Abilities: normalize core/get-user output coercion

Author: jorgefilipecosta

src/wp-includes/abilities/class-wp-users-abilities.php

@@ -161,12 +161,12 @@ private static function get_user_output_schema(): array {
 				'id',
 				'username',
 			),
-				'properties'           => array(
-					'avatar_urls'     => $avatar_urls_schema,
-					'capabilities'    => array(
-						'type'        => 'object',
-						'description' => __( 'All capabilities assigned to the user. Only included if include_capabilities is true and the current user can view them.' ),
-					),
+			'properties'           => array(
+				'avatar_urls'     => $avatar_urls_schema,
+				'capabilities'    => array(
+					'type'        => 'object',
+					'description' => __( 'All capabilities assigned to the user. Only included if include_capabilities is true and the current user can view them.' ),
+				),
 				'description'     => array(
 					'type'        => 'string',
 					'description' => __( 'Description of the user.' ),
@@ -211,13 +211,13 @@ private static function get_user_output_schema(): array {
 					'format'      => 'date-time',
 					'description' => __( 'Registration date for the user in ISO 8601 format.' ),
 				),
-					'roles'           => array(
-						'type'        => 'array',
-						'description' => __( 'Roles assigned to the user when the current user can view them.' ),
-						'items'       => array(
-							'type' => 'string',
-						),
+				'roles'           => array(
+					'type'        => 'array',
+					'description' => __( 'Roles assigned to the user when the current user can view them.' ),
+					'items'       => array(
+						'type' => 'string',
 					),
+				),
 				'slug'            => array(
 					'type'        => 'string',
 					'description' => __( 'An alphanumeric identifier for the user.' ),
@@ -236,6 +236,44 @@ private static function get_user_output_schema(): array {
 		);
 	}
 
+	/**
+	 * Normalizes capabilities into an object with boolean values.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param mixed $capabilities Capabilities map.
+	 * @return object Normalized capabilities.
+	 */
+	private static function normalize_capabilities( $capabilities ): object {
+		$normalized = array();
+
+		foreach ( (array) $capabilities as $capability => $granted ) {
+			$normalized[ (string) $capability ] = rest_sanitize_boolean( $granted );
+		}
+
+		return (object) $normalized;
+	}
+
+	/**
+	 * Normalizes a list of values into an array of strings.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param mixed $values Values to normalize.
+	 * @return array<int, string> Normalized string list.
+	 */
+	private static function normalize_string_list( $values ): array {
+		$normalized = array();
+
+		foreach ( (array) $values as $value ) {
+			if ( null === $value || is_scalar( $value ) || ( is_object( $value ) && is_callable( array( $value, '__toString' ) ) ) ) {
+				$normalized[] = (string) $value;
+			}
+		}
+
+		return $normalized;
+	}
+
 	/**
 	 * Finds a user by id, username, or email from input parameters.
 	 *
@@ -300,42 +338,47 @@ public static function check_get_user_permission( array $input = array() ): bool
 	 */
 	public static function execute_get_user( array $input = array() ) {
 		$input                = is_array( $input ) ? $input : array();
-		$include_capabilities = ! empty( $input['include_capabilities'] ) && ( true === $input['include_capabilities'] || 'true' === $input['include_capabilities'] );
+		$include_capabilities = array_key_exists( 'include_capabilities', $input ) ? rest_sanitize_boolean( $input['include_capabilities'] ) : false;
 
 		$user = self::find_user( $input );
 
 		if ( ! $user || ! $user->exists() ) {
 			return new WP_Error( 'user_not_found', __( 'User not found.' ), array( 'status' => 404 ) );
 		}
 
+		$user_id                        = (int) $user->ID;
 		$can_view_sensitive_user_fields = self::can_view_sensitive_user_fields( $user );
 
 		$result = array(
-			'id'           => $user->ID,
-			'display_name' => $user->display_name,
-			'description'  => $user->description,
-			'url'          => $user->user_url,
-			'link'         => get_author_posts_url( $user->ID, $user->user_nicename ),
-			'slug'         => $user->user_nicename,
+			'id'           => $user_id,
+			'display_name' => (string) $user->display_name,
+			'description'  => (string) $user->description,
+			'url'          => (string) $user->user_url,
+			'link'         => (string) get_author_posts_url( $user_id, $user->user_nicename ),
+			'slug'         => (string) $user->user_nicename,
 			'avatar_urls'  => rest_get_avatar_urls( $user ),
 		);
 
 		if ( $can_view_sensitive_user_fields ) {
-			$result['username']        = $user->user_login;
-			$result['email']           = $user->user_email;
-			$result['first_name']      = $user->first_name;
-			$result['last_name']       = $user->last_name;
-			$result['nickname']        = $user->nickname;
-			$result['registered_date'] = gmdate( 'c', strtotime( $user->user_registered ) );
-			$result['locale']          = get_user_locale( $user );
+			$result['username']   = (string) $user->user_login;
+			$result['email']      = (string) $user->user_email;
+			$result['first_name'] = (string) $user->first_name;
+			$result['last_name']  = (string) $user->last_name;
+			$result['nickname']   = (string) $user->nickname;
+			$result['locale']     = (string) get_user_locale( $user );
+
+			$registered_timestamp = strtotime( (string) $user->user_registered );
+			if ( false !== $registered_timestamp ) {
+				$result['registered_date'] = gmdate( 'c', $registered_timestamp );
+			}
 		}
 
