-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Global Styles: Allow non-admin users access to global styles data in post editor #64797
Changes from 4 commits
3a91175
06f1fbd
790febd
24d51e8
4baa390
a1b00fc
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -182,14 +182,25 @@ export const rootEntitiesConfig = [ | |
name: 'globalStyles', | ||
kind: 'root', | ||
baseURL: '/wp/v2/global-styles', | ||
baseURLParams: { context: 'edit' }, | ||
baseURLParams: {}, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It seems to work ok with |
||
plural: 'globalStylesVariations', // Should be different from name. | ||
getTitle: ( record ) => record?.title?.rendered || record?.title, | ||
getRevisionsUrl: ( parentId, revisionId ) => | ||
`/wp/v2/global-styles/${ parentId }/revisions${ | ||
revisionId ? '/' + revisionId : '' | ||
}`, | ||
supportsPagination: true, | ||
getPath: ( path, query, baseURL, id ) => { | ||
aaronrobertshaw marked this conversation as resolved.
Show resolved
Hide resolved
|
||
const context = | ||
query.context || | ||
( query.operation === 'read' ? 'view' : 'edit' ); | ||
const contextQuery = context ? `?context=${ context }` : ''; | ||
return `${ baseURL }${ id ? '/' + id : '' }${ contextQuery }`; | ||
}, | ||
capabilities: { | ||
read: 'edit_posts', | ||
update: 'edit_theme_options', | ||
}, | ||
}, | ||
{ | ||
label: __( 'Themes' ), | ||
|
Original file line number | Diff line number | Diff line change | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
|
@@ -146,13 +146,30 @@ function useGlobalStylesUserConfig() { | |||||||||||
|
||||||||||||
function useGlobalStylesBaseConfig() { | ||||||||||||
const baseConfig = useSelect( ( select ) => { | ||||||||||||
const { __experimentalGetCurrentThemeBaseGlobalStyles, canUser } = | ||||||||||||
select( coreStore ); | ||||||||||||
const { | ||||||||||||
__experimentalGetCurrentThemeBaseGlobalStyles, | ||||||||||||
getCurrentTheme, | ||||||||||||
canUser, | ||||||||||||
} = select( coreStore ); | ||||||||||||
|
||||||||||||
const canReadActiveTheme = canUser( 'read', 'themes?status=active' ); | ||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So to prevent a flash of global styles in the post editor, we'll need to preload these paths as well? |
||||||||||||
if ( ! canReadActiveTheme ) { | ||||||||||||
return; | ||||||||||||
} | ||||||||||||
|
||||||||||||
const currentTheme = getCurrentTheme(); | ||||||||||||
if ( ! currentTheme?.stylesheet ) { | ||||||||||||
return; | ||||||||||||
} | ||||||||||||
|
||||||||||||
return ( | ||||||||||||
canUser( 'read', { kind: 'root', name: 'theme' } ) && | ||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Something I just noticed, this is only checking whether the user can read the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How our permissions checks are supposed to work with entities is going over my head at the moment 🫠 The REST API endpoint called when retrieving this base global styles data does check if the user has the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. When debugging I find it helpful to remove the preloading so that you can see the requests in your dev tools. The permissions checks from The gutenberg/packages/core-data/src/resolvers.js Lines 374 to 378 in 482c188
The The user only needs I'll have a look into whether there's a way to replace that with a check that actually works. I think there's a similar issue with trying to do There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've pushed a commit that adds working permissions checks. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If pushing changes to this PR, it might also helps those pinged for input if the PR description is updated to match new changes. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Actually, seems like I was logged in as admin accidentally when I thought it was working. It doesn't work with non-admin so I'll revert those commits. The explanation is still correct, but unfortunately it doesn't look like there's a way to check permissions using |
||||||||||||
__experimentalGetCurrentThemeBaseGlobalStyles() | ||||||||||||
const canUserReadBaseGlobalStyles = canUser( | ||||||||||||
'read', | ||||||||||||
`global-styles/themes/${ currentTheme.stylesheet }` | ||||||||||||
); | ||||||||||||
|
||||||||||||
return canUserReadBaseGlobalStyles | ||||||||||||
? __experimentalGetCurrentThemeBaseGlobalStyles() | ||||||||||||
: undefined; | ||||||||||||
}, [] ); | ||||||||||||
|
||||||||||||
return [ !! baseConfig, baseConfig ]; | ||||||||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To allow the
canUser( 'read', { kind: 'root', name: 'globalStyles', id: _globalStylesId, } )
check inuseGlobalStylesUserConfig()
to pass we might need to update the read capabilities of thewp_global_styles
custom post type:https://github.com/ramonjd/wordpress-develop/blob/30523ee4b6a0d33b1c2bd8c9ca4021b6256a96c3/src/wp-includes/post.php#L492-L492
E.g., to
'read' => 'edit_posts',
That would mean that editors/authors would be able to read the global styles post, e.g.,
await wp.data.resolveSelect( 'core' ).getEntityRecord( 'root', 'globalStyles', await wp.data.resolveSelect( 'core' ).__experimentalGetCurrentGlobalStylesId() )
It seems harmless enough, but I'm not sure what's kosher.
To display the values, the current editor/author needs to have read access to both.
I haven't thought this through, but I wonder if a new read-only endpoint to retrieve merged theme data might be in order. The
edit-post
package could call it directly from the core store and there'd be no need to shuffle around block settings.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I think if we think that we should allow "read" for global styles objects using the
edit_posts
capability, we should just make the update in the existing endpoint instead of creating a new one.It seems ok to me to do so. I don't see any harm for "editors" to have access to this information (without the ability to modify it)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just commenting on the REST API side of it, that makes sense to me. We do need to adapt the permission check to not just be
edit_posts
though, it needs to include anyshow_in_rest
cpt. See\WP_REST_Themes_Controller::check_read_active_theme_permission
for an example.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the feedback!
Ah I see what you mean about WP_REST_Themes_Controller::check_read_active_theme_permission - so if a user had rights to edit any type of post, they pass the test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, exactly.