[wp-trac] [WordPress Trac] #35914: Prevent exporting a partial for selective refresh when user can't preview its settings

Tue Feb 23 07:21:31 UTC 2016

#35914: Prevent exporting a partial for selective refresh when user can't preview
its settings
--------------------------+-------------------
 Reporter:  westonruter   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  4.5
Component:  Customize     |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-------------------
 When partials get registered, they are associated with one or more
 settings, just as controls do. Controls are prevented from being exported
 to the client if they are associated with any settings that the user
 doesn't have the capability to update. At the moment, however, partials do
 not have parity with controls in this way: partials are being exported to
 the client even if the user cannot make any changes to them. This results
 in misleading “Shift-click to edit this element.” messages for such users.

 So `WP_Customize_Partial::check_capabilities()` should be created for
 parity with `WP_Customize_Control::check_capabilities()`. Partials that
 don't pass the capability check can be omitted from being exported to the
 client. These partials can also be rejected from requests to render
 partials. While these are currently not rejected, they can only be
 previewed using settings already saved in the DB, since setting changes
 will be ignored if the user doesn't have the capability: these are
 currently treated as read-only partial renders.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35914>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform