Forms: Add REST API endpoint for exporting responses

This replaces the legacy AJAX-based export with a REST API endpoint.

Changes:
- Add new `/wp/v2/feedback/export` REST endpoint
- Remove legacy AJAX handler `wp_ajax_feedback_export`
- Remove deprecated `download_feedback_as_csv()` method
- Update dashboard export hook to use REST API with @wordpress/api-fetch
- Properly handle permission checks with WP_Error responses
- Support filtering by selected items, search, status, date ranges, and source

Author: lezama

projects/packages/forms/src/contact-form/class-contact-form-endpoint.php

@@ -255,6 +255,43 @@ public function register_routes() {
 				'callback'            => array( $this, 'get_forms_config' ),
 			)
 		);
+
+		register_rest_route(
+			$this->namespace,
+			$this->rest_base . '/export',
+			array(
+				'methods'             => \WP_REST_Server::CREATABLE,
+				'permission_callback' => array( $this, 'export_permissions_check' ),
+				'callback'            => array( $this, 'export_responses' ),
+				'args'                => array(
+					'selected' => array(
+						'type'    => 'array',
+						'items'   => array( 'type' => 'integer' ),
+						'default' => array(),
+					),
+					'post'     => array(
+						'type'    => 'string',
+						'default' => 'all',
+					),
+					'search'   => array(
+						'type'    => 'string',
+						'default' => '',
+					),
+					'status'   => array(
+						'type'    => 'string',
+						'default' => 'publish,draft',
+					),
+					'before'   => array(
+						'type'    => 'string',
+						'default' => '',
+					),
+					'after'    => array(
+						'type'    => 'string',
+						'default' => '',
+					),
+				),
+			)
+		);
 	}
 
 	/**
@@ -1070,4 +1107,158 @@ public function get_forms_config( WP_REST_Request $request ) { // phpcs:ignore V
 
