Template editor: wrong REST API permissions check #51886

Open
carlomanf opened this issue Jun 26, 2023 · 3 comments
Labels
Needs Testing Needs further testing to be confirmed. REST API Interaction Related to REST API [Status] Stale Gives the original author opportunity to update before closing. Can be reopened as needed. [Type] Bug An existing feature does not function as intended

Comments

@carlomanf

Description

Related: #26573, #37126

I wrote a plugin that replaces the templates REST API controller in order to separate the capability to create new templates from the capability to edit existing templates. Below is a simplified version of what I am using:

<?php

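// Swap the REST controller used for the wp_template post type.
add_action( 'registered_post_type_wp_template', function( $post_type, $post_type_object ) {
	// Clear any controller instance that is already set so the class below is used.
	$post_type_object->rest_controller = null;
	$post_type_object->rest_controller_class = 'Example_Template_Controller';
}, 10, 2 );

class Example_Template_Controller extends WP_REST_Templates_Controller {
	// Simplified: every user may edit existing templates.
	public function update_item_permissions_check( $request ) {
		return true;
	}

	// Simplified: no user may create new templates.
	public function create_item_permissions_check( $request ) {
		return false;
	}
}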

One problem that became apparent is that the "Edit template" link in the post editor does not show up unless I allow the user to pass the create_item_permissions_check in the REST API, even if they were already passing the update_item_permissions_check.

If the user passes the update_item_permissions_check but fails the create_item_permissions_check, I expected that the "Edit template" link would still be available and only the button for creating a new one should be disabled.

On the other hand, if the user passes the create_item_permissions_check but fails the update_item_permissions_check, the "Edit template" link wrongly shows and allows the template editor to be loaded, but the changes correctly can't get saved.

It appears that the "Edit template" link is calling the wrong REST API permissions check.

Step-by-step reproduction instructions

  1. Add the example code above (e.g. as a plugin)
  2. Edit a post or page the old way (not the site editor)
  3. Click on the "Template" section in the sidebar
  4. Observe that the "Edit template" link is missing
  5. Switch around the return true and return false statements in the example code
  6. Edit a post or page the old way (not the site editor)
  7. Click on the "Template" section in the sidebar
  8. Observe that the "Edit template" link is showing

Screenshots, screen recording, code snippet

No response

Environment info

Gutenberg 16.0.0

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

No
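
The mismatch reported above, modelled as an added example (not part of the original issue and not Gutenberg's code): each UI control is gated on the REST method whose permission check actually governs it. It assumes the client learns permissions from the `Allow` header of an `OPTIONS` response; the function names and the sample headers are constructed for illustration.

```javascript
// Which HTTP method, on which kind of route, is guarded by which
// permission check (assumed mapping for this illustration):
//   create -> POST on the collection route (create_item_permissions_check)
//   update -> PUT on the single-item route (update_item_permissions_check)
const ACTION_CHECKS = {
  create: { method: 'POST', route: 'collection' },
  update: { method: 'PUT', route: 'item' },
};

// Turn an Allow header value such as "GET, POST" into a set of methods.
function parseAllow(header) {
  return new Set(
    (header || '')
      .split(',')
      .map((m) => m.trim().toUpperCase())
      .filter(Boolean)
  );
}

// allowHeaders: { collection: '<Allow value>', item: '<Allow value>' }
function canUser(action, allowHeaders) {
  const check = ACTION_CHECKS[action];
  if (!check) return false; // unknown action: deny by default
  return parseAllow(allowHeaders[check.route]).has(check.method);
}

// Visibility of the two controls discussed in the report.
function templateControls(allowHeaders) {
  return {
    // Behaviour described in the report: link follows the create check.
    reportedEditLink: canUser('create', allowHeaders),
    // Expected behaviour: link follows the update check.
    expectedEditLink: canUser('update', allowHeaders),
    // The "new template" button is the control that belongs to create.
    newTemplateButton: canUser('create', allowHeaders),
  };
}

// Constructed Allow headers for the two configurations in the steps above.
const UPDATE_ONLY = { collection: 'GET', item: 'GET, POST, PUT, PATCH' };
const CREATE_ONLY = { collection: 'GET, POST', item: 'GET' };

console.log('update only:', templateControls(UPDATE_ONLY));
console.log('create only:', templateControls(CREATE_ONLY));
```

Hiding or showing the link is a usability decision only; the server-side permission check remains the enforcement point, which is why saving fails in the second configuration.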

@jordesign jordesign added [Type] Bug An existing feature does not function as intended REST API Interaction Related to REST API Needs Testing Needs further testing to be confirmed. labels Jul 10, 2023
@github-actions

This comment was marked as outdated.

@github-actions github-actions bot added the [Status] Stale Gives the original author opportunity to update before closing. Can be reopened as needed. label Aug 10, 2023
@carlomanf
Author

I know it's automated, but seems like a backward request to me. Unless I explicitly confirm the issue remains unresolved every time a new version is released, or at least every 30 days, the assumption will be that it's somehow resolved, despite there being no activity on this ticket?

Perhaps a more appropriate message would be:

Hi,
This issue has gone 6 months without any activity. This means it is time for a check-in to make sure it is still relevant. If you are no longer experiencing this issue with the latest versions, you can help the project by responding to confirm the problem is resolved and closing the ticket. If you are still experiencing the issue, disregard this message.
Thanks for helping out.

@github-actions github-actions bot removed the [Status] Stale Gives the original author opportunity to update before closing. Can be reopened as needed. label Aug 11, 2023
@github-actions

This comment was marked as outdated.

@github-actions github-actions bot added the [Status] Stale Gives the original author opportunity to update before closing. Can be reopened as needed. label Sep 10, 2023