Address review feedback: remove filter after dispatch, use empty caps

obenland · claude · obenland · commit 1e4138d84b74 · 2026-04-07T09:07:52.000-05:00
- Remove the get_user_metadata filter via rest_post_dispatch so it
  doesn't persist beyond the request.
- Return an empty capabilities array instead of subscriber role —
  is_array() passes without granting any real capabilities.
- Assert the application password is actually deleted in the test.
- Fix closure spacing per WordPress coding standards.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/settings/rest-api.php b/settings/rest-api.php
@@ -496,6 +496,10 @@ function allow_application_password_management( $result, $server, $request ) {
 	}
 
 	add_filter( 'get_user_metadata', __NAMESPACE__ . '\treat_as_member_of_blog', 10, 3 );
+	add_filter( 'rest_post_dispatch', function( $response ) {
+		remove_filter( 'get_user_metadata', __NAMESPACE__ . '\treat_as_member_of_blog', 10 );
+		return $response;
+	} );
 
 	return $result;
 }
@@ -526,7 +530,8 @@ function treat_as_member_of_blog( $check, $user_id, $meta_key ) {
 	}
 
 	// Return a nested array: get_metadata() unwraps one level when $single is true.
-	return array( array( 'subscriber' => true ) );
+	// An empty capabilities array satisfies is_array() without granting any role.
+	return array( array() );
 }
 
 /**
diff --git a/tests/settings/test-application-passwords.php b/tests/settings/test-application-passwords.php
@@ -170,7 +170,7 @@ public function test_non_member_can_revoke_application_password() : void {
 		);
 
 		// Remove the user from the current blog to simulate profiles.wordpress.org.
-		$remove_user_callback = function ( $check, $user_id, $meta_key ) {
+		$remove_user_callback = function( $check, $user_id, $meta_key ) {
 			global $wpdb;
 
 			if ( $user_id !== self::$regular_user->ID ) {
@@ -206,6 +206,15 @@ public function test_non_member_can_revoke_application_password() : void {
 		remove_filter( 'get_user_metadata', $remove_user_callback, 9 );
 
 		$this->assertSame( 200, $response->get_status(), 'Non-member should be able to revoke their own application password.' );
+
+		$remaining_passwords = WP_Application_Passwords::get_user_application_passwords( self::$regular_user->ID );
+		$remaining_uuids     = wp_list_pluck( $remaining_passwords, 'uuid' );
+
+		$this->assertNotContains(
+			$item['uuid'],
+			$remaining_uuids,
+			'Application password should be removed after revocation.'
+		);
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -496,6 +496,10 @@ function allow_application_password_management( $result, $server, $request ) {`
`496`	`496`	`}`
`497`	`497`
`498`	`498`	`add_filter( 'get_user_metadata', __NAMESPACE__ . '\treat_as_member_of_blog', 10, 3 );`
	`499`	`+ add_filter( 'rest_post_dispatch', function( $response ) {`
	`500`	`+ remove_filter( 'get_user_metadata', __NAMESPACE__ . '\treat_as_member_of_blog', 10 );`
	`501`	`+ return $response;`
	`502`	`+ } );`
`499`	`503`
`500`	`504`	`return $result;`
`501`	`505`	`}`
`@@ -526,7 +530,8 @@ function treat_as_member_of_blog( $check, $user_id, $meta_key ) {`
`526`	`530`	`}`
`527`	`531`
`528`	`532`	`// Return a nested array: get_metadata() unwraps one level when $single is true.`
`529`		`- return array( array( 'subscriber' => true ) );`
	`533`	`+ // An empty capabilities array satisfies is_array() without granting any role.`
	`534`	`+ return array( array() );`
`530`	`535`	`}`
`531`	`536`
`532`	`537`	`/**`