This repository was archived by the owner on Nov 21, 2025. It is now read-only.

A feature that has no permission access should never be eligible. #87

@calvinalkan

```php
/**
 * Determines if the feature is eligible to run.
 *
 * @since 0.1.0
 * @return bool True if the feature is eligible, false otherwise.
 */
public function is_eligible() {
	if ( ! is_callable( $this->is_eligible ) ) {
		return true;
	}

	return call_user_func( $this->is_eligible );
}
```

The REST endpoints currently expose features even if permission_callbacks for that feature will fail.

This might be documented as the expected behavior, but it results in poor UX, where a client will receive information about a feature that will always fail.

I can see checking the permission_callback being an issue for rest_alias routes, since the rest controllers might be relying on the WP_Request_Object being passed into that callback. And of course, the request to /wp/v2/features is not the same request as when the feature is run.

Both of these feel wrong. Maybe each feature should have a mandatory permission callback, even if it just superficially validates for rest_alias routes?
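
One way to enforce what the issue asks for, as an added example that is not part of the original issue or the plugin's code: the listing filters on both eligibility and permission, and a feature with no permission callback is denied. The class, function and feature names are hypothetical, and the caller's capabilities are modelled as a plain array of strings so the check does not depend on the request object.

```php
<?php
// Added illustration: every name here is hypothetical, not the plugin's API.
final class Example_Feature {
	public $id;
	private $is_eligible;
	private $permission_callback;

	public function __construct( $id, $permission_callback = null, $is_eligible = null ) {
		$this->id                  = $id;
		$this->permission_callback = $permission_callback;
		$this->is_eligible         = $is_eligible;
	}

	// Same default as the snippet in the issue: no callback means eligible.
	public function is_eligible() {
		if ( ! is_callable( $this->is_eligible ) ) {
			return true;
		}
		return (bool) call_user_func( $this->is_eligible );
	}

	// Fail closed: a missing callback denies access. Only a strict true allows
	// it, so an error object or other truthy value is not read as "allowed".
	public function is_permitted( array $user_caps ) {
		if ( ! is_callable( $this->permission_callback ) ) {
			return false;
		}
		return true === call_user_func( $this->permission_callback, $user_caps );
	}
}

// Listing filter: a feature is returned only if it is eligible AND permitted.
function example_list_features( array $features, array $user_caps ) {
	$visible = array();
	foreach ( $features as $feature ) {
		if ( $feature->is_eligible() && $feature->is_permitted( $user_caps ) ) {
			$visible[] = $feature->id;
		}
	}
	return $visible;
}

// Constructed sample data: the caller holds only the "read" capability.
$features = array(
	new Example_Feature( 'posts/read', function ( $caps ) { return in_array( 'read', $caps, true ); } ),
	new Example_Feature( 'users/delete', function ( $caps ) { return in_array( 'delete_users', $caps, true ); } ),
	new Example_Feature( 'no-callback' ), // No permission callback: never listed.
);
var_dump( example_list_features( $features, array( 'read' ) ) );
```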
