REST API: Log doing_it_wrong notices to debug.log#10537
REST API: Log doing_it_wrong notices to debug.log#10537ilclaudio wants to merge 5 commits intoWordPress:trunkfrom
Conversation
|
Hi @ilclaudio! 👋 Thank you for your contribution to WordPress! 💖 It looks like this is your first pull request to No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description. Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making. More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook. Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook. If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook. The Developer Hub also documents the various coding standards that are followed:
Thank you, |
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Unlinked AccountsThe following contributors have not linked their GitHub and WordPress.org accounts: @claudiobat. Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases. Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
|
It looks like one of the GitHub Actions jobs failed due to a transient network issue (curl error 7 while downloading from packagist.org) and not because of my code changes. |
src/wp-includes/rest-api.php
Outdated
| // Prevent PHP's trigger_error() to avoid corrupting JSON responses. | ||
| return false; |
There was a problem hiding this comment.
Will it, though? During REST API responses, the PHP display_errors config option is set to 0:
wordpress-develop/src/wp-includes/load.php
Lines 638 to 647 in 3d811f2
Therefore, why not just remove the doing_it_wrong_trigger_error filter altogether?
There was a problem hiding this comment.
Thanks for the insight! You're right.
Since wp_debug_mode() already sets display_errors = 0 for REST requests, trigger_error() won't corrupt the response.
I'll simplify the fix by removing the doing_it_wrong_trigger_error filter altogether.
I'll try to push an update shortly.
There was a problem hiding this comment.
Thanks for the insight! You're right. Since wp_debug_mode() already sets display_errors = 0 for REST requests, trigger_error() won't corrupt the response. I'll simplify the fix by removing the doing_it_wrong_trigger_error filter altogether. I'll try to push an update shortly.
I tested your suggestion and it works, but the resulting log entries contain raw HTML markup which makes the log harder to read and produces a stacktrace.
My original approach produces a cleaner output.
Should we keep the manual error_log() call to sanitize the message, or is there another approach you'd suggest?
However I'll try to debug better the problem.
There was a problem hiding this comment.
I tested removing the filter as you suggested, but the resulting log entries contain raw HTML markup and an automatic PHP stack trace, which makes the log harder to read.
I've reverted my previous code and I've updated the patch to add explicit logging inside rest_handle_doing_it_wrong() instead, which it seems it is already the designated handler for this case.
Using wp_strip_all_tags() produces clean, readable output:
"[24-Mar-2026 23:16:23 UTC] REST API - Function register_rest_route was called incorrectly. The REST API route definition for test/v1/example is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback."
I also confirmed that the failing tests (WP_Test_REST_Sync_Server and test_get_items_only_fetches_ids_for_head_requests) are pre-existing issues in trunk unrelated to this patch.
Re-run! |
|
@ilclaudio There's some feedback provided in this PR. |
|
Hi @juanmaguitar I have only proposed a patch but I'm not responsible to include it into the official code. I honestly don't know what else to do. |
|
@ilclaudio, first of all thank for proposing this patch for the ticket :) There's some feedback on the PR provided by @westonruter that still needs to be addressed
A response to that comment would be helpful to move forward with this PR |
ilclaudio
force-pushed
the
fix/64260-rest-doing-it-wrong-log
branch
2 times, most recently
from
84fe789 to
563e9f6
Compare
ilclaudio
force-pushed
the
fix/64260-rest-doing-it-wrong-log
branch
from
563e9f6 to
0a06f41
Compare
Sorry for the late reply, feedback addressed. |
src/wp-includes/rest-api.php
Outdated
| sprintf( | ||
| 'REST API - Function %1$s was called incorrectly. %2$s', | ||
| $function_name, | ||
| wp_strip_all_tags( $message ) | ||
| ) |
There was a problem hiding this comment.
Is this missing important formatting for the log file? Namely, it is not including "PHP Notice: " at the beginning. This is key when grepping through the log file. See https://github.com/php/php-src/blob/a979e9f897a90a580e883b1f39ce5673686ffc67/main/main.c#L1460
It also seems the $version is not being included. Shouldn't $string be used here?
