Collaboration: Harden storage layer and REST schema

- Document intentional omission of hooks/filters in storage class
  (polling frequency makes hook overhead unacceptable)
- Document capability model in check_permissions: access follows
  existing edit capabilities, no dedicated collaborate cap
- Replace current_time('mysql', true) with gmdate() in storage
  to match cron cleanup and avoid pre_get_current_time filter drift
- Include $wpdb->last_error in storage failure WP_Error responses
  so DB-level failures are diagnosable without SAVEQUERIES
- Add maxLength (1 MB) to the update data field in REST schema
  to prevent unbounded payloads on a high-frequency endpoint
- Fix missing period in permission error message

Author: josephfusco

src/wp-includes/collaboration/class-wp-collaboration-table-storage.php

@@ -12,6 +12,10 @@
  *
  * Data is stored in the `collaboration` and `awareness` database tables.
  *
+ * This class intentionally fires no actions or filters. Collaboration
+ * queries run on every poll (0.5–1 s per editor tab), so hook overhead
+ * would degrade the real-time editing loop for all active sessions.
+ *
  * @since 7.0.0
  *
  * @access private
@@ -54,7 +58,7 @@ public function add_update( string $room, $update ): bool {
 			array(
 				'room'         => $room,
 				'update_value' => wp_json_encode( $update ),
-				'created_at'   => current_time( 'mysql', true ),
+				'created_at'   => gmdate( 'Y-m-d H:i:s' ),
 			),
 			array( '%s', '%s', '%s' )
 		);
@@ -266,7 +270,7 @@ public function set_awareness_state( string $room, int $client_id, array $state,
 				$client_id,
 				$wp_user_id,
 				$update_value,
-				current_time( 'mysql', true )
+				gmdate( 'Y-m-d H:i:s' )
 			)
 		);
 

src/wp-includes/collaboration/class-wp-http-polling-collaboration-server.php

@@ -98,8 +98,9 @@ public function register_routes(): void {
 		$typed_update_args = array(
 			'properties' => array(
 				'data' => array(
-					'type'     => 'string',
-					'required' => true,
+					'type'      => 'string',
+					'required'  => true,
+					'maxLength' => 1048576, // 1 MB — generous ceiling for base64-encoded Yjs updates.
 				),
 				'type' => array(
 					'type'     => 'string',
@@ -185,6 +186,11 @@ public function register_routes(): void {
 	/**
 	 * Checks if the current user has permission to access a room.
 	 *
+	 * Requires `edit_posts` (contributor+), then delegates to
+	 * can_user_collaborate_on_entity_type() for per-entity checks.
+	 * There is no dedicated `collaborate` capability; access follows
+	 * existing edit capabilities for the entity type.
+	 *
 	 * @since 7.0.0
 	 *
 	 * @param WP_REST_Request $request The REST request.
@@ -195,7 +201,7 @@ public function check_permissions( WP_REST_Request $request ) {
 		if ( ! current_user_can( 'edit_posts' ) ) {
 			return new WP_Error(
 				'rest_cannot_edit',
-				__( 'You do not have permission to perform this action' ),
+				__( 'You do not have permission to perform this action.' ),
 				array( 'status' => rest_authorization_required_code() )
 			);
 		}
@@ -446,10 +452,14 @@ private function process_collaboration_update( string $room, int $client_id, int
 
 				if ( ! $has_newer_compaction ) {
 					if ( ! $this->storage->remove_updates_before_cursor( $room, $cursor ) ) {
+						global $wpdb;
 						return new WP_Error(
 							'rest_collaboration_storage_error',
 							__( 'Failed to remove updates during compaction.' ),
-							array( 'status' => 500 )
+							array(
+								'status'   => 500,
+								'db_error' => $wpdb->last_error,
+							)
 						);
 					}
 
@@ -501,10 +511,14 @@ private function add_update( string $room, int $client_id, string $type, string
 		);
 
 		if ( ! $this->storage->add_update( $room, $update ) ) {
+			global $wpdb;
 			return new WP_Error(
 				'rest_collaboration_storage_error',
 				__( 'Failed to store collaboration update.' ),
-				array( 'status' => 500 )
+				array(
+					'status'   => 500,
+					'db_error' => $wpdb->last_error,
+				)
 			);
 		}