fix(security): tighten permission_callback on block-discovery + client stub abilities #1308
…t stub abilities

- list-block-types and get-block-type now require edit_posts; previously used __return_true and exposed editor-oriented block-registry detail publicly (flagged by WP.org plugin-check).
- ClientAbilityRouter server-side stubs now register with permission_callback => '__return_false' to make explicit that JS-side abilities must never execute through the server-side ability runner.
## Summary

WordPress.org plugin-check flagged abilities registered with `permission_callback => '__return_true'` that expose editor-oriented data publicly. This PR addresses the two genuine issues (`list-block-types`, `get-block-type`) plus one related missing-permission case in the client-ability stub registrar.

## Changes

`includes/Abilities/BlockAbilities.php`

- `sd-ai-agent/list-block-types`: was `__return_true` → now `current_user_can( 'edit_posts' )`. The block registry is editor metadata, not public site content.
- `sd-ai-agent/get-block-type`: was `__return_true` → now `current_user_can( 'edit_posts' )`. Exposes attribute schemas, supports flags, styles, variations, example markup — all editor-oriented.

`includes/Core/ClientAbilityRouter.php`

- Server-side stubs now register with `permission_callback => '__return_false'`. The callback is a no-op error response by design, so denying execution at the permission layer is correct (and silences the wp.org scanner).

## Why these (and not all 42 reported lines)

The original report listed 42 incidences but most are false positives from the wp.org scanner: it cannot follow the `ability_class => SomeAbility::class` indirection and assumes no permission_callback is set. In reality those abilities (e.g. `GetOptionAbility`, `UpdateOptionAbility`, `GetThemesAbility`, `UpdatePluginAbility`, `ScanThemeHooksAbility`, `ListModifiedPluginsAbility`) all implement `protected function permission_callback( $input ): bool` on `AbstractAbility` (verified via `rg -n 'permission_callback' includes/Abilities/`).

The only registrations that genuinely lacked a check were the two `__return_true` entries above, plus the `ClientAbilityRouter` stub which was missing the key entirely.

## Verification

- `composer phpcs -- includes/Abilities/BlockAbilities.php includes/Core/ClientAbilityRouter.php` → clean.
- `composer phpstan` → no errors.
- Capability choice (`edit_posts`) matches the rest of `BlockAbilities.php` (`list-block-patterns`, `list-block-templates`, `parse-block-content`, `validate-block-content`, `create-block-content` all use `edit_posts`).

## Out of scope

- `sd-ai-agent` → `superdav-ai-agent` refactors (would violate canonical-naming rules in `AGENTS.md`).
- `AbstractAbility::__construct` line 83, which wires the protected method into the registration array.

aidevops.sh v3.15.15 plugin for OpenCode v1.14.41 with claude-sonnet-4-6 spent 17h 51m and 40 tokens on this as a headless worker.
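The distinction the PR draws by hand between genuine findings and scanner false positives (an inline `permission_callback` of `__return_true` versus `ability_class` indirection where the class itself implements the check) can be made mechanically. The script below is an added example, not code from this plugin or from WordPress: it uses hypothetical class names (`HypotheticalAbility`, `HypotheticalOptionAbility`, `HypotheticalUncheckedAbility`), a constructed sample registry whose only page-derived entries are `sd-ai-agent/list-block-types` and `sd-ai-agent/get-block-type`, and local stubs for `__return_true` / `__return_false` so it runs outside WordPress. `audit_ability_registrations()` is the assumed audit, not a plugin function.

```php
<?php
declare(strict_types=1);

// Added example (not code from the superdav-ai-agent plugin or WordPress).
// It models, with hypothetical names, the two registration shapes the PR
// describes: an inline 'permission_callback' entry, and 'ability_class'
// indirection where the class itself implements permission_callback(),
// as the PR says AbstractAbility subclasses do. audit_ability_registrations()
// flags a registration only if it has no effective permission check,
// following the class indirection that the wp.org scanner does not.

// Stubs so this runs outside WordPress; real WordPress defines both.
if ( ! function_exists( '__return_true' ) ) {
    function __return_true(): bool { return true; }
}
if ( ! function_exists( '__return_false' ) ) {
    function __return_false(): bool { return false; }
}

/** Hypothetical stand-in for a base class like the plugin's AbstractAbility. */
abstract class HypotheticalAbility {
    abstract protected function permission_callback( array $input ): bool;
}

/** Hypothetical class-backed ability that carries its own capability check. */
final class HypotheticalOptionAbility extends HypotheticalAbility {
    protected function permission_callback( array $input ): bool {
        // Only meaningful inside WordPress; the audit never invokes it.
        return current_user_can( 'manage_options' );
    }
}

/** Hypothetical class with no permission method: a genuine finding. */
final class HypotheticalUncheckedAbility {}

/**
 * Returns [ ability name => reason ] for registrations that genuinely
 * lack a permission check. Registrations with '__return_false' or a real
 * capability callback pass, as do class-backed abilities whose class
 * defines permission_callback() in any visibility.
 */
function audit_ability_registrations( array $registrations ): array {
    $findings = [];
    foreach ( $registrations as $name => $args ) {
        if ( array_key_exists( 'permission_callback', $args ) ) {
            if ( '__return_true' === $args['permission_callback'] ) {
                $findings[ $name ] = 'permission_callback is __return_true (publicly executable)';
            }
            continue;
        }
        if ( isset( $args['ability_class'] ) ) {
            // method_exists() sees protected methods, so this follows the
            // indirection the scanner cannot.
            if ( ! method_exists( $args['ability_class'], 'permission_callback' ) ) {
                $findings[ $name ] = 'ability_class defines no permission_callback()';
            }
            continue;
        }
        $findings[ $name ] = 'no permission_callback key and no ability_class';
    }
    return $findings;
}

// Constructed sample registry mirroring the PR's "before" state. The last
// three ability names are made up for this example.
$before = [
    'sd-ai-agent/list-block-types' => [ 'permission_callback' => '__return_true' ],
    'sd-ai-agent/get-block-type'   => [ 'permission_callback' => '__return_true' ],
    'sd-ai-agent/get-option'       => [ 'ability_class' => HypotheticalOptionAbility::class ],
    'sd-ai-agent/client-stub'      => [], // key missing entirely, as the router stub was
    'sd-ai-agent/unchecked'        => [ 'ability_class' => HypotheticalUncheckedAbility::class ],
];

// The PR's "after" state: capability checks on the two block abilities,
// '__return_false' on the stub. The closures are never invoked here.
$after = $before;
$after['sd-ai-agent/list-block-types']['permission_callback'] =
    static fn( array $input ): bool => current_user_can( 'edit_posts' );
$after['sd-ai-agent/get-block-type']['permission_callback'] =
    static fn( array $input ): bool => current_user_can( 'edit_posts' );
$after['sd-ai-agent/client-stub']['permission_callback'] = '__return_false';

foreach ( [ 'before' => $before, 'after' => $after ] as $label => $registry ) {
    $findings = audit_ability_registrations( $registry );
    printf( "%s: %d genuine finding(s)\n", $label, count( $findings ) );
    foreach ( $findings as $name => $reason ) {
        printf( "  %s: %s\n", $name, $reason );
    }
}
```

Run with `php audit.php`. On the constructed registry the "before" pass reports the two `__return_true` entries, the stub with no key, and the class with no `permission_callback()` method; the "after" pass reports only the last of those, which is the kind of class-level gap the PR's `rg` check would also have surfaced. Treating `__return_false` as a pass is deliberate: as the PR notes, denying at the permission layer is the correct way to make a server-side stub inert.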