From a22859e48713321d712d8900267a9880a35250ce Mon Sep 17 00:00:00 2001
From: Soare Robert-Daniel <soare.robert.daniel@protonmail.com>
Date: Fri, 10 Oct 2025 12:07:33 +0300
Subject: [PATCH 1/3] fix: permission issues for move_image and PHPStan types

---
 inc/rest.php | 209 ++++++++++++++++++++++++++++++++-------------------
 phpstan.neon |   6 ++
 2 files changed, 138 insertions(+), 77 deletions(-)

diff --git a/inc/rest.php b/inc/rest.php
index b2acaf62..731e9b90 100644
--- a/inc/rest.php
+++ b/inc/rest.php
@@ -28,53 +28,67 @@ class Optml_Rest {
 	/**
 	 * Upload conflicts api.
 	 *
-	 * @var array upload_conflicts_api.
+	 * @var array{
+	 *     service_routes: RestRouteMap,
+	 *     image_routes: RestRouteMap,
+	 *     media_cloud_routes: RestRouteMap,
+	 *     conflict_routes: SimpleRouteMap,
+	 *     cache_routes: SimpleRouteMap,
+	 *     dam_routes: RestRouteMap,
+	 *     notification_dismiss_routes: RestRouteMap,
+	 *     optimization_routes: RestRouteMap
+	 * }
 	 */
 	public static $rest_routes = [
 		'service_routes' => [
-			'update_option' => 'POST', 'request_update' => 'GET', 'check_redirects' => 'POST_PUT_PATCH',
-				'connect' => [
-		'POST', 'args'  => [
-							'api_key' => [
-								'type'     => 'string',
-								'required' => true,
-							],
-						],
+			'update_option' => 'POST',
+			'request_update' => 'GET',
+			'check_redirects' => 'POST_PUT_PATCH',
+			'connect' => [
+				'POST',
+				'args'  => [
+					'api_key' => [
+						'type'     => 'string',
+						'required' => true,
 					],
-				'select_application' => [
-			'POST', 'args'  => [
-						'api_key' => [
-							'type'     => 'string',
-							'required' => true,
-						],
-						'application' => [
-							'type'     => 'string',
-							'required' => true,
-						],
 				],
+			],
+			'select_application' => [
+				'POST',
+				'args'  => [
+					'api_key' => [
+						'type'     => 'string',
+						'required' => true,
+					],
+					'application' => [
+						'type'     => 'string',
+						'required' => true,
+					],
 				],
-				'register_service' => [
-			'POST', 'args' => [
-						'email' => [
-							'type'     => 'string',
-							'required' => true,
-						],
+			],
+			'register_service' => [
+				'POST',
+				'args' => [
+					'email' => [
+						'type'     => 'string',
+						'required' => true,
 					],
-
 				],
-				'disconnect' => 'GET',
+			],
+			'disconnect' => 'GET',
 		],
 		'image_routes' => [
 			'poll_optimized_images' => 'GET',
 			'get_sample_rate' => 'POST',
 			'upload_onboard_images' => [
-				'POST', 'args'  => [
-						'offset' => [
-							'type'     => 'number',
-							'required' => false,
-							'default'  => 0,
-						],
+				'POST',
+				'args'  => [
+					'offset' => [
+						'type'     => 'number',
+						'required' => false,
+						'default'  => 0,
 					],
+				],
 			],
 		],
 		'media_cloud_routes' => [
@@ -93,7 +107,7 @@ class Optml_Rest {
 						'required' => true,
 					],
 				],
-				'permission_callback' => 'upload_files',
+				'permission_callback' => [ __CLASS__, 'can_move_image' ],
 			],
 		],
 		'conflict_routes' => [
@@ -158,43 +172,63 @@ public function __construct() {
 	}
 
