Abilities API: support schema arrays for show_in_abilities meta

jorgefilipecosta · jorgefilipecosta · commit 26069e1a18cb · 2026-02-19T13:30:33.000Z
diff --git a/src/wp-includes/abilities/class-wp-post-type-abilities.php b/src/wp-includes/abilities/class-wp-post-type-abilities.php
@@ -821,13 +821,19 @@ private static function build_post_schema( WP_Post_Type $post_type_object ): arr
 		);
 
 		if ( post_type_supports( $slug, 'custom-fields' ) ) {
+			$meta_properties = self::get_meta_value_schema_properties( $slug );
+
 			$properties['meta'] = array(
 				'type'                 => 'object',
 				'description'          => __( 'Public post meta key-value pairs. Only present when include.meta is true.' ),
 				'additionalProperties' => array(
 					'type' => array( 'array', 'object', 'string', 'number', 'integer', 'boolean', 'null' ),
 				),
 			);
+
+			if ( ! empty( $meta_properties ) ) {
+				$properties['meta']['properties'] = $meta_properties;
+			}
 		}
 
 		return array(
@@ -1218,25 +1224,21 @@ static function ( $term ): array {
 		}
 
 		if ( ! empty( $include['meta'] ) && post_type_supports( $slug, 'custom-fields' ) ) {
-			$meta              = get_post_meta( $post->ID );
-			$public_meta       = array();
-			$allowed_meta_keys = self::get_allowed_meta_keys( $slug );
-			$registered_meta   = array_merge(
-				get_registered_meta_keys( 'post' ),
-				get_registered_meta_keys( 'post', $slug )
-			);
+			$meta         = get_post_meta( $post->ID );
+			$public_meta  = array();
+			$allowed_meta = self::get_allowed_meta( $slug );
 
 			foreach ( $meta as $key => $values ) {
 				// Skip protected meta keys.
 				if ( is_protected_meta( $key, 'post' ) ) {
 					continue;
 				}
 				// Only include meta keys that are explicitly allowed.
-				if ( ! in_array( $key, $allowed_meta_keys, true ) ) {
+				if ( ! isset( $allowed_meta[ $key ] ) ) {
 					continue;
 				}
 				// Respect the registered 'single' property for consistent behavior with get_post_meta().
-				$is_single           = ! empty( $registered_meta[ $key ]['single'] );
+				$is_single           = ! empty( $allowed_meta[ $key ]['single'] );
 				$public_meta[ $key ] = $is_single ? ( $values[0] ?? null ) : $values;
 			}
 
@@ -1498,19 +1500,124 @@ private static function process_date_top_level( array $input, array &$result ):
 	 * @return string[] List of allowed meta keys.
 	 */
 	private static function get_allowed_meta_keys( string $post_type_slug ): array {
-		$registered_meta = array_merge(
+		return array_keys( self::get_allowed_meta( $post_type_slug ) );
+	}
+
+	/**
+	 * Returns all registered post meta entries that are exposed through abilities for a post type.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $post_type_slug The post type slug.
+	 * @return array<string, array<string, mixed>> Allowed meta registration args keyed by meta key.
+	 */
+	private static function get_allowed_meta( string $post_type_slug ): array {
+		$registered_meta = self::get_registered_meta_for_post_type( $post_type_slug );
+		$allowed         = array();
+
+		foreach ( $registered_meta as $key => $args ) {
+			if ( self::is_meta_enabled_in_abilities( $args ) ) {
+				$allowed[ $key ] = $args;
+			}
+		}
+
+		return $allowed;
+	}
+
+	/**
+	 * Returns all registered post meta entries for a post type, with subtype values overriding global ones.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $post_type_slug The post type slug.
+	 * @return array<string, array<string, mixed>> Registered meta args keyed by meta key.
+	 */
+	private static function get_registered_meta_for_post_type( string $post_type_slug ): array {
+		return array_merge(
 			get_registered_meta_keys( 'post' ),
 			get_registered_meta_keys( 'post', $post_type_slug )
 		);
+	}
 
