From 840f0fc0536052747fd566175ba21af60f96479f Mon Sep 17 00:00:00 2001
From: ramonopoly
Date: Wed, 18 Sep 2024 05:19:14 +0000
Subject: [PATCH] Global Styles: allow read access to users with `edit_posts` capabilities

This patch any role that can edit a post, including custom post types, or edit theme options to read global styles from the API. This enables read-only access to global styles in the post editor.
Test coverage in included.
Props ramonopoly, peterwilsoncc, mukesh27, aaronrobertshaw, mamaduka, spacedmonkey, talldanwp, timothyblynjacobs.
Fixes #62042.
Built from https://develop.svn.wordpress.org/trunk@59048
git-svn-id: http://core.svn.wordpress.org/trunk@58444 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/post.php | 2 +-
 ...class-wp-rest-global-styles-controller.php | 55 ++++++++++---------
 wp-includes/version.php | 2 +-
 3 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/wp-includes/post.php b/wp-includes/post.php
index 8812957bf2..e522e3eb84 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -489,7 +489,7 @@ function create_initial_post_types() {
 'revisions_rest_controller_class' => 'WP_REST_Global_Styles_Revisions_Controller',
 'late_route_registration' => true,
 'capabilities' => array(
- 'read' => 'edit_theme_options',
+ 'read' => 'edit_posts',
 'create_posts' => 'edit_theme_options',
 'edit_posts' => 'edit_theme_options',
 'edit_published_posts' => 'edit_theme_options',
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php
index 8be3aedd9a..51c1ac29b8 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php
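Review bot: The `'read' => 'edit_posts'` mapping in the `wp-includes/post.php` hunk is narrower than what the commit message describes, because a role that can edit only a custom post type does not hold the core `edit_posts` capability. The permission callback changed in `class-wp-rest-global-styles-controller.php` covers those roles with its own loop, but any path that resolves read access through this capability map (presumably a `read_post` meta-cap check on a stored global styles post) would still refuse them; that should be confirmed against the by-ID route, which is not part of this patch. Every other entry stays on `edit_theme_options`, so a short comment on the line would record that the asymmetry is deliberate, for example `// Read-only access for post editors; every write capability stays on edit_theme_options.` `create_initial_post_types()` begins and ends outside the hunk.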
@@ -509,26 +509,40 @@ class WP_REST_Global_Styles_Controller extends WP_REST_Posts_Controller {
 * Checks if a given request has access to read a single theme global styles config.
 *
 * @since 5.9.0
+ * @since 6.7.0 Allow users with edit post capabilities to view theme global styles.
 *
 * @param WP_REST_Request $request Full details about the request.
 * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
 */
 public function get_theme_item_permissions_check( $request ) {
 /*
- * Verify if the current user has edit_theme_options capability.
- * This capability is required to edit/view/delete global styles.
+ * Verify if the current user has edit_posts capability.
+ * This capability is required to view global styles.
 */
- if ( ! current_user_can( 'edit_theme_options' ) ) {
- return new WP_Error(
- 'rest_cannot_manage_global_styles',
- __( 'Sorry, you are not allowed to access the global styles on this site.' ),
- array(
- 'status' => rest_authorization_required_code(),
- )
- );
+ if ( current_user_can( 'edit_posts' ) ) {
+ return true;
 }
 
- return true;
+ foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
+ if ( current_user_can( $post_type->cap->edit_posts ) ) {
+ return true;
+ }
+ }
+
+ /*
+ * Verify if the current user has edit_theme_options capability.
+ */
+ if ( current_user_can( 'edit_theme_options' ) ) {
+ return true;
+ }
+
+ return new WP_Error(
+ 'rest_cannot_read_global_styles',
+ __( 'Sorry, you are not allowed to access the global styles on this site.' ),
+ array(
+ 'status' => rest_authorization_required_code(),
+ )
+ );
 }
 
 /**
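Review bot: The block comment at the top of `get_theme_item_permissions_check()` says `edit_posts` "is required to view global styles", yet the method returns true on any of three conditions: `edit_posts`, the `cap->edit_posts` of any `show_in_rest` post type, or `edit_theme_options`. The loop is the widest of the three, since it makes this read gate as permissive as the least restrictive REST-enabled post type a plugin registers, and that trust decision is worth writing down where the next reviewer will see it. I would reword the comment to `* Read access is granted to any user who can edit posts of at least one REST-enabled post type, or who can edit theme options.` and fold the separate `edit_theme_options` comment into it. The error code also changes from `rest_cannot_manage_global_styles` to `rest_cannot_read_global_styles`, which clients matching on the old string will notice; a line in the docblock or the changelog would cover that.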
@@ -589,26 +603,13 @@ class WP_REST_Global_Styles_Controller extends WP_REST_Posts_Controller {
 * Checks if a given request has access to read a single theme global styles config.
 *
 * @since 6.0.0
+ * @since 6.7.0 Allow users with edit post capabilities to view theme global styles.
 *
 * @param WP_REST_Request $request Full details about the request.
 * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
 */
 public function get_theme_items_permissions_check( $request ) {
- /*
- * Verify if the current user has edit_theme_options capability.
- * This capability is required to edit/view/delete global styles.
- */
- if ( ! current_user_can( 'edit_theme_options' ) ) {
- return new WP_Error(
- 'rest_cannot_manage_global_styles',
- __( 'Sorry, you are not allowed to access the global styles on this site.' ),
- array(
- 'status' => rest_authorization_required_code(),
- )
- );
- }
-
- return true;
+ return $this->get_theme_item_permissions_check( $request );
 }
 
 /**
@@ -632,7 +633,7 @@ class WP_REST_Global_Styles_Controller extends WP_REST_Posts_Controller {
 );
 }
 
- $response = array();
+ $response = array();
 
 // Register theme-defined variations e.g. from block style variation partials under `/styles`.
 $partials = WP_Theme_JSON_Resolver::get_style_variations( 'block' );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 4768f9be67..8649cef4db 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.7-alpha-59047';
+$wp_version = '6.7-alpha-59048';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
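Review bot: In the `@@ -589,26 +603,13 @@` hunk, the docblock of `get_theme_items_permissions_check()` still describes "a single theme global styles config", the same summary as the single-item check, although this is the plural callback and its body is now a one-line delegation. Because of that delegation the collection route inherits every condition of `get_theme_item_permissions_check()`, including the loop over `show_in_rest` post types and the new `rest_cannot_read_global_styles` error code, and a reader of this method alone cannot see that. The summary should say so, for example `* Checks if a given request has access to read the theme's global styles items; applies the same rule as the single-item check.` The docblock opens above the hunk, so its `/**` line is not visible here.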