-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add: Permission checks to avoid 403 errors on non admin roles. #63296
Add: Permission checks to avoid 403 errors on non admin roles. #63296
Conversation
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.
To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
_globalStylesId | ||
) | ||
: undefined; | ||
const userId = getCurrentUser()?.id; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally, we would do canUser( 'read', 'global_styles' ) but this is not working even for admins so it is probably another bug we should check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's add inline comments here. It's probably worth opening an issue for REST API changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @Mamaduka, thank you for the review. I added comments and created an issue as suggested.
Size Change: +182 B (+0.01%) Total Size: 1.75 MB
ℹ️ View Unchanged
|
const userId = getCurrentUser()?.id; | ||
const canEditThemeOptions = | ||
userId && getUser( userId )?.capabilities?.edit_theme_options; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here: Let's add a comment regarding getUser( userId )?.capabilities?.edit_theme_options
usage.
990eba6
to
a203f63
Compare
Thanks, @jorgefilipecosta! It looks like we missed a spot in Additionally, it might be a good idea to start using the new syntax for |
a203f63
to
c1f467b
Compare
Hi @Mamaduka,
Nice catch the check was added there.
I updated to the new syntax. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @jorgefilipecosta!
Tested with the author role and couldn't spot any 403 errors.
…ress#63296) Co-authored-by: jorgefilipecosta <jorgefilipecosta@git.wordpress.org> Co-authored-by: Mamaduka <mamaduka@git.wordpress.org>
Warning: Type of PR label mismatch To merge this PR, it requires exactly 1 label indicating the type of PR. Other labels are optional and not being checked here.
Read more about Type labels in Gutenberg. Don't worry if you don't have the required permissions to add labels; the PR reviewer should be able to help with the task. |
Fixes: #60987
Adds permission checks for site settings and global styles retrieval on the editor package to avoid 403 HTTP request errors currently happening when a non-admin role like an editor loads the post editor.
Testing Instructions for Keyboard
With a user whose role is editor, I created a new page and verified on the browser console that there are no 403 HTTP requests (on trunk there are).