There was a problem hiding this comment.
Thank you for the review and the suggestion.
I have fixed the notification message with the PHP Notice: prefix, as you suggested.
To be fully aligned with PHP's native error log format, I believe debug_backtrace() would be needed, which seems a bit heavy-handed to me.
But I will implement it if it's necessary.
The log currently looks like this:
[26-Mar-2026 09:23:55 UTC] PHP Notice: register_rest_route (since 5.5.0; The REST API route definition for test/v1/example is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback.)
There was a problem hiding this comment.
Note that debug_backtrace() is being used elsewhere in core:
See also wp_debug_backtrace_summary()
There was a problem hiding this comment.
Hi @westonruter I tested three approaches as suggested (the endpoint should only return "true") :
- Removing the doing_it_wrong_trigger_error filter:
This corrupts the REST response, the notice is output before the HTTP headers are sent, causing Cannot modify header information warnings and injecting raw HTML into the JSON response. The display_errors = 0 set in wp_debug_mode() is not yet active at this point in the request lifecycle.
Example:
**Output calling the endpoint:
Notice: Function register_rest_route was called incorrectly. The REST API route definition for test/v1/example is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. Please see Debugging in WordPress for more information. (This message was added in version 5.5.0.) in /var/www/src/wp-includes/functions.php on line 6173
Warning: Cannot modify header information - headers already sent by (output started at /var/www/src/wp-includes/functions.php:6173) in /var/www/src/wp-includes/rest-api/class-wp-rest-server.php on line 1
.....
true
**Log message:
[06-Apr-2026 15:39:07 UTC] PHP Notice: Function register_rest_route was called incorrectly. The REST API route definition for test/v1/example is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. Please see Debugging in WordPress for more information. (This message was added in version 5.5.0.) in /var/www/src/wp-includes/functions.php on line 6173
- Using debug_backtrace():
Produces a clean, actionable log entry pointing directly to the plugin or theme file responsible:
Example:
**Output calling the endpoint: true
**Log message:
[06-Apr-2026 15:57:29 UTC] PHP Notice: register_rest_route (since 5.5.0; The REST API route definition for test/v1/example is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback.) in /var/www/src/wp-content/plugins/rest-api-test/reast-api-test.php on line 8
- Using wp_debug_backtrace_summary():
Produces a verbose function call chain but no file or line information appears in the trace but the developer still has to search for the actual file manually.
Example:
**Output calling the endpoint: true
**Log message:
[06-Apr-2026 15:51:44 UTC] PHP Notice: register_rest_route (since 5.5.0; The REST API route definition for test/v1/example is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback.) Backtrace: require_once('_index.php'), require('wp-blog-header.php'), wp, WP->main, WP->parse_request, do_action_ref_array('parse_request'), WP_Hook->do_action, WP_Hook->apply_filters, rest_api_loaded, rest_get_server, do_action('rest_api_init'), WP_Hook->do_action, WP_Hook->apply_filters, {closure}, register_rest_route, _doing_it_wrong, do_action('doing_it_wrong_run'), WP_Hook->do_action, WP_Hook->apply_filters, rest_handle_doing_it_wrong
The code to implement 2) is a bit more complex than the code to implement 3), but it produces more actionable output, so I've pushed solution 2). Let me know if you'd prefer a different approach.
Use debug_backtrace() to find and append the first plugin or theme file responsible for the incorrect usage to the error_log() message.
4 participants
Fixes #64260. The doing_it_wrong_trigger_error filter was preventing all doing_it_wrong notices from being logged during REST requests. This change ensures notices are written to debug.log while still preventing trigger_error() from interfering with REST responses.
Now the error is filterd but in the debug.log file you can see a meeesage like this:
[21-Nov-2025 14:01:41 UTC] REST API - Doing it wrong: register_rest_route - The REST API route definition for
test/v1/exampleis missing the requiredpermission_callbackargument. For REST API routes that are intended to be public, use__return_trueas the permission callback. (This message was added in version 5.5.0.)Trac ticket: https://core.trac.wordpress.org/ticket/64260