 	/**
-	 * Method to register a specific rest route.
+	 * Method to register a specific REST route.
+	 *
+	 * @param string          $route                The route name.
+	 * @param string          $method               The route access method: GET, POST, POST_PUT_PATCH.
+	 * @param array           $args                 Optional arguments for route parameters.
+	 * @param string|callable $permission_callback Permission callback function or capability.
+	 *
+	 * @phpstan-param RestArgs $args                 Optional arguments for route parameters.
+	 *
+	 * @throws \InvalidArgumentException If method is invalid.
 	 *
-	 * @param string $route The route name.
-	 * @param string $method The route access method GET, POST, POST_PUT_PATCH.
-	 * @param array  $args Optional argument to include required args.
-	 * @param string $permission_callback Optional permission callback.
+	 * @return void
 	 */
-	private function reqister_route( $route, $method = 'GET', $args = [], $permission_callback = 'manage_options' ) {
-		$wp_method_constant = false;
-		if ( $method === 'GET' ) {
-			$wp_method_constant = \WP_REST_Server::READABLE;
-		}
-		if ( $method === 'POST' ) {
-			$wp_method_constant = \WP_REST_Server::CREATABLE;
-		}
-		if ( $method === 'POST_PUT_PATCH' ) {
-			$wp_method_constant = \WP_REST_Server::EDITABLE;
+	private function register_route( $route, $method = 'GET', $args = [], $permission_callback = 'manage_options' ) {
+		if ( empty( $route ) ) {
+			return;
 		}
-		if ( $wp_method_constant !== false ) {
-			$params = [
-				'methods'             => $wp_method_constant,
-				'permission_callback' => function_exists( $permission_callback ) ? $permission_callback : function () use ( $permission_callback ) {
-					return current_user_can( $permission_callback );
-				},
-				'callback'            => [ $this, $route ],
-			];
-			if ( ! empty( $args ) ) {
-				$params['args'] = $args;
-			}
-			register_rest_route(
-				$this->namespace,
-				'/' . $route,
-				[
-					$params,
-				]
+
+		$method_map = [
+			'GET'            => \WP_REST_Server::READABLE,
+			'POST'           => \WP_REST_Server::CREATABLE,
+			'POST_PUT_PATCH' => \WP_REST_Server::EDITABLE,
+		];
+
+		if ( ! isset( $method_map[ $method ] ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				sprintf( 'Invalid REST method: %s', esc_html( $method ) ),
+				'1.0.0'
 			);
+			return;
 		}
+
+		$permission = is_callable( $permission_callback )
+			? $permission_callback
+			: function () use ( $permission_callback ) {
+				if ( ! is_string( $permission_callback ) ) {
+					return false;
+				}
+				return current_user_can( $permission_callback );
+			};
+
+		$params = [
+			'methods'             => $method_map[ $method ],
+			'permission_callback' => $permission,
+			'callback'            => [ $this, $route ],
+		];
+
+		if ( ! empty( $args ) ) {
+			$params['args'] = $args;
+		}
+
+		register_rest_route(
+			$this->namespace,
+			'/' . $route,
+			[ $params ]
+		);
 	}
 
 	/**
@@ -219,9 +253,9 @@ public function register() {
 	public function register_service_routes() {
 		foreach ( self::$rest_routes['service_routes'] as $route => $details ) {
 			if ( is_array( $details ) ) {
-				$this->reqister_route( $route, $details[0], $details['args'] );
+				$this->register_route( $route, $details[0], $details['args'] );
 			} else {
-				$this->reqister_route( $route, $details );
+				$this->register_route( $route, $details );
 			}
 		}
 	}
@@ -232,9 +266,9 @@ public function register_service_routes() {
 	public function register_image_routes() {
 		foreach ( self::$rest_routes['image_routes'] as $route => $details ) {
 			if ( is_array( $details ) ) {
-				$this->reqister_route( $route, $details[0], $details['args'] );
+				$this->register_route( $route, $details[0], $details['args'] );
 			} else {
-				$this->reqister_route( $route, $details );
+				$this->register_route( $route, $details );
 			}
 		}
 	}
@@ -246,7 +280,7 @@ public function register_media_offload_routes() {
 
 			$permission = isset( $details['permission_callback'] ) ? $details['permission_callback'] : 'manage_options';
 			$args       = isset( $details['args'] ) ? $details['args'] : [];
-			$this->reqister_route( $route, is_array( $details ) ? $details[0] : $details, $args, $permission );
+			$this->register_route( $route, is_array( $details ) ? $details[0] : $details, $args, $permission );
 		}
 	}
 
