Automattic\WooCommerce\Api\Infrastructure
ResolverHelpers::build_authorization_error
Build the GraphQL error to throw when an authorization check fails.
Distinguishes the two HTTP-correct shapes:
- UNAUTHORIZED (401) when the principal is anonymous — the caller
could plausibly fix it by authenticating, so the response invites re-auth.
- FORBIDDEN (403) otherwise — the principal is recognised but
isn't allowed; re-authenticating wouldn't help.
The "anonymous" check is opt-in by convention: the principal's is_authenticated(): bool method, when present, decides. Principals that don't define it fall through to FORBIDDEN — generated resolvers still emit a coded error, just without the 401/403 distinction.
Used for class-level denials (operation-level "you cannot call this query/mutation"). For field-level denials that should carry a structured subject payload (type / field / attribute), see ResolverHelpers::build_field_authorization_error().
Method of the class: ResolverHelpers{}
No Hooks.
Returns
Error. The GraphQL error to throw.
Usage
$result = ResolverHelpers::build_authorization_error( $principal ); // returns Error
- $principal(object) (required)
- The resolved request principal.
ResolverHelpers::build_authorization_error() code WC 10.9.1
public static function build_authorization_error( object $principal ): Error {
    $is_anonymous = method_exists( $principal, 'is_authenticated' ) && ! $principal->is_authenticated();
    return new Error(
        $is_anonymous ? 'Authentication required.' : 'You do not have permission to perform this action.',
        extensions: array( 'code' => $is_anonymous ? 'UNAUTHORIZED' : 'FORBIDDEN' )
    );
}
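
The opt-in is_authenticated() convention described above can be checked mechanically. The following is an added example, not WooCommerce code: it copies the 401/403 decision into a stand-alone function and audits principal classes for a method the helper can actually call. The function names authorization_error_code() and principal_convention_problem() and the four principal classes are hypothetical, constructed for this illustration.

```php
<?php
declare( strict_types=1 );

// Stand-alone copy of the decision in build_authorization_error(), returning only the code.
function authorization_error_code( object $principal ): string {
    $is_anonymous = method_exists( $principal, 'is_authenticated' ) && ! $principal->is_authenticated();
    return $is_anonymous ? 'UNAUTHORIZED' : 'FORBIDDEN';
}

// Returns null when $class follows the is_authenticated(): bool convention, else the reason.
function principal_convention_problem( string $class ): ?string {
    if ( ! method_exists( $class, 'is_authenticated' ) ) {
        return 'method missing: anonymous callers get FORBIDDEN instead of UNAUTHORIZED';
    }
    $method = new ReflectionMethod( $class, 'is_authenticated' );
    if ( ! $method->isPublic() ) {
        // method_exists() ignores visibility, so a call from outside the class is fatal.
        return 'method not public: the call from the helper throws';
    }
    if ( $method->getNumberOfRequiredParameters() > 0 ) {
        return 'method requires arguments: the helper calls it with none';
    }
    $type = $method->getReturnType();
    if ( ! $type instanceof ReflectionNamedType || 'bool' !== $type->getName() ) {
        return 'return type is not bool';
    }
    return null;
}

// Hypothetical principal classes, constructed for this example.
final class AnonymousVisitor { public function is_authenticated(): bool { return false; } }
final class ShopCustomer { public function is_authenticated(): bool { return true; } }
final class LegacyPrincipal {}
final class HiddenCheck { private function is_authenticated(): bool { return false; } }

foreach ( array( AnonymousVisitor::class, ShopCustomer::class, LegacyPrincipal::class, HiddenCheck::class ) as $class ) {
    try {
        $code = authorization_error_code( new $class() );
    } catch ( \Error $e ) {
        $code = 'fatal: ' . $e->getMessage();
    }
    printf( "%-17s %-13s %s\n", $class, $code, principal_convention_problem( $class ) ?? 'follows convention' );
}
```

Running the audit over every principal class in a test suite catches the two silent failure modes: a principal that never yields UNAUTHORIZED, and one whose non-public method turns an authorization denial into a fatal error.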