Editor "Code Editor" mode allows pasting of blocks with "parent" outside of said parents

[albanyacademy]

Description

Code editor mode allows user to bypass inability to paste blocks outside of their specific parents.

Step-by-step reproduction instructions

1. Add a new post
2. See that you cannot add the core/query-pagination block by itself
3. Add a query block, and copy the pagination block by itself
4. Create a paragraph block, and paste in the copied pagination block.
5. Observe that nothing happens.
6. Go into "code editor" mode, and replace the post content with only the pagination block
7. Observe that the pagination block is now on the page, outside of its parent query block.
8. Observe that in the front-end, the pagination block does not show up on the page at all.

step 8 appears to be limited to any blocks that rely exclusively on server-side rendering, such as pagination and social-link. Blocks which save HTML content, such as list-item, are not affected by this.

Screenshots, screen recording, code snippet

https://www.screencast.com/t/kYGTu4Wp1ys

Environment info

Wordpress 6.2.2, no plugins installed.

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes

[stacimc]

Tested on GB trunk according to the testing instructions and confirmed the current behavior with List/List Item and Social Links/Social Link.

Code Editor	Appearance in block editor	Appearance on frontend

[ndiego]

Hi @albanyacademy, thanks for reporting. This is expected. The Code Editor should be considered a "power user" tool, and breaking things or using the block in unintended ways is possible.

That said, you can disable access to the Core Editor so users can not unintentionally break things. Here is some sample code that restricts Code Editor access to Administrators:

/**
 * Restrict access to the locking UI and the Code Editor
 * to Administrators.
 * 
 * @param array $settings Default editor settings.
 * @param WP_Block_Editor_Context $context The current block editor context.
 */
function example_theme_restrict_locking_ui( $settings, $context ) {
    $is_administrator = current_user_can( 'activate_plugins' );

    if ( ! $is_administrator ) {
        $settings[ 'canLockBlocks' ] = false;
        $settings[ 'codeEditingEnabled' ] = false;
    }

	return $settings;
}
add_filter( 'block_editor_settings_all', 'example_theme_restrict_locking_ui', 10, 2 );

[albanyacademy]

Thanks for the response, opened a feature ticket to address the lack of visual feedback.