Collaboration: Deduplicate awareness query for client_id ownership check

josephfusco · josephfusco · commit 0d77c08c0070 · 2026-03-07T10:19:13.000-05:00
check_permissions() called get_awareness_state() to validate client_id
ownership, then process_awareness_update() called the exact same query
to build the response. Both used the same 30s timeout.

Moves the ownership check into process_awareness_update() so a single
get_awareness_state() call serves both purposes. The method now returns
WP_Error on ownership violations, checked in handle_request().

The current client's awareness state is run through wp_json_encode /
json_decode to match the round-trip path other clients' states take
through the DB, preventing inconsistencies from encoding normalization.

Note: ownership validation now runs per-room inside handle_request()
rather than for all rooms upfront in check_permissions(). In a
multi-room request where room 2 has a conflict, room 1's awareness
upsert will have already completed. This is acceptable because
awareness upserts are idempotent heartbeats.

Saves 1 query per room per poll.
diff --git a/src/wp-includes/collaboration/class-wp-http-polling-collaboration-server.php b/src/wp-includes/collaboration/class-wp-http-polling-collaboration-server.php
@@ -200,24 +200,10 @@ public function check_permissions( WP_REST_Request $request ) {
 			);
 		}
 
-		$rooms      = $request['rooms'];
-		$wp_user_id = get_current_user_id();
+		$rooms = $request['rooms'];
 
 		foreach ( $rooms as $room ) {
-			$client_id = $room['client_id'];
-			$room      = $room['room'];
-
-			// Check that the client_id is not already owned by another user.
-			$existing_awareness = $this->storage->get_awareness_state( $room );
-			foreach ( $existing_awareness as $entry ) {
-				if ( $client_id === $entry['client_id'] && $wp_user_id !== $entry['wp_user_id'] ) {
-					return new WP_Error(
-						'rest_cannot_edit',
-						__( 'Client ID is already in use by another user.' ),
-						array( 'status' => rest_authorization_required_code() )
-					);
-				}
-			}
+			$room = $room['room'];
 
 			$type_parts   = explode( '/', $room, 2 );
 			$object_parts = explode( ':', $type_parts[1] ?? '', 2 );
@@ -263,9 +249,13 @@ public function handle_request( WP_REST_Request $request ) {
 			$cursor    = $room_request['after'];
 			$room      = $room_request['room'];
 
-			// Merge awareness state.
+			// Merge awareness state (also validates client_id ownership).
 			$merged_awareness = $this->process_awareness_update( $room, $client_id, $awareness );
 
+			if ( is_wp_error( $merged_awareness ) ) {
+				return $merged_awareness;
+			}
+
 			// The lowest client ID is nominated to perform compaction when needed.
 			$is_compactor = false;
 			if ( count( $merged_awareness ) > 0 ) {
@@ -371,24 +361,51 @@ private function can_user_collaborate_on_entity_type( string $entity_kind, strin
 	/**
 	 * Processes and stores an awareness update from a client.
 	 *
+	 * Also validates that the client_id is not already owned by another user.
+	 * This check uses the same get_awareness_state() query that builds the
+	 * response, eliminating a duplicate query that was previously performed
+	 * in check_permissions().
+	 *
 	 * @since 7.0.0
 	 *
 	 * @param string                    $room             Room identifier.
 	 * @param int                       $client_id        Client identifier.
 	 * @param array<string, mixed>|null $awareness_update Awareness state sent by the client.
-	 * @return array<int, array<string, mixed>> Map of client ID to awareness state.
+	 * @return array<int, array<string, mixed>>|WP_Error Map of client ID to awareness state, or WP_Error if client_id is owned by another user.
 	 */
-	private function process_awareness_update( string $room, int $client_id, ?array $awareness_update ): array {
+	private function process_awareness_update( string $room, int $client_id, ?array $awareness_update ) {
+		$wp_user_id = get_current_user_id();
+
+		// Check ownership before upserting so a hijacked client_id is rejected.
+		$entries = $this->storage->get_awareness_state( $room, self::AWARENESS_TIMEOUT );
+
+		foreach ( $entries as $entry ) {
+			if ( $client_id === $entry['client_id'] && $wp_user_id !== $entry['wp_user_id'] ) {
+				return new WP_Error(
+					'rest_cannot_edit',
+					__( 'Client ID is already in use by another user.' ),
+					array( 'status' => rest_authorization_required_code() )
+				);
+			}
+		}
+
 		if ( null !== $awareness_update ) {
-			$this->storage->set_awareness_state( $room, $client_id, $awareness_update, get_current_user_id() );
+			$this->storage->set_awareness_state( $room, $client_id, $awareness_update, $wp_user_id );
 		}
 
-		$entries  = $this->storage->get_awareness_state( $room, self::AWARENESS_TIMEOUT );
 		$response = array();
 		foreach ( $entries as $entry ) {
 			$response[ $entry['client_id'] ] = $entry['state'];
 		}
 
+		// Other clients' states were decoded from the DB. Run the current
+		// client's state through the same encode/decode path so the response
+		// is consistent — wp_json_encode may normalize values (e.g. strip
+		// invalid UTF-8) that would otherwise differ on the next poll.
+		if ( null !== $awareness_update ) {
+			$response[ $client_id ] = json_decode( wp_json_encode( $awareness_update ), true );
+		}
+
 		return $response;
 	}
 
