-
Notifications
You must be signed in to change notification settings - Fork 655
Rethink how we work with meta #1425
Comments
Why not expose serialized data if it is an |
|
Right, that is a good thing. But we know the data type before we update, don't we? So check the stored value, if the current value is an |
What if you wanted to change the datatype from an array to an object? I don't know why - but I think JSON being lossy doesn't make this a good idea. |
An API consumer of any kind would never want to change the datatype because that would change what the server ( probably some plugin ) expects. The fact that they are both expressed the same way in JSON I think is a benefit. I'm just concerned that leaving out arrays especially is a huge loss. To flatten every array into individual meta rows would put a big strain on the DB. If it is decided not to support both because it is lossy, then why not just pick |
Realized a case where this might be impossible. When the value is set to an empty string, and then a client updates the value. Maybe only display serialized meta that is registered with |
I think for plugins it's reasonably easy to use |
Is there any reason not to support other object types (even if they are PHP objects) if, let's say, plugins registered them as @TimothyBJacobs says? I think it would be really good for plugins to be able to serialize objects as meta being able to get them trough the API if needed. |
See points 1, 3, and 4 from my list under Serialised Data; these still apply. If you only use arrays of scalars or more arrays, I think we can probably allow that, but it'll still be lossy. I think that's an OK tradeoff for now, but still need to consider it further. |
I read your points, but I still don't get why is a problem, let's say that plugin X has a class (a DTO, for example, as if it was an associative array) that is saving as a post meta and it wants to expose through the API so it can be read (or written) through it. Wouldn't make sense to allow that plugin to expose that meta key through the API so there is no need to do a single request to acces it instead of as many requests as properties had that class? |
Objects of any kind besides I do think arrays should be given a try, I'll try working on a patch. |
I'm very much in favor of more ways to expose meta information. I just started looking into this today in the hopes that it would help me create an API to interface with the Modern Tribe Events Calendar without having to roll too much of my own stuff. Sadly, the plugin is based on protected meta keys, so that's out. |
im with @TimothyBJacobs i think simple data structures (array,stdclass) should be allowed as serialized values. hacking around that limitation is a bit ugly here. maybe we can provide a global switch to allow sensitive data in maybe introduce a define('REST_META_SECURED', false) and check that variable in the few places |
@digitalkaoz I've removed your comment, as we can't officially support insecure code snippets. |
yeah sure, i thought i put enough security disclaimers aside ;) anyway, would love to see this switch implemented |
We'll be splitting out the meta endpoints into a separate plugin. |
Here's the separate plugin https://github.com/WP-API/wp-api-meta-endpoints |
But its still forbidden to get/save serialized data...so what is exactly Daniel Bachhuber notifications@github.com schrieb am Sa., 30. Jan. 2016
|
For those who are using the existing endpoints, as the meta endpoints have been removed from this core plugin. |
status code: 200, headers { |
anyone can help? |
Since we first implemented meta, we've been very restrictive. Meta available through the API is limited in the following ways:
_
) are not available at all.These restrictions apply to all meta fields, with no real way to enable exposing meta in any further extensive way.
We always wanted to start out with the most restrictive policy on meta and then open it up slowly depending on use cases. I think it's time we did that. :)
Serialised Data
Serialised data should still not be available. We cannot open access to serialised data:
stdClass
instance.Protected Meta
Rather than checking if meta fields are protected or not, we should leave this responsibility to the capabilities system. WP's meta-cap system already has meta capabilities for
add_post_meta
,edit_post_meta
, anddelete_post_meta
. Internally, these useis_protected_meta
by default, but allowregister_meta
to override this. This would allow overriding the protected meta system using WP's existing APIs, and would open meta up a bit more nicely. Bonus: we encourage use of theregister_meta
API, which is pretty neat.One notable missing part here is
read_post_meta
. @nacin and I have discussed this in the past, and we're in favour of adding this. In the meantime, we could easily add a shim on themap_meta_cap
filter.Authenticated Access
Assuming we change protected meta, internally these all still check
edit_post
on the post, since the existing meta-caps are all write-based. However, withread_post_meta
, we'd want to expose this publicly.Ideally, the system would have been designed with this in mind.
auth_callback
already receives the capability we're trying to use, so it'd be basically perfect. However, using the existing auth callback fromregister_meta
may be dangerous, as it usually relies onedit_post
.As a stop-gap, I'd suggest we check this, and check against a whitelist of meta keys to expose publicly. By default, this would be a blank array, but with the ability to add extra keys into it, similar to the
query_vars
filter.It's a suboptimal solution, but it does allow us to retrofit the system to allow this.
With this, you could expose meta by doing:
Anyone have anything they'd like to add? Anything I've overlooked here?
The text was updated successfully, but these errors were encountered: