From 855c081931a6b4960f38a42bc2da7cc2f0e1c0eb Mon Sep 17 00:00:00 2001
From: Rachel Baker
Date: Sat, 2 Jul 2016 23:02:45 +0000
Subject: [PATCH] REST API: Reverse order of setting sanitization/validation, validating prior to sanitizing.
Fixes mistake in the current behavior, where the sanitization callback ran before the validation callback. Now the validation callback will run before the sanitization.
Props schlessera, rachelbaker.
See #37247.
Fixes #37192.
git-svn-id: https://develop.svn.wordpress.org/trunk@37943 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../rest-api/class-wp-rest-server.php | 4 +-
 tests/phpunit/tests/rest-api/rest-server.php | 45 +++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/rest-api/class-wp-rest-server.php b/src/wp-includes/rest-api/class-wp-rest-server.php
index cb19242bf1..2c49c8fc69 100644
--- a/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -853,8 +853,6 @@ class WP_REST_Server {
 $request->set_url_params( $args );
 $request->set_attributes( $handler );
 
- $request->sanitize_params();
-
 $defaults = array();
 
 foreach ( $handler['args'] as $arg => $options ) {
@@ -869,6 +867,8 @@ class WP_REST_Server {
 if ( is_wp_error( $check_required ) ) {
 $response = $check_required;
 }
+
+ $request->sanitize_params();
 }
 
 if ( ! is_wp_error( $response ) ) {
diff --git a/tests/phpunit/tests/rest-api/rest-server.php b/tests/phpunit/tests/rest-api/rest-server.php
index 2140965e68..88ae9b7814 100644
--- a/tests/phpunit/tests/rest-api/rest-server.php
+++ b/tests/phpunit/tests/rest-api/rest-server.php
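Review bot: In the second hunk the moved `$request->sanitize_params();` runs unconditionally, so when `has_valid_params()` has just set `$response` to a WP_Error the sanitize callbacks are still applied to arguments that failed validation, which is the opposite of the ordering this commit sets out to establish. Putting the call in the else branch, `} else {` / `$request->sanitize_params();` / `}`, keeps sanitization to input that has already passed validation. The call's return value is also discarded; if `sanitize_params()` can report a failure in this version (not visible in the hunk), that result should feed `$response` the same way `$check_required` does. The enclosing method begins and ends outside the hunk.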
@@ -940,6 +940,51 @@ class Tests_REST_Server extends WP_Test_REST_TestCase {
 }
 }
 
+ /**
+ * Make sure that a sanitization that transforms the argument type will not
+ * cause the validation to fail.
+ *
+ * @ticket 37192
+ */
+ public function test_rest_validate_before_sanitization() {
+ register_rest_route( 'test-ns', '/test', array(
+ 'methods' => array( 'GET' ),
+ 'callback' => '__return_null',
+ 'args' => array(
+ 'someinteger' => array(
+ 'validate_callback' => array( $this, '_validate_as_integer_123' ),
+ 'sanitize_callback' => 'absint',
+ ),
+ 'somestring' => array(
+ 'validate_callback' => array( $this, '_validate_as_string_foo' ),
+ 'sanitize_callback' => 'absint',
+ ),
+ ),
+ ) );
+
+ $request = new WP_REST_Request( 'GET', '/test-ns/test' );
+ $request->set_query_params( array( 'someinteger' => 123, 'somestring' => 'foo' ) );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertEquals( 200, $response->get_status() );
+ }
+
+ public function _validate_as_integer_123( $value, $request, $key ) {
+ if ( ! is_int( $value ) ) {
+ return new WP_Error( 'some-error', 'This is not valid!' );
+ }
+
+ return true;
+ }
+
+ public function _validate_as_string_foo( $value, $request, $key ) {
+ if ( ! is_string( $value ) ) {
+ return new WP_Error( 'some-error', 'This is not valid!' );
+ }
+
+ return true;
+ }
+
 /**
 * @return array {
 * @type array {
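Review bot: The new test asserts only a 200 status, so it still passes if `sanitize_params()` is never called at all; it pins "validation is not broken by sanitization" but not "sanitization still happens afterwards". Adding `$this->assertSame( 0, $request->get_param( 'somestring' ) );` after the dispatch would close that gap, assuming `dispatch()` sanitizes the same request instance it is handed, which the hunk does not show. Separately, `_validate_as_integer_123` checks only `is_int( $value )` and never that the value is 123, so either rename it to `_validate_as_integer` or extend the condition to `! is_int( $value ) || 123 !== $value` so the name matches what it enforces. The query params are set as a native int and string; a real HTTP request would deliver strings and `is_int` would reject it, which is fine for pinning dispatch order but deserves a one-line comment in the test. The enclosing class Tests_REST_Server begins and ends outside the hunk.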