Abilities API: Harden ability schema preparation for REST responses

gziolo · gziolo · commit b226691d4b1d · 2026-05-28T08:14:31.000Z
Merge `normalize_schema_empty_object_defaults()` and `strip_internal_schema_keywords()` into a single recursive `prepare_schema_for_response()` helper on `WP_REST_Abilities_V1_List_Controller`. Empty object defaults now normalize to `stdClass` at every depth — not just the top level — so nested `{}` defaults serialize consistently alongside the existing internal-keyword stripping. Follow-up to [62221], [61244]. Props gziolo, westonruter. See #64955. git-svn-id: https://develop.svn.wordpress.org/trunk@62427 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-abilities-v1-list-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-abilities-v1-list-controller.php
@@ -188,27 +188,6 @@ public function get_item_permissions_check( $request ) {
 		return current_user_can( 'read' );
 	}
 
-	/**
-	 * Normalizes schema empty object defaults.
-	 *
-	 * Converts empty array defaults to objects when the schema type is 'object'
-	 * to ensure proper JSON serialization as {} instead of [].
-	 *
-	 * @since 6.9.0
-	 *
-	 * @param array<string, mixed> $schema The schema array.
-	 * @return array<string, mixed> The normalized schema.
-	 */
-	private function normalize_schema_empty_object_defaults( array $schema ): array {
-		if ( isset( $schema['type'] ) && 'object' === $schema['type'] && isset( $schema['default'] ) ) {
-			$default = $schema['default'];
-			if ( is_array( $default ) && empty( $default ) ) {
-				$schema['default'] = (object) $default;
-			}
-		}
-		return $schema;
-	}
-
 	/**
 	 * WordPress-internal schema keywords to strip from REST responses.
 	 *
@@ -222,19 +201,42 @@ private function normalize_schema_empty_object_defaults( array $schema ): array
 	);
 
 	/**
-	 * Recursively removes WordPress-internal keywords from a schema.
+	 * Determines whether the value is an associative array.
+	 *
+	 * @since 7.1.0
+	 *
+	 * @param mixed $value Value.
+	 * @return bool Whether it is associative array.
+	 *
+	 * @phpstan-assert-if-true array<string, mixed> $value
+	 */
+	private function is_associative_array( $value ): bool {
+		return is_array( $value ) && ! wp_is_numeric_array( $value );
+	}
+
+	/**
+	 * Transforms an ability schema for REST response output.
 	 *
 	 * Ability schemas may include WordPress-internal properties like
 	 * `sanitize_callback`, `validate_callback`, and `arg_options` that are
 	 * used server-side but are not valid JSON Schema keywords. This method
 	 * removes those specific keys so they are not exposed in REST responses.
+	 * It also converts empty array defaults to objects when the schema type is
+	 * 'object' to ensure proper JSON serialization as {} instead of [].
 	 *
-	 * @since 7.0.0
+	 * @since 7.1.0
 	 *
 	 * @param array<string, mixed> $schema The schema array.
-	 * @return array<string, mixed> The schema without WordPress-internal keywords.
+	 * @return array<string, mixed> The transformed schema.
 	 */
-	private function strip_internal_schema_keywords( array $schema ): array {
+	private function prepare_schema_for_response( array $schema ): array {
+		if ( isset( $schema['type'] ) && 'object' === $schema['type'] && isset( $schema['default'] ) ) {
+			$default = $schema['default'];
+			if ( is_array( $default ) && empty( $default ) ) {
+				$schema['default'] = (object) $default;
+			}
+		}
+
 		$schema = array_diff_key( $schema, self::INTERNAL_SCHEMA_KEYWORDS );
 
 		// Sub-schema maps: keys are user-defined, values are sub-schemas.
@@ -243,39 +245,39 @@ private function strip_internal_schema_keywords( array $schema ): array {
 		foreach ( array( 'properties', 'patternProperties', 'definitions', 'dependencies' ) as $keyword ) {
 			if ( isset( $schema[ $keyword ] ) && is_array( $schema[ $keyword ] ) ) {
 				foreach ( $schema[ $keyword ] as $key => $child_schema ) {
-					if ( is_array( $child_schema ) && ! wp_is_numeric_array( $child_schema ) ) {
-						$schema[ $keyword ][ $key ] = $this->strip_internal_schema_keywords( $child_schema );
+					if ( $this->is_associative_array( $child_schema ) ) {
+						$schema[ $keyword ][ $key ] = $this->prepare_schema_for_response( $child_schema );
 					}
 				}
 			}
 		}
 
 		// Single sub-schema keywords.
 		foreach ( array( 'not', 'additionalProperties', 'additionalItems' ) as $keyword ) {
-			if ( isset( $schema[ $keyword ] ) && is_array( $schema[ $keyword ] ) ) {
-				$schema[ $keyword ] = $this->strip_internal_schema_keywords( $schema[ $keyword ] );
+			if ( isset( $schema[ $keyword ] ) && $this->is_associative_array( $schema[ $keyword ] ) ) {
+				$schema[ $keyword ] = $this->prepare_schema_for_response( $schema[ $keyword ] );
 			}
 		}
 
