Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add: Permission checks to avoid 403 errors on non admin roles. #63296

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions packages/edit-post/src/store/private-selectors.js
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,13 @@ export const getEditedPostTemplateId = createRegistrySelector(
type: postType,
slug,
} = select( editorStore ).getCurrentPost();
const { getSite, getEntityRecords } = select( coreStore );
const siteSettings = getSite();
const { getSite, getEntityRecords, canUser } = select( coreStore );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getSite()
: undefined;
// First check if the current page is set as the posts page.
const isPostsPage = +postId === siteSettings?.page_for_posts;
if ( isPostsPage ) {
Expand Down
9 changes: 7 additions & 2 deletions packages/editor/src/components/blog-title/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -27,9 +27,14 @@ export default function BlogTitle() {
const { editEntityRecord } = useDispatch( coreStore );
const { postsPageTitle, postsPageId, isTemplate, postSlug } = useSelect(
( select ) => {
const { getEntityRecord, getEditedEntityRecord } =
const { getEntityRecord, getEditedEntityRecord, canUser } =
select( coreStore );
const siteSettings = getEntityRecord( 'root', 'site' );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getEntityRecord( 'root', 'site' )
: undefined;
const _postsPageRecord = siteSettings?.page_for_posts
? getEditedEntityRecord(
'postType',
Expand Down
51 changes: 39 additions & 12 deletions packages/editor/src/components/global-styles-provider/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -33,17 +33,30 @@ export function mergeBaseAndUserConfigs( base, user ) {
function useGlobalStylesUserConfig() {
const { globalStylesId, isReady, settings, styles, _links } = useSelect(
( select ) => {
const { getEditedEntityRecord, hasFinishedResolution } =
select( coreStore );
const {
getEditedEntityRecord,
hasFinishedResolution,
getUser,
getCurrentUser,
} = select( coreStore );
const _globalStylesId =
select( coreStore ).__experimentalGetCurrentGlobalStylesId();
const record = _globalStylesId
? getEditedEntityRecord(
'root',
'globalStyles',
_globalStylesId
)
: undefined;

// Doing canUser( 'read', 'global_styles' ) returns false even for users with the capability.
// See: https://github.com/WordPress/gutenberg/issues/63438
// So we need to check the user capabilities directly.
const userId = getCurrentUser()?.id;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally, we would do canUser( 'read', 'global_styles' ) but this is not working even for admins so it is probably another bug we should check.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add inline comments here. It's probably worth opening an issue for REST API changes.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mamaduka, thank you for the review. I added comments and created an issue as suggested.

const canEditThemeOptions =
userId && getUser( userId )?.capabilities?.edit_theme_options;

const record =
_globalStylesId && canEditThemeOptions
? getEditedEntityRecord(
'root',
'globalStyles',
_globalStylesId
)
: undefined;

let hasResolved = false;
if (
Expand Down Expand Up @@ -126,9 +139,23 @@ function useGlobalStylesUserConfig() {

function useGlobalStylesBaseConfig() {
const baseConfig = useSelect( ( select ) => {
return select(
coreStore
).__experimentalGetCurrentThemeBaseGlobalStyles();
const {
getCurrentUser,
getUser,
__experimentalGetCurrentThemeBaseGlobalStyles,
} = select( coreStore );

// Doing canUser( 'read', 'global_styles' ) returns false even for users with the capability.
// See: https://github.com/WordPress/gutenberg/issues/63438
// So we need to check the user capabilities directly.
const userId = getCurrentUser()?.id;
const canEditThemeOptions =
userId && getUser( userId )?.capabilities?.edit_theme_options;
Comment on lines +151 to +153
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here: Let's add a comment regarding getUser( userId )?.capabilities?.edit_theme_options usage.


