Allow view access of template rest endpoint to anyone with the edit_post capability
#60317
Conversation
fabiankaegy
added
[Type] Enhancement
fabiankaegy
changed the title
edit_post capability
fabiankaegy
force-pushed
the
feature/change-template-rest-controller-to-allow-view-access
branch
from
2f032ee to
6836921
Compare
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
|
You need to make a more thorough check here, right now this won't account for users who have the ability not to edit posts, but other CPTs that use the block editor. See |
fabiankaegy
force-pushed
the
feature/change-template-rest-controller-to-allow-view-access
branch
from
6836921 to
b1efbfa
Compare
|
@TimothyBJacobs Thanks for much for your review :) I've updated the code to essentially match the example you've provided. |
fabiankaegy
deleted the
feature/change-template-rest-controller-to-allow-view-access
branch
…ost capability (WordPress#60317) Co-authored-by: fabiankaegy <fabiankaegy@git.wordpress.org> Co-authored-by: TimothyBJacobs <timothyblynjacobs@git.wordpress.org>
|
@fabiankaegy Could you handle small-typo-change in your backport PR? |
|
I added a backport in WordPress/wordpress-develop#6494 (Track Ticket) |
| if ( current_user_can( 'edit_posts' ) ) { | ||
| return true; | ||
| } | ||
| foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) { | ||
| if ( current_user_can( $post_type->cap->edit_posts ) ) { | ||
| return true; | ||
| } | ||
| } |
There was a problem hiding this comment.
This change appears to have caused an unintended regression.
Currently, Gutenberg uses the following code to determine whether the site editor can be accessed, mainly using the command palette, and switches the link destination based on the result.
wp.data.select('core').canUser( 'read', 'templates' )With this PR, this code now returns true even for non-administrator users, which causes links that they are not allowed to access to be displayed in commands, etc.
See #61419
fabiankaegy
added
the
Needs Dev Note
Dev Note Draft:Allow view access of the template REST API endpoint to anyone with the
|
What?
Part of #60316 as requested in #58301 (comment)
Modify the template / template part rest endpoint to allow any user role with the
edit_postcapability to view entities.Why?
In order to render the block template in the locked template preview inside the post editor we need to be able to fetch the contents of any block templates / template parts for any user role that can edit a post.
How?
Overwriting the
get_items_permissions_checkandget_item_permissions_checkmethods of therest_controller_classof thewp_templatepost type to check whether the current user canedit_posts.Testing Instructions
Try making an authenticated rest request to the template rest endpoint with any user role that has the
edit_postcapability. -> The template should get returnedTry making an unauthenticated request and still get an unauthorized error