Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update admin screen access #1437

Merged
merged 3 commits into from
Sep 17, 2018
Merged

Update admin screen access #1437

merged 3 commits into from
Sep 17, 2018

Conversation

westonruter
Copy link
Member

@westonruter westonruter commented Sep 17, 2018
edited
Loading

While the AMP validation screens are generally available to users who can edit_posts, in reality this should be tightened up to just administrators, with authors then only able to access the amp_invalid_url screens with just the posts that they themselves were responsible for creating in the course of creating regular posts.

  • Only show reciprocal links on Invalid URLs and Error Index screens when user has authorization, respectively.
  • Do not show the recheck row action for invalid URLs if they do not have permission.
  • Hide AMP admin bar link if user doesn't have authorization.
  • Harmonize approach for adding wp-heading-inline links. See Improve URL Listing view #1397 (comment).
  • Allow non-admin users to access AMP settings screen, but let all fields be disabled so that they can only see how it is configured.
  • Do not give non-admins access to the Error Index screen.

@westonruter westonruter added this to the v1.0 milestone Sep 17, 2018
@westonruter
Copy link
Member Author

@postphotos this fixes the issue you noted when a non-admin tries to access AMP screens.

@kienstra
Copy link
Contributor

Approved

Hi @weston,
This PR looks good, and it's nice how it changes the capabilities for the validator.

This looked good, when testing it for an administrator, editor, and author.

authors-view-page

kienstra
kienstra approved these changes Sep 17, 2018
View reviewed changes
includes/options/class-amp-options-menu.php
@@ -553,14 +553,21 @@ public function render_screen() {
AMP_Options_Manager::check_supported_post_type_update_errors();
}
?>
<?php if ( ! current_user_can( 'manage_options' ) ) : ?>
<div class="notice notice-info">
<p><?php esc_html_e( 'You do not have permission to modify these settings. They are shown here for your reference. Please contact your administrator to make changes.', 'amp' ); ?></p>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea to display this notice.

includes/validation/class-amp-invalid-url-post-type.php
@@ -1019,12 +1052,19 @@ public static function handle_validate_request() {
if ( ! $post || self::POST_TYPE_SLUG !== $post->post_type ) {
throw new Exception( 'invalid_post' );
}
if ( ! current_user_can( 'edit_post', $post->ID ) ) {
throw new Exception( 'unauthorized' );
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea to check the capability here.

@westonruter westonruter merged commit 9444a75 into develop Sep 17, 2018
@westonruter westonruter deleted the update/admin-screen-access branch September 17, 2018 19:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kienstra kienstra kienstra approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@westonruter @kienstra