpoint. Instead the client sends a POST request to the resource with a type parameter of the action, and any other params are not meant for that action.

I'm not actually that keen on the same-endpoint/resource approach, instead it seems like each "action" would be expression like so:

{
    ...,
    "actions" : [
        {
            "id" : "publish",
            "name" : "Publish",
            "url" : "/post/123/action/publish"
        }
    ]
}

This will allow clients to specify actions on a resource without need to do ahead-of-time lookups in the API, or not necessarily need to know them either. Splitting each action into a different endpoint would allow us to make things a bit more modular and documentation etc a bit easier too.

The actions collection would be limited to use in the WP_JSON_Controller abstraction layer, so wouldn't be "core" to the API. However, I'd imagine it's a pattern we could encourage 3rd parties to adopt too. A "Vote Up Comment" plugin could hook their own actions:

{
    ...,
    "actions" : [
        {
            "id" : "vote",
            "name" : "Vote Up!",
            "url" : "/my-votes-plugin/post/123/action/vote"
        }
    ]
}

There is still one remaining issue, is how do we tell clients what HTTP Verbs they can perform when the GET a resource. Correct me if I'm wrong, but the "norm" here is to send an OPTIONS request to the resource. I'm not sure the best way to handle this still. The idea of another resource property of "allowed_methods" seems ugly, but putting them in the above proposed "actions" collection doesn't seem consistent. Still open to crazy ideas on that one!

[rmccue]

I'm not actually that keen on the same-endpoint/resource approach, instead it seems like each "action" would be expression like so:

I am 👎 on the format above; I think we should fit this into the existing links instead, with custom relations. Following the vote example above:

{
    "_links": {
        "http://rel.wp-api.org/vote": { "href": "http://api.local/wp-json/core/v1/posts/42/vote" }
    }
}

I'm still undecided on whether we specify whether a client can perform the action in a link parameter (e.g. "authorized": true) or by hiding/showing the links. The latter is worse for discoverability IMO and it means the response changes based on the headers (which we avoid right now), but the former feels like a bit of an abuse of link parameters.

There is still one remaining issue, is how do we tell clients what HTTP Verbs they can perform when the GET a resource.

For the resource itself, the Allow header is designed for exactly this purpose. If you need the value but can't access headers, enveloping solves that.

For other resources, I'm -1 on giving it there. I can't think of any cases right now where you'd want to update another object without first reading it, but maybe I just haven't thought of any yet. :)

(If we really want it, and we pick the link format given above, we could use an allow value there to achieve the same as the header.)

[rmccue]

#602 handles the base-level capabilities for each route here.

[danielbachhuber]

@joehoyle what's remaining on this issue?

[joehoyle]

The initial scenario is discovering which endpoints you can write to is now implemented via the OPTIONS requests.

The discussion around more granular capabilities, such as setting status to Publish when you only have access to "Pending" is also available via OPTIONS requests, however we don't have it declared for clients. I'm happy with the OPTIONS request being enough here however.

Anyone feel free to reopen if you disagree.