fix: Return false in permission callback blocks user

Author: matapatos

src/Endpoint.php

@@ -312,8 +312,8 @@ public function permissionCallback(WP_REST_Request $request): bool|WP_Error
             'endpoint' => $this,
             'request' => $request,
         ];
-        $result = $this->runHandlers($this->permissionHandlers, $dependencies);
-        if (is_wp_error($result)) {
+        $result = $this->runHandlers($this->permissionHandlers, $dependencies, isToReturnResult: true, isPermissionCallback: true);
+        if (is_wp_error($result) || $result === false) {
             return $result;
         }
 
@@ -371,7 +371,7 @@ protected function replaceSpecialValue(WP_REST_Request $request, string $value):
      *
      * @throws InvocationException
      */
-    protected function runHandlers(array $allHandlers, array $dependencies, bool $isToReturnResult = false): mixed
+    protected function runHandlers(array $allHandlers, array $dependencies, bool $isToReturnResult = false, bool $isPermissionCallback = false): mixed
     {
         $result = null;
         foreach ($allHandlers as $handler) {
@@ -388,6 +388,10 @@ protected function runHandlers(array $allHandlers, array $dependencies, bool $is
             if (is_wp_error($result) || $result instanceof WP_REST_Response) {
                 return $result;
             }
+
+            if ($isPermissionCallback && $result === false) {
+                return $result;
+            }
         }
 
         return $isToReturnResult ? $result : null;

tests/Integration/AppMultipleRoutersTest.php

@@ -63,6 +63,7 @@
             '/my-api/v1/my-actions/v2/middleware/on-request/(?P<action>\w+)',
             '/my-api/v1/my-actions/v2/middleware/on-response/(?P<action>\w+)',
             '/my-api/v1/my-actions/v2/permission/(?P<action>\w+)',
+            '/my-api/v1/my-actions/v2/bool/permission/(?P<action>\w+)',
         ])
         ->and($routes['/my-api/v1/my-posts/v1/(?P<ID>[\\d]+)'])
         ->toBeArray()
@@ -75,6 +76,9 @@
         ->toHaveCount(1)
         ->and($routes['/my-api/v1/my-actions/v2/permission/(?P<action>\w+)'])
         ->toBeArray()
+        ->toHaveCount(1)
+        ->and($routes['/my-api/v1/my-actions/v2/bool/permission/(?P<action>\w+)'])
+        ->toBeArray()
         ->toHaveCount(1);
 })->group('multiple');
 
@@ -134,7 +138,7 @@
     expect($response->get_status())->toBe(200);
 })->with(['on-request', 'on-response'])->group('multiple');
 
-test('Trigger no permissions in permission callback', function () {
+test('Trigger no permissions in permission callback - WP Error', function () {
     $request = new WP_REST_Request('GET', '/my-api/v1/my-actions/v2/permission/notAllowed');
     $response = $this->server->dispatch($request);
     expect($response->get_status())->toBe(403)
@@ -144,8 +148,20 @@
         ->toHaveProperty('data', ['status' => 403]);
 })->group('multiple');
 
-test('Trigger has permissions in permission callback', function () {
-    $request = new WP_REST_Request('GET', '/my-api/v1/my-actions/v2/permission/allowed');
+test('Trigger no permissions in permission callback - boolean', function () {
+    $request = new WP_REST_Request('GET', '/my-api/v1/my-actions/v2/bool/permission/notAllowed');
     $response = $this->server->dispatch($request);
-    expect($response->get_status())->toBe(200);
+    expect($response->get_status())->toBe(401)
+        ->and((object) $response->get_data())
+        ->toHaveProperty('code', 'rest_forbidden')
+        ->toHaveProperty('message', 'Sorry, you are not allowed to do that.')
+        ->toHaveProperty('data', ['status' => 401]);
 })->group('multiple');
+
+test('Trigger has permissions in permission callback', function (string $endpoint) {
+    $request = new WP_REST_Request('GET', $endpoint);
+    $response = $this->server->dispatch($request);
+    expect($response->get_status())->toBe(200);
+})
+    ->with(['/my-api/v1/my-actions/v2/permission/allowed', '/my-api/v1/my-actions/v2/bool/permission/allowed'])
+    ->group('multiple');

tests/Integration/Routers/ActionsRouter.php

@@ -43,4 +43,9 @@
 })
     ->permission($triggerPermissionCallback);
 
+$router->get('/bool/permission/(?P<action>\w+)', function (): bool {
+    return true;
+})
+    ->permission(fn (string $action) => $action === 'allowed');
+
 return $router;

tests/Unit/EndpointTest.php

@@ -342,11 +342,13 @@ public function hey(): void {}
     Helpers::setNonPublicClassProperty($mockedEndpoint, 'permissionHandlers', ['test-permission-handler']);
     $mockedEndpoint->shouldReceive('runHandlers')
         ->once()
-        ->with(['test-permission-handler'], Mockery::type('array'))
+        ->with(['test-permission-handler'], Mockery::type('array'), true, true)
         ->andReturn($returnValue);
     expect($mockedEndpoint->permissionCallback($req))
         ->toBe($returnValue ?? true);
-})->with([null, WpError::class])->group('endpoint', 'permission', 'permissionCallback');
+})
+    ->with([null, WpError::class, false, true])
+    ->group('endpoint', 'permission', 'permissionCallback');
 
 // callback