From b585071268b167aaf796f1ea2b85b73007eb9caf Mon Sep 17 00:00:00 2001 From: Jorge Costa Date: Tue, 9 Jul 2024 13:24:57 +0100 Subject: [PATCH 1/3] Add: Permission checks to avoid 403 errors on non admin roles. --- .../edit-post/src/store/private-selectors.js | 6 ++- .../editor/src/components/blog-title/index.js | 6 ++- .../global-styles-provider/index.js | 42 +++++++++++++------ .../src/components/post-card-panel/index.js | 5 ++- .../post-content-information/index.js | 5 ++- .../editor/src/components/post-url/panel.js | 6 ++- .../src/components/posts-per-page/index.js | 6 ++- .../src/components/site-discussion/index.js | 6 ++- 8 files changed, 58 insertions(+), 24 deletions(-) diff --git a/packages/edit-post/src/store/private-selectors.js b/packages/edit-post/src/store/private-selectors.js index be23227d54a19..608ebc5ce5c11 100644 --- a/packages/edit-post/src/store/private-selectors.js +++ b/packages/edit-post/src/store/private-selectors.js @@ -12,8 +12,10 @@ export const getEditedPostTemplateId = createRegistrySelector( type: postType, slug, } = select( editorStore ).getCurrentPost(); - const { getSite, getEntityRecords } = select( coreStore ); - const siteSettings = getSite(); + const { getSite, getEntityRecords, canUser } = select( coreStore ); + const siteSettings = canUser( 'read', 'settings' ) + ? getSite() + : undefined; // First check if the current page is set as the posts page. const isPostsPage = +postId === siteSettings?.page_for_posts; if ( isPostsPage ) { diff --git a/packages/editor/src/components/blog-title/index.js b/packages/editor/src/components/blog-title/index.js index 4964ac3a0ec04..bf9439147ae5c 100644 --- a/packages/editor/src/components/blog-title/index.js +++ b/packages/editor/src/components/blog-title/index.js 
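Review bot: The gated `siteSettings` in `getEditedPostTemplateId` makes `isPostsPage` silently false both while `canUser( 'read', 'settings' )` is still resolving (it yields undefined until its OPTIONS request completes) and for every user who cannot read settings, so for those users the selector now falls through to the slug-based template lookup instead of the posts-page path — a behaviour change, not only the avoidance of a 403. A comment at the ternary should record this, e.g. `// canUser() is undefined while resolving and false for users who cannot read settings; in both cases the posts-page check below is skipped rather than deferred.`. `canUser` is a client-side convenience check only; the REST layer still enforces access, so this line must not be read as authorization. The selector body continues past the end of the hunk.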
@@ -27,9 +27,11 @@ export default function BlogTitle() { const { editEntityRecord } = useDispatch( coreStore ); const { postsPageTitle, postsPageId, isTemplate, postSlug } = useSelect( ( select ) => { - const { getEntityRecord, getEditedEntityRecord } = + const { getEntityRecord, getEditedEntityRecord, canUser } = select( coreStore ); - const siteSettings = getEntityRecord( 'root', 'site' ); + const siteSettings = canUser( 'read', 'settings' ) + ? getEntityRecord( 'root', 'site' ) + : undefined; const _postsPageRecord = siteSettings?.page_for_posts ? getEditedEntityRecord( 'postType', diff --git a/packages/editor/src/components/global-styles-provider/index.js b/packages/editor/src/components/global-styles-provider/index.js index b7869e3413c3d..7b89b413d4aa2 100644 --- a/packages/editor/src/components/global-styles-provider/index.js +++ b/packages/editor/src/components/global-styles-provider/index.js @@ -33,17 +33,25 @@ export function mergeBaseAndUserConfigs( base, user ) { function useGlobalStylesUserConfig() { const { globalStylesId, isReady, settings, styles, _links } = useSelect( ( select ) => { - const { getEditedEntityRecord, hasFinishedResolution } = - select( coreStore ); + const { + getEditedEntityRecord, + hasFinishedResolution, + getUser, + getCurrentUser, + } = select( coreStore ); const _globalStylesId = select( coreStore ).__experimentalGetCurrentGlobalStylesId(); - const record = _globalStylesId - ? getEditedEntityRecord( - 'root', - 'globalStyles', - _globalStylesId - ) - : undefined; + const userId = getCurrentUser()?.id; + const canEditThemeOptions = + userId && getUser( userId )?.capabilities?.edit_theme_options; + const record = + _globalStylesId && canEditThemeOptions + ? getEditedEntityRecord( + 'root', + 'globalStyles', + _globalStylesId + ) + : undefined; let hasResolved = false; if ( 
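Review bot: The `canUser( 'read', 'settings' ) ? getEntityRecord( 'root', 'site' ) : undefined` expression introduced in `BlogTitle` is the same one added to six other components in this commit, which leaves the permission name and the entity path to keep in sync in seven places. A small shared helper taking the record getter as a parameter, e.g. `const readSiteSettings = ( select, getter ) => select( coreStore ).canUser( 'read', 'settings' ) ? getter( 'root', 'site' ) : undefined;`, would give one place to adjust when the permission model changes. The select callback continues outside the hunk, so how an undefined `siteSettings` flows into `postsPageTitle` and `postsPageId` is not visible here.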
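Review bot: `record` is now left undefined when `canEditThemeOptions` is falsy, but the resolution bookkeeping that starts at `let hasResolved = false; if (` runs past the end of the hunk; if it still waits on `hasFinishedResolution( 'getEditedEntityRecord', ... )` whenever `_globalStylesId` is set, that resolution is never started for users without `edit_theme_options` and `isReady` may never become true for them. The same `_globalStylesId && canEditThemeOptions` condition should gate that branch too, e.g. `hasResolved = _globalStylesId && canEditThemeOptions ? hasFinishedResolution( 'getEditedEntityRecord', [ 'root', 'globalStyles', _globalStylesId ] ) : true;`. `canEditThemeOptions` is also undefined until both `getCurrentUser()` and `getUser( userId )` have resolved, so the record request is deferred by two extra round trips; if the current-user record already carries `capabilities`, the `getUser` call could be dropped — worth confirming against the core-data resolvers. Reading `capabilities` off a cached user record is a UX gate only; the global-styles endpoint still enforces the capability server-side.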
@@ -126,9 +134,19 @@ function useGlobalStylesUserConfig() { function useGlobalStylesBaseConfig() { const baseConfig = useSelect( ( select ) => { - return select( - coreStore - ).__experimentalGetCurrentThemeBaseGlobalStyles(); + const { + getCurrentUser, + getUser, + __experimentalGetCurrentThemeBaseGlobalStyles, + } = select( coreStore ); + const userId = getCurrentUser()?.id; + const canEditThemeOptions = + userId && getUser( userId )?.capabilities?.edit_theme_options; + + return ( + canEditThemeOptions && + __experimentalGetCurrentThemeBaseGlobalStyles() + ); }, [] ); return [ !! baseConfig, baseConfig ]; diff --git a/packages/editor/src/components/post-card-panel/index.js b/packages/editor/src/components/post-card-panel/index.js index 5aebfb650bfdb..80cfbaf60efec 100644 --- a/packages/editor/src/components/post-card-panel/index.js +++ b/packages/editor/src/components/post-card-panel/index.js @@ -36,8 +36,11 @@ export default function PostCardPanel( { actions } ) { getCurrentPostId, __experimentalGetTemplateInfo, } = select( editorStore ); + const { canUser } = select( coreStore ); const { getEditedEntityRecord } = select( coreStore ); - const siteSettings = getEditedEntityRecord( 'root', 'site' ); + const siteSettings = canUser( 'read', 'settings' ) + ? getEditedEntityRecord( 'root', 'site' ) + : undefined; const _type = getCurrentPostType(); const _id = getCurrentPostId(); const _record = getEditedEntityRecord( 'postType', _type, _id ); diff --git a/packages/editor/src/components/post-content-information/index.js b/packages/editor/src/components/post-content-information/index.js index 7597a6b4697dc..d60ec83b332e6 100644 --- a/packages/editor/src/components/post-content-information/index.js +++ b/packages/editor/src/components/post-content-information/index.js 
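Review bot: The `userId` / `canEditThemeOptions` derivation in `useGlobalStylesBaseConfig` duplicates the one in `useGlobalStylesUserConfig` earlier in this file; a shared private helper, e.g. `const canEditThemeOptions = ( select ) => { const id = select( coreStore ).getCurrentUser()?.id; return !! id && !! select( coreStore ).getUser( id )?.capabilities?.edit_theme_options; };`, keeps the capability name in one place and yields a real boolean. As written the hook can now return `undefined`, `false`, or the styles object; `[ !! baseConfig, baseConfig ]` normalises the first element, but any caller reading the second element directly will see `false` where it previously saw the unresolved value — hedged, since the callers are outside the hunk.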
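Review bot: In `PostCardPanel` the new `const { canUser } = select( coreStore );` sits directly above the existing `const { getEditedEntityRecord } = select( coreStore );`, so `select( coreStore )` is called twice and destructured separately; merging them, `const { canUser, getEditedEntityRecord } = select( coreStore );`, matches the style used in the other hunks of this commit (e.g. `post-url/panel.js`). The same double destructure appears in `post-content-information/index.js`. The select callback continues beyond the hunk.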
@@ -25,8 +25,11 @@ export default function PostContentInformation() { const { postContent } = useSelect( ( select ) => { const { getEditedPostAttribute, getCurrentPostType, getCurrentPostId } = select( editorStore ); + const { canUser } = select( coreStore ); const { getEntityRecord } = select( coreStore ); - const siteSettings = getEntityRecord( 'root', 'site' ); + const siteSettings = canUser( 'read', 'settings' ) + ? getEntityRecord( 'root', 'site' ) + : undefined; const postType = getCurrentPostType(); const _id = getCurrentPostId(); const isPostsPage = +_id === siteSettings?.page_for_posts; diff --git a/packages/editor/src/components/post-url/panel.js b/packages/editor/src/components/post-url/panel.js index 64ba1357221da..4e24af9862bb9 100644 --- a/packages/editor/src/components/post-url/panel.js +++ b/packages/editor/src/components/post-url/panel.js @@ -61,8 +61,10 @@ export default function PostURLPanel() { function PostURLToggle( { isOpen, onClick } ) { const { slug, isFrontPage, postLink } = useSelect( ( select ) => { const { getCurrentPostId, getCurrentPost } = select( editorStore ); - const { getEditedEntityRecord } = select( coreStore ); - const siteSettings = getEditedEntityRecord( 'root', 'site' ); + const { getEditedEntityRecord, canUser } = select( coreStore ); + const siteSettings = canUser( 'read', 'settings' ) + ? getEditedEntityRecord( 'root', 'site' ) + : undefined; const _id = getCurrentPostId(); return { slug: select( editorStore ).getEditedPostSlug(), diff --git a/packages/editor/src/components/posts-per-page/index.js b/packages/editor/src/components/posts-per-page/index.js index d62d250d9f3d3..59ecff6c70be0 100644 --- a/packages/editor/src/components/posts-per-page/index.js +++ b/packages/editor/src/components/posts-per-page/index.js 
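Review bot: In `PostURLToggle`, `isFrontPage` is presumably derived from `siteSettings` further down in the select callback (outside the hunk); with `siteSettings` now deliberately undefined for users who cannot read settings, the toggle treats the front page as an ordinary page for those users. That is the same outcome as before when the request failed with a 403, but it is now silent by design and deserves a comment at the ternary, e.g. `// Users without settings access cannot detect the front page here; the toggle then behaves as for a regular page.`. If that degradation is not acceptable, the component should pick a conservative default when `siteSettings` is undefined rather than fall through.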
@@ -24,8 +24,10 @@ export default function PostsPerPage() { const { postsPerPage, isTemplate, postSlug } = useSelect( ( select ) => { const { getEditedPostAttribute, getCurrentPostType } = select( editorStore ); - const { getEditedEntityRecord } = select( coreStore ); - const siteSettings = getEditedEntityRecord( 'root', 'site' ); + const { getEditedEntityRecord, canUser } = select( coreStore ); + const siteSettings = canUser( 'read', 'settings' ) + ? getEditedEntityRecord( 'root', 'site' ) + : undefined; return { isTemplate: getCurrentPostType() === TEMPLATE_POST_TYPE, postSlug: getEditedPostAttribute( 'slug' ), diff --git a/packages/editor/src/components/site-discussion/index.js b/packages/editor/src/components/site-discussion/index.js index e4bd60db3f8a7..017a691da3c60 100644 --- a/packages/editor/src/components/site-discussion/index.js +++ b/packages/editor/src/components/site-discussion/index.js @@ -55,8 +55,10 @@ export default function SiteDiscussion() { ( select ) => { const { getEditedPostAttribute, getCurrentPostType } = select( editorStore ); - const { getEditedEntityRecord } = select( coreStore ); - const siteSettings = getEditedEntityRecord( 'root', 'site' ); + const { getEditedEntityRecord, canUser } = select( coreStore ); + const siteSettings = canUser( 'read', 'settings' ) + ? getEditedEntityRecord( 'root', 'site' ) + : undefined; return { isTemplate: getCurrentPostType() === TEMPLATE_POST_TYPE, postSlug: getEditedPostAttribute( 'slug' ), From 1444714e9f7e5a8f2499e59123e881452568f4b0 Mon Sep 17 00:00:00 2001 From: Jorge Costa Date: Thu, 11 Jul 2024 15:16:59 +0100 Subject: [PATCH 2/3] add comments --- .../src/components/global-styles-provider/index.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/packages/editor/src/components/global-styles-provider/index.js b/packages/editor/src/components/global-styles-provider/index.js index 7b89b413d4aa2..62e390cba25ae 100644 --- a/packages/editor/src/components/global-styles-provider/index.js 
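Review bot: `PostsPerPage` reads `posts_per_page` from the site record behind the new `canUser( 'read', 'settings' )` gate, but the control it renders (outside the hunk) edits that same site setting; a user who cannot read settings is unlikely to be allowed to update them, so the component should probably not render at all in that case rather than show a control bound to an undefined value. Consider returning `null` when `siteSettings` is undefined, or gating the whole component on `canUser( 'update', 'settings' )` — hedged, since the render path is not in the hunk. The same consideration applies to `SiteDiscussion`, which edits the discussion settings from the same record.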
+++ b/packages/editor/src/components/global-styles-provider/index.js @@ -41,9 +41,14 @@ function useGlobalStylesUserConfig() { } = select( coreStore ); const _globalStylesId = select( coreStore ).__experimentalGetCurrentGlobalStylesId(); + + // Doing canUser( 'read', 'global_styles' ) returns false even for users with the capability. + // See: https://github.com/WordPress/gutenberg/issues/63438 + // So we need to check the user capabilities directly. const userId = getCurrentUser()?.id; const canEditThemeOptions = userId && getUser( userId )?.capabilities?.edit_theme_options; + const record = _globalStylesId && canEditThemeOptions ? getEditedEntityRecord( @@ -139,6 +144,10 @@ function useGlobalStylesBaseConfig() { getUser, __experimentalGetCurrentThemeBaseGlobalStyles, } = select( coreStore ); + + // Doing canUser( 'read', 'global_styles' ) returns false even for users with the capability. + // See: https://github.com/WordPress/gutenberg/issues/63438 + // So we need to check the user capabilities directly. const userId = getCurrentUser()?.id; const canEditThemeOptions = userId && getUser( userId )?.capabilities?.edit_theme_options; From c1f467be791ed78035c878892a2bcfb5cc4599cd Mon Sep 17 00:00:00 2001 From: Jorge Costa Date: Thu, 11 Jul 2024 15:52:39 +0100 Subject: [PATCH 3/3] enhacements --- packages/edit-post/src/store/private-selectors.js | 5 ++++- packages/editor/src/components/blog-title/index.js | 5 ++++- .../editor/src/components/post-card-panel/index.js | 5 ++++- .../src/components/post-content-information/index.js | 5 ++++- packages/editor/src/components/post-template/hooks.js | 10 ++++++++-- packages/editor/src/components/post-url/panel.js | 5 ++++- packages/editor/src/components/posts-per-page/index.js | 5 ++++- .../editor/src/components/site-discussion/index.js | 5 ++++- 8 files changed, 36 insertions(+), 9 deletions(-) 
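Review bot: The new comments in `useGlobalStylesUserConfig` and `useGlobalStylesBaseConfig` explain why `canUser( 'read', 'global_styles' )` is not used, but they do not mark the direct capability lookup as a temporary workaround or state what it is for; a trailing line such as `// TODO: revert to canUser() once the issue above is fixed. This only avoids a 403 in the client; the REST endpoint still enforces the capability.` would make both intent and lifetime explicit. The issue link is plain text with no `TODO`/`FIXME` tag, so it will not surface in a follow-up sweep.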
diff --git a/packages/edit-post/src/store/private-selectors.js b/packages/edit-post/src/store/private-selectors.js index 608ebc5ce5c11..c151f935d68d5 100644 --- a/packages/edit-post/src/store/private-selectors.js +++ b/packages/edit-post/src/store/private-selectors.js @@ -13,7 +13,10 @@ export const getEditedPostTemplateId = createRegistrySelector( slug, } = select( editorStore ).getCurrentPost(); const { getSite, getEntityRecords, canUser } = select( coreStore ); - const siteSettings = canUser( 'read', 'settings' ) + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) ? getSite() : undefined; // First check if the current page is set as the posts page. diff --git a/packages/editor/src/components/blog-title/index.js b/packages/editor/src/components/blog-title/index.js index bf9439147ae5c..1356edf9724e1 100644 --- a/packages/editor/src/components/blog-title/index.js +++ b/packages/editor/src/components/blog-title/index.js @@ -29,7 +29,10 @@ export default function BlogTitle() { ( select ) => { const { getEntityRecord, getEditedEntityRecord, canUser } = select( coreStore ); - const siteSettings = canUser( 'read', 'settings' ) + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) ? getEntityRecord( 'root', 'site' ) : undefined; const _postsPageRecord = siteSettings?.page_for_posts diff --git a/packages/editor/src/components/post-card-panel/index.js b/packages/editor/src/components/post-card-panel/index.js index 80cfbaf60efec..0d06ff0dca106 100644 --- a/packages/editor/src/components/post-card-panel/index.js +++ b/packages/editor/src/components/post-card-panel/index.js 
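Review bot: The `{ kind: 'root', name: 'site' }` literal introduced at the `canUser` call in `getEditedPostTemplateId` is repeated verbatim in every other hunk of this commit; hoisting it to a module-level constant, e.g. `const SITE_ENTITY = { kind: 'root', name: 'site' };`, avoids eight copies to keep in sync and a fresh object allocation on every selector run. If `canUser` caches by argument identity rather than by the resolved entity path, the fresh literal would also defeat that cache — worth confirming against the core-data implementation. The selector body continues past the end of the hunk.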
@@ -38,7 +38,10 @@ export default function PostCardPanel( { actions } ) { } = select( editorStore ); const { canUser } = select( coreStore ); const { getEditedEntityRecord } = select( coreStore ); - const siteSettings = canUser( 'read', 'settings' ) + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) ? getEditedEntityRecord( 'root', 'site' ) : undefined; const _type = getCurrentPostType(); diff --git a/packages/editor/src/components/post-content-information/index.js b/packages/editor/src/components/post-content-information/index.js index d60ec83b332e6..569339ef40c8b 100644 --- a/packages/editor/src/components/post-content-information/index.js +++ b/packages/editor/src/components/post-content-information/index.js @@ -27,7 +27,10 @@ export default function PostContentInformation() { select( editorStore ); const { canUser } = select( coreStore ); const { getEntityRecord } = select( coreStore ); - const siteSettings = canUser( 'read', 'settings' ) + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) ? getEntityRecord( 'root', 'site' ) : undefined; const postType = getCurrentPostType(); diff --git a/packages/editor/src/components/post-template/hooks.js b/packages/editor/src/components/post-template/hooks.js index 1529228fe9515..c9668cd144333 100644 --- a/packages/editor/src/components/post-template/hooks.js +++ b/packages/editor/src/components/post-template/hooks.js 
@@ -23,8 +23,14 @@ export function useAllowSwitchingTemplates() { const { postType, postId } = useEditedPostContext(); return useSelect( ( select ) => { - const { getEntityRecord, getEntityRecords } = select( coreStore ); - const siteSettings = getEntityRecord( 'root', 'site' ); + const { canUser, getEntityRecord, getEntityRecords } = + select( coreStore ); + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) + ? getEntityRecord( 'root', 'site' ) + : undefined; const templates = getEntityRecords( 'postType', 'wp_template', { per_page: -1, } ); diff --git a/packages/editor/src/components/post-url/panel.js b/packages/editor/src/components/post-url/panel.js index 4e24af9862bb9..be32b40eaf104 100644 --- a/packages/editor/src/components/post-url/panel.js +++ b/packages/editor/src/components/post-url/panel.js @@ -62,7 +62,10 @@ function PostURLToggle( { isOpen, onClick } ) { const { slug, isFrontPage, postLink } = useSelect( ( select ) => { const { getCurrentPostId, getCurrentPost } = select( editorStore ); const { getEditedEntityRecord, canUser } = select( coreStore ); - const siteSettings = canUser( 'read', 'settings' ) + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) ? getEditedEntityRecord( 'root', 'site' ) : undefined; const _id = getCurrentPostId(); diff --git a/packages/editor/src/components/posts-per-page/index.js b/packages/editor/src/components/posts-per-page/index.js index 59ecff6c70be0..876644168a52c 100644 --- a/packages/editor/src/components/posts-per-page/index.js +++ b/packages/editor/src/components/posts-per-page/index.js 
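Review bot: `useAllowSwitchingTemplates` now gates the site-settings read but still calls `getEntityRecords( 'postType', 'wp_template', { per_page: -1 } )` unconditionally right below it; if the `wp_template` endpoint requires a capability that the same non-admin roles lack, that request will still produce the 403 this commit sets out to avoid. The same pattern can cover it: `const canReadTemplates = canUser( 'read', { kind: 'postType', name: 'wp_template' } );` and `const templates = canReadTemplates ? getEntityRecords( 'postType', 'wp_template', { per_page: -1 } ) : undefined;`, with the return value (outside the hunk) treating undefined templates as "no switching". Whether `wp_template` is actually restricted for these roles is not visible here and should be checked against the REST controller's permission callback.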
@@ -25,7 +25,10 @@ export default function PostsPerPage() { const { getEditedPostAttribute, getCurrentPostType } = select( editorStore ); const { getEditedEntityRecord, canUser } = select( coreStore ); - const siteSettings = canUser( 'read', 'settings' ) + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) ? getEditedEntityRecord( 'root', 'site' ) : undefined; return { diff --git a/packages/editor/src/components/site-discussion/index.js b/packages/editor/src/components/site-discussion/index.js index 017a691da3c60..b80b44b1f59c1 100644 --- a/packages/editor/src/components/site-discussion/index.js +++ b/packages/editor/src/components/site-discussion/index.js @@ -56,7 +56,10 @@ export default function SiteDiscussion() { const { getEditedPostAttribute, getCurrentPostType } = select( editorStore ); const { getEditedEntityRecord, canUser } = select( coreStore ); - const siteSettings = canUser( 'read', 'settings' ) + const siteSettings = canUser( 'read', { + kind: 'root', + name: 'site', + } ) ? getEditedEntityRecord( 'root', 'site' ) : undefined; return {