-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid direct use of user capabilities in client-side code #6361
Comments
Is it just that the filters are not being used before localising information on caps for Gutenberg here, or are there more issues? I've looked at the other linked issue, but aside from both relating to capabilities, I'm not seeing a link, and this looks like more than one issue. |
Yes. Fundamentally, the problem is that the Impacted components include:
|
We chatted abit about this in the REST channel today. One of the ways we could do this is to utilize the {
"_links": {
"self": [],
"wp:action-sticky_post": [
{
"title": "Sticky Post",
"href": "https://w.org/wp-json/wp/v2/posts/5",
"targetSchema": {
"type": "object",
"properties": {
"sticky": {
"type": "boolean",
"description": "Whether or not the object should be treated as sticky."
}
}
}
}
]
}
} We would only include the The {
"_links": {
"self": [],
"wp:action-author": [
{
"title": "Author",
"href": "https://w.org/wp-json/wp/v2/posts/5",
"targetSchema": {
"type": "object",
"properties": {
"author": {
"type": "integer",
"description": "The ID for the author of the object."
}
}
}
}
]
}
} In JS land we'd check if the link with whichever relation we wanted exists in the item's response. |
Thanks @TimothyBJacobs. This seems to be exactly what we want. |
I agree this approach appears to solve the problem. Would we always return these actions as We should probably provide some base logic and utility methods in |
The former: the actions would be included on every response (but only when the user has permission to perform the action).
I think we should take on that abstraction when it proves necessary. At this point, we only need a few actions on the Posts controller.
The existing |
Given that this filter works (via the PR), I'm okay with leaving away an abstraction for now. I'd only advise against actually changing the controller internally without considering an abstraction. |
Can you explain what your abstraction might be, and how it would be a benefit? |
Not yet, I haven't really put thoughts into it, since we were not gonna do it. I guess I would consider introducing utility methods in My main point is that if we start implementing that here (which I support), we should at some point publish a post on make.wordpress.org/core/ about this procedure, and open tickets to add similar actions to other endpoints. This is out of scope for Gutenberg obviously, but I'd like to ensure we follow a certain pattern for this functionality across all areas. |
I've created a Trac ticket to get this into core: https://core.trac.wordpress.org/ticket/44287 |
* Allow converting core/html block to blocks * Add unfiltered_html capability to targetSchema * Take capability from _links property in post object See #6361 for reference * Add canUserUseUnfilteredHTML selector * Remove unused import * Add selector tests * Add REST API tests * Add REST API tests for multisite * Make php linter happy * Fix jsdoc comment
@danielbachhuber #7667 has landed a new |
@nosolosw Awesome! |
In a variety of places throughout the codebase, user capabilities are directly referenced to determine whether UI should be displayed. For example, here's the check for displaying post sticky UI:
This type of check, one where user capabilities are directly inspected, are incorrect because WordPress expects capabilities to be evaluated, and potentially modified, at runtime.
To illustrate, in the original
edit_post()
sticky post capability check, result ofcurrent_user_can()
can be modified by themap_meta_cap
anduser_can
filters:The REST API provides this information for us on a high-level through the
Allow
header:However, we don't yet have this information on an attribute by attribute basis (e.g. setting
sticky
requirespublish_posts
andedit_others_posts
, while assigning anauthor
requiresedit_others_posts
).The text was updated successfully, but these errors were encountered: