Ottawa West Four Rivers Ontario Health Team

OWFR Admin Editor
Technical Reference

Architecture and REST API reference for the shared backend powering the Organizational Partners and Primary Care Partners editors.

Plugin version 2.0.0 April 2026
← All Guides
1

What this plugin does

The OWFR Admin Editor is a headless REST API backend plugin. It has no admin menu, no settings page, and no front-end output of its own. Its sole purpose is to provide the data layer for two specific front-end editors on the OWFR website:

When an authorized editor visits the Partners page on the live site, the plugin silently injects configuration data into the page footer, enabling the inline editing interface powered by the OWFR Partners plugin to read and write partner data through the REST API.

This is a shared infrastructure plugin. It is a dependency of the OWFR Partners plugin. If the Admin Editor plugin is deactivated, the inline partner editing functionality on the live site will stop working, even though the Partners plugin itself remains active.
2

What it manages (and what it does not)

As of version 2.0.0, the Admin Editor's scope is intentionally narrow. It was originally a more central shared backend, but card editing, tab management, and ordering for most content types have been moved into their respective standalone plugins.

Managed by this plugin

  • Organizational Partners data (owfr_partners_data)
  • Primary Care Partners data (owfr_pcp_data)
  • REST endpoints for reading and writing those two datasets
  • Footer config JSON for those two editors
  • WordPress Media Library enqueue for logged-in editors

Managed by standalone plugins

  • PCR (Primary Care Resources) card and tab editing
  • Services card and tab editing
  • LEP Resources card and tab editing
  • News Hub card editing
  • Events Calendar data
3

REST API endpoints

The plugin registers four REST routes: two for Organizational Partners and two for Primary Care Partners. All routes are under the owfr/v1 namespace.

Organizational Partners

GET /wp-json/owfr/v1/partners

Returns the full array of organizational partner records stored in wp_options.

  • Permission: Public (no authentication required)
  • Response: JSON array of partner objects
  • Returns empty array if no data has been saved yet
POST /wp-json/owfr/v1/partners

Replaces the entire organizational partners dataset with the submitted JSON array.

  • Permission: Requires edit_pages capability (Editor role or higher)
  • Body: JSON array of partner objects
  • Behavior: Full replacement, not a merge. The entire existing dataset is overwritten.
  • Sanitization: Each field is sanitized before storage (see Section 4)
  • Error: Returns HTTP 400 if the body is not a valid JSON array

Primary Care Partners

GET /wp-json/owfr/v1/pcp

Returns the full array of primary care partner records stored in wp_options.

  • Permission: Public (no authentication required)
  • Response: JSON array of primary care partner objects
  • Returns empty array if no data has been saved yet
POST /wp-json/owfr/v1/pcp

Replaces the entire primary care partners dataset with the submitted JSON array.

  • Permission: Requires edit_pages capability (Editor role or higher)
  • Body: JSON array of primary care partner objects
  • Behavior: Full replacement, not a merge.
  • Sanitization: Each field is sanitized before storage
  • Error: Returns HTTP 400 if the body is not a valid JSON array
POST requests require a valid wp_rest nonce. Write operations are authenticated using WordPress's standard REST nonce (wp_rest). The nonce is injected into the page footer by this plugin and consumed automatically by the JavaScript editor. Requests without a valid nonce will be rejected by WordPress regardless of the user's role.
4

Data model and storage

Both datasets are stored as serialized PHP arrays in the WordPress options table (wp_options). There are no custom database tables.

Dataset Option key Type
Organizational Partners owfr_partners_data Array of partner objects
Primary Care Partners owfr_pcp_data Array of partner objects

Partner object structure

Each partner object in either dataset contains the following fields. The same structure applies to both Organizational and Primary Care Partners.

Field Sanitization Description
id sanitize_key() A unique identifier for the partner record. URL-safe lowercase string.
name sanitize_text_field() The partner organization's display name. Records with an empty name are silently dropped on save.
desc sanitize_textarea_field() A short description of the partner. Supports line breaks but no HTML.
logo esc_url_raw() URL to the partner's logo image, typically from the WordPress Media Library.
url esc_url_raw() The partner's website URL.
bg sanitize_text_field() A background color value for the partner card (e.g., a hex color or CSS color name).
Full replacement on every save. The POST endpoints replace the entire dataset on every write. The JavaScript editor reads the current state, applies the user's change in memory, and then posts the complete updated array back. There is no partial update or field-level PATCH operation.
5

Permission model

Operation Required capability Default WordPress role
GET /partners (read) None (public) Any visitor
GET /pcp (read) None (public) Any visitor
POST /partners (write) edit_pages Editor or Administrator
POST /pcp (write) edit_pages Editor or Administrator
Footer config JSON injection edit_pages Editor or Administrator
Media Library enqueue edit_pages Editor or Administrator
No admin-only operations. Unlike the EDIA-R Toolkit and Resource Library, the Admin Editor uses edit_pages (Editor level) rather than manage_options (Administrator only). This means Editor-role staff can use the inline partner editors on the live site without needing full Administrator access.
7

WordPress Media Library enqueue

The plugin calls wp_enqueue_media() on the front end for any logged-in user with edit_pages. This loads the WordPress Media Library JavaScript and CSS, enabling the logo picker in the inline partner edit modals.

Without this enqueue, editors would not be able to open the Media Library picker to upload or select a partner logo. The Media Library assets are substantial in size, but they are only loaded for authenticated editors and never for regular site visitors.

This applies site-wide for editors, not only on the Partners page. wp_enqueue_media() is called on the wp_enqueue_scripts hook without a page check. Media Library assets are therefore loaded on every front-end page for logged-in editors. If this causes performance concerns, a page restriction can be added by the developer.
8

WordPress hooks used

Action
rest_api_init

Registers the four REST routes (/partners GET, /partners POST, /pcp GET, /pcp POST).

Action
wp_enqueue_scripts

Calls wp_enqueue_media() for any logged-in user with the edit_pages capability, enabling the front-end Media Library picker.

Action
wp_footer

Outputs the two JSON config blocks (#owfr-partners-config and #owfr-pcp-config) at priority 99, after all other footer content.

OWFR Admin Editor Plugin  |  Ottawa West Four Rivers Ontario Health Team  |  April 2026

← All Guides