• Resolved webairstudio

    (@webairstudio)


    • Plugin: Stock Locations for WooCommerce
    • Versions affected: 3.0.1 (reproduced), still occurs after 3.0.2
    • Component: Public GET endpoint slw-api

    The endpoint /?slw-api… returns an empty payload:

    Array ( [response] => )

    even for valid requests (e.g. setting stock). Root cause: on the init hook, the API handler runs before $slw_api_valid_keys is initialized, so incoming GET parameters (including format=json) are filtered out. The code falls back to pree($response) with ['response'=>false].

    3.0.2 adds a null/empty guard for $slw_api_valid_keys, which prevents notices but doesn’t solve the ordering issue; with an empty whitelist, parameters are still discarded.

    Steps to reproduce

    1. Enable SLW API and add the caller to “Validate API requests”.
    2. Request: /?slw-api&value=125&action=set&item=stock&format=json&product_id=<valid_id>&location_id=<valid_location_id>
    3. Observe: HTML Array([response] => ) (or JSON {"response":false} if format slipped through).

    Expected

    • $slw_api_valid_keys is initialized before filtering; format=json is honored; action=set&item=stock updates _stock_at_{location_id} and returns a meaningful boolean in response.

    Actual

    • API handler executes before whitelist initialization; parameters are dropped; format=json ignored; response remains empty/false.

    Root cause

    • Both whitelist initialization and API handler are attached to init with default priority (10). File load order leads to the API handler running earlier in some environments.

    Proposed fix

    • Ensure deterministic ordering on init by setting explicit priorities:

    1) File: wp-content/plugins/stock-locations-for-woocommerce/stock-locations-for-woocommerce.php

    Make the hook that initializes $slw_api_valid_keys run earlier:

    add_action('init', function() use (&$slw_woocommerce_product_form_hooks, &$slw_api_valid_keys, &$slw_widgets_arr) {
        // ... defines $slw_api_valid_keys = array(...);
    }, 5); // earlier than default

    2) File: wp-content/plugins/stock-locations-for-woocommerce/inc/functions-api.php

    Make the public API handler run later:

    add_action('init', function(){
        if(isset($_GET['slw-api'])){
            // ... existing handler logic ...
        }
    }, 11); // later than default

    This guarantees that $slw_api_valid_keys is populated before request filtering and that format=json is consistently respected.

    • This topic was modified 7 months, 2 weeks ago by webairstudio.
Viewing 1 replies (of 1 total)
  • Plugin Author Fahad Mahmood

    (@fahadmahmood)

    The current version already uses the init action hook with priority 100, so this issue has been addressed. I have tested it, and everything is working as expected. Closing this thread.
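
The ordering problem discussed in this thread, as an added example that is not part of either post or the plugin's own code: a small stand-in for WordPress's hook dispatcher shows why two init callbacks at the same priority depend on load order, and why an empty allowlist silently drops every parameter. The *_demo functions, the key list and the request IDs are assumptions made for the illustration.

```php
<?php
// Added illustration: a minimal stand-in for WordPress's hook dispatcher.
// As in WordPress, callbacks run in ascending priority, and callbacks with
// equal priority run in registration order (in practice, file load order).
$hooks = [];
function add_action_demo(string $tag, callable $cb, int $priority = 10): void {
    global $hooks;
    $hooks[$tag][$priority][] = $cb;
}
function do_action_demo(string $tag): void {
    global $hooks;
    ksort($hooks[$tag]);
    foreach ($hooks[$tag] as $callbacks) {
        foreach ($callbacks as $cb) { $cb(); }
    }
}

// Constructed request following the reproduction steps (IDs are placeholders).
$request = ['slw-api' => '', 'value' => '125', 'action' => 'set',
            'item' => 'stock', 'format' => 'json',
            'product_id' => '101', 'location_id' => '7'];

function run_scenario(array $request, int $initPrio, int $apiPrio): array {
    global $hooks;
    $hooks = [];
    $valid_keys = null;   // stands in for $slw_api_valid_keys
    $seen = null;
    // API handler registered first, as when its file loads before the allowlist hook.
    add_action_demo('init', function () use (&$valid_keys, &$seen, $request) {
        // Guard modelled on the 3.0.2 behaviour described in the thread:
        // no notice on null, but an empty allowlist still matches nothing.
        $allowed = is_array($valid_keys) ? $valid_keys : [];
        $seen = array_intersect_key($request, array_flip($allowed));
    }, $apiPrio);
    add_action_demo('init', function () use (&$valid_keys) {
        // Hypothetical key list; the plugin's real list is not shown in the thread.
        $valid_keys = ['value', 'action', 'item', 'format', 'product_id', 'location_id'];
    }, $initPrio);
    do_action_demo('init');
    return $seen;
}

$same  = run_scenario($request, 10, 10); // both at the default priority
$fixed = run_scenario($request, 5, 11);  // priorities proposed in the report
printf("10/10: %d params kept, format=%s\n", count($same), $same['format'] ?? '(dropped)');
printf("5/11:  %d params kept, format=%s\n", count($fixed), $fixed['format'] ?? '(dropped)');
```

Run with the PHP CLI; the first scenario shows the failure mode the report describes, the second shows the handler seeing the filtered parameters once the allowlist is guaranteed to be set first.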
