Harden access to validation data #6760
Conversation
|
Plugin builds for 6746ec2 are ready 🛎️!
|
|
@westonruter In ae702a3 you'll find the most important change – a new scanner status is introduced there, In e656fbf a minor refactor has been done so that the complexity of the Lastly, in e483fbe new E2E tests have been introduced. Thanks to them we're sure that if a user has no validation capability, Site Scan won't be available on the AMP Settings screen, in the Onboarding Wizard and after plugin activation. I think it's now ready for your review. As a side note, I think that our context provider trees are becoming pretty big and complex, with various dependencies between providers. I'm thinking of reevaluating this approach and maybe looking into a more systematic solution like React Query that would abstract away data fetching, caching and updating. Since data is stored in a global variable (internally), it can be exposed everywhere in a React app using a set of hooks. This might simplify and decouple the client-side data layer. |
…ate-access * 'develop' of github.com:ampproject/amp-wp: Run ergebnis/composer-normalize Supply aspect-ratio to videos in Video Blocks Add height:auto to videos in Video blocks Use intrinsic layout for video instead of responsive Add missing import for createInterpolateElement Improve translation strings Move Sandboxing level settings drawer after Analytics Eliminate sandboxing experiment filter in favor of option
There was a problem hiding this comment.
@delawski Thank you for the additional changes! Looks great and now behaves as expected.
| await installLocalPlugin( 'e2e-tests-demo-plugin' ); | ||
| await installLocalPlugin( 'do-not-allow-amp-validate-capability' ); | ||
|
|
||
| // If the demo plugin has been already installed it might be activated, too. | ||
| // If the plugins have been already installed, they may be activated, too. Try deactivating them, just in case. | ||
| await deactivatePlugin( 'e2e-tests-demo-plugin' ); | ||
| await deactivatePlugin( 'do-not-allow-amp-validate-capability' ); |
There was a problem hiding this comment.
Nit: the list of plugins could be in an array, and then they could be looped over.
There was a problem hiding this comment.
Yeah, I was thinking of the same, though there might be some issues when using await inside a loop. Let's take care of that as soon as we need to add another plugin.
|
Merging without approval since I'm the one who started this PR. @delawski I'm assuming you approve 😄 If you can sanity check my additional changes that would be great. |
|
The changes (and the PR overall) look good to me 👍 |
|
QA Passed After using the plugin with the code given above (in the description). ✅ The "AMP Setting" page is functioning correctly and site scanning is omitted on the page. ✅ Support page, Validated URL and Error Index page is disabled for the user.
✅ On the "Onboarding Wizard" step for site scan is removed.
|
westonruter
added
the
Changelogged
Summary
By default the
amp_validatecapability is mapped tomanage_options. However, it doesn't have to be. A site could disable access to validation data entirely—even to administrators—using a plugin like:If I try doing that, some unexpected things happen for new screens in 2.2:
We need to make sure that if a site is restricting access to any validation data by checking first if the user
AMP_Validation_Manager::has_cap().Checklist