<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[58227] trunk: REST API: Allow view access of template endpoint to anyone with the edit_post capability.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/58227">58227</a></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>youknowriad</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2024-05-29 07:19:56 +0000 (Wed, 29 May 2024)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>REST API: Allow view access of template endpoint to anyone with the edit_post capability.

In order to render the block template in the locked template preview inside the post editor we need to be able to fetch the contents of any block templates/template parts for any user role that can edit a post.

Props fabiankaegy, youknowriad.
Fixes <a href="https://core.trac.wordpress.org/ticket/61137">#61137</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesrestapiendpointsclasswpresttemplatescontrollerphp">trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php</a></li>
<li><a href="#trunktestsphpunittestsrestapiwpRestTemplatesControllerphp">trunk/tests/phpunit/tests/rest-api/wpRestTemplatesController.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesrestapiendpointsclasswpresttemplatescontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php   2024-05-29 05:14:00 UTC (rev 58226)
+++ trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php     2024-05-29 07:19:56 UTC (rev 58227)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -236,12 +236,28 @@
</span><span class="cx" style="display: block; padding: 0 10px">         * Checks if a given request has access to read templates.
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><span class="cx" style="display: block; padding: 0 10px">         * @since 5.8.0
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @since 6.6.0 Allow users with edit_posts capability to read templates.
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><span class="cx" style="display: block; padding: 0 10px">         * @param WP_REST_Request $request Full details about the request.
</span><span class="cx" style="display: block; padding: 0 10px">         * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><span class="cx" style="display: block; padding: 0 10px">        public function get_items_permissions_check( $request ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                return $this->permissions_check( $request );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         if ( current_user_can( 'edit_posts' ) ) {
+                       return true;
+               }
+               foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
+                       if ( current_user_can( $post_type->cap->edit_posts ) ) {
+                               return true;
+                       }
+               }
+
+               return new WP_Error(
+                       'rest_cannot_manage_templates',
+                       __( 'Sorry, you are not allowed to access the templates on this site.', 'default' ),
+                       array(
+                               'status' => rest_authorization_required_code(),
+                       )
+               );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
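Review bot: the new body of get_items_permissions_check drops the removed call to $this->permissions_check( $request ) entirely instead of keeping it as a fallback, so any caller that helper previously admitted but who holds neither edit_posts nor a REST-exposed post type's cap->edit_posts is now denied; either confirm that narrowing is intended or replace the inline WP_Error with `return $this->permissions_check( $request );`. Two smaller points on the same hunk: the changeset summary says "edit_post capability" while the code checks the primitive `edit_posts` (and each post type's `cap->edit_posts`), which is worth aligning because edit_post is a different, meta capability; and `$request` is now unused in this method, which static analysis will flag.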
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -277,12 +293,28 @@
</span><span class="cx" style="display: block; padding: 0 10px">         * Checks if a given request has access to read a single template.
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><span class="cx" style="display: block; padding: 0 10px">         * @since 5.8.0
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @since 6.6.0 Allow users with edit_posts capability to read individual templates.
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><span class="cx" style="display: block; padding: 0 10px">         * @param WP_REST_Request $request Full details about the request.
</span><span class="cx" style="display: block; padding: 0 10px">         * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><span class="cx" style="display: block; padding: 0 10px">        public function get_item_permissions_check( $request ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                return $this->permissions_check( $request );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         if ( current_user_can( 'edit_posts' ) ) {
+                       return true;
+               }
+               foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
+                       if ( current_user_can( $post_type->cap->edit_posts ) ) {
+                               return true;
+                       }
+               }
+
+               return new WP_Error(
+                       'rest_cannot_manage_templates',
+                       __( 'Sorry, you are not allowed to access the templates on this site.', 'default' ),
+                       array(
+                               'status' => rest_authorization_required_code(),
+                       )
+               );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
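Review bot: the body added to get_item_permissions_check is a verbatim copy of the block added to get_items_permissions_check in the previous hunk (same two capability checks, same 'rest_cannot_manage_templates' WP_Error); extract it into one protected helper and call it from both methods so the read-access rule cannot drift between the collection and single-item endpoints. From a security standpoint this hunk also widens read access to full template and template-part content to every user who can edit posts of any REST-exposed post type; that is the stated intent of the change, but it should be spelled out in the dev note so site owners relying on the previous, narrower check are aware of it.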
</span></span></pre></div>
<a id="trunktestsphpunittestsrestapiwpRestTemplatesControllerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/rest-api/wpRestTemplatesController.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/rest-api/wpRestTemplatesController.php  2024-05-29 05:14:00 UTC (rev 58226)
+++ trunk/tests/phpunit/tests/rest-api/wpRestTemplatesController.php    2024-05-29 07:19:56 UTC (rev 58227)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -14,6 +14,8 @@
</span><span class="cx" style="display: block; padding: 0 10px">         * @var int
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><span class="cx" style="display: block; padding: 0 10px">        protected static $admin_id;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        protected static $editor_id;
+       protected static $subscriber_id;
</ins><span class="cx" style="display: block; padding: 0 10px">         private static $template_post;
</span><span class="cx" style="display: block; padding: 0 10px">        private static $template_part_post;
</span><span class="cx" style="display: block; padding: 0 10px"> 
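Review bot: `$editor_id` and `$subscriber_id` are declared without the `@var int` docblock that `$admin_id` carries directly above them; add the same docblock to each so the class properties stay consistently documented.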
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -23,11 +25,21 @@
</span><span class="cx" style="display: block; padding: 0 10px">         * @param WP_UnitTest_Factory $factory Helper that lets us create fake data.
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><span class="cx" style="display: block; padding: 0 10px">        public static function wpSetupBeforeClass( $factory ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                self::$admin_id = $factory->user->create(
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         self::$admin_id      = $factory->user->create(
</ins><span class="cx" style="display: block; padding: 0 10px">                         array(
</span><span class="cx" style="display: block; padding: 0 10px">                                'role' => 'administrator',
</span><span class="cx" style="display: block; padding: 0 10px">                        )
</span><span class="cx" style="display: block; padding: 0 10px">                );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                self::$editor_id     = $factory->user->create(
+                       array(
+                               'role' => 'editor',
+                       )
+               );
+               self::$subscriber_id = $factory->user->create(
+                       array(
+                               'role' => 'subscriber',
+                       )
+               );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                // Set up template post.
</span><span class="cx" style="display: block; padding: 0 10px">                $args                = array(
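Review bot: the fixtures added here create only an editor and a subscriber, but the new permission checks grant access on the edit_posts capability and, separately, on each REST-exposed post type's cap->edit_posts; consider also creating a user whose only relevant capability is edit_posts and registering a test post type with show_in_rest and a custom edit_posts capability, so the capability boundary and the post-type loop branch are each exercised rather than only the editor role, which carries many capabilities beyond the one under test.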
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -166,6 +178,51 @@
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="cx" style="display: block; padding: 0 10px">         * @covers WP_REST_Templates_Controller::get_items
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        public function test_get_items_editor() {
+               wp_set_current_user( self::$editor_id );
+               $request  = new WP_REST_Request( 'GET', '/wp/v2/templates' );
+               $response = rest_get_server()->dispatch( $request );
+               $data     = $response->get_data();
+
+               $this->assertSame(
+                       array(
+                               'id'              => 'default//my_template',
+                               'theme'           => 'default',
+                               'slug'            => 'my_template',
+                               'source'          => 'custom',
+                               'origin'          => null,
+                               'type'            => 'wp_template',
+                               'description'     => 'Description of my template.',
+                               'title'           => array(
+                                       'raw'      => 'My Template',
+                                       'rendered' => 'My Template',
+                               ),
+                               'status'          => 'publish',
+                               'wp_id'           => self::$template_post->ID,
+                               'has_theme_file'  => false,
+                               'is_custom'       => true,
+                               'author'          => 0,
+                               'modified'        => mysql_to_rfc3339( self::$template_post->post_modified ),
+                               'author_text'     => 'Test Blog',
+                               'original_source' => 'site',
+                       ),
+                       $this->find_and_normalize_template_by_id( $data, 'default//my_template' )
+               );
+       }
+
+       /**
+        * @covers WP_REST_Templates_Controller::get_items
+        */
+       public function test_get_items_no_permission_subscriber() {
+               wp_set_current_user( self::$subscriber_id );
+               $request  = new WP_REST_Request( 'GET', '/wp/v2/templates' );
+               $response = rest_get_server()->dispatch( $request );
+               $this->assertErrorResponse( 'rest_cannot_manage_templates', $response, 403 );
+       }
+
+       /**
+        * @covers WP_REST_Templates_Controller::get_items
+        */
</ins><span class="cx" style="display: block; padding: 0 10px">         public function test_get_items_no_permission() {
</span><span class="cx" style="display: block; padding: 0 10px">                wp_set_current_user( 0 );
</span><span class="cx" style="display: block; padding: 0 10px">                $request  = new WP_REST_Request( 'GET', '/wp/v2/templates' );
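Review bot: the expected-array literal in test_get_items_editor is repeated verbatim in test_get_item_editor later in this changeset; move it into a private helper or data provider so a field added to the template response only has to be updated in one place. The editor test should also assert `200 === $response->get_status()` before inspecting `$data`, so a permission regression fails on the status code rather than on the lookup in find_and_normalize_template_by_id.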
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -211,6 +268,54 @@
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @covers WP_REST_Templates_Controller::get_item
+        */
+       public function test_get_item_editor() {
+               wp_set_current_user( self::$editor_id );
+               $request  = new WP_REST_Request( 'GET', '/wp/v2/templates/default//my_template' );
+               $response = rest_get_server()->dispatch( $request );
+               $data     = $response->get_data();
+               unset( $data['content'] );
+               unset( $data['_links'] );
+
+               $this->assertSame(
+                       array(
+                               'id'              => 'default//my_template',
+                               'theme'           => 'default',
+                               'slug'            => 'my_template',
+                               'source'          => 'custom',
+                               'origin'          => null,
+                               'type'            => 'wp_template',
+                               'description'     => 'Description of my template.',
+                               'title'           => array(
+                                       'raw'      => 'My Template',
+                                       'rendered' => 'My Template',
+                               ),
+                               'status'          => 'publish',
+                               'wp_id'           => self::$template_post->ID,
+                               'has_theme_file'  => false,
+                               'is_custom'       => true,
+                               'author'          => 0,
+                               'modified'        => mysql_to_rfc3339( self::$template_post->post_modified ),
+                               'author_text'     => 'Test Blog',
+                               'original_source' => 'site',
+                       ),
+                       $data
+               );
+       }
+
+       /**
+        * @covers WP_REST_Templates_Controller::get_item
+        */
+       public function test_get_item_subscriber() {
+               wp_set_current_user( self::$subscriber_id );
+               $request  = new WP_REST_Request( 'GET', '/wp/v2/templates/default//my_template' );
+               $response = rest_get_server()->dispatch( $request );
+               $response = rest_get_server()->dispatch( $request );
+               $this->assertErrorResponse( 'rest_cannot_manage_templates', $response, 403 );
+       }
+
+       /**
</ins><span class="cx" style="display: block; padding: 0 10px">          * @ticket 54507
</span><span class="cx" style="display: block; padding: 0 10px">         * @dataProvider data_get_item_works_with_a_single_slash
</span><span class="cx" style="display: block; padding: 0 10px">         */
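Review bot: test_get_item_subscriber dispatches the request twice (`$response = rest_get_server()->dispatch( $request );` appears on two consecutive lines); drop the duplicate, since the second dispatch only overwrites the first response and slows the test. The method is also named test_get_item_subscriber while its collection counterpart is test_get_items_no_permission_subscriber; renaming it test_get_item_no_permission_subscriber keeps the naming consistent.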
</span></span></pre>
</div>
</div>

</body>
</html>