[wp-trac] [WordPress Trac] #54516: Full site editing/REST-API: modify permission checks to use post type.

WordPress Trac noreply at wordpress.org
Tue Feb 22 06:03:13 UTC 2022

#54516: Full site editing/REST-API: modify permission checks to use post type.
 Reporter:  peterwilsoncc   |       Owner:  spacedmonkey
     Type:  task (blessed)  |      Status:  reopened
 Priority:  normal          |   Milestone:  6.0
Component:  REST API        |     Version:  5.9
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:  rest-api

Comment (by manfcarlo):

 Replying to [comment:33 TimothyBlynJacobs]:
 > Instead, I think we should approach this in 6.0 by introducing specific
 > meta capabilities like `edit_template` or similar that would handle
 > whether this is a template backed by a file or by a post object in the
 > permission handling itself. That way developers will have the full context
 > available when utilizing the `map_meta_cap` and other filters.
 > Our REST API controllers can then perform logic like
 > `current_user_can( 'edit_template', 'twentytwentytwo//single' )` instead.

 Here is a suggested implementation. There appear to be two test failures:
 one is just stating that the new meta capabilities don't have their own
 tests yet; the other, I believe, is happening because the permission check
 is failing when the delete method is called on a non-existing template.
 Not sure what is the best way to handle that.

 Another limitation I can see is
 [https://github.com/WordPress/gutenberg/issues/37126 the example code in
 this issue] would still not work, due to the `map_meta_cap` filter
 ultimately being applied to `edit_template` rather than `edit_post`. This
 may not be a problem if it is understood that `edit_post` should not be
 used for templates, but again, thoughts are welcome.

Ticket URL: <https://core.trac.wordpress.org/ticket/54516#comment:36>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
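
The capability mapping discussed in the comment above, sketched as an added example; it is not part of the original message or of the patch attached to the ticket. It assumes core calls `current_user_can( 'edit_template', $template_id )` as proposed; the function name, the locked-template list and the `edit_theme_options` fallback are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Template capability mapping (illustration)
 *
 * Assumption: core checks current_user_can( 'edit_template', $template_id )
 * as proposed in the ticket. 'edit_template' is the proposed meta capability,
 * not one that core is known to ship; names below are hypothetical.
 */

add_filter( 'map_meta_cap', 'example_map_edit_template', 10, 4 );

function example_map_edit_template( $caps, $cap, $user_id, $args ) {
	// A callback that only inspects 'edit_post' never gets past this point
	// for template checks, which is the limitation noted in the comment.
	if ( 'edit_template' !== $cap ) {
		return $caps;
	}

	// The template ID arrives as the first extra argument,
	// e.g. 'twentytwentytwo//single'. Deny when it is missing or malformed.
	$template_id = isset( $args[0] ) && is_string( $args[0] ) ? $args[0] : '';
	if ( '' === $template_id || false === strpos( $template_id, '//' ) ) {
		return array( 'do_not_allow' );
	}

	// Constructed sample policy: templates that nobody may edit.
	$locked = array( 'twentytwentytwo//single' );
	if ( in_array( $template_id, $locked, true ) ) {
		return array( 'do_not_allow' );
	}

	// Everything else requires a primitive capability (assumed fallback),
	// so the check fails closed for users who lack it.
	return array( 'edit_theme_options' );
}
```

Because the callback returns early for any capability other than `edit_template`, existing `edit_post` restrictions written by plugins would need a matching branch to keep covering templates.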
