From 77cc0710858f52a8a13ff90e8da5547600002421 Mon Sep 17 00:00:00 2001
From: adamsilverstein <adamsilverstein@earthboundhosting.com>
Date: Thu, 5 Mar 2026 13:49:52 +0700
Subject: [PATCH] REST API: Add finalize endpoint to
 WP_REST_Attachments_Controller

Add a `POST /wp/v2/media/{id}/finalize` endpoint that triggers the
`wp_generate_attachment_metadata` filter after client-side media
processing completes. This ensures server-side plugins (e.g., for
watermarking, CDN sync, custom sizes) can post-process attachments
when client-side processing is active.

The endpoint:
- Reuses `edit_media_item_permissions_check` for authorization
- Re-applies `wp_generate_attachment_metadata` with context 'update'
- Updates attachment metadata and returns the updated attachment
- Is only registered when client-side media processing is enabled

Props adamsilverstein.
See #62243.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../class-wp-rest-attachments-controller.php  | 79 ++++++++++++++++++
 .../rest-api/rest-attachments-controller.php  | 83 +++++++++++++++++++
 .../tests/rest-api/rest-schema-setup.php      |  1 +
 tests/qunit/fixtures/wp-api-generated.js      | 20 +++++
 4 files changed, 183 insertions(+)

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
index 848b4e56d75a1..97f77c4404edf 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@@ -103,6 +103,26 @@ public function register_routes() {
 					'schema'      => array( $this, 'get_public_item_schema' ),
 				)
 			);
+
+			register_rest_route(
+				$this->namespace,
+				'/' . $this->rest_base . '/(?P<id>[\d]+)/finalize',
+				array(
+					array(
+						'methods'             => WP_REST_Server::CREATABLE,
+						'callback'            => array( $this, 'finalize_item' ),
+						'permission_callback' => array( $this, 'finalize_item_permissions_check' ),
+						'args'                => array(
+							'id' => array(
+								'description' => __( 'Unique identifier for the attachment.' ),
+								'type'        => 'integer',
+							),
+						),
+					),
+					'allow_batch' => $this->allow_batch,
+					'schema'      => array( $this, 'get_public_item_schema' ),
+				)
+			);
 		}
 	}
 
@@ -2176,4 +2196,63 @@ private static function filter_wp_unique_filename( $filename, $dir, $number, $at
 