 		if ( self::can_view_user_roles( $user ) ) {
-			$result['roles'] = array_values( $user->roles );
+			$result['roles'] = self::normalize_string_list( $user->roles );
 		}
 
 		if ( $include_capabilities && $can_view_sensitive_user_fields ) {
-			$result['capabilities'] = (object) $user->allcaps;
+			$result['capabilities'] = self::normalize_capabilities( $user->allcaps );
 		}
 
 		return $result;

tests/phpunit/tests/abilities-api/wpRegisterCoreAbilities.php

@@ -154,6 +154,108 @@ public function test_core_get_current_user_info_returns_user_data(): void {
 		$this->assertSame( get_userdata( $user_id )->display_name, $result['display_name'] );
 	}
 
+	/**
+	 * Tests boolean-like include_capabilities values for the get-user ability.
+	 * @ticket 64146
+	 */
+	public function test_core_get_user_include_capabilities_accepts_boolean_like_values(): void {
+		$user_id = self::factory()->user->create( array( 'role' => 'subscriber' ) );
+
+		wp_set_current_user( $user_id );
+
+		$ability = wp_get_ability( 'core/get-user' );
+
+		$result = $ability->execute(
+			array(
+				'id'                   => $user_id,
+				'include_capabilities' => '1',
+			)
+		);
+		$this->assertIsArray( $result );
+		$this->assertArrayHasKey( 'capabilities', $result );
+
+		$result = $ability->execute(
+			array(
+				'id'                   => $user_id,
+				'include_capabilities' => 1,
+			)
+		);
+		$this->assertIsArray( $result );
+		$this->assertArrayHasKey( 'capabilities', $result );
+
+		$result = $ability->execute(
+			array(
+				'id'                   => $user_id,
+				'include_capabilities' => '0',
+			)
+		);
+		$this->assertIsArray( $result );
+		$this->assertArrayNotHasKey( 'capabilities', $result );
+	}
+
+	/**
+	 * Tests get-user output is normalized to the declared schema types.
+	 * @ticket 64146
+	 */
+	public function test_core_get_user_output_is_normalized_to_schema_types(): void {
+		$user_id = self::factory()->user->create( array( 'role' => 'subscriber' ) );
+
+		wp_set_current_user( $user_id );
+
+		$ability = wp_get_ability( 'core/get-user' );
+
+		$capability_filter = static function ( $allcaps, $caps, $args, $user ) use ( $user_id ) {
+			if ( $user_id === (int) $user->ID ) {
+				$allcaps['custom_capability_flag'] = '1';
+			}
+
+			return $allcaps;
+		};
+		add_filter( 'user_has_cap', $capability_filter, 10, 4 );
+
+		try {
+			$result = $ability->execute(
+				array(
+					'id'                   => $user_id,
+					'include_capabilities' => 1,
+				)
+			);
+		} finally {
+			remove_filter( 'user_has_cap', $capability_filter, 10 );
+		}
+
+		$this->assertIsArray( $result );
+		$this->assertIsInt( $result['id'] );
+		$this->assertIsString( $result['display_name'] );
+		$this->assertIsString( $result['description'] );
+		$this->assertIsString( $result['url'] );
+		$this->assertIsString( $result['link'] );
+		$this->assertIsString( $result['slug'] );
+		$this->assertIsString( $result['username'] );
+		$this->assertIsString( $result['email'] );
+		$this->assertIsString( $result['first_name'] );
+		$this->assertIsString( $result['last_name'] );
+		$this->assertIsString( $result['nickname'] );
+		$this->assertIsString( $result['locale'] );
+		$this->assertIsString( $result['registered_date'] );
+		$this->assertNotFalse( rest_parse_date( $result['registered_date'] ) );
+
+		$this->assertIsArray( $result['roles'] );
+		foreach ( $result['roles'] as $role ) {
+			$this->assertIsString( $role );
+		}
+
+		$this->assertIsArray( $result['avatar_urls'] );
+		foreach ( $result['avatar_urls'] as $avatar_url ) {
+			$this->assertIsString( $avatar_url );
+		}
+
+		$this->assertIsObject( $result['capabilities'] );
+		$this->assertObjectHasProperty( 'custom_capability_flag', $result['capabilities'] );
+		$this->assertIsBool( $result['capabilities']->custom_capability_flag );
+		$this->assertTrue( $result['capabilities']->custom_capability_flag );
+	}
+
 	/**
 	 * Tests executing the environment info ability.
 	 * @ticket 64146