[wp-trac] [WordPress Trac] #18209: Capabilities with misplaced dependencies in edit_theme_options
WordPress Trac
noreply at wordpress.org
Thu Aug 4 10:00:18 UTC 2022
#18209: Capabilities with misplaced dependencies in edit_theme_options
--------------------------+------------------------------
Reporter: Clorith | Owner: (none)
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: Menus | Version: 3.2.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration
--------------------------+------------------------------
Comment (by Clorith):
Oh wow, it's been 11 years for me 😅
I had a quick check, as I do sort of recall the problem at the time, and
my findings are... better!
It should be added that the introduction of FSE adds another layer to
this, since the original issue revolves around menu management, including
within the Customizer, whereas neither is an option with an FSE theme
enabled.
In testing, I've created a new role (`testrole`, labeled "Test Role"), and
given it only three capabilities:
- `edit_theme_options`
- `manage_links`
- `read`
This should be fairly similar to the expectations of the original ticket.
As the user with this role, I have a very limited admin interface, but I
have the Customizer and Menu management items.
If I use the normal menu manager, I am now able to both remove, modify
(change ordering, set child/parent relationships), or add to the menu, and
I can save and see these changes as expected. The original problem when
this was reported indicates that it was not possible to add new menu items
without having the `edit_posts` capability as well, so this does not
appear to be a problem any more.
Now, for the newly introduced issues, the Navigation block in FSE does not
play nice with this, and although the Editor itself is available with
just the `edit_theme_options` capability, if you open it with a vanilla WP
setup, and the TwentyTwenty-Two theme active, you'll get an error trying
to load the navigation items in the backend at first (this is because it
is a "Page List" block, and apparently the lack of capabilities means the
user isn't allowed to list pages, this is likely a Gutenberg-ticket style
issue though).
----
For completeness' sake, here are my exact testing steps:
- Brand new setup of WordPress 6.0.1, no settings changed.
- Installed the [https://wordpress.org/plugins/user-switching/ User
Switching] plugin to quickly change between users and roles
- Installed the [https://wordpress.org/plugins/user-role-editor/ User Role
Editor] plugin to easily visualize and set up a new role (also the plugin
used when the original ticket was made, which I thought was handy!)
- Switched to the `Twenty Twenty` theme
Once this is done, I went to Users > User Role Editor, and added a new
role with the following details:
- Role name (ID): `testrole`
- Display Role Name: `Test Role`
I then used the Quick filter to add the following capabilities:
- `edit_theme_options` (the capability we want to test)
- `manage_links` (A capability that I know was around back then, and I
would not have removed due to its management-style concept)
- `read` (The capability to read content on the site)
Once this is done, I added a new user, and gave them the `Test Role` role
on the site, and used the "Switch To" option in the user list to change to
this user and test the admin interface, and adding new menu items.
I visited the Appearance > Menus page, and started adding/removing/moving
menu items, saving them, and viewing it in a new tab from the front-end to
see that changes were being applied.
I did the same from within the Customizer, and the Menu manager there.
-----
That's not to say the problem might not still be evident somehow, but I
was not able to reproduce it with the details I recall, and what was in
the original ticket report. (I really wish I was better at writing tickets
back then, to ensure I got the details right here, as I suspect I was
creating a management role that had access to other things besides just
Posts)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/18209#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
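
The role setup from the testing steps in the comment above, scripted so it can be repeated on a throwaway site. This is an added example, not part of the ticket or of WordPress core; the file name, user login and e-mail address are constructed, and including `edit_pages` in the checks is an assumption.

```php
<?php
// Added example, not from the ticket. Run on a disposable test site with:
//   wp eval-file check-testrole.php
// The user login and e-mail below are constructed placeholders.

$role_id = 'testrole';
$caps    = array(
	'edit_theme_options' => true, // the capability under test
	'manage_links'       => true,
	'read'               => true,
);

// Start from a clean role so a leftover definition cannot skew the result.
remove_role( $role_id );
if ( null === add_role( $role_id, 'Test Role', $caps ) ) {
	fwrite( STDERR, "Could not create role {$role_id}\n" );
	exit( 1 );
}

$login   = 'testrole-user'; // constructed
$user_id = username_exists( $login );
if ( ! $user_id ) {
	$user_id = wp_insert_user( array(
		'user_login' => $login,
		'user_email' => 'testrole-user@example.invalid',
		'user_pass'  => wp_generate_password( 24 ),
		'role'       => $role_id,
	) );
	if ( is_wp_error( $user_id ) ) {
		fwrite( STDERR, $user_id->get_error_message() . "\n" );
		exit( 1 );
	}
} else {
	( new WP_User( $user_id ) )->set_role( $role_id );
}

// Capabilities named in the ticket, plus edit_pages (an assumption: the
// comment does not say which capability the Page List block needs).
$checks = array( 'edit_theme_options', 'manage_links', 'read', 'edit_posts', 'edit_pages' );
foreach ( $checks as $cap ) {
	printf( "%-20s %s\n", $cap, user_can( $user_id, $cap ) ? 'granted' : 'denied' );
}

// Anything granted beyond the three intended capabilities is unexpected.
$granted = array_keys( array_filter( get_userdata( $user_id )->allcaps ) );
$extra   = array_diff( $granted, array_keys( $caps ), array( $role_id ) );
echo $extra ? 'Unexpected: ' . implode( ', ', $extra ) . "\n" : "No extra capabilities.\n";
```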