@@ -256,7 +290,7 @@ public function register_media_offload_routes() {
 	 */
 	public function register_conflict_routes() {
 		foreach ( self::$rest_routes['conflict_routes'] as $route => $details ) {
-			$this->reqister_route( $route, $details );
+			$this->register_route( $route, $details );
 		}
 	}
 
@@ -265,7 +299,7 @@ public function register_conflict_routes() {
 	 */
 	public function register_cache_routes() {
 		foreach ( self::$rest_routes['cache_routes'] as $route => $details ) {
-			$this->reqister_route( $route, $details );
+			$this->register_route( $route, $details );
 		}
 	}
 
@@ -278,7 +312,7 @@ public function register_dam_routes() {
 		foreach ( self::$rest_routes['dam_routes'] as $route => $details ) {
 			$permission = isset( $details['permission_callback'] ) ? $details['permission_callback'] : 'manage_options';
 			$args       = isset( $details['args'] ) ? $details['args'] : [];
-			$this->reqister_route( $route, $details[0], $args, $permission );
+			$this->register_route( $route, $details[0], $args, $permission );
 		}
 	}
 
@@ -289,7 +323,7 @@ public function register_dam_routes() {
 	 */
 	public function register_notification_routes() {
 		foreach ( self::$rest_routes['notification_dismiss_routes'] as $route => $details ) {
-			$this->reqister_route( $route, $details[0], isset( $details['args'] ) ? $details['args'] : [] );
+			$this->register_route( $route, $details[0], isset( $details['args'] ) ? $details['args'] : [] );
 		}
 	}
 
@@ -1051,7 +1085,7 @@ function ( $url ) {
 	 */
 	public function register_optimization_routes() {
 		foreach ( self::$rest_routes['optimization_routes'] as $route => $details ) {
-			$this->reqister_route( $route, $details[0], $details['args'], $details['permission_callback'] );
+			$this->register_route( $route, $details[0], $details['args'], $details['permission_callback'] );
 		}
 	}
 
@@ -1063,7 +1097,7 @@ public function register_optimization_routes() {
 	 * @return WP_REST_Response
 	 */
 	public function move_image( WP_REST_Request $request ) {
-		$id = $request->get_param( 'id' );
+		$id     = $request->get_param( 'id' );
 		$action = $request->get_param( 'action' );
 
 		if ( $request->get_param( 'status' ) === 'start' ) {
@@ -1087,4 +1121,25 @@ public function move_image( WP_REST_Request $request ) {
 
 		return $this->response( [ $id,$action ], $result );
 	}
+
+	/**
+	 * Check if user can move image to/from cloud.
+	 *
+	 * @param WP_REST_Request $request Rest request.
+	 * @phpstan-param WP_REST_Request<array{id: int, action: string}> $request Rest request.
+	 * @return bool True if user can move image, false otherwise.
+	 */
+	public static function can_move_image( WP_REST_Request $request ) {
+
+		if ( ! current_user_can( 'upload_files' ) ) {
+			return false;
+		}
+
+		$id = $request->get_param( 'id' );
+		if ( ! current_user_can( 'edit_post', $id ) ) {
+			return false;
+		}
+
+		return true;
+	}
 }
diff --git a/phpstan.neon b/phpstan.neon
index 0c753549..9bbf3c9a 100644
--- a/phpstan.neon
+++ b/phpstan.neon
@@ -18,6 +18,12 @@ parameters:
 		- OPTML_DEBUG_MEDIA
 		- ABSPATH
 		- WPINC
+	typeAliases:
+		RestArgConfig: 'array{type: string, required: bool, default?: mixed}'
+		RestArgs: 'array<string, RestArgConfig>'
+		RestRouteConfig: 'array{0: string, args?: RestArgs, permission_callback?: callable|string}'
+		RestRouteMap: 'array<string, string|RestRouteConfig>'
+		SimpleRouteMap: 'array<string, string>'
 includes:
 	- %currentWorkingDirectory%/vendor/szepeviktor/phpstan-wordpress/extension.neon
 	- %currentWorkingDirectory%/phpstan-baseline.neon
\ No newline at end of file

From ae45ab8fae814164773704783b6dd76092c5ad00 Mon Sep 17 00:00:00 2001
From: Soare Robert-Daniel <soare.robert.daniel@protonmail.com>
Date: Fri, 10 Oct 2025 12:33:00 +0300
Subject: [PATCH 2/3] chore: add more types for phpstan