return (
canEditThemeOptions &&
__experimentalGetCurrentThemeBaseGlobalStyles()
);
}, [] );

return [ !! baseConfig, baseConfig ];
Expand Down
8 changes: 7 additions & 1 deletion packages/editor/src/components/post-card-panel/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,14 @@ export default function PostCardPanel( { actions } ) {
getCurrentPostId,
__experimentalGetTemplateInfo,
} = select( editorStore );
const { canUser } = select( coreStore );
const { getEditedEntityRecord } = select( coreStore );
const siteSettings = getEditedEntityRecord( 'root', 'site' );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getEditedEntityRecord( 'root', 'site' )
: undefined;
const _type = getCurrentPostType();
const _id = getCurrentPostId();
const _record = getEditedEntityRecord( 'postType', _type, _id );
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,14 @@ export default function PostContentInformation() {
const { postContent } = useSelect( ( select ) => {
const { getEditedPostAttribute, getCurrentPostType, getCurrentPostId } =
select( editorStore );
const { canUser } = select( coreStore );
const { getEntityRecord } = select( coreStore );
const siteSettings = getEntityRecord( 'root', 'site' );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getEntityRecord( 'root', 'site' )
: undefined;
const postType = getCurrentPostType();
const _id = getCurrentPostId();
const isPostsPage = +_id === siteSettings?.page_for_posts;
Expand Down
10 changes: 8 additions & 2 deletions packages/editor/src/components/post-template/hooks.js
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,14 @@ export function useAllowSwitchingTemplates() {
const { postType, postId } = useEditedPostContext();
return useSelect(
( select ) => {
const { getEntityRecord, getEntityRecords } = select( coreStore );
const siteSettings = getEntityRecord( 'root', 'site' );
const { canUser, getEntityRecord, getEntityRecords } =
select( coreStore );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getEntityRecord( 'root', 'site' )
: undefined;
const templates = getEntityRecords( 'postType', 'wp_template', {
per_page: -1,
} );
Expand Down
9 changes: 7 additions & 2 deletions packages/editor/src/components/post-url/panel.js
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,13 @@ export default function PostURLPanel() {
function PostURLToggle( { isOpen, onClick } ) {
const { slug, isFrontPage, postLink } = useSelect( ( select ) => {
const { getCurrentPostId, getCurrentPost } = select( editorStore );
const { getEditedEntityRecord } = select( coreStore );
const siteSettings = getEditedEntityRecord( 'root', 'site' );
const { getEditedEntityRecord, canUser } = select( coreStore );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getEditedEntityRecord( 'root', 'site' )
: undefined;
const _id = getCurrentPostId();
return {
slug: select( editorStore ).getEditedPostSlug(),
Expand Down
9 changes: 7 additions & 2 deletions packages/editor/src/components/posts-per-page/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,13 @@ export default function PostsPerPage() {
const { postsPerPage, isTemplate, postSlug } = useSelect( ( select ) => {
const { getEditedPostAttribute, getCurrentPostType } =
select( editorStore );
const { getEditedEntityRecord } = select( coreStore );
const siteSettings = getEditedEntityRecord( 'root', 'site' );
const { getEditedEntityRecord, canUser } = select( coreStore );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getEditedEntityRecord( 'root', 'site' )
: undefined;
return {
isTemplate: getCurrentPostType() === TEMPLATE_POST_TYPE,
postSlug: getEditedPostAttribute( 'slug' ),
Expand Down
9 changes: 7 additions & 2 deletions packages/editor/src/components/site-discussion/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -55,8 +55,13 @@ export default function SiteDiscussion() {
( select ) => {
const { getEditedPostAttribute, getCurrentPostType } =
select( editorStore );
const { getEditedEntityRecord } = select( coreStore );
const siteSettings = getEditedEntityRecord( 'root', 'site' );
const { getEditedEntityRecord, canUser } = select( coreStore );
const siteSettings = canUser( 'read', {
kind: 'root',
name: 'site',
} )
? getEditedEntityRecord( 'root', 'site' )
: undefined;
return {
isTemplate: getCurrentPostType() === TEMPLATE_POST_TYPE,
postSlug: getEditedPostAttribute( 'slug' ),
Expand Down
Loading