Social: Fix permissions for update/delete connections endpoints

[manzoorwanijk]

From the linked task:

Currently we check if the current user ID matches the keyring connection user ID, and if they have permission to edit other's posts. However, it seems that anyone can disconnect shared connections.

Actually WPCOM handles all these permissions but we should still handle these from inside Jetpack. It will:

• Prevent the unintended error messages from WPCOM being shown to non-admin authors
• Speed up the request by preventing an extra request to WPCOM

Proposed changes:

• Fix the permissions for the update and disconnect connections endpoint.
• Ensure that non-editor authors are not able to mark connections as shared.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

• Using an admin or an editor account, goto connections management on Social or Jetpack settings page or the editor.
• Confirm that you are able to add, disconnect and mark/unmark connections as shared.
• Mark a connection as shared
• Now login from a non-admin author account and goto the editor to manage connections
• Run jetpack watch plugins/jetpack or jetpack watch plugins/social
• Set isAdmin to true in publicize-components/src/components/services/service-item-details.tsx in order to see the "Mark as shared" checkbox for non-admins.
• Set 'can_disconnect' to true in get_all_connections_for_user method in packages/publicize/src/class-publicize.php to allow non-admin author to see the disconnect button for shared connections.
• Try to disconnect a shared connection
• Confirm that you are not allowed to do that.
• Try to unmark a shared connection
• Confirm that you are not allowed to do that.
• Try to mark the author connected account as shared.
• Confirm that you are not allowed to do that.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the fix/social/update-permissions-for-the-disconnect-endpoint branch.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack fix/social/update-permissions-for-the-disconnect-endpoint
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

[gmjuhasz]

This tests well for me