Add core/content ability#739
Open
jorgefilipecosta wants to merge 9 commits into
Open
Conversation
Add the core/settings ability, matching the equivalent WordPress core change. Read-only; returns settings flagged show_in_abilities as a flat name => value map, filterable by group or by name, gated on manage_options. The Settings class is kept near-identical to core's WP_Settings_Abilities and registers at priority 11, unregistering any core-provided copy first so the plugin wins when both are present. A generic Show_In_Abilities component seeds the show_in_abilities flag onto a curated set of core settings so the ability returns data on a stock site. Includes a Playwright e2e spec that drives the ability through the @wordpress/abilities client. Keeps the output schema free of unsupported formats and per-property defaults so the client-side validator accepts it and does not inject defaults into filtered results.
…ent enabled The @wordpress/abilities client modules are only added to the editor's import map when an AI experiment is enabled (its script declares them as module_dependencies). Enable Excerpt Generation and drive the test from a new post instead of skipping when the client is unavailable.
'settings' reads more naturally than 'slugs' for an ability about settings:
executeAbility( 'core/settings', { settings: [ 'blogname' ] } ).
Add an e2e sample plugin that registers a setting with show_in_abilities, map it in .wp-env.test.json, and assert the core/settings ability returns it.
✅ WordPress Plugin Check Report
📊 ReportAll checks passed! No errors or warnings found. 🤖 Generated by WordPress Plugin Check Action • Learn more about Plugin Check |
jorgefilipecosta
changed the title
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
jorgefilipecosta
force-pushed
the
add/core-content-ability
branch
from
3330d86 to
83e1dc4
Compare
The .mcp.json file holds developer-local MCP server config (xdebug, chrome-devtools) and should not be in version control. Remove it from the repo and add it to .gitignore; the file is kept locally.
The e2e global setup deletes all `post` entries, so querying `post_type: 'post'` for the field-limiting test returned zero posts in clean CI and failed the `posts.length > 0` assertion. Seed published posts via `requestUtils.createPost` in a `beforeAll` (tracking their IDs) and remove only those in `afterAll`, then query `post` as before.
Re-applied on top of the current branch tip (a prior push of these changes was
overwritten by a force-push). Mirrors the core/settings review fixes that apply here:
- Memoize the exposed post types so the input schema and the permission/execute
callbacks derive from a single walk of the registered post types.
- Default the input schema to an empty object so the type:object default serializes as {}.
- Use __() instead of esc_html__(), and @SInCE x.x.x per CONTRIBUTING.md.
- Harden input/value handling (type guards, capability resolver, non-negative int
helper, dynamic-property annotation) so the new code passes PHPStan at level max.
The `content` ability-category fallback is kept on purpose: unlike `site`, `content`
is a new category not present on the plugin's minimum WordPress (7.0).
jorgefilipecosta
force-pushed
the
add/core-content-ability
branch
from
d1db766 to
88df83c
Compare
gziolo
reviewed
Jun 18, 2026
| // Expose curated core objects to the Abilities API, then register the | ||
| // `core/settings` and `core/content` abilities (overriding any core-provided copies). | ||
| Show_In_Abilities::register(); | ||
| Settings_Ability::init(); |
Member
There was a problem hiding this comment.
Some changes leaked from another PR with the core/settings ability.
Member
|
Nice work so far! A few things to iron out:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the read-only
core/contentability to the plugin, mirroring the WordPress coreWP_Content_Abilitiesimplementation (see the companion core PR) so the two stay in sync. It overrides any core-provided copy.Retrieves one or more posts of a post type exposed to abilities: fetch a single post by
idorslug, or query multiple posts filtered bypost_type,status,author,parent, with afieldsselector andpage/per_pagepagination. Output is{ posts, total, total_pages }.core PR WordPress/wordpress-develop#12195.
Security
Defense in depth: a coarse status/capability gate plus an authoritative per-post
read_postcheck on every row; default statuspublish; password-protected content withheld from non-editors; uniform not-found responses to avoid leaking post existence.Show_In_Abilities
WordPress core does not yet ship the
show_in_abilitiesflag this ability reads, so a self-containedShow_In_Abilitiescomponent polyfills it onto curated core post types (post,page). It is structured exactly like the settings polyfill from thecore/settingsPR (#691), so the two merge cleanly.This PR is independent of #691 and can be reviewed/merged on its own.
Tests
PHPUnit integration tests for the ability and the polyfill, plus an e2e spec (
tests/e2e/specs/abilities/core-content.spec.js) backed by a sample-content plugin that registers an ability-exposed post type.