---
 inc/rest.php          |  40 +++++++++-
 inc/settings.php      |   6 ++
 phpstan-baseline.neon | 181 +++---------------------------------------
 3 files changed, 57 insertions(+), 170 deletions(-)

diff --git a/inc/rest.php b/inc/rest.php
index 731e9b90..9b410e86 100644
--- a/inc/rest.php
+++ b/inc/rest.php
@@ -164,6 +164,8 @@ class Optml_Rest {
 
 	/**
 	 * Optml_Rest constructor.
+	 *
+	 * @return void
 	 */
 	public function __construct() {
 		$this->namespace = OPTML_NAMESPACE . '/v1';
@@ -233,6 +235,8 @@ private function register_route( $route, $method = 'GET', $args = [], $permissio
 
 	/**
 	 * Register rest routes.
+	 *
+	 * @return void
 	 */
 	public function register() {
 
@@ -249,6 +253,8 @@ public function register() {
 
 	/**
 	 * Method to register service specific routes.
+	 *
+	 * @return void
 	 */
 	public function register_service_routes() {
 		foreach ( self::$rest_routes['service_routes'] as $route => $details ) {
@@ -262,6 +268,8 @@ public function register_service_routes() {
 
 	/**
 	 * Method to register image specific routes.
+	 *
+	 * @return void
 	 */
 	public function register_image_routes() {
 		foreach ( self::$rest_routes['image_routes'] as $route => $details ) {
@@ -274,6 +282,8 @@ public function register_image_routes() {
 	}
 	/**
 	 * Method to register media offload specific routes.
+	 *
+	 * @return void
 	 */
 	public function register_media_offload_routes() {
 		foreach ( self::$rest_routes['media_cloud_routes'] as $route => $details ) {
@@ -287,6 +297,8 @@ public function register_media_offload_routes() {
 
 	/**
 	 * Method to register conflicts specific routes.
+	 *
+	 * @return void
 	 */
 	public function register_conflict_routes() {
 		foreach ( self::$rest_routes['conflict_routes'] as $route => $details ) {
@@ -296,6 +308,8 @@ public function register_conflict_routes() {
 
