Global Styles: Hide Custom CSS setting for users without 'edit_css' cap #46815
Conversation
lib/compat/wordpress-6.2/class-gutenberg-rest-global-styles-controller-6-2.php
```php
if ( current_user_can( 'edit_css' ) ) {
	$rels[] = 'https://api.w.org/action-edit-css';
}
```
I couldn't find documentation on how these URLs are generated/created. So I need to double-check if https://api.w.org/action-edit-css is the correct format.
Size Change: +58 B (0%) Total Size: 1.33 MB
Works nicely for me
Thanks @Mamaduka!
I think we should consider the KSES filters as well, since right now the Custom CSS feature doesn't work for users with the edit_css
cap if those filters are active (see #46651 (comment)).
You can follow these instructions to observe the differences:
- Enable the KSES filters with `add_action( 'init', 'kses_init_filters' );`
- Activate the Twenty Twenty-One theme
- Go to Appearance > Customize > Additional CSS
- Add some CSS code
- Save the changes
- ✅ Note how the CSS code is correctly saved
- Now activate the Twenty Twenty-Three theme
- Go to Appearance > Editor
- Open the Styles sidebar
- Select "Custom CSS"
- Add some CSS code
- Save the changes
- ⚠️ Note how the changes are reverted
I think @glendaviesnz already solved that in #46666 (likely in this commit: 5d32940)
Flaky tests detected in 5b06a2d. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/3931818666
I think it was handled in this commit according to the commit message: 5d32940.
It's an opt-in behavior (so it's up to plugins or devs to do so), but it's useful for example to remove invalid styles from Global Styles or to remove invalid HTML from posts.
Okay, I think I've better understood the logic now. We want to modify If you don't mind, I would like to address that separately. This PR handles the UI portion of the capability checks and how core processes the data is unrelated to it.
While I generally like tackling issues in smaller and separate PRs, I'm not sure we should expose the Global Styles' Custom CSS feature in the UI until it works well for all scenarios. Right now, the feature doesn't work in one of these scenarios, as opposed to the Customizer's Custom CSS feature:
I'm ok addressing the remaining scenario in a separate PR, but I don't think we should merge this PR until that's solved. Otherwise, users with the Alternatively, you could keep the experimental flag check and remove that in a separate PR. That way, it should be fine to merge this PR.
I've no strong preference. I can create PR for
Currently in customizer a user needs This is the reason I added the
@glendaviesnz, the Customizer uses Core links:
Yeah, I agree we should mimic what the Customizer does, so +1 on using The idea of adding a filter that allows plugins to customize the capability check sounds interesting, but I think it's fine to do so on a separate PR (and AFAICS the Customizer doesn't have anything like that, so it's totally ok to not offer such a filter for now).
Thanks for the extra detail - I had missed the fact that it was mapped in my initial look at this. I have closed my draft PR now in favor of this one. Thanks for picking this up. |
I rebased on top of the current
Lovely! This works now as expected for all possible scenarios. Thanks for working on #47062 first!
…al_Styles_Controller`. Updates the Global Styles endpoint to expose the `'edit_css'` capability via action links. References: * [WordPress/gutenberg#46815 Gutenberg PR 46815] Part of an effort to hide custom CSS setting for users without `'edit_css'` capability. Follow-up to [52342], [52051]. Props mamaduka, dsas, glendaviesnz, mmtr86, talldanwp, timothyblynjacobs. Fixes #57526. git-svn-id: https://develop.svn.wordpress.org/trunk@55177 602fd350-edb4-49c9-b593-d223f7449a82
What?
See #46651.
PR adds a capability check before displaying the Custom CSS setting and removes this feature behind the experimental flag.
Why?
The changes from users without `unfiltered_html` capabilities aren't persistent, and the feature looks broken. It also matches the behavior of the "Additional CSS" setting in Customizer.
How?
The Global Styles endpoint now has a new action listed in link relations for users with `edit_css` caps. The client uses this action to check the required permissions. The `edit_css` is a mapped capability, which in Core defaults to `unfiltered_html`. See the permission section of this make post for more details - https://make.wordpress.org/core/2016/11/26/extending-the-custom-css-editor/.
Testing Instructions
`wp-config.php`
- `define( 'DISALLOW_UNFILTERED_HTML', true );`
Screenshot
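An added example (not Gutenberg's or WordPress core's code) of the pattern this PR relies on: the REST response advertises an `https://api.w.org/action-edit-css` link relation only when `current_user_can( 'edit_css' )` is true, so the client can hide the Custom CSS field, and the write path enforces the same capability server-side, so the hidden field is never the only control. Because `edit_css` is a mapped capability, defining `DISALLOW_UNFILTERED_HTML` (as in the testing instructions) makes `current_user_can( 'edit_css' )` return false and both the link and the write are denied together. The class `Example_Styles_Controller`, the route `example/v1/styles` and the option `example_custom_css` are hypothetical names; the code assumes a loaded WordPress environment.

```php
<?php
// Added example, not Gutenberg or WordPress core code.
// Hypothetical names: Example_Styles_Controller, route example/v1/styles, option example_custom_css.
// Assumes WordPress is loaded (register_rest_route, current_user_can, WP_REST_Response, etc.).

class Example_Styles_Controller {
	// Same action-link relation the PR adds to the Global Styles endpoint.
	const ACTION_EDIT_CSS = 'https://api.w.org/action-edit-css';
	const OPTION          = 'example_custom_css';

	public function register_routes() {
		register_rest_route(
			'example/v1',
			'/styles',
			array(
				array(
					'methods'             => WP_REST_Server::READABLE,
					'callback'            => array( $this, 'get_item' ),
					'permission_callback' => array( $this, 'read_permissions_check' ),
				),
				array(
					'methods'             => WP_REST_Server::EDITABLE,
					'callback'            => array( $this, 'update_item' ),
					'permission_callback' => array( $this, 'update_permissions_check' ),
				),
			)
		);
	}

	public function read_permissions_check( WP_REST_Request $request ) {
		return current_user_can( 'edit_theme_options' );
	}

	// Write side: the capability is the authorization boundary, not the UI.
	// A request carrying `css` is rejected unless the user has `edit_css`,
	// which maps to `unfiltered_html` and to `do_not_allow` under DISALLOW_UNFILTERED_HTML.
	public function update_permissions_check( WP_REST_Request $request ) {
		if ( ! current_user_can( 'edit_theme_options' ) ) {
			return new WP_Error(
				'rest_forbidden',
				'Sorry, you are not allowed to edit styles.',
				array( 'status' => rest_authorization_required_code() )
			);
		}
		if ( null !== $request->get_param( 'css' ) && ! current_user_can( 'edit_css' ) ) {
			return new WP_Error(
				'rest_cannot_edit_css',
				'Sorry, you are not allowed to edit custom CSS.',
				array( 'status' => rest_authorization_required_code() )
			);
		}
		return true;
	}

	// Read side: the action link is present only for users who may edit CSS,
	// so a client can decide whether to render the Custom CSS field at all.
	public function get_item( WP_REST_Request $request ) {
		$response = new WP_REST_Response(
			array( 'css' => get_option( self::OPTION, '' ) )
		);
		$response->add_link( 'self', rest_url( 'example/v1/styles' ) );
		if ( current_user_can( 'edit_css' ) ) {
			$response->add_link( self::ACTION_EDIT_CSS, rest_url( 'example/v1/styles' ) );
		}
		return $response;
	}

	public function update_item( WP_REST_Request $request ) {
		$css = $request->get_param( 'css' );
		// Only reached when update_permissions_check() allowed the write.
		if ( null !== $css ) {
			update_option( self::OPTION, (string) $css );
		}
		return $this->get_item( $request );
	}
}

add_action(
	'rest_api_init',
	function () {
		( new Example_Styles_Controller() )->register_routes();
	}
);
```

A client reading this endpoint checks for the `https://api.w.org/action-edit-css` key in the response's `_links` (the same way the PR's client code checks the Global Styles response) and hides the field when it is absent; the server-side `permission_callback` is what actually stops a user without the capability from saving CSS.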