PluginProbe ʕ •ᴥ•ʔ
WooCommerce / 10.9.2
WooCommerce v10.9.2
11.0.0-beta.1 10.9.4 10.9.3 10.9.2 10.9.1 10.9.0 10.9.0-rc.1 10.9.0-beta.2 10.9.0-beta.1 10.8.1 10.8.0 10.8.0-rc.1 10.8.0-beta.2 10.8.0-beta.1 7.8.0-beta.1 7.8.0-beta.2 7.8.0-rc.1 7.8.0-rc.2 7.8.1 7.8.2 7.8.3 7.8.4 7.9.0 7.9.0-beta.1 7.9.0-beta.2 7.9.0-rc.2 7.9.0-rc.3 7.9.1 7.9.2 8.0.0 8.0.0-beta.1 8.0.0-beta.2 8.0.0-rc.1 8.0.0-rc.2 8.0.1 8.0.2 8.0.3 8.0.4 8.0.5 8.1.0 8.1.0-beta.1 8.1.0-rc.1 8.1.0-rc.2 8.1.1 8.1.2 8.1.3 8.1.4 8.2.0 8.2.0-beta.1 8.2.0-rc.1 8.2.0-rc.2 8.2.1 8.2.2 8.2.3 8.2.4 8.2.5 8.3.0 8.3.0-beta.1 8.3.0-rc.1 8.3.0-rc.2 8.3.1 8.3.2 8.3.3 8.3.4 8.4.0 8.4.0-beta.1 8.4.0-rc.1 8.4.1 8.4.2 8.4.3 8.5.0 8.5.0-beta.1 8.5.0-rc.1 8.5.1 8.5.2 8.5.3 8.5.4 8.5.5 8.6.0 8.6.0-beta.1 8.6.0-rc.1 8.6.1 8.6.2 8.6.3 8.6.4 8.7.0 8.7.0-beta.1 8.7.0-beta.2 8.7.0-rc.1 8.7.1 8.7.2 8.7.3 8.8.0 8.8.0-beta.1 8.8.0-rc.1 8.8.1 8.8.2 8.8.3 8.8.4 8.8.5 8.8.6 8.8.7 8.9.0 8.9.0-beta.1 8.9.0-rc.1 8.9.1 8.9.2 8.9.3 8.9.4 8.9.5 9.0.0 9.0.0-beta.1 9.0.0-beta.2 9.0.0-rc.1 9.0.1 9.0.2 9.0.3 9.0.4 9.1.0 9.1.0-beta.1 9.1.0-rc.1 9.1.1 9.1.2 9.1.3 9.1.4 9.1.5 9.1.6 9.2.0 9.2.0-beta.1 9.2.0-rc.1 9.2.1 9.2.2 9.2.3 9.2.4 9.2.5 9.3.0 9.3.0-beta.1 9.3.0-rc.1 9.3.1 9.3.2 9.3.3 9.3.4 9.3.5 9.3.6 9.4.0 9.4.0-beta.1 9.4.0-beta.2 9.4.0-rc.1 9.4.0-rc.2 9.4.0-rc.3 9.4.0-rc.4 9.4.1 9.4.2 9.4.3 9.4.4 9.4.5 9.5.0 9.5.0-beta.1 9.5.0-beta.2 9.5.0-rc.1 9.5.1 9.5.2 9.5.3 9.5.4 9.6.0 9.6.0-beta.1 9.6.0-beta.2 9.6.0-rc.1 9.6.1 9.6.2 9.6.3 9.6.4 9.7.0 9.7.0-beta.1 9.7.0-rc.1 9.7.1 9.7.2 9.7.3 9.8.0 9.8.0-beta.1 9.8.0-rc.1 9.8.1 9.8.2 9.8.3 9.8.4 9.8.5 9.8.6 9.8.7 9.9.0 9.9.0-beta.1 9.9.0-rc.1 9.9.1 9.9.2 9.9.3 9.9.4 9.9.5 9.9.6 9.9.7 3.7.3 7.1.2 3.8.0 7.2.0 3.8.0-beta.1 7.2.0-beta.1 3.8.0-rc.1 7.2.0-beta.2 3.8.0-rc.2 7.2.0-rc.1 3.8.1 7.2.0-rc.2 3.8.2 7.2.1 3.8.3 7.2.2 3.9.0 7.2.3 3.9.0-beta.1 7.2.4 3.9.0-beta.2 7.3.0 3.9.0-rc.1 7.3.0-beta.1 3.9.0-rc.2 7.3.0-beta.2 3.9.0-rc.3 7.3.0-rc.1 3.9.0-rc.4 