Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block Bindings: Don't show protected fields that are bound to blocks #59326

Merged
merged 9 commits into from
Feb 28, 2024
Merged

Block Bindings: Don't show protected fields that are bound to blocks #59326

Changes from 4 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
b1e87cf
Check if the meta field is protected
SantosGuillamot Feb 23, 2024
7734683
Check if the meta field is available in the REST API
SantosGuillamot Feb 23, 2024
f8eab39
Use `get_registered_meta_keys` function
SantosGuillamot Feb 23, 2024
1117928
Return empty string instead of null
SantosGuillamot Feb 23, 2024
8da1667
Return null if the bindings config is not correct
SantosGuillamot Feb 26, 2024
b667e5c
Return `null` when the field is unavailable or protected
SantosGuillamot Feb 27, 2024
8697058
Add tests for protected fields
SantosGuillamot Feb 27, 2024
5eda970
Update tests to match current behavior
SantosGuillamot Feb 28, 2024
471745d
Remove unnecessary `show_in_rest` conditional
SantosGuillamot Feb 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 16 additions & 3 deletions lib/compat/wordpress-6.5/block-bindings/post-meta.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,17 +15,30 @@
*/
function gutenberg_block_bindings_post_meta_callback( $source_attrs, $block_instance ) {
if ( empty( $source_attrs['key'] ) ) {
return null;
return '';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the configuration for the block binding is incorrect, then we probably should return null to skip processing. In general, when returning null, the original value will stay in the block's saved HTML:

gutenberg/lib/compat/wordpress-6.5/blocks.php

Lines 202 to 205 in 702f78a

$block_binding_source = get_block_bindings_source( $block_binding['source'] );
if ( null === $block_binding_source ) {
continue;
}

https://github.com/WordPress/wordpress-develop/blob/716cf66fda28643c7178ac43ffe5d27f239a493b/src/wp-includes/class-wp-block.php#L271-L274

In other cases, we could replace the value with an empty string. It's really hard to tell what is the best way forward.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. I just made the change for that conditional.

I don't know what we should do for the rest of the use cases, as you say. That's why I shared this comment.

Copy link
Contributor

@youknowriad youknowriad Feb 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feels to me like we should keep the block attribute value as is for all the use-cases where the field is unavailable or protected or anything. I see it as a fallback value.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not opposed to the idea. It would have certain implications, like we would have to come up with a good strategy for providing the fallback value serialized in the saved block. I raised a very similar concern in #58895 (comment) where the proposed implementation tries to keep in sync the external data with the block attribute. In that case, the fallback would be the last value present in the external source and it would remain the fallback value. So definitely, we should look at it all holistically.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At the moment for WP 6.5 the fallback value is going to be hardcoded in the HTML manually crafted in the Code Editor, so going with null should be safe as it would mean that the used on the front end sees the fallback value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree it makes sense to keep it as a fallback value. I'll make the changes to adapt for that.

}

if ( empty( $block_instance->context['postId'] ) ) {
return null;
return '';
}
$post_id = $block_instance->context['postId'];
// If a post isn't public, we need to prevent unauthorized users from accessing the post meta.
$post = get_post( $post_id );
if ( ( ! is_post_publicly_viewable( $post ) && ! current_user_can( 'read_post', $post_id ) ) || post_password_required( $post ) ) {
return null;
return '';
}

// Check if the meta field is protected.
if ( is_protected_meta( $source_attrs['key'], 'post' ) ) {
return '';
}

// Check if the meta field is registered to be shown in REST.
$meta_keys = get_registered_meta_keys( 'post', $block_instance->context['postType'] );
// Add fields registered for all subtypes.
$meta_keys = array_merge( $meta_keys, get_registered_meta_keys( 'post', '' ) );
if ( empty( $meta_keys[ $source_attrs['key'] ]['show_in_rest'] ) || false === $meta_keys[ $source_attrs['key'] ]['show_in_rest'] ) {
SantosGuillamot marked this conversation as resolved.
Show resolved Hide resolved
return '';
}

return get_post_meta( $post_id, $source_attrs['key'], true );
Expand Down
Loading