Site editor allows unauthorised edits

[carlomanf]

Description

The site editor appears to ignore meta capabilities that may be applied to template and template parts.

Step-by-step reproduction instructions

1. Add a plugin with code similar to the below (where 338 is the ID of a template)
2. Attempt to edit the template in the site editor
3. Observe that the template was successfully edited

Screenshots, screen recording, code snippet

add_filter( 'map_meta_cap', 'test_function', 10, 4);
function test_function( $caps, $cap, $user_id, $args )
{
	if ( $cap === 'edit_post' && get_post( $args[0] )->ID === 338 ) return array( 'do_not_allow' );
	return $caps;
}

Environment info

core version 5.9-beta1-52318, plugin deactivated

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

No

[annezazu]

Adding to the 5.9 project to be triaged further :)

[Mamaduka]

Hi, @carlomanf

The templates REST API endpoint uses edit_theme_options for permission checks, and if I remember correctly, this is why we don't check meta caps.

Pinging @spacedmonkey in case my knowledge isn't up to date.

[spacedmonkey]

There is already a core ticket for this [https://core.trac.wordpress.org/ticket/54516 #54516].

I have work in progress fix for this here - WordPress/wordpress-develop#2026

[annezazu]

Thank you both for chiming in and connecting dots. I'm going to close this out and defer to the core ticket to reduce confusion.

[carlomanf]

@annezazu I think this ticket should be re-opened. Although there is work being done on the core ticket, it will still be necessary to update the NPM packages here to work with the new API. This ticket can be used to track the client-side updates. What do you think?

[annezazu]

I trust your read and will reopen now :). I'd always rather have more places something is reported for consistency than less. Thanks for following back up.