7.3.0-rc.2 3.9.1 7.3.1 3.9.2 7.4.0 3.9.3 7.4.0-beta.1 3.9.4 7.4.0-beta.2 3.9.5 7.4.0-rc.1 4.0.0 7.4.0-rc.2 4.0.0-beta.1 7.4.1 4.0.0-rc.1 7.4.2 4.0.0-rc.2 7.5.0 4.0.1 7.5.0-beta.1 4.0.2 7.5.0-beta.2 4.0.3 7.5.0-rc.1 4.0.4 7.5.1 4.1.0 7.5.2 4.1.0-beta.1 7.6.0 4.1.0-beta.2 7.6.0-beta.1 4.1.0-rc.1 7.6.0-beta.2 4.1.0-rc.2 7.6.0-rc.1 4.1.1 7.6.0-rc.2 4.1.2 7.6.0-rc.3 4.1.3 7.6.1 4.1.4 7.6.2 4.2.0 7.7.0 4.2.0-RC.1 7.7.0-beta.1 4.2.0-RC.2 7.7.0-beta.2 4.2.0-beta.1 7.7.0-rc.1 4.2.1 7.7.1 4.2.2 7.7.2 4.2.3 7.7.3 4.2.4 7.8.0 4.2.5 4.3.0 4.3.0-beta.1 4.3.0-rc.1 4.3.0-rc.2 4.3.0-rc.3 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 4.4.0 4.4.0-beta.1 4.4.0-rc.1 4.4.1 4.4.2 4.4.3 4.4.4 4.5.0 4.5.0-beta.1 4.5.0-rc.1 4.5.0-rc.3 4.5.1 4.5.2 4.5.3 4.5.4 4.5.5 4.6.0 4.6.0-beta.1 4.6.0-rc.1 4.6.1 4.6.2 4.6.3 4.6.4 4.6.5 4.7.0 4.7.0-beta.1 4.7.0-beta.2 4.7.0-rc.1 4.7.1 4.7.1-beta.1 4.7.2 4.7.3 4.7.4 4.8.0 4.8.0-beta.1 4.8.0-rc.1 4.8.0-rc.2 4.8.1 4.8.2 4.8.3 4.9.0 4.9.0-beta.1 4.9.0-rc.1 4.9.0-rc.2 4.9.1 4.9.2 4.9.3 4.9.4 4.9.5 5.0.0 5.0.0-beta.1 5.0.0-beta.2 5.0.0-rc.1 5.0.0-rc.2 5.0.0-rc.3 5.0.1 5.0.2 5.0.3 5.1.0 5.1.0-beta.1 5.1.0-rc.1 trunk 5.1.1 10.0.0 5.1.2 10.0.0-rc.1 5.1.3 10.0.0-rc.2 5.2.0 10.0.1 5.2.0-beta.1 10.0.2 5.2.0-rc.1 10.0.3 5.2.0-rc.2 10.0.4 5.2.1 10.0.5 5.2.2 10.0.6 5.2.3 10.1.0 5.2.4 10.1.0-rc.1 5.2.5 10.1.0-rc.2 5.3.0 10.1.0-rc.3 5.3.0-beta.1 10.1.0-rc.4 5.3.0-rc.1 10.1.1 5.3.0-rc.2 10.1.2 5.3.1 10.1.3 5.3.2 10.1.4 5.3.3 10.2.0 5.4.0 10.2.0-beta.1 5.4.0-beta.1 10.2.0-beta.2 5.4.0-rc.1 10.2.0-rc.1 5.4.1 10.2.1 5.4.2 10.2.2 5.4.3 10.2.3 5.4.4 10.2.4 5.4.5 10.3.0 5.5.0 10.3.0-beta.1 5.5.0-beta.1 10.3.0-beta.2 5.5.0-rc.1 10.3.0-rc.1 5.5.0-rc.2 10.3.0-rc.2 5.5.1 10.3.1 5.5.2 10.3.2 5.5.3 10.3.3 5.5.4 10.3.4 5.5.5 10.3.5 5.6.0 10.3.6 5.6.0-beta.1 10.3.7 5.6.0-rc.1 10.3.8 5.6.0-rc.2 10.4.0 5.6.1 10.4.0-beta.1 5.6.2 10.4.0-beta.2 5.6.3 10.4.0-rc.1 5.7.0 10.4.1 5.7.0-beta.1 10.4.2 5.7.0-rc.1 10.4.3 5.7.1 10.4.4 5.7.2 10.5.0 5.7.3 10.5.0-beta.1 5.8.0 10.5.0-beta.2 5.8.0-beta.1 10.5.0-rc.1 5.8.0-beta.2 10.5.0-rc.2 5.8.0-rc.1 10.5.0-rc.3 5.8.1 10.5.1 5.8.2 10.5.2 5.9.0 10.5.3 5.9.0-beta.1 10.6.0 5.9.0-rc.1 10.6.0-beta.1 5.9.0-rc.2 10.6.0-beta.2 5.9.1 10.6.0-rc.1 5.9.2 10.6.1 6.0.0 10.6.2 6.0.0-beta.1 10.7.0 6.0.0-rc.1 10.7.0-beta.1 6.0.1 10.7.0-beta.2 6.0.2 10.7.0-rc.1 6.1.0 3.0.0 6.1.0-beta.1 3.0.1 6.1.0-rc.1 3.0.2 6.1.0-rc.2 3.0.3 6.1.1 3.0.4 6.1.2 3.0.5 6.1.3 3.0.6 6.2.0 3.0.7 6.2.0-beta.1 3.0.8 6.2.0-rc.1 3.0.9 6.2.0-rc.2 3.1.0 6.2.1 3.1.1 6.2.2 3.1.2 6.2.3 3.2.0 6.3.0 3.2.1 6.3.0-beta.1 3.2.2 6.3.0-rc.1 3.2.3 6.3.0-rc.2 3.2.4 6.3.1 3.2.5 6.3.2 3.2.6 6.4.0 3.3.0 6.4.0-beta.1 3.3.1 6.4.0-rc.1 3.3.2 6.4.1 3.3.2-rc.1 6.4.2 3.3.3 6.5.0 3.3.4 6.5.0-beta.1 3.3.5 6.5.0-rc.1 3.3.6 6.5.0-rc.2 3.4.0 6.5.1 3.4.0-beta.1 6.5.2 3.4.0-rc.2 6.6.0 3.4.1 6.6.0-beta.1 3.4.2 6.6.0-rc.1 3.4.3 6.6.0-rc.2 3.4.4 6.6.1 3.4.5 6.6.2 3.4.6 6.7.0 3.4.7 6.7.0-beta.1 3.4.8 6.7.0-beta.2 3.5.0 6.7.0-rc.1 3.5.0-beta.1 6.7.1 3.5.0-rc.1 6.8.0 3.5.0-rc.2 6.8.0-beta.1 3.5.1 6.8.0-beta.2 3.5.10 6.8.0-rc.1 3.5.2 6.8.1 3.5.3 6.8.2 3.5.4 6.8.3 3.5.5 6.9.0 3.5.6 6.9.0-beta.1 3.5.7 6.9.0-beta.2 3.5.8 6.9.0-rc.1 3.5.9 6.9.1 3.6.0 6.9.2 3.6.0-beta.1 6.9.3 3.6.0-rc.1 6.9.4 3.6.0-rc.2 6.9.5 3.6.0-rc.3 7.0.0 3.6.1 7.0.0-beta.1 3.6.2 7.0.0-beta.2 3.6.3 7.0.0-beta.3 3.6.4 7.0.0-rc.1 3.6.5 7.0.0-rc.2 3.6.6 7.0.1 3.6.7 7.0.2 3.7.0 7.1.0 3.7.0-beta.1 7.1.0-beta.1 3.7.0-rc.1 7.1.0-beta.2 3.7.0-rc.2 7.1.0-rc.1 3.7.1 7.1.0-rc.2 3.7.2 7.1.1
woocommerce / vendor / wordpress / mcp-adapter / includes / Abilities / ExecuteAbilityAbility.php
woocommerce / vendor / wordpress / mcp-adapter / includes / Abilities Last commit date
DiscoverAbilitiesAbility.php 7 months ago ExecuteAbilityAbility.php 7 months ago GetAbilityInfoAbility.php 7 months ago McpAbilityHelperTrait.php 7 months ago
ExecuteAbilityAbility.php
223 lines
1 <?php
2 /**
3 * Ability for executing WordPress abilities.