 	/**
 	 * Method to register cache specific routes.
+	 *
+	 * @return void
 	 */
 	public function register_cache_routes() {
 		foreach ( self::$rest_routes['cache_routes'] as $route => $details ) {
@@ -331,6 +345,7 @@ public function register_notification_routes() {
 	 * Clear Cache request.
 	 *
 	 * @param WP_REST_Request $request clear cache rest request.
+	 * @phpstan-param WP_REST_Request<array{type?: string}> $request
 	 *
 	 * @return WP_Error|WP_REST_Response
 	 */
@@ -350,6 +365,7 @@ public function clear_cache_request( WP_REST_Request $request ) {
 	 * Connect to optimole service.
 	 *
 	 * @param WP_REST_Request $request connect rest request.
+	 * @phpstan-param WP_REST_Request<array{api_key: string, application?: string}> $request
 	 *
 	 * @return WP_Error|WP_REST_Response
 	 */
@@ -392,6 +408,7 @@ public function connect( WP_REST_Request $request ) {
 	 * Select application.
 	 *
 	 * @param WP_REST_Request $request Rest request.
+	 * @phpstan-param WP_REST_Request<array{api_key: string, application?: string}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -420,7 +437,8 @@ public function select_application( WP_REST_Request $request ) {
 	/**
 	 * Wrapper for api response.
 	 *
-	 * @param mixed $data data from api.
+	 * @param mixed      $data data from api.
+	 * @param string|int $code Response code.
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -432,6 +450,7 @@ private function response( $data, $code = 'success' ) {
 	 * Connect to optimole service.
 	 *
 	 * @param WP_REST_Request $request connect rest request.
+	 * @phpstan-param WP_REST_Request<array{email: string, auto_connect?: string}> $request
 	 *
 	 * @return WP_Error|WP_REST_Response
 	 */
@@ -510,6 +529,7 @@ public function register_service( WP_REST_Request $request ) {
 	 * Return image samples.
 	 *
 	 * @param WP_REST_Request $request Rest request.
+	 * @phpstan-param WP_REST_Request<array{quality?: int, force?: string}> $request
 	 *
 	 * @return WP_REST_Response Image urls.
 	 */
@@ -558,6 +578,9 @@ public function get_sample_rate( WP_REST_Request $request ) {
 	/**
 	 * Crawl & upload initial load.
 	 *
+	 * @param WP_REST_Request $request Rest request.
+	 * @phpstan-param WP_REST_Request<array{offset?: int}> $request
+	 *
 	 * @return WP_REST_Response If there are more posts left to receive.
 	 */
 	public function upload_onboard_images( WP_REST_Request $request ) {
@@ -615,7 +638,7 @@ public function upload_onboard_images( WP_REST_Request $request ) {
 	/**
 	 * Return sample image data.
 	 *
-	 * @return array Image data.
+	 * @return array{url: string, width: string|int, height: string|int, id: int} Image data.
 	 */
 	private function fetch_sample_image() {
 		$accepted_mimes = [ 'image/jpeg' ];
@@ -666,6 +689,8 @@ private function fetch_sample_image() {
 	 * Disconnect from optimole service.
 	 *
 	 * @param WP_REST_Request $request disconnect rest request.
+	 *
+	 * @return void
 	 */
 	public function disconnect( WP_REST_Request $request ) {
 		$settings = new Optml_Settings();
@@ -677,6 +702,7 @@ public function disconnect( WP_REST_Request $request ) {
 	 * Get optimized images from API.
 	 *
 	 * @param WP_REST_Request $request rest request.
+	 * @phpstan-param WP_REST_Request<array{api_key?: string}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -732,6 +758,7 @@ public function poll_conflicts( WP_REST_Request $request ) {
 	 * Dismiss conflict.
 	 *
 	 * @param WP_REST_Request $request rest request.
+	 * @phpstan-param WP_REST_Request<array{conflictID?: string}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -770,6 +797,7 @@ public function request_update( WP_REST_Request $request ) {
 	 * Update options method.
 	 *
 	 * @param WP_REST_Request $request option update rest request.
+	 * @phpstan-param WP_REST_Request<array{settings?: array<string, mixed>}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -790,6 +818,7 @@ public function update_option( WP_REST_Request $request ) {
 	 * Update options method.
 	 *
 	 * @param WP_REST_Request $request option update rest request.
+	 * @phpstan-param WP_REST_Request<array{images?: array<string, array{src?: list<string>, ignoredUrls?: int}>}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -852,6 +881,7 @@ public function check_redirects( WP_REST_Request $request ) {
 	 * Get total number of images.
 	 *
 	 * @param WP_REST_Request $request rest request object.
+	 * @phpstan-param WP_REST_Request<array{action?: string, refresh?: bool}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -912,6 +942,7 @@ public function get_offload_conflicts( WP_REST_Request $request ) {
 	 * Insert images request.
 	 *
 	 * @param WP_REST_Request $request insert images rest request.
+	 * @phpstan-param WP_REST_Request<array{images?: array<mixed>}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -931,6 +962,7 @@ public function insert_images( WP_REST_Request $request ) {
 	 * Dismiss a notification (set the notification key to 'yes').
 	 *
 	 * @param WP_REST_Request $request the incoming request.
+	 * @phpstan-param WP_REST_Request<array{key?: string}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -954,6 +986,7 @@ public function dismiss_notice( WP_REST_Request $request ) {
 	 * Store optimization data.
 	 *
 	 * @param WP_REST_Request $request Rest request.
+	 * @phpstan-param WP_REST_Request<array{d: int, a: array<mixed>, u: string, t?: int, h?: string, pu?: string, b?: array<string, array<string, list<string>>>, l?: array{i?: string, s?: string, u?: list<string>}, m?: array<int, array{w: int, h: int}>, s?: array<int, list<array{w: int, h: int, d: int, s: string, b: int}>>, c?: array<int, bool>}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
@@ -1082,6 +1115,8 @@ function ( $url ) {
 
