From 2d2bab59ea9293f803bbaf2dd87ae0150ef1ea30 Mon Sep 17 00:00:00 2001 From: ramon Date: Fri, 13 Sep 2024 12:12:22 +1000 Subject: [PATCH 1/3] First commit pulling over changes from WordPress/gutenberg#65071 --- src/wp-admin/edit-form-blocks.php | 2 +- src/wp-includes/post.php | 2 +- ...class-wp-rest-global-styles-controller.php | 48 ++++++++----------- .../rest-global-styles-controller.php | 34 +++++++++++-- 4 files changed, 53 insertions(+), 33 deletions(-) diff --git a/src/wp-admin/edit-form-blocks.php b/src/wp-admin/edit-form-blocks.php index e6abe9998028f..cbcce39374db5 100644 --- a/src/wp-admin/edit-form-blocks.php +++ b/src/wp-admin/edit-form-blocks.php @@ -67,7 +67,7 @@ static function ( $classes ) { array( '/wp/v2/settings', 'OPTIONS' ), '/wp/v2/global-styles/themes/' . get_stylesheet(), '/wp/v2/themes?context=edit&status=active', - '/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id() . '?context=edit', + '/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id(), ); block_editor_rest_api_preload( $preload_paths, $block_editor_context ); diff --git a/src/wp-includes/post.php b/src/wp-includes/post.php index 8812957bf215e..e522e3eb84f2e 100644 --- a/src/wp-includes/post.php +++ b/src/wp-includes/post.php @@ -489,7 +489,7 @@ function create_initial_post_types() { 'revisions_rest_controller_class' => 'WP_REST_Global_Styles_Revisions_Controller', 'late_route_registration' => true, 'capabilities' => array( - 'read' => 'edit_theme_options', + 'read' => 'edit_posts', 'create_posts' => 'edit_theme_options', 'edit_posts' => 'edit_theme_options', 'edit_published_posts' => 'edit_theme_options', diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php index 8be3aedd9a862..a30774b08f5a4 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php 
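Review bot: The `'read' => 'edit_posts',` line lowers the read capability of the global styles post type to a capability far broader than the `edit_theme_options` every other entry in this array still requires, and nothing in the hunk records why the two now differ. Since `read_post` on a published post maps to this capability, any role that can edit posts can presumably fetch the user global styles post (its stored settings and styles) through the single-item route; if that is the intent of the upstream change it should be stated next to the line, e.g. `'read' => 'edit_posts', // Deliberately broader than the other caps so users who can edit posts can load global styles.`. Note also that a role holding only `edit_theme_options` no longer satisfies this mapping, whereas the controller hunks in this series keep admitting such users to the theme item; that asymmetry is worth a sentence in the commit description.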
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php @@ -509,26 +509,33 @@ public function get_item_schema() { * Checks if a given request has access to read a single theme global styles config. * * @since 5.9.0 + * @since 6.7.0 Allow users with edit post capabilities to view theme global styles. * * @param WP_REST_Request $request Full details about the request. * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise. */ public function get_theme_item_permissions_check( $request ) { /* - * Verify if the current user has edit_theme_options capability. - * This capability is required to edit/view/delete global styles. + * Verify if the current user has edit_posts capability. + * This capability is required to view global styles. */ - if ( ! current_user_can( 'edit_theme_options' ) ) { - return new WP_Error( - 'rest_cannot_manage_global_styles', - __( 'Sorry, you are not allowed to access the global styles on this site.' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); + if ( current_user_can( 'edit_posts' ) ) { + return true; } - return true; + foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) { + if ( current_user_can( $post_type->cap->edit_posts ) ) { + return true; + } + } + + return new WP_Error( + 'rest_cannot_read_global_styles', + __( 'Sorry, you are not allowed to access the global styles on this site.' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); } /** 
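Review bot: The error code returned by `get_theme_item_permissions_check` changes from `rest_cannot_manage_global_styles` to `rest_cannot_read_global_styles`, which is a public REST contract change that the `@since 6.7.0` line does not mention; clients branching on the old code will break, so either keep the old code or extend the note, e.g. ` * @since 6.7.0 Allow users with edit post capabilities to view theme global styles; the error code is now rest_cannot_read_global_styles.`. The standalone `current_user_can( 'edit_posts' )` check appears to be subsumed by the following loop whenever the built-in `post` type is REST-exposed, so it reads as an undocumented fast path; a comment such as `// Fast path for the core 'post' type; other REST-exposed types are checked below.` would make that explicit. The loop also means the set of users who may read theme styles is defined by whichever REST-exposed post types plugins register, which is a wider and less predictable audience than a single capability and deserves a sentence in the docblock.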
@@ -589,26 +596,13 @@ public function get_theme_item( $request ) { * Checks if a given request has access to read a single theme global styles config. * * @since 6.0.0 + * @since 6.7.0 Allow users with edit post capabilities to view theme global styles. * * @param WP_REST_Request $request Full details about the request. * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise. */ public function get_theme_items_permissions_check( $request ) { - /* - * Verify if the current user has edit_theme_options capability. - * This capability is required to edit/view/delete global styles. - */ - if ( ! current_user_can( 'edit_theme_options' ) ) { - return new WP_Error( - 'rest_cannot_manage_global_styles', - __( 'Sorry, you are not allowed to access the global styles on this site.' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); - } - - return true; + return $this->get_theme_item_permissions_check( $request ); } /** @@ -632,7 +626,7 @@ public function get_theme_items( $request ) { ); } - $response = array(); + $response = array(); // Register theme-defined variations e.g. from block style variation partials under `/styles`. $partials = WP_Theme_JSON_Resolver::get_style_variations( 'block' ); diff --git a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php index d4d0aef8e10d2..f4e36abca4065 100644 --- a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php +++ b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php @@ -15,7 +15,10 @@ class WP_REST_Global_Styles_Controller_Test extends WP_Test_REST_Controller_Test * @var int */ protected static $admin_id; - + /** + * @var int + */ + protected static $editor_id; /** * @var int */ 
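Review bot: The docblock of `get_theme_items_permissions_check` still says it checks access to read "a single theme global styles config" although the method guards the collection route, and this hunk touches the docblock without fixing the copy-pasted wording; ` * Checks if a given request has access to read the theme global styles variations.` would describe the collection endpoint (which, judging by the `get_theme_items` hunk below, serves variations). Since the body is now a plain delegation, a ` * @see WP_REST_Global_Styles_Controller::get_theme_item_permissions_check()` line would also tell readers where the actual capability logic lives.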
@@ -54,6 +57,12 @@ public static function wpSetupBeforeClass( $factory ) { ) ); + self::$editor_id = $factory->user->create( + array( + 'role' => 'editor', + ) + ); + self::$subscriber_id = $factory->user->create( array( 'role' => 'subscriber', @@ -264,18 +273,35 @@ public function test_get_theme_item_no_user() { wp_set_current_user( 0 ); $request = new WP_REST_Request( 'GET', '/wp/v2/global-styles/themes/tt1-blocks' ); $response = rest_get_server()->dispatch( $request ); - $this->assertErrorResponse( 'rest_cannot_manage_global_styles', $response, 401 ); + $this->assertErrorResponse( 'rest_cannot_read_global_styles', $response, 401 ); } /** * @covers WP_REST_Global_Styles_Controller::get_theme_item * @ticket 54516 + * @ticket 62042 */ - public function test_get_theme_item_permission_check() { + public function test_get_theme_item_subscriber_permission_check() { wp_set_current_user( self::$subscriber_id ); $request = new WP_REST_Request( 'GET', '/wp/v2/global-styles/themes/tt1-blocks' ); $response = rest_get_server()->dispatch( $request ); - $this->assertErrorResponse( 'rest_cannot_manage_global_styles', $response, 403 ); + $this->assertErrorResponse( 'rest_cannot_read_global_styles', $response, 403 ); + } + + /** + * @covers WP_REST_Global_Styles_Controller_Gutenberg::get_theme_item + * @ticket 62042 + */ + public function test_get_theme_item_editor_permission_check() { + wp_set_current_user( self::$editor_id ); + $request = new WP_REST_Request( 'GET', '/wp/v2/global-styles/themes/tt1-blocks' ); + $response = rest_get_server()->dispatch( $request ); + // Checks that the response has the expected keys. + $data = $response->get_data(); + $links = $response->get_links(); + $this->assertArrayHasKey( 'settings', $data, 'Data does not have "settings" key' ); + $this->assertArrayHasKey( 'styles', $data, 'Data does not have "styles" key' ); + $this->assertArrayHasKey( 'self', $links, 'Links do not have a "self" key' ); } /** 
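Review bot: The new `test_get_theme_item_editor_permission_check` inspects `$response->get_data()` without first asserting the status, so a permission regression surfaces as a missing `settings` key rather than as the 403 that actually occurred; add `$this->assertSame( 200, $response->get_status() );` before `$data = $response->get_data();`. The hunk also leaves the new `get_post_types()` loop in the controller untested: there is no user who lacks `edit_posts` but holds the edit capability of another REST-exposed post type, which is the only case in which that loop changes the outcome. A test creating a subscriber with such a capability (constructed for the test) would pin that branch.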
From b183c97843443bdbe2772b36f1c1573b150ddee2 Mon Sep 17 00:00:00 2001 From: ramon Date: Fri, 13 Sep 2024 12:22:10 +1000 Subject: [PATCH 2/3] Removed GB refs --- .../phpunit/tests/rest-api/rest-global-styles-controller.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php index f4e36abca4065..d10b7c26f4a10 100644 --- a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php +++ b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php @@ -289,7 +289,7 @@ public function test_get_theme_item_subscriber_permission_check() { } /** - * @covers WP_REST_Global_Styles_Controller_Gutenberg::get_theme_item + * @covers WP_REST_Global_Styles_Controller::get_theme_item * @ticket 62042 */ public function test_get_theme_item_editor_permission_check() { @@ -633,7 +633,7 @@ public function test_update_item_invalid_styles_css() { * within a theme style variation and wouldn't be registered at the time * of saving via the API. * - * @covers WP_REST_Global_Styles_Controller_Gutenberg::update_item + * @covers WP_REST_Global_Styles_Controller::update_item * @ticket 61312 * @ticket 61451 */ From 790e8d1e8afb3d907415749a93476bd91a0b67cf Mon Sep 17 00:00:00 2001 From: ramon Date: Wed, 18 Sep 2024 10:31:15 +1000 Subject: [PATCH 3/3] Revert change to preload paths as per the corresponding GB sync PR Add edit_theme_options cap check for reading items with accompanying test coverage. t --- src/wp-admin/edit-form-blocks.php | 2 +- ...class-wp-rest-global-styles-controller.php | 7 ++++ .../rest-global-styles-controller.php | 40 ++++++++++++++++++- 3 files changed, 47 insertions(+), 2 deletions(-) diff --git a/src/wp-admin/edit-form-blocks.php b/src/wp-admin/edit-form-blocks.php index cbcce39374db5..e6abe9998028f 100644 --- a/src/wp-admin/edit-form-blocks.php +++ b/src/wp-admin/edit-form-blocks.php 
@@ -67,7 +67,7 @@ static function ( $classes ) { array( '/wp/v2/settings', 'OPTIONS' ), '/wp/v2/global-styles/themes/' . get_stylesheet(), '/wp/v2/themes?context=edit&status=active', - '/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id(), + '/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id() . '?context=edit', ); block_editor_rest_api_preload( $preload_paths, $block_editor_context ); diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php index a30774b08f5a4..51c1ac29b8294 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php @@ -529,6 +529,13 @@ public function get_theme_item_permissions_check( $request ) { } } + /* + * Verify if the current user has edit_theme_options capability. + */ + if ( current_user_can( 'edit_theme_options' ) ) { + return true; + } + return new WP_Error( 'rest_cannot_read_global_styles', __( 'Sorry, you are not allowed to access the global styles on this site.' ), diff --git a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php index d10b7c26f4a10..b55c7c3d606eb 100644 --- a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php +++ b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php @@ -15,15 +15,22 @@ class WP_REST_Global_Styles_Controller_Test extends WP_Test_REST_Controller_Test * @var int */ protected static $admin_id; + /** * @var int */ protected static $editor_id; + /** * @var int */ protected static $subscriber_id; + /** + * @var int + */ + protected static $theme_manager_id; + /** * @var int */ 
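Review bot: The new `edit_theme_options` fallback readmits users without `edit_posts` to the theme item, but the post type's `read` capability (changed to `edit_posts` earlier in this series) is not revisited, so a user holding only `edit_theme_options` appears to pass this check yet fail `read_post` on the user global styles post served by the single-item route; if that is unintended the post type mapping needs the same dual treatment, and either way a test mirroring the new theme-manager test against `/wp/v2/global-styles/{id}` would pin the behaviour. The fallback is also placed after the `get_post_types()` loop, so a user without `edit_posts` iterates every REST-exposed post type before a single capability check admits them; moving `if ( current_user_can( 'edit_theme_options' ) ) { return true; }` ahead of the loop is cheaper and reads more naturally. The method's `@since 6.7.0` note (outside this hunk) still only mentions edit post capabilities; extend it, e.g. ` * @since 6.7.0 Allow users with edit post or edit_theme_options capabilities to view theme global styles.`. The enclosing method starts before this hunk.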
@@ -69,6 +76,18 @@ public static function wpSetupBeforeClass( $factory ) { ) ); + self::$theme_manager_id = $factory->user->create( + array( + 'role' => 'subscriber', + ) + ); + + // Add the 'edit_theme_options' capability to the theme manager (subscriber). + $theme_manager_id = get_user_by( 'id', self::$theme_manager_id ); + if ( $theme_manager_id instanceof WP_User ) { + $theme_manager_id->add_cap( 'edit_theme_options' ); + } + // This creates the global styles for the current theme. self::$global_styles_id = $factory->post->create( array( @@ -87,11 +106,13 @@ public static function wpSetupBeforeClass( $factory ) { } /** - * + * Clean up after our tests run. */ public static function wpTearDownAfterClass() { self::delete_user( self::$admin_id ); + self::delete_user( self::$editor_id ); self::delete_user( self::$subscriber_id ); + self::delete_user( self::$theme_manager_id ); } /* @@ -304,6 +325,23 @@ public function test_get_theme_item_editor_permission_check() { $this->assertArrayHasKey( 'self', $links, 'Links do not have a "self" key' ); } + /** + * @covers WP_REST_Global_Styles_Controller_Gutenberg::get_theme_item + * @ticket 62042 + */ + public function test_get_theme_item_theme_options_manager_permission_check() { + wp_set_current_user( self::$theme_manager_id ); + switch_theme( 'emptytheme' ); + $request = new WP_REST_Request( 'GET', '/wp/v2/global-styles/themes/emptytheme' ); + $response = rest_get_server()->dispatch( $request ); + // Checks that the response has the expected keys. + $data = $response->get_data(); + $links = $response->get_links(); + $this->assertArrayHasKey( 'settings', $data, 'Data does not have "settings" key' ); + $this->assertArrayHasKey( 'styles', $data, 'Data does not have "styles" key' ); + $this->assertArrayHasKey( 'self', $links, 'Links do not have a "self" key' ); + } + /** * @covers WP_REST_Global_Styles_Controller::get_theme_item * @ticket 54516
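Review bot: In the new setup code the local `$theme_manager_id` is reused for the `WP_User` object returned by `get_user_by()`, so the same name means an integer in `self::$theme_manager_id` and a user object two lines later; `$theme_manager = get_user_by( 'id', self::$theme_manager_id );` would avoid the confusion. The `instanceof WP_User` guard also silently skips granting `edit_theme_options` when the lookup fails, which would surface later as an unrelated 403 in the dependent test rather than at the point of setup; asserting the lookup succeeded, or calling `add_cap()` unconditionally, makes a setup failure obvious. This hunk sits inside `wpSetupBeforeClass`, which starts before the hunk.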
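Review bot: The new `test_get_theme_item_theme_options_manager_permission_check` is annotated `@covers WP_REST_Global_Styles_Controller_Gutenberg::get_theme_item`, the Gutenberg class name that the second patch in this series removed from the other annotations; it should read `@covers WP_REST_Global_Styles_Controller::get_theme_item`. The test also calls `switch_theme( 'emptytheme' )` without restoring the previous theme, so unless the test case's tear-down resets it (not visible here) the switch leaks into later tests that request `tt1-blocks`. Finally the status is never asserted; add `$this->assertSame( 200, $response->get_status() );` before `$data = $response->get_data();` so a permission failure is reported as the HTTP error rather than as a missing key.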