-		$allowed = array();
-		foreach ( $registered_meta as $key => $args ) {
-			if ( ! empty( $args['show_in_abilities'] ) ) {
-				$allowed[] = $key;
+	/**
+	 * Determines whether a meta key is enabled for abilities.
+	 *
+	 * `show_in_abilities` can be either a boolean or an options array.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param array<string, mixed> $args Meta registration args.
+	 * @return bool True if enabled for abilities, false otherwise.
+	 */
+	private static function is_meta_enabled_in_abilities( array $args ): bool {
+		return ! empty( $args['show_in_abilities'] );
+	}
+
+	/**
+	 * Builds keyed value schema properties for meta keys that provide `show_in_abilities.schema`.
+	 *
+	 * Keys without a schema continue using the generic additionalProperties fallback.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $post_type_slug The post type slug.
+	 * @return array<string, array<string, mixed>> Value schema properties keyed by meta key.
+	 */
+	private static function get_meta_value_schema_properties( string $post_type_slug ): array {
+		$properties = array();
+
+		foreach ( self::get_allowed_meta( $post_type_slug ) as $key => $args ) {
+			if (
+				! is_array( $args['show_in_abilities'] )
+				|| ! isset( $args['show_in_abilities']['schema'] )
+				|| ! is_array( $args['show_in_abilities']['schema'] )
+			) {
+				continue;
 			}
+
+			$properties[ $key ] = self::build_meta_value_schema( $args );
+		}
+
+		ksort( $properties );
+
+		return $properties;
+	}
+
+	/**
+	 * Builds the value schema for a single meta key.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param array<string, mixed> $args Meta registration args.
+	 * @return array<string, mixed> JSON Schema for the meta value.
+	 */
+	private static function build_meta_value_schema( array $args ): array {
+		$schema = array(
+			'type' => ! empty( $args['type'] ) ? $args['type'] : 'string',
+		);
+
+		if ( ! empty( $args['label'] ) ) {
+			$schema['title'] = $args['label'];
+		}
+
+		if ( ! empty( $args['description'] ) ) {
+			$schema['description'] = $args['description'];
+		}
+
+		if ( array_key_exists( 'default', $args ) ) {
+			$schema['default'] = $args['default'];
+		}
+
+		$schema = array_merge( $schema, $args['show_in_abilities']['schema'] );
+
+		if ( empty( $args['single'] ) ) {
+			$schema = array(
+				'type'  => 'array',
+				'items' => $schema,
+			);
 		}
 
-		return array_unique( $allowed );
+		return $schema;
 	}
 
 	/**
diff --git a/src/wp-includes/meta.php b/src/wp-includes/meta.php
@@ -1425,7 +1425,9 @@ function sanitize_meta( $meta_key, $meta_value, $object_type, $object_subtype =
  *                                          support for custom fields for registered meta to be accessible via REST.
  *                                          When registering complex meta values this argument may optionally be an
  *                                          array with 'schema' or 'prepare_callback' keys instead of a boolean.
- *     @type bool       $show_in_abilities  Whether this meta key should be exposed through the Abilities API.
+ *     @type bool|array $show_in_abilities  Whether this meta key should be exposed through the Abilities API.
+ *                                          When registering complex meta values this argument may optionally be an
+ *                                          array with a 'schema' key instead of a boolean.
  *                                          Default false.
  *     @type bool       $revisions_enabled  Whether to enable revisions support for this meta_key. Can only be used when the
  *                                          object type is 'post'.
diff --git a/tests/phpunit/tests/abilities-api/wpPostTypeAbilitiesRest.php b/tests/phpunit/tests/abilities-api/wpPostTypeAbilitiesRest.php
@@ -172,6 +172,7 @@ public static function wpTearDownAfterClass(): void {
 		unregister_meta_key( 'post', 'c' );
 		unregister_meta_key( 'post', 'My.Key' );
 		unregister_meta_key( 'post', 'structured_object' );
+		unregister_meta_key( 'post', 'schema_constrained' );
 	}
 