 	/**
 	 * Method to register above fold data routes.
+	 *
+	 * @return void
 	 */
 	public function register_optimization_routes() {
 		foreach ( self::$rest_routes['optimization_routes'] as $route => $details ) {
@@ -1093,6 +1128,7 @@ public function register_optimization_routes() {
 	 * Move image.
 	 *
 	 * @param WP_REST_Request $request Rest request.
+	 * @phpstan-param WP_REST_Request<array{id: int, action: string, status?: string}> $request
 	 *
 	 * @return WP_REST_Response
 	 */
diff --git a/inc/settings.php b/inc/settings.php
index aabae225..51e37ce9 100644
--- a/inc/settings.php
+++ b/inc/settings.php
@@ -221,6 +221,12 @@ private function is_allowed( $key ) {
 	 * Auto connect action.
 	 */
 	public function auto_connect() {
+
+		/**
+		 * Connect rest request.
+		 *
+		 * @var WP_REST_Request<array{api_key: string, application?: string}>
+		 */
 		$request = new WP_REST_Request( 'POST' );
 		$request->set_param( 'api_key', constant( 'OPTIML_API_KEY' ) );
 		Optml_Main::instance()->rest->connect( $request );
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
index f73d7054..9530f1e8 100644
--- a/phpstan-baseline.neon
+++ b/phpstan-baseline.neon
@@ -515,6 +515,7 @@ parameters:
 			identifier: missingType.iterableValue
 			count: 1
 			path: inc/app_replacer.php
+
 		-
 			message: '#^Method Optml_App_Replacer\:\:get_media_optimized_url\(\) has parameter \$resize with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -544,6 +545,7 @@ parameters:
 			identifier: missingType.return
 			count: 1
 			path: inc/app_replacer.php
+
 		-
 			message: '#^Method Optml_App_Replacer\:\:parse_dimensions_from_filename\(\) return type has no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -1521,6 +1523,7 @@ parameters:
 			identifier: missingType.iterableValue
 			count: 1
 			path: inc/dam.php
+
 		-
 			message: '#^Method Optml_Dam\:\:get_dam_imported_attachments\(\) has parameter \$images with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -1568,6 +1571,7 @@ parameters:
 			identifier: missingType.iterableValue
 			count: 1
 			path: inc/dam.php
+
 		-
 			message: '#^Method Optml_Dam\:\:replace_dam_url_args\(\) has parameter \$args with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -2119,6 +2123,7 @@ parameters:
 			identifier: missingType.iterableValue
 			count: 1
 			path: inc/media_offload.php
+
 		-
 			message: '#^Method Optml_Media_Offload\:\:get_image_id_from_content\(\) return type has no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -2286,6 +2291,7 @@ parameters:
 			identifier: missingType.parameter
 			count: 1
 			path: inc/media_offload.php
+
 		-
 			message: '#^Method Optml_Media_Offload\:\:pre_filter_rest_content\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
 			identifier: missingType.generics
@@ -2501,6 +2507,7 @@ parameters:
 			identifier: missingType.return
 			count: 1
 			path: inc/media_rename/attachment_edit.php
+
 		-
 			message: '#^Method Optml_Attachment_Model\:\:get_all_image_sizes_paths\(\) return type has no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -2512,6 +2519,7 @@ parameters:
 			identifier: missingType.iterableValue
 			count: 1
 			path: inc/media_rename/attachment_model.php
+
 		-
 			message: '#^Method Optml_Attachment_Model\:\:get_attachment_metadata\(\) return type has no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -2529,6 +2537,7 @@ parameters:
 			identifier: missingType.return
 			count: 1
 			path: inc/media_rename/attachment_model.php
+
 		-
 			message: '#^Method Optml_Attachment_Model\:\:size_to_dimension\(\) has parameter \$image_meta with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -2613,204 +2622,36 @@ parameters:
 			count: 1
 			path: inc/media_rename/attachment_replace.php
 
-		-
-			message: '#^Method Optml_Rest\:\:check_redirects\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:clear_cache_request\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
 		-
 			message: '#^Method Optml_Rest\:\:clear_offload_errors\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
 			identifier: missingType.generics
 			count: 1
 			path: inc/rest.php
 
-		-
-			message: '#^Method Optml_Rest\:\:connect\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:disconnect\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
 		-
 			message: '#^Method Optml_Rest\:\:disconnect\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
 			identifier: missingType.generics
 			count: 1
 			path: inc/rest.php
 
