Skip to content

REST API: Add Validation #1001

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
n7studios wants to merge 2 commits into
base: use-rest-api
Choose a base branch
from
+106 −1
Open

REST API: Add Validation #1001

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b74b6bf
REST API: Set required fields and validation
n7studios Jan 26, 2026
201dadd
Merge remote-tracking branch 'origin/use-rest-api' into use-rest-api-…
n7studios Jan 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions admin/class-convertkit-admin-refresh-resources.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,22 @@ public function register_routes() {
'/resources/refresh/(?P<resource>[a-zA-Z0-9-_]+)',
array(
'methods' => WP_REST_Server::CREATABLE,
'args' => array(
// Resource: Validate resource is included in the request, a valid resource
// and sanitize the resource.
'resource' => array(
'required' => true,
'validate_callback' => function ( $param ) {

return is_string( $param ) && in_array( $param, array( 'forms', 'landing_pages', 'tags', 'posts', 'products', 'restrict_content' ), true );

},
'sanitize_callback' => 'sanitize_text_field',
),
),
'callback' => array( $this, 'refresh_resources' ),

// Only refresh resources for users who can edit posts.
'permission_callback' => function () {
return current_user_can( 'edit_posts' );
},
Expand Down
1 change: 1 addition & 0 deletions includes/class-convertkit-gutenberg.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ public function register_routes() {
return rest_ensure_response( convertkit_get_blocks() );
},

// Only refresh resources for users who can edit posts.
'permission_callback' => function () {
return current_user_can( 'edit_posts' );
},
Expand Down
84 changes: 84 additions & 0 deletions includes/class-convertkit-output-restrict-content.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,52 @@ public function register_routes() {
'/restrict-content/subscriber-authentication',
array(
'methods' => WP_REST_Server::CREATABLE,
'args' => array(
// Email: Validate email is included in the request, is a valid email address
// and sanitize the email address.
'convertkit_email' => array(
'required' => true,
'validate_callback' => function ( $param ) {

return is_string( $param ) && is_email( $param );

},
'sanitize_callback' => 'sanitize_email',
),

// Post ID: Validate post ID is included in the request and is an integer.
'convertkit_post_id' => array(
'required' => true,
'validate_callback' => function ( $param ) {

return is_numeric( $param );

},
'sanitize_callback' => 'absint',
),

// Resource Type: Validate resource type is included in the request and is a string.
'convertkit_resource_type' => array(
'required' => true,
'validate_callback' => function ( $param ) {

return is_string( $param );

},
'sanitize_callback' => 'sanitize_text_field',
),

// Resource ID: Validate resource ID is included in the request and is an integer.
'convertkit_resource_id' => array(
'required' => true,
'validate_callback' => function ( $param ) {

return is_numeric( $param );

},
'sanitize_callback' => 'absint',
),
),
'callback' => function ( $request ) {

// Initialize classes that will be used.
Expand Down Expand Up @@ -181,6 +227,8 @@ public function register_routes() {
)
);
},

// No authentication required, as this is on the frontend site.
'permission_callback' => '__return_true',
)
);
Expand All @@ -191,6 +239,40 @@ public function register_routes() {
'/restrict-content/subscriber-verification',
array(
'methods' => WP_REST_Server::CREATABLE,
'args' => array(
// Post ID: Validate post ID is an integer if included in the request.
'convertkit_post_id' => array(
'required' => false,
'validate_callback' => function ( $param ) {

return is_numeric( $param );

},
'sanitize_callback' => 'absint',
),

// Token: Validate token is included in the request and is a string.
'token' => array(
'required' => true,
'validate_callback' => function ( $param ) {

return is_string( $param );

},
'sanitize_callback' => 'sanitize_text_field',
),

// Subscriber Code: Validate subscriber code is included in the request and is a string.
'subscriber_code' => array(
'required' => true,
'validate_callback' => function ( $param ) {

return is_string( $param );

},
'sanitize_callback' => 'sanitize_text_field',
),
),
'callback' => function ( $request ) {

// Initialize classes that will be used.
Expand Down Expand Up @@ -234,6 +316,8 @@ public function register_routes() {
)
);
},

// No authentication required, as this is on the frontend site.
'permission_callback' => '__return_true',
)
);
Expand Down
7 changes: 6 additions & 1 deletion tests/Integration/RESTAPITest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,12 @@ public function testRefreshResourcesWithInvalidResourceType()
$response = rest_get_server()->dispatch( $request );

// Assert response is unsuccessful.
$this->assertSame( 500, $response->get_status() );
$this->assertSame( 400, $response->get_status() );

// Assert response data has the expected keys and data.
$data = $response->get_data();
$this->assertEquals( 'rest_invalid_param', $data['code'] );
$this->assertEquals( 'Invalid parameter(s): resource', $data['message'] );
}

/**
Expand Down