 		return $filename;
 	}
+
+	/**
+	 * Checks if a given request has access to finalize an attachment.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return true|WP_Error True if the request has access, WP_Error object otherwise.
+	 */
+	public function finalize_item_permissions_check( $request ) {
+		return $this->edit_media_item_permissions_check( $request );
+	}
+
+	/**
+	 * Finalizes an attachment after client-side media processing.
+	 *
+	 * Triggers the 'wp_generate_attachment_metadata' filter so that
+	 * server-side plugins can process the attachment after all client-side
+	 * operations (upload, thumbnail generation, sideloads) are complete.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return WP_REST_Response|WP_Error Response object on success, WP_Error object on failure.
+	 */
+	public function finalize_item( WP_REST_Request $request ) {
+		$attachment_id = $request['id'];
+
+		$post = $this->get_post( $attachment_id );
+
+		if ( is_wp_error( $post ) ) {
+			return $post;
+		}
+
+		$metadata = wp_get_attachment_metadata( $attachment_id );
+
+		if ( ! is_array( $metadata ) ) {
+			$metadata = array();
+		}
+
+		/** This filter is documented in wp-admin/includes/image.php */
+		$metadata = apply_filters( 'wp_generate_attachment_metadata', $metadata, $attachment_id, 'update' );
+
+		wp_update_attachment_metadata( $attachment_id, $metadata );
+
+		$response_request = new WP_REST_Request(
+			WP_REST_Server::READABLE,
+			rest_get_route_for_post( $attachment_id )
+		);
+
+		$response_request['context'] = 'edit';
+
+		if ( isset( $request['_fields'] ) ) {
+			$response_request['_fields'] = $request['_fields'];
+		}
+
+		return $this->prepare_item_for_response( get_post( $attachment_id ), $response_request );
+	}
+
 }
diff --git a/tests/phpunit/tests/rest-api/rest-attachments-controller.php b/tests/phpunit/tests/rest-api/rest-attachments-controller.php
index 93cd4211c93ba..70b039856b700 100644
--- a/tests/phpunit/tests/rest-api/rest-attachments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-attachments-controller.php
@@ -3343,4 +3343,87 @@ public function test_sideload_scaled_unique_filename_conflict() {
 		$basename = wp_basename( $new_file );
 		$this->assertMatchesRegularExpression( '/canola-scaled-\d+\.jpg$/', $basename, 'Scaled filename should have numeric suffix when file conflicts with a different attachment.' );
 	}
+
+	/**
+	 * Tests that the finalize endpoint triggers wp_generate_attachment_metadata.
+	 *
+	 * @ticket 62243
+	 * @requires function imagejpeg
+	 */
+	public function test_finalize_item() {
+		wp_set_current_user( self::$author_id );
+
+		// Create an attachment.
+		$request = new WP_REST_Request( 'POST', '/wp/v2/media' );
+		$request->set_header( 'Content-Type', 'image/jpeg' );
+		$request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
+		$request->set_body( file_get_contents( self::$test_file ) );
+		$response      = rest_get_server()->dispatch( $request );
+		$attachment_id = $response->get_data()['id'];
+
+		$this->assertSame( 201, $response->get_status() );
+
+		// Track whether wp_generate_attachment_metadata filter fires.
+		$filter_called = false;
+		$filter_context = null;
+		add_filter(
+			'wp_generate_attachment_metadata',
+			function ( $metadata, $id, $context ) use ( &$filter_called, &$filter_context ) {
+				$filter_called  = true;
+				$filter_context = $context;
+				return $metadata;
+			},
+			10,
+			3
+		);
+
+		// Call the finalize endpoint.
+		$request  = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/finalize" );
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertSame( 200, $response->get_status(), 'Finalize endpoint should return 200.' );
+		$this->assertTrue( $filter_called, 'wp_generate_attachment_metadata filter should have been called.' );
+		$this->assertSame( 'update', $filter_context, 'Filter context should be "update".' );
+	}
+
+	/**
+	 * Tests that the finalize endpoint requires authentication.
+	 *
+	 * @ticket 62243
+	 * @requires function imagejpeg
+	 */
+	public function test_finalize_item_requires_auth() {
+		wp_set_current_user( self::$author_id );
+
+		// Create an attachment.
+		$request = new WP_REST_Request( 'POST', '/wp/v2/media' );
+		$request->set_header( 'Content-Type', 'image/jpeg' );
+		$request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
+		$request->set_body( file_get_contents( self::$test_file ) );
+		$response      = rest_get_server()->dispatch( $request );
+		$attachment_id = $response->get_data()['id'];
+
+		// Try finalizing without authentication.
+		wp_set_current_user( 0 );
+
+		$request  = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/finalize" );
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertErrorResponse( 'rest_cannot_edit_image', $response, 401 );
+	}
+
+	/**
+	 * Tests that the finalize endpoint returns error for invalid attachment ID.
+	 *
+	 * @ticket 62243
+	 */
+	public function test_finalize_item_invalid_id() {
+		wp_set_current_user( self::$author_id );
+
+		$request  = new WP_REST_Request( 'POST', '/wp/v2/media/999999/finalize' );
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertErrorResponse( 'rest_post_invalid_id', $response, 404 );
+	}
+
 }
diff --git a/tests/phpunit/tests/rest-api/rest-schema-setup.php b/tests/phpunit/tests/rest-api/rest-schema-setup.php
index 0e0e00b934359..ca8080fafa71e 100644
--- a/tests/phpunit/tests/rest-api/rest-schema-setup.php
+++ b/tests/phpunit/tests/rest-api/rest-schema-setup.php
@@ -110,6 +110,7 @@ public function test_expected_routes_in_schema() {
 			'/wp/v2/media/(?P<id>[\\d]+)/post-process',
 			'/wp/v2/media/(?P<id>[\\d]+)/edit',
 			'/wp/v2/media/(?P<id>[\\d]+)/sideload',
+			'/wp/v2/media/(?P<id>[\\d]+)/finalize',
 			'/wp/v2/blocks',
 			'/wp/v2/blocks/(?P<id>[\d]+)',
 			'/wp/v2/blocks/(?P<id>[\d]+)/autosaves',
diff --git a/tests/qunit/fixtures/wp-api-generated.js b/tests/qunit/fixtures/wp-api-generated.js
index 487fb2067a978..e2db70db8e7e3 100644
--- a/tests/qunit/fixtures/wp-api-generated.js
+++ b/tests/qunit/fixtures/wp-api-generated.js
@@ -3718,6 +3718,26 @@ mockedApiResponse.Schema = {
                 }
             ]
         },
+        "/wp/v2/media/(?P<id>[\\d]+)/finalize": {
+            "namespace": "wp/v2",
+            "methods": [
+                "POST"
+            ],
+            "endpoints": [
+                {
+                    "methods": [
+                        "POST"
+                    ],
+                    "args": {
+                        "id": {
+                            "description": "Unique identifier for the attachment.",
+                            "type": "integer",
+                            "required": false
+                        }
+                    }
+                }
+            ]
+        },
         "/wp/v2/menu-items": {
             "namespace": "wp/v2",
             "methods": [