-		-
-			message: '#^Method Optml_Rest\:\:dismiss_conflict\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:dismiss_notice\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:fetch_sample_image\(\) return type has no value type specified in iterable type array\.$#'
-			identifier: missingType.iterableValue
-			count: 1
-			path: inc/rest.php
-
 		-
 			message: '#^Method Optml_Rest\:\:get_offload_conflicts\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
 			identifier: missingType.generics
 			count: 1
 			path: inc/rest.php
 
-		-
-			message: '#^Method Optml_Rest\:\:get_sample_rate\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:insert_images\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:move_image\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:number_of_images_and_pages\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:optimizations\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
 		-
 			message: '#^Method Optml_Rest\:\:poll_conflicts\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
 			identifier: missingType.generics
 			count: 1
 			path: inc/rest.php
 
-		-
-			message: '#^Method Optml_Rest\:\:poll_optimized_images\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register_cache_routes\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register_conflict_routes\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register_image_routes\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register_media_offload_routes\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register_optimization_routes\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register_service\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:register_service_routes\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:reqister_route\(\) has no return type specified\.$#'
-			identifier: missingType.return
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:reqister_route\(\) has parameter \$args with no value type specified in iterable type array\.$#'
-			identifier: missingType.iterableValue
-			count: 1
-			path: inc/rest.php
-
 		-
 			message: '#^Method Optml_Rest\:\:request_update\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
 			identifier: missingType.generics
 			count: 1
 			path: inc/rest.php
 
-		-
-			message: '#^Method Optml_Rest\:\:response\(\) has parameter \$code with no type specified\.$#'
-			identifier: missingType.parameter
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:select_application\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:update_option\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Method Optml_Rest\:\:upload_onboard_images\(\) has parameter \$request with generic class WP_REST_Request but does not specify its types\: T$#'
-			identifier: missingType.generics
-			count: 1
-			path: inc/rest.php
-
-		-
-			message: '#^Property Optml_Rest\:\:\$rest_routes type has no value type specified in iterable type array\.$#'
-			identifier: missingType.iterableValue
-			count: 1
-			path: inc/rest.php
-
 		-
 			message: '#^Method Optml_Settings\:\:auto_connect\(\) has no return type specified\.$#'
 			identifier: missingType.return
@@ -2960,6 +2801,7 @@ parameters:
 			identifier: missingType.iterableValue
 			count: 1
 			path: inc/tag_replacer.php
+
 		-
 			message: '#^Method Optml_Tag_Replacer\:\:init\(\) has no return type specified\.$#'
 			identifier: missingType.return
@@ -2971,6 +2813,7 @@ parameters:
 			identifier: missingType.parameter
 			count: 1
 			path: inc/tag_replacer.php
+
 		-
 			message: '#^Method Optml_Tag_Replacer\:\:parse_dimensions_from_tag\(\) has parameter \$args with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue
@@ -3072,6 +2915,7 @@ parameters:
 			identifier: missingType.iterableValue
 			count: 1
 			path: inc/url_replacer.php
+
 		-
 			message: '#^Method Optml_Url_Replacer\:\:init\(\) has no return type specified\.$#'
 			identifier: missingType.return
@@ -3101,6 +2945,7 @@ parameters:
 			identifier: missingType.parameter
 			count: 1
 			path: inc/url_replacer.php
+
 		-
 			message: '#^Method Optml_Url_Replacer\:\:size_to_dimension\(\) has parameter \$image_meta with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue

From 30b2d0cb34b2d0a168f6a63a59bc1f256298a7a9 Mon Sep 17 00:00:00 2001
From: Soare Robert-Daniel <soare.robert.daniel@protonmail.com>
Date: Fri, 10 Oct 2025 12:59:25 +0300
Subject: [PATCH 3/3] chore: check for object type

---
 inc/rest.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/inc/rest.php b/inc/rest.php
index 9b410e86..f2a24aaa 100644
--- a/inc/rest.php
+++ b/inc/rest.php
@@ -1172,7 +1172,11 @@ public static function can_move_image( WP_REST_Request $request ) {
 		}
 
 		$id = $request->get_param( 'id' );
-		if ( ! current_user_can( 'edit_post', $id ) ) {
+
+		if (
+			get_post_type( $id ) !== 'attachment' ||
+			! current_user_can( 'edit_post', $id )
+		) {
 			return false;
 		}