 		return rest_ensure_response( $config );
 	}
+
+	/**
+	 * Checks if a given request has permissions to export responses.
+	 *
+	 * @param WP_REST_Request $request The request object.
+	 * @return bool|WP_Error True if the request can export, error object otherwise.
+	 */
+	public function export_permissions_check( $request ) { //phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
+		if ( is_super_admin() ) {
+			return true;
+		}
+
+		if ( ! is_user_member_of_blog( get_current_user_id(), get_current_blog_id() ) ) {
+			return new WP_Error(
+				'rest_user_not_member',
+				__( 'Sorry, you are not a member of this site.', 'jetpack-forms' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		if ( ! current_user_can( 'export' ) ) {
+			return new WP_Error(
+				'rest_user_cannot_export',
+				__( 'Sorry, you are not allowed to export form responses on this site.', 'jetpack-forms' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		return true;
+	}
+
+	/**
+	 * Export form responses to CSV.
+	 *
+	 * @param WP_REST_Request $request The request object.
+	 * @return WP_REST_Response|WP_Error The response containing CSV data or error.
+	 */
+	public function export_responses( $request ) {
+		$selected = $request->get_param( 'selected' );
+		$post_id  = $request->get_param( 'post' );
+		$search   = $request->get_param( 'search' );
+		$status   = $request->get_param( 'status' );
+		$before   = $request->get_param( 'before' );
+		$after    = $request->get_param( 'after' );
+
+		$query_args = array(
+			'post_type'        => 'feedback',
+			'posts_per_page'   => -1,
+			'post_status'      => array( 'publish', 'draft' ),
+			'order'            => 'ASC',
+			'suppress_filters' => false,
+		);
+
+		if ( $status && $status !== 'publish,draft' ) {
+			$query_args['post_status'] = explode( ',', $status );
+		}
+
+		if ( $post_id && $post_id !== 'all' ) {
+			$query_args['post_parent'] = intval( $post_id );
+		}
+
+		if ( $search ) {
+			$query_args['s'] = $search;
+		}
+
+		if ( ! empty( $selected ) ) {
+			$query_args['post__in'] = array_map( 'intval', $selected );
+		}
+
+		if ( $before || $after ) {
+			$date_query = array();
+			if ( $before ) {
+				$date_query['before'] = $before;
+			}
+			if ( $after ) {
+				$date_query['after'] = $after;
+			}
+			$query_args['date_query'] = array( $date_query );
+		}
+
+		$feedback_posts = get_posts( $query_args );
+
+		if ( empty( $feedback_posts ) ) {
+			return new WP_Error( 'no_responses', __( 'No responses found', 'jetpack-forms' ), array( 'status' => 404 ) );
+		}
+
+		$data       = array();
+		$all_fields = array();
+
+		foreach ( $feedback_posts as $post ) {
+			$post_data = array(
+				'ID'           => $post->ID,
+				'Date'         => get_the_date( 'Y-m-d H:i:s', $post ),
+				'Author Name'  => get_post_meta( $post->ID, '_feedback_author', true ),
+				'Author Email' => get_post_meta( $post->ID, '_feedback_author_email', true ),
+				'Author URL'   => get_post_meta( $post->ID, '_feedback_author_url', true ),
+				'IP Address'   => get_post_meta( $post->ID, '_feedback_ip', true ),
+				'Contact Form' => get_the_title( $post->post_parent ),
+			);
+
+			$all_meta = get_post_meta( $post->ID );
+			foreach ( $all_meta as $key => $value ) {
+				if ( strpos( $key, '_' ) === 0 ) {
+					continue;
+				}
+				$post_data[ $key ] = is_array( $value ) && count( $value ) === 1 ? $value[0] : ( is_array( $value ) ? implode( ', ', $value ) : $value );
+			}
+
+			$all_fields = array_merge( $all_fields, array_keys( $post_data ) );
+			$data[]     = $post_data;
+		}
+
+		$all_fields = array_unique( $all_fields );
+		$csv_data   = array( $all_fields );
+
+		foreach ( $data as $post_data ) {
+			$row = array();
+			foreach ( $all_fields as $field ) {
+				$row[] = isset( $post_data[ $field ] ) ? $post_data[ $field ] : '';
+			}
+			$csv_data[] = $row;
+		}
+
+		$csv_content = '';
+		foreach ( $csv_data as $row ) {
+			$csv_content .= '"' . implode( '","', array_map( 'esc_attr', $row ) ) . '"' . "\n";
+		}
+
+		if ( ! empty( $post_id ) && $post_id !== 'all' ) {
+			$filename = sprintf(
+				'%s - %s.csv',
+				\Automattic\Jetpack\Forms\ContactForm\Util::get_export_filename( get_the_title( (int) $post_id ) ),
+				gmdate( 'Y-m-d H:i' )
+			);
+		} else {
+			$filename = sprintf(
+				'%s - %s.csv',
+				\Automattic\Jetpack\Forms\ContactForm\Util::get_export_filename(),
+				gmdate( 'Y-m-d H:i' )
+			);
+		}
+
+		return new WP_REST_Response(
+			$csv_content,
+			200,
+			array(
+				'Content-Type'        => 'text/csv; charset=utf-8',
+				'Content-Disposition' => 'attachment; filename="' . $filename . '"',
+				'Cache-Control'       => 'no-cache, no-store, must-revalidate',
+				'Pragma'              => 'no-cache',
+				'Expires'             => '0',
+			)
+		);
+	}
 }

projects/packages/forms/src/contact-form/class-contact-form-plugin.php

@@ -211,9 +211,7 @@ protected function __construct() {
 		add_filter( 'wp_privacy_personal_data_exporters', array( $this, 'register_personal_data_exporter' ) );
 		add_filter( 'wp_privacy_personal_data_erasers', array( $this, 'register_personal_data_eraser' ) );
 
-		// Export to CSV feature
 		if ( is_admin() ) {
-			add_action( 'wp_ajax_feedback_export', array( $this, 'download_feedback_as_csv' ) );
 			add_action( 'wp_ajax_create_new_form', array( $this, 'create_new_form' ) );
 		}
 		add_action( 'admin_menu', array( $this, 'admin_menu' ) );
@@ -2756,84 +2754,6 @@ function ( $selected ) {
 		return $this->get_export_feedback_data( $feedbacks );
 	}
 
