Promote validate_input to public method and refactor usage

gziolo · gziolo · commit bde0aa6e6479 · 2025-10-21T13:00:51.000+02:00
diff --git a/src/wp-includes/abilities-api/class-wp-ability.php b/src/wp-includes/abilities-api/class-wp-ability.php
@@ -408,7 +408,7 @@ public function get_meta_item( string $key, $default_value = null ) {
 	 * @param mixed $input Optional. The input data to validate. Default `null`.
 	 * @return true|WP_Error Returns true if valid or the WP_Error object if validation fails.
 	 */
-	protected function validate_input( $input = null ) {
+	public function validate_input( $input = null ) {
 		$input_schema = $this->get_input_schema();
 		if ( empty( $input_schema ) ) {
 			if ( null === $input ) {
@@ -462,23 +462,20 @@ protected function invoke_callback( callable $callback, $input = null ) {
 	/**
 	 * Checks whether the ability has the necessary permissions.
 	 *
-	 * The input is validated against the input schema before it is passed to to permission callback.
+	 * Please note that input is not automatically validated against the input schema.
+	 * Use `validate_input()` method to validate input before calling this method if needed.
 	 *
 	 * @since 6.9.0
 	 *
-	 * @param mixed $input Optional. The input data for permission checking. Default `null`.
+	 * @see validate_input()
+	 *
+	 * @param mixed $input Optional. The valid input data for permission checking. Default `null`.
 	 * @return bool|WP_Error Whether the ability has the necessary permission.
 	 */
 	public function check_permissions( $input = null ) {
-		$is_valid = $this->validate_input( $input );
-		if ( is_wp_error( $is_valid ) ) {
-			return $is_valid;
-		}
-
 		return $this->invoke_callback( $this->permission_callback, $input );
 	}
 
-
 	/**
 	 * Executes the ability callback.
 	 *
@@ -539,12 +536,14 @@ protected function validate_output( $output ) {
 	 * @return mixed|WP_Error The result of the ability execution, or WP_Error on failure.
 	 */
 	public function execute( $input = null ) {
+		$is_valid = $this->validate_input( $input );
+		if ( is_wp_error( $is_valid ) ) {
+			return $is_valid;
+		}
+
 		$has_permissions = $this->check_permissions( $input );
 		if ( true !== $has_permissions ) {
 			if ( is_wp_error( $has_permissions ) ) {
-				if ( 'ability_invalid_input' === $has_permissions->get_error_code() ) {
-					return $has_permissions;
-				}
 				// Don't leak the permission check error to someone without the correct perms.
 				_doing_it_wrong(
 					__METHOD__,
@@ -561,7 +560,7 @@ public function execute( $input = null ) {
 		}
 
 		/**
-		 * Fires before an ability gets executed and after permission check.
+		 * Fires before an ability gets executed, after input validation and permissions check.
 		 *
 		 * @since 6.9.0
 		 *
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-abilities-v1-run-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-abilities-v1-run-controller.php
@@ -92,9 +92,6 @@ public function execute_ability( $request ) {
 		$input  = $this->get_input_from_request( $request );
 		$result = $ability->execute( $input );
 		if ( is_wp_error( $result ) ) {
-			if ( 'ability_invalid_input' === $result->get_error_code() ) {
-				$result->add_data( array( 'status' => 400 ) );
-			}
 			return $result;
 		}
 
@@ -161,12 +158,16 @@ public function check_ability_permissions( $request ) {
 			return $is_valid;
 		}
 
-		$input  = $this->get_input_from_request( $request );
+		$input    = $this->get_input_from_request( $request );
+		$is_valid = $ability->validate_input( $input );
+		if ( is_wp_error( $is_valid ) ) {
+			$is_valid->add_data( array( 'status' => 400 ) );
+			return $is_valid;
+		}
+
 		$result = $ability->check_permissions( $input );
 		if ( is_wp_error( $result ) ) {
-			if ( 'ability_invalid_input' === $result->get_error_code() ) {
-				$result->add_data( array( 'status' => 400 ) );
-			}
+			$result->add_data( array( 'status' => rest_authorization_required_code() ) );
 			return $result;
 		}
 		if ( ! $result ) {
diff --git a/tests/phpunit/tests/abilities-api/wpRegisterAbility.php b/tests/phpunit/tests/abilities-api/wpRegisterAbility.php
@@ -357,16 +357,16 @@ public function test_execute_ability_no_output_schema_match(): void {
 	}
 
 	/**
-	 * Tests permission callback receiving input not matching schema.
+	 * Tests input validation failing due to schema mismatch.
 	 *
 	 * @ticket 64098
 	 */
-	public function test_permission_callback_no_input_schema_match(): void {
+	public function test_validate_input_no_input_schema_match(): void {
 		do_action( 'wp_abilities_api_init' );
 
 		$result = wp_register_ability( self::$test_ability_name, self::$test_ability_args );
 
-		$actual = $result->check_permissions(
+		$actual = $result->validate_input(
 			array(
 				'a'       => 2,
 				'b'       => 3,
@@ -376,7 +376,7 @@ public function test_permission_callback_no_input_schema_match(): void {
 
 		$this->assertWPError(
 			$actual,
-			'Permission check should fail due to input not matching schema.'
+			'Input validation should fail due to input not matching schema.'
 		);
 		$this->assertSame( 'ability_invalid_input', $actual->get_error_code() );
 		$this->assertSame(