 		// Items: single schema or tuple array of schemas.
-		if ( isset( $schema['items'] ) ) {
-			if ( wp_is_numeric_array( $schema['items'] ) ) {
+		if ( isset( $schema['items'] ) && is_array( $schema['items'] ) ) {
+			if ( $this->is_associative_array( $schema['items'] ) ) {
+				$schema['items'] = $this->prepare_schema_for_response( $schema['items'] );
+			} else {
 				foreach ( $schema['items'] as $index => $item_schema ) {
-					if ( is_array( $item_schema ) ) {
-						$schema['items'][ $index ] = $this->strip_internal_schema_keywords( $item_schema );
+					if ( $this->is_associative_array( $item_schema ) ) {
+						$schema['items'][ $index ] = $this->prepare_schema_for_response( $item_schema );
 					}
 				}
-			} elseif ( is_array( $schema['items'] ) ) {
-				$schema['items'] = $this->strip_internal_schema_keywords( $schema['items'] );
 			}
 		}
 
 		// Array-of-schemas keywords.
 		foreach ( array( 'anyOf', 'oneOf', 'allOf' ) as $keyword ) {
 			if ( isset( $schema[ $keyword ] ) && is_array( $schema[ $keyword ] ) ) {
 				foreach ( $schema[ $keyword ] as $index => $sub_schema ) {
-					if ( is_array( $sub_schema ) ) {
-						$schema[ $keyword ][ $index ] = $this->strip_internal_schema_keywords( $sub_schema );
+					if ( $this->is_associative_array( $sub_schema ) ) {
+						$schema[ $keyword ][ $index ] = $this->prepare_schema_for_response( $sub_schema );
 					}
 				}
 			}
@@ -299,12 +301,8 @@ public function prepare_item_for_response( $ability, $request ) {
 			'label'         => $ability->get_label(),
 			'description'   => $ability->get_description(),
 			'category'      => $ability->get_category(),
-			'input_schema'  => $this->strip_internal_schema_keywords(
-				$this->normalize_schema_empty_object_defaults( $ability->get_input_schema() )
-			),
-			'output_schema' => $this->strip_internal_schema_keywords(
-				$this->normalize_schema_empty_object_defaults( $ability->get_output_schema() )
-			),
+			'input_schema'  => $this->prepare_schema_for_response( $ability->get_input_schema() ),
+			'output_schema' => $this->prepare_schema_for_response( $ability->get_output_schema() ),
 			'meta'          => $ability->get_meta(),
 		);
 
diff --git a/tests/phpunit/tests/rest-api/wpRestAbilitiesV1ListController.php b/tests/phpunit/tests/rest-api/wpRestAbilitiesV1ListController.php
@@ -890,6 +890,62 @@ public function test_internal_schema_keywords_stripped_from_response(): void {
 		$this->assertSame( 'string', $data['output_schema']['type'] );
 	}
 
+	/**
+	 * Test that nested empty object defaults are prepared as objects in REST response schemas.
+	 *
+	 * @ticket 64955
+	 */
+	public function test_nested_empty_object_schema_defaults_prepared_for_response(): void {
+		$this->register_test_ability(
+			'test/nested-object-defaults',
+			array(
+				'label'               => 'Test Nested Object Defaults',
+				'description'         => 'Tests preparing nested empty object defaults.',
+				'category'            => 'general',
+				'input_schema'        => array(
+					'type'       => 'object',
+					'properties' => array(
+						'settings' => array(
+							'type'       => 'object',
+							'default'    => array(),
+							'properties' => array(
+								'options' => array(
+									'type'    => 'object',
+									'default' => array(),
+								),
+							),
+						),
+					),
+				),
+				'output_schema'       => array(
+					'type'       => 'object',
+					'properties' => array(
+						'result' => array(
+							'type'    => 'object',
+							'default' => array(),
+						),
+					),
+				),
+				'execute_callback'    => static function (): array {
+					return array();
+				},
+				'permission_callback' => '__return_true',
+				'meta'                => array( 'show_in_rest' => true ),
+			)
+		);
+
+		$request  = new WP_REST_Request( 'GET', '/wp-abilities/v1/abilities/test/nested-object-defaults' );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertSame( 200, $response->get_status() );
+
+		$data = $response->get_data();
+
+		$this->assertEquals( new stdClass(), $data['input_schema']['properties']['settings']['default'] );
+		$this->assertEquals( new stdClass(), $data['input_schema']['properties']['settings']['properties']['options']['default'] );
+		$this->assertEquals( new stdClass(), $data['output_schema']['properties']['result']['default'] );
+	}
+
 	/**
 	 * Test that internal schema keywords are stripped from nested sub-schema locations.
 	 *