-	/**
-	 * Download exported data as CSV
-	 */
-	public function download_feedback_as_csv() {
-		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- verification is done on get_feedback_entries_from_post function
-		$post_data = wp_unslash( $_POST );
-		$data      = $this->get_feedback_entries_from_post();
-
-		if ( empty( $data ) ) {
-			return;
-		}
-
-		// Check if we want to download all the feedbacks or just a certain contact form
-		if ( ! empty( $post_data['post'] ) && $post_data['post'] !== 'all' ) {
-			$filename = sprintf(
-				'%s - %s.csv',
-				Util::get_export_filename( get_the_title( (int) $post_data['post'] ) ),
-				gmdate( 'Y-m-d H:i' )
-			);
-		} else {
-			$filename = sprintf(
-				'%s - %s.csv',
-				Util::get_export_filename(),
-				gmdate( 'Y-m-d H:i' )
-			);
-		}
-
-		/**
-		 * Extract field names from `$data` for later use.
-		 */
-		$fields = array_keys( $data );
-
-		/**
-		 * Count how many rows will be exported.
-		 */
-		$row_count = count( reset( $data ) );
-
-		// Forces the download of the CSV instead of echoing
-		header( 'Content-Disposition: attachment; filename=' . $filename );
-		header( 'Pragma: no-cache' );
-		header( 'Expires: 0' );
-		header( 'Content-Type: text/csv; charset=utf-8' );
-
-		$output = fopen( 'php://output', 'w' );
-
-		/**
-		 * Print CSV headers
-		 */
-		// @todo When we drop support for PHP <7.4, consider passing empty-string for `$escape` here for better spec compatibility.
-		fputcsv( $output, $fields, ',', '"', '\\' );
-
-		/**
-		 * Print rows to the output.
-		 */
-		for ( $i = 0; $i < $row_count; $i++ ) {
-
-			$current_row = array();
-
-			/**
-			 * Put all the fields in `$current_row` array.
-			 */
-			foreach ( $fields as $single_field_name ) {
-				$current_row[] = $this->esc_csv( $data[ $single_field_name ][ $i ] );
-			}
-
-			/**
-			 * Output the complete CSV row
-			 */
-			// @todo When we drop support for PHP <7.4, consider passing empty-string for `$escape` here for better spec compatibility.
-			fputcsv( $output, $current_row, ',', '"', '\\' );
-		}
-
-		fclose( $output ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose
-
-		$this->record_tracks_event( 'forms_export_responses', array( 'format' => 'csv' ) );
-		exit( 0 );
-	}
-
 	/**
 	 * Create a new page with a Form block
 	 */

projects/packages/forms/src/dashboard/hooks/use-export-responses.ts

@@ -3,14 +3,14 @@
  */
 import jetpackAnalytics from '@automattic/jetpack-analytics';
 import { useBreakpointMatch } from '@automattic/jetpack-components';
+import apiFetch from '@wordpress/api-fetch';
 import { store as coreStore } from '@wordpress/core-data';
 import { useSelect } from '@wordpress/data';
 import { useState, useCallback, useEffect } from '@wordpress/element';
 import { __ } from '@wordpress/i18n';
 /**
  * Internal dependencies
  */
-import { config } from '..';
 import { store as dashboardStore } from '../store';
 
 type ExportHookReturn = {
@@ -19,7 +19,7 @@ type ExportHookReturn = {
 	closeModal: () => void;
 	autoConnectGdrive: boolean;
 	userCanExport: boolean;
-	onExport: ( action: string, nonceName: string ) => Promise< Response >;
+	onExport: () => Promise< Response >;
 	selectedResponsesCount: number;
 	currentStatus: string;
 	exportLabel: string;
@@ -75,25 +75,26 @@ export default function useExportResponses(): ExportHookReturn {
 		return { selected: getSelectedResponsesFromCurrentDataset(), currentQuery: getCurrentQuery() };
 	}, [] );
 
-	const onExport = useCallback(
-		( action: string, nonceName: string ) => {
-			const data = new FormData();
-			data.append( 'action', action );
-			data.append( nonceName, config( 'exportNonce' ) );
-			selected.forEach( ( id: string ) => data.append( 'selected[]', id ) );
-			data.append( 'post', currentQuery.parent || 'all' );
-			data.append( 'search', currentQuery.search || '' );
-			data.append( 'status', currentQuery.status );
-
-			if ( currentQuery.before && currentQuery.after ) {
-				data.append( 'before', currentQuery.before );
-				data.append( 'after', currentQuery.after );
-			}
-
-			return fetch( window.ajaxurl, { method: 'POST', body: data } );
-		},
-		[ currentQuery, selected ]
-	);
+	const onExport = useCallback( () => {
+		const exportData = {
+			selected: selected.map( id => parseInt( id, 10 ) ),
+			post: currentQuery.parent ? String( currentQuery.parent ) : 'all',
+			search: currentQuery.search || '',
+			status: currentQuery.status || 'publish,draft',
+		};
+
+		if ( currentQuery.before && currentQuery.after ) {
+			exportData.before = currentQuery.before;
+			exportData.after = currentQuery.after;
+		}
+
+		return apiFetch( {
+			path: '/wp/v2/feedback/export',
+			method: 'POST',
+			data: exportData,
+			parse: false,
+		} );
+	}, [ currentQuery, selected ] );
 
 	useEffect( () => {
 		const url = new URL( window.location.href );