Allow view access of template rest endpoint to anyone with the edit_post capability #60317

Conversation

@fabiankaegy fabiankaegy commented Mar 29, 2024

What?

Part of #60316 as requested in #58301 (comment)

Modify the template / template part rest endpoint to allow any user role with the edit_post capability to view entities.

Why?

In order to render the block template in the locked template preview inside the post editor we need to be able to fetch the contents of any block templates / template parts for any user role that can edit a post.

How?

Overwriting the get_items_permissions_check and get_item_permissions_check methods of the rest_controller_class of the wp_template post type to check whether the current user can edit_posts.

Testing Instructions

Try making an authenticated rest request to the template rest endpoint with any user role that has the edit_post capability. -> The template should get returned
Try making an unauthenticated request and still get an unauthorized error

@fabiankaegy fabiankaegy added [Type] Enhancement A suggestion for improvement. REST API Interaction Related to REST API labels Mar 29, 2024
@fabiankaegy fabiankaegy self-assigned this Mar 29, 2024
@fabiankaegy fabiankaegy changed the title allow view access of template rest endpoint to anyone with the edit_post capability Allow view access of template rest endpoint to anyone with the edit_post capability Mar 29, 2024
@fabiankaegy fabiankaegy force-pushed the feature/change-template-rest-controller-to-allow-view-access branch from 2f032ee to 6836921 Compare March 29, 2024 22:52

github-actions bot commented Mar 29, 2024

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: fabiankaegy <fabiankaegy@git.wordpress.org>
Co-authored-by: TimothyBJacobs <timothyblynjacobs@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@TimothyBJacobs

You need to make a more thorough check here; right now this won't account for users who don't have the ability to edit posts but can edit other CPTs that use the block editor. See WP_REST_Block_Types_Controller::check_read_permission for an example.
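As an added example (not code from this PR or from Gutenberg itself), here is how a `rest_controller_class` override of the kind described in the "How?" section could implement the broader read check suggested above, while leaving the write checks to the parent class; the class name and the error code are hypothetical:

```php
<?php
/**
 * Added example, not the PR's own code. Read checks accept anyone who can
 * edit some REST-exposed post type; create/update/delete are inherited from
 * WP_REST_Templates_Controller and still require edit_theme_options.
 */
class Example_Templates_Read_Access_Controller extends WP_REST_Templates_Controller {

	/**
	 * Editors of any block-editor post type need to read templates to preview
	 * them, not only users who hold the generic edit_posts capability.
	 *
	 * @return true|WP_Error
	 */
	protected function check_read_permission() {
		if ( current_user_can( 'edit_posts' ) ) {
			return true;
		}
		foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
			if ( current_user_can( $post_type->cap->edit_posts ) ) {
				return true;
			}
		}
		return new WP_Error(
			'rest_cannot_read_templates', // hypothetical error code
			__( 'Sorry, you are not allowed to view templates.' ),
			array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
		);
	}

	public function get_items_permissions_check( $request ) {
		return $this->check_read_permission();
	}

	public function get_item_permissions_check( $request ) {
		return $this->check_read_permission();
	}
}

// Point both template post types at the controller above.
add_filter(
	'register_post_type_args',
	function ( $args, $post_type ) {
		if ( in_array( $post_type, array( 'wp_template', 'wp_template_part' ), true ) ) {
			$args['rest_controller_class'] = 'Example_Templates_Read_Access_Controller';
		}
		return $args;
	},
	10,
	2
);
```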

@fabiankaegy fabiankaegy force-pushed the feature/change-template-rest-controller-to-allow-view-access branch from 6836921 to b1efbfa Compare March 30, 2024 14:07
@fabiankaegy

@TimothyBJacobs Thanks so much for your review :) I've updated the code to essentially match the example you've provided.

@fabiankaegy fabiankaegy enabled auto-merge (squash) March 30, 2024 14:28
@fabiankaegy fabiankaegy merged commit 5e8a210 into trunk Mar 30, 2024
58 checks passed
@fabiankaegy fabiankaegy deleted the feature/change-template-rest-controller-to-allow-view-access branch March 30, 2024 14:40
@github-actions github-actions bot added this to the Gutenberg 18.1 milestone Mar 30, 2024
@fabiankaegy fabiankaegy linked an issue Apr 3, 2024 that may be closed by this pull request
cbravobernal pushed a commit to garridinsi/gutenberg that referenced this pull request Apr 9, 2024
…ost capability (WordPress#60317)

Co-authored-by: fabiankaegy <fabiankaegy@git.wordpress.org>
Co-authored-by: TimothyBJacobs <timothyblynjacobs@git.wordpress.org>
@ellatrix

ellatrix commented May 1, 2024

@fabiankaegy Could you handle small-typo-change in your backport PR?

@fabiankaegy

I added a backport in WordPress/wordpress-develop#6494 (Track Ticket)

Comment on lines +26 to +33

```php
if ( current_user_can( 'edit_posts' ) ) {
	return true;
}
foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
	if ( current_user_can( $post_type->cap->edit_posts ) ) {
		return true;
	}
}
```
Contributor


This change appears to have caused an unintended regression.

Currently, Gutenberg uses the following code to determine whether the site editor can be accessed, mainly using the command palette, and switches the link destination based on the result.

```js
wp.data.select('core').canUser( 'read', 'templates' )
```

With this PR, this code now returns true even for non-administrator users, which causes links that they are not allowed to access to be displayed in commands, etc.

See #61419

@fabiankaegy fabiankaegy added the Needs Dev Note Requires a developer note for a major WordPress release cycle label May 29, 2024
@juanmaguitar juanmaguitar mentioned this pull request May 29, 2024
@fabiankaegy

Dev Note Draft:

Allow view access of the template REST API endpoint to anyone with the edit_post capability

Before WordPress 6.6 the templates and template-parts REST API endpoints were restricted to only be viewed/edited by anyone with the edit_theme_options capability (Administrators). WordPress 6.6 changes the permission checks to allow any user role with the edit_post capability to view these endpoints. Editing is still restricted to the edit_theme_options capability.

This change is because the post editor now includes the ability to preview a post's template while editing the post. In WordPress 6.5, this option was limited to administrators only. However, WordPress 6.6 now supports previewing the template for all user roles.
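An added example, not part of the PR or its backport: a core-style PHPUnit test that walks through the testing instructions above and the read/write split stated in the dev note. It assumes WordPress 6.6 or later and the core test framework (`WP_UnitTestCase`); the class name and the template slug are constructed.

```php
<?php
/**
 * Added example: verifies that with the 6.6 permission checks, a user who can
 * edit posts may read templates but still may not write them, and that users
 * without any edit capability get the authorization-required status.
 */
class Example_Templates_Permissions_Test extends WP_UnitTestCase {

	/** Dispatch a request internally and return only the HTTP status. */
	private function request_status( $method, $route, $body = array() ) {
		$request = new WP_REST_Request( $method, $route );
		if ( $body ) {
			$request->set_body_params( $body );
		}
		return rest_get_server()->dispatch( $request )->get_status();
	}

	public function test_author_can_read_templates_but_not_write() {
		// An author has edit_posts but not edit_theme_options.
		wp_set_current_user( self::factory()->user->create( array( 'role' => 'author' ) ) );

		$this->assertSame( 200, $this->request_status( 'GET', '/wp/v2/templates' ) );

		// Create still goes through the edit_theme_options check: 403 for a logged-in user.
		$this->assertSame(
			403,
			$this->request_status(
				'POST',
				'/wp/v2/templates',
				array( 'slug' => 'example-template', 'content' => '' ) // constructed values
			)
		);
	}

	public function test_subscriber_and_anonymous_cannot_read_templates() {
		// A subscriber can edit no REST-exposed post type, so the read check fails.
		wp_set_current_user( self::factory()->user->create( array( 'role' => 'subscriber' ) ) );
		$this->assertSame( 403, $this->request_status( 'GET', '/wp/v2/templates' ) );

		// Unauthenticated requests get 401 (rest_authorization_required_code()).
		wp_set_current_user( 0 );
		$this->assertSame( 401, $this->request_status( 'GET', '/wp/v2/templates' ) );
	}
}
```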

Successfully merging this pull request may close these issues.

Add ability to preview template in post editor for non administrators