 	/**
@@ -237,6 +238,20 @@ public function set_up(): void {
 				'show_in_abilities' => true,
 			)
 		);
+		register_meta(
+			'post',
+			'schema_constrained',
+			array(
+				'type'              => 'string',
+				'single'            => true,
+				'show_in_abilities' => array(
+					'schema' => array(
+						'type' => 'string',
+						'enum' => array( 'allowed' ),
+					),
+				),
+			)
+		);
 
 		$this->reregister_post_type_abilities();
 	}
@@ -722,6 +737,69 @@ public function test_meta_only_includes_show_in_abilities_registered_keys(): voi
 		$this->assertArrayNotHasKey( 'x', (array) $data['meta'] );
 	}
 
+	/**
+	 * Tests that a schema-based `show_in_abilities` registration is accepted for meta queries.
+	 *
+	 * @ticket 64606
+	 */
+	public function test_meta_query_with_schema_based_registration_succeeds(): void {
+		update_post_meta( self::$post_ids[1], 'schema_constrained', 'allowed' );
+
+		$response = $this->dispatch_get_ability(
+			array(
+				'query'    => array(
+					'meta' => array(
+						'queries' => array(
+							array(
+								'key'     => 'schema_constrained',
+								'compare' => '=',
+								'value'   => 'allowed',
+							),
+						),
+					),
+				),
+				'per_page' => 100,
+			)
+		);
+
+		$this->assertSame( 200, $response->get_status() );
+
+		$data     = $response->get_data();
+		$post_ids = $this->get_response_post_ids( $data );
+
+		$this->assertContains( self::$post_ids[1], $post_ids );
+	}
+
+	/**
+	 * Tests that `show_in_abilities.schema` is enforced when meta is included in output.
+	 *
+	 * @ticket 64606
+	 */
+	public function test_meta_include_with_schema_invalid_value_fails_output_validation(): void {
+		$post_id = self::factory()->post->create(
+			array(
+				'post_title'  => 'Post with invalid schema-constrained meta',
+				'post_status' => 'publish',
+			)
+		);
+		update_post_meta( $post_id, 'schema_constrained', 'blocked' );
+
+		$response = $this->dispatch_get_ability(
+			array(
+				'id'      => $post_id,
+				'include' => array( 'meta' => true ),
+			)
+		);
+
+		wp_delete_post( $post_id, true );
+
+		$this->assertSame( 500, $response->get_status() );
+		$data = $response->get_data();
+		$this->assertSame( 'ability_invalid_output', $data['code'] );
+		$this->assertStringContainsString( 'schema_constrained', $data['message'] );
+		$this->assertStringContainsString( 'output', $data['message'] );
+	}
+
 	/**
 	 * Tests that object-like meta values are allowed by the output schema.
 	 *
diff --git a/tests/phpunit/tests/meta/registerMeta.php b/tests/phpunit/tests/meta/registerMeta.php
@@ -80,6 +80,33 @@ public function test_register_meta_with_post_object_type_returns_true() {
 		$this->assertTrue( $result );
 	}
 
+	public function test_register_meta_with_show_in_abilities_schema() {
+		register_meta(
+			'post',
+			'flight_number',
+			array(
+				'show_in_abilities' => array(
+					'schema' => array(
+						'type' => 'string',
+						'enum' => array( 'Oceanic 815' ),
+					),
+				),
+			)
+		);
+		$meta_keys = get_registered_meta_keys( 'post' );
+		unregister_meta_key( 'post', 'flight_number' );
+
+		$this->assertSame(
+			array(
+				'schema' => array(
+					'type' => 'string',
+					'enum' => array( 'Oceanic 815' ),
+				),
+			),
+			$meta_keys['flight_number']['show_in_abilities']
+		);
+	}
+
 	public function test_register_meta_with_post_object_type_populates_wp_meta_keys() {
 		global $wp_meta_keys;
 
