"Move to Trash" button doesn't respect 'delete_post' capability

[danielbachhuber]

Describe the bug

When a user cannot delete a post (as defined by the delete_post meta capability), the "Move to Trash" button still displays. My expectation is that the "Move to Trash" button wouldn't display.

To reproduce

1. Add the following code snippet to a mu-plugin:

add_filter(
	'map_meta_cap',
	function( $caps, $cap, $user_id, $args ) {
		if ( 'delete_post' === $cap ) {
			$caps = [ 'do_not_allow' ];
		}
		return $caps;
	},
	10,
	4
);

2. Active the Classic Editor plugin and view an existing post. The 'Move to Trash' link isn't present:

3. Deactivate the Classic Editor plugin and open the same post in the Block Editor. The 'Move to Trash' link is present, even though the REST API errors when you attempt to trash the post:

Suggested fix

Similar to the work done for #6361, we'll need to create some new wp:action-delete JSON Hyper Schema targetSchema response data for posts.

After this, the PostTrash component in @wordpress/editor will need to be updated to respect the presence of the wp:action-delete metadata.

[talldan]

@danielbachhuber, PR #12378 landed a canUser selector, which checks the allows header for specific REST resources:
https://github.com/WordPress/gutenberg/pull/12378/files#diff-2160e838a834521e1936ebd1908bd2b7R162

Could it be an option (bad pun) to use that when solving this issue?

I did a brief bit of testing in my console and it looks like canUser mostly works, but when calling it as a contributor and attempting to check if I had the ability to DELETE another user's post, a 403 (Forbidden) was returned by the endpoint and the selector returns undefined. That would have to be fixed.

[danielbachhuber]

Could it be an option (bad pun) to use that when solving this issue?

Yep, I think that could work too, and would be preferred. Good suggestion!

[talldan]

Resolved in #23174