Merge pull request #133 from Automattic/add/permissions

feat: improved permissions
Automattic · Apr 24, 2020 · 32fe5d7 · 32fe5d7
2 parents 4f3f334 + a564813
commit 32fe5d7
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 9 deletions.
diff --git a/includes/class-newspack-newsletters.php b/includes/class-newspack-newsletters.php
@@ -135,6 +135,9 @@ public static function remove_other_editor_modifications() {
 	 * Register the custom post type.
 	 */
 	public static function register_cpt() {
+		if ( ! current_user_can( 'edit_others_posts' ) ) {
+			return;
+		}
 		$labels = [
 			'name'               => _x( 'Newsletters', 'post type general name', 'newspack-newsletters' ),
 			'singular_name'      => _x( 'Newsletter', 'post type singular name', 'newspack-newsletters' ),
@@ -244,7 +247,7 @@ public static function rest_api_init() {
 			[
 				'methods'             => \WP_REST_Server::READABLE,
 				'callback'            => [ __CLASS__, 'api_mailchimp_data' ],
-				'permission_callback' => [ __CLASS__, 'api_permissions_check' ],
+				'permission_callback' => [ __CLASS__, 'api_authoring_permissions_check' ],
 				'args'                => [
 					'id' => [
 						'sanitize_callback' => 'absint',
@@ -258,7 +261,7 @@ public static function rest_api_init() {
 			[
 				'methods'             => \WP_REST_Server::EDITABLE,
 				'callback'            => [ __CLASS__, 'api_test_mailchimp_campaign' ],
-				'permission_callback' => [ __CLASS__, 'api_permissions_check' ],
+				'permission_callback' => [ __CLASS__, 'api_authoring_permissions_check' ],
 				'args'                => [
 					'id'         => [
 						'sanitize_callback' => 'absint',
@@ -275,7 +278,7 @@ public static function rest_api_init() {
 			[
 				'methods'             => \WP_REST_Server::EDITABLE,
 				'callback'            => [ __CLASS__, 'api_set_mailchimp_list' ],
-				'permission_callback' => [ __CLASS__, 'api_permissions_check' ],
+				'permission_callback' => [ __CLASS__, 'api_authoring_permissions_check' ],
 				'args'                => [
 					'id'      => [
 						'sanitize_callback' => 'absint',
@@ -292,7 +295,7 @@ public static function rest_api_init() {
 			[
 				'methods'             => \WP_REST_Server::EDITABLE,
 				'callback'            => [ __CLASS__, 'api_set_mailchimp_interest' ],
-				'permission_callback' => [ __CLASS__, 'api_permissions_check' ],
+				'permission_callback' => [ __CLASS__, 'api_authoring_permissions_check' ],
 				'args'                => [
 					'id'          => [
 						'sanitize_callback' => 'absint',
@@ -309,7 +312,7 @@ public static function rest_api_init() {
 			[
 				'methods'             => \WP_REST_Server::EDITABLE,
 				'callback'            => [ __CLASS__, 'api_set_campaign_settings' ],
-				'permission_callback' => [ __CLASS__, 'api_permissions_check' ],
+				'permission_callback' => [ __CLASS__, 'api_authoring_permissions_check' ],
 				'args'                => [
 					'id'        => [
 						'sanitize_callback' => 'absint',
@@ -329,7 +332,7 @@ public static function rest_api_init() {
 			[
 				'methods'             => \WP_REST_Server::READABLE,
 				'callback'            => [ __CLASS__, 'api_get_keys' ],
-				'permission_callback' => [ __CLASS__, 'api_permissions_check' ],
+				'permission_callback' => [ __CLASS__, 'api_administration_permissions_check' ],
 			]
 		);
 		\register_rest_route(
@@ -338,7 +341,7 @@ public static function rest_api_init() {
 			[
 				'methods'             => \WP_REST_Server::EDITABLE,
 				'callback'            => [ __CLASS__, 'api_set_keys' ],
-				'permission_callback' => [ __CLASS__, 'api_permissions_check' ],
+				'permission_callback' => [ __CLASS__, 'api_administration_permissions_check' ],
 				'args'                => [
 					'mailchimp_api_key'   => [
 						'sanitize_callback' => 'sanitize_text_field',
@@ -748,12 +751,12 @@ public static function mailchimp_api_key() {
 	}
 
 	/**
-	 * Check capabilities for using API.
+	 * Check capabilities for using the API for administration tasks.
 	 *
 	 * @param WP_REST_Request $request API request object.
 	 * @return bool|WP_Error
 	 */
-	public static function api_permissions_check( $request ) {
+	public static function api_administration_permissions_check( $request ) {
 		if ( ! current_user_can( 'manage_options' ) ) {
 			return new \WP_Error(
 				'newspack_rest_forbidden',
@@ -766,6 +769,25 @@ public static function api_permissions_check( $request ) {
 		return true;
 	}
 
+	/**
+	 * Check capabilities for using the API for authoring tasks.
+	 *
+	 * @param WP_REST_Request $request API request object.
+	 * @return bool|WP_Error
+	 */
+	public static function api_authoring_permissions_check( $request ) {
+		if ( ! current_user_can( 'edit_others_posts' ) ) {
+			return new \WP_Error(
+				'newspack_rest_forbidden',
+				esc_html__( 'You cannot use this resource.', 'newspack' ),
+				[
+					'status' => 403,
+				]
+			);
+		}
+		return true;
+	}
+
 	/**
 	 * Callback for CPT save. Will sync with Mailchimp.
 	 *

diff --git a/src/components/template-modal/screens/api-keys/index.js b/src/components/template-modal/screens/api-keys/index.js
@@ -38,6 +38,20 @@ export default ( { onSetupStatus } ) => {
 			.catch( handleErrors );
 	};
 	const handleErrors = error => {
+		if ( 'newspack_rest_forbidden' === error.code ) {
+			setInFlight( false );
+			setErrors( {
+				newspack_newsletters_invalid_keys_mailchimp: __(
+					'Only administrators can set Mailchimp API keys.',
+					'newspack-newsletters'
+				),
+				newspack_newsletters_invalid_keys_mjml: __(
+					'Only administrators can set MJML credentials.',
+					'newspack-newsletters'
+				),
+			} );
+			return;
+		}
 		const allErrors = { [ error.code ]: error.message };
 		( error.additional_errors || [] ).forEach(
 			additionalError => ( allErrors[ additionalError.code ] = additionalError.message )