4 *
5 * @package McpAdapter
6 */
7
8 declare( strict_types=1 );
9
10 namespace WP\MCP\Abilities;
11
12 /**
13 * Execute Ability - Executes a WordPress ability with provided parameters.
14 *
15 * This ability provides the primary execution layer for running any registered
16 * WordPress ability through the MCP protocol.
17 *
18 * SECURITY CONSIDERATIONS:
19 * - This ability has openWorldHint=true, allowing execution of any registered ability
20 * - Only abilities with mcp.public=true metadata can be executed via default MCP server.
21 * - Requires proper WordPress capability checks for secure operation
22 * - Caller identity verification is enforced through WordPress authentication
23 *
24 * @see https://github.com/your-repo/mcp-adapter/docs/security.md for detailed security configuration
25 */
26 final class ExecuteAbilityAbility {
27 use McpAbilityHelperTrait;
28
29 /**
30 * Register the ability.
31 */
32 public static function register(): void {
33 wp_register_ability(
34 'mcp-adapter/execute-ability',
35 array(
36 'label' => 'Execute Ability',
37 'description' => 'Execute a WordPress ability with the provided parameters. This is the primary execution layer that can run any registered ability.',
38 'category' => 'mcp-adapter',
39 'input_schema' => array(
40 'type' => 'object',
41 'properties' => array(
42 'ability_name' => array(
43 'type' => 'string',
44 'description' => 'The full name of the ability to execute',
45 ),
46 'parameters' => array(
47 'type' => 'object',
48 'description' => 'Parameters to pass to the ability',
49 ),
50 ),
51 'required' => array( 'ability_name', 'parameters' ),
52 'additionalProperties' => false,
53 ),
54 'output_schema' => array(
55 'type' => 'object',
56 'properties' => array(
57 'success' => array( 'type' => 'boolean' ),
58 'data' => array(
59 'description' => 'The result data from the ability execution',
60 ),
61 'error' => array(
62 'type' => 'string',
63 'description' => 'Error message if execution failed',
64 ),
65 ),
66 'required' => array( 'success' ),
67 ),
68 'permission_callback' => array( self::class, 'check_permission' ),
69 'execute_callback' => array( self::class, 'execute' ),
70 'meta' => array(
71 'annotations' => array(
72 'priority' => '1.0',
73 'readOnlyHint' => false,
74 'openWorldHint' => true,
75 ),
76 ),
77 )
78 );
79 }
80
81 /**
82 * Check permissions for executing abilities.
83 *
84 * Validates user capabilities, caller identity, and MCP exposure restrictions.
85 *
86 * @param array $input Input parameters containing ability_name and parameters.
87 *
88 * @return bool|\WP_Error True if the user has permission to execute the specified ability.
89 * @phpstan-return bool|\WP_Error
90 */
91 public static function check_permission( $input = array() ) {
92 $ability_name = $input['ability_name'] ?? '';
93
94 if ( empty( $ability_name ) ) {
95 return new \WP_Error( 'missing_ability_name', 'Ability name is required' );
96 }
97
98 // Validate user authentication and capabilities
99 $user_check = self::validate_user_access();
100 if ( is_wp_error( $user_check ) ) {
101 return $user_check;
102 }
103
104 // Check MCP exposure restrictions
105 $exposure_check = self::check_ability_mcp_exposure( $ability_name );
106 if ( is_wp_error( $exposure_check ) ) {
107 return $exposure_check;
108 }
109
110 // Get the target ability
111 $ability = wp_get_ability( $ability_name );
112 if ( ! $ability ) {
113 return new \WP_Error( 'ability_not_found', "Ability '{$ability_name}' not found" );
114 }
115
116 // Check if the user has permission to execute the target ability
117 $parameters = empty( $input['parameters'] ) ? null : $input['parameters'];
118 $permission_result = $ability->check_permissions( $parameters );
119
120 // Return WP_Error as-is, or convert other values to boolean
121 if ( is_wp_error( $permission_result ) ) {
122 return $permission_result;
123 }
124
125 return (bool) $permission_result;
126 }
127
128 /**
129 * Validate user authentication and basic capabilities for execute ability.
130 *
131 * @return bool|\WP_Error True if valid, WP_Error if validation fails.
132 */
133 private static function validate_user_access() {
134 // Verify caller identity - ensure user is authenticated
135 if ( ! is_user_logged_in() ) {
136 return new \WP_Error( 'authentication_required', 'User must be authenticated to access this ability' );
137 }
138
139 // Check basic capability requirement - allow customization via filter
140 $required_capability = apply_filters( 'mcp_adapter_execute_ability_capability', 'read' );
141 // phpcs:ignore WordPress.WP.Capabilities.Undetermined -- Capability is determined dynamically via filter
142 if ( ! current_user_can( $required_capability ) ) {
143 return new \WP_Error(
144 'insufficient_capability',
145 sprintf( 'User lacks required capability: %s', $required_capability )
146 );
147 }
148
149 return true;
150 }
151
152 /**
153 * Execute the ability execution functionality.
154 *
155 * Enforces security checks before executing any ability.
156 *
157 * @param array $input Input parameters containing ability_name and parameters.
158 *
159 * @return array Array containing execution results.
160 */
161 public static function execute( $input = array() ): array {
162 $ability_name = $input['ability_name'] ?? '';
163 $parameters = empty( $input['parameters'] ) ? null : $input['parameters'];
164
165 if ( empty( $ability_name ) ) {
166 return array(
167 'success' => false,
168 'error' => 'Ability name is required',
169 );
170 }
171
172 // Enforce security checks before execution
173 // Note: WordPress will have already called check_permission, but we double-check
174 // as an additional security layer for direct method calls
175 $permission_check = self::check_permission( $input );
176 if ( is_wp_error( $permission_check ) ) {
177 return array(
178 'success' => false,
179 'error' => $permission_check->get_error_message(),
180 );
181 }
182
183 if ( ! $permission_check ) {
184 return array(
185 'success' => false,
186 'error' => 'Permission denied for ability execution',
187 );
188 }
189
190 $ability = wp_get_ability( $ability_name );
191
192 if ( ! $ability ) {
193 return array(
194 'success' => false,
195 'error' => "Ability '{$ability_name}' not found",
196 );
197 }
198
199 try {
200 // Execute the ability
201 $result = $ability->execute( $parameters );
202
203 // Check if the result is a WP_Error
204 if ( is_wp_error( $result ) ) {
205 return array(
206 'success' => false,
207 'error' => $result->get_error_message(),
208 );
209 }
210
211 return array(
212 'success' => true,
213 'data' => $result,
214 );
215 } catch ( \Throwable $e ) {
216 return array(
217 'success' => false,
218 'error' => $e->getMessage(),
219 );
220 }
221 }
222 }
223