Reusable blocks: Improve UX for non-privileged users #12378
Conversation
noisysocks
added
[Type] Bug
noisysocks
force-pushed
the
fix/non-privileged-reusable-blocks-ux
branch
from
a1856af
to
9a4cb69
Compare
|
This should be ready to review!
|
noisysocks
force-pushed
the
fix/non-privileged-reusable-blocks-ux
branch
from
9a4cb69
to
3c1db96
Compare
There was a problem hiding this comment.
I like the canUser function, it's a nice way to express that functionality.
I think that flash of the disabled state of the block settings menu item is something that needs to be fixed.
Preloading could work, but I think checking the resolution state is also possible and worth doing as well, since it shouldn't just depend on preloading. I think this is what embeds do:
https://github.com/WordPress/gutenberg/blob/master/packages/core-data/src/selectors.js#L41
| @@ -80,6 +83,7 @@ export default compose( [ | |||
| ! isReusableBlock( blocks[ 0 ] ) || | |||
| ! getReusableBlock( blocks[ 0 ].attributes.ref ) | |||
| ), | |||
| canCreateBlocks: canUser( 'create', 'blocks' ), | |||
There was a problem hiding this comment.
For media upload permissions the media options request is preloaded. I think it might be worth doing the same here.
I noticed a 'flash' where the menu item went from being enabled to disabled when opening the block settings menu while the blocks options request was in progress.
There was a problem hiding this comment.
👌 I've added this OPTIONS request to the list of requests we preload in bc0709f.
Noting that this is a change we'll need to make to core after this PR is merged.
packages/editor/src/components/block-settings-menu/reusable-block-convert-button.js
Outdated
Show resolved
Hide resolved
| * | ||
| * @return {boolean} Whether or not the user can perform the action. | ||
| */ | ||
| export function canUser( state, action, resource, id ) { |
There was a problem hiding this comment.
I like the expressiveness of the canUser selector 😄
There was a problem hiding this comment.
Props to @gziolo for suggesting the API 🙂
| return { | ||
| reusableBlock: block && isReusableBlock( block ) ? getReusableBlock( block.attributes.ref ) : null, | ||
| id, | ||
| isDisabled: !! id && ( |
There was a problem hiding this comment.
I think same comment here regarding disabling vs. hiding.
There was a problem hiding this comment.
Also noting that in testing I didn't see the flash of this switching from enabled to disabled. That seems to be because the GET request for the block has already been made and cached. If an OPTIONS request was made instead of a GET request the issue would resurface.
There was a problem hiding this comment.
Have changed this to remove the button instead of disabling in 708a50484fc99537a5f3368b4dbb66e134198741.
We can't preload these requests because we don't know the reusable block ID ahead of time.
There was a problem hiding this comment.
Yep, I do understand that we can't preload. My worry is that it's only by coincidence that the user's capability is known ahead of time. If the underlying code switches to use OPTIONS instead of GET, users would start seeing this button initially be clickable but then suddenly disappear.
This is probably a nitpick though and not a blocker. I'm not even sure what the best UX would be.
There was a problem hiding this comment.
Ah, got it! Not sure if defaulting to disabled versus defaulting to enabled would be a better experience. Both aren't ideal. I matched the existing hasUploadPermissions behaviour which defaults to enabled.
I think that, further down the track, core-data should modify the canUser state whenever it receives an Allow header from any response, and not just when the canUser() resolver is called.
There was a problem hiding this comment.
Yeah, that's a nice idea. Not sure how it'd work, but a nice idea 😄
| path, | ||
| // Ideally this would always be an OPTIONS request, but unfortunately there's | ||
| // a bug in the REST API which causes the Allow header to not be sent on | ||
| // OPTIONS requests to /posts/:id routes. |
There was a problem hiding this comment.
Is that just for /post/:id of for the all resources? I mentioned that because the logic below happens for all resources (so doesn't match the comment).
Is there a ticket/issue covering the bug?
There was a problem hiding this comment.
I've only checked posts but I suspect the bug affects all REST endpoints. Will do some investigating and open up a Trac ticket 👍
There was a problem hiding this comment.
If this is the case, it should be fixed /cc @danielbachhuber @kadamwhite
There was a problem hiding this comment.
If you just want the Allow header, what about doing a HEAD request instead of GET.
There was a problem hiding this comment.
Looking into this further:
- The
Allowheader is generated byrest_send_allow_header(), which is called onrest_post_dispatch. rest_post_dispatchis called for every response (I think):
It seems like Allow should be present for OPTIONS. It's an officially supported header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
Can you provide steps to reproduce?
There was a problem hiding this comment.
I briefly debugged this when I noticed the issue and from memory it was something to do with rest_handle_options_request not calling $request->set_url_params() unlike dispatch which correctly parses and sets URL parameters.
Can you provide steps to reproduce?
- Create a reusable block
- Perform a
GET http://local.wordpress.test/wp-json/wp/v2/blocksrequest and note the ID of the reusable block - Perform a
OPTIONS http://local.wordpress.test/wp-json/wp/v2/blocks/27request, replacing27with the ID from step 2. Note that anAllowheader is not sent back - Perform a
GET http://local.wordpress.test/wp-json/wp/v2/blocks/27request, replacing27with the ID from step 2. Note that anAllowheader is sent back
Above steps also work with posts: just change blocks to posts.
There was a problem hiding this comment.
I created a ticket here: https://core.trac.wordpress.org/ticket/45753
There was a problem hiding this comment.
Added a link to the Trac ticket in cf2d701.
| @@ -103,7 +103,46 @@ export function* getEmbedPreview( url ) { | |||
| * Requests Upload Permissions from the REST API. | |||
| */ | |||
| export function* hasUploadPermissions() { | |||
There was a problem hiding this comment.
Should I mark this as deprecated? I'm unsure on what the policy is post 5.0 🙂
There was a problem hiding this comment.
I don't know either. Might be worth pinging someone on slack. Will hold off approving until the answer is known.
There was a problem hiding this comment.
It's probably fine leaving this as is where we support both canUser and hasUploadPermissions. We can always deprecate later.
There was a problem hiding this comment.
We might want to use a soft deprecation by using @deprecated in JSDoc and maybe filter out all actions and selectors from the generated docs.
There was a problem hiding this comment.
Yes, for now, we should leave those, we can add a deprecation message if needed but without specifying a version.
This is something we should discuss more in the next #core-js chats.
There was a problem hiding this comment.
I noted this in the agenda for the next meeting.
There was a problem hiding this comment.
@noisysocks I noticed you @deprecated the selector, but the resolver hasn't been deprecated. I guess technically they're the same interface and the resolver wouldn't be called directly, but I wanted to double-check if it was intentional.
There was a problem hiding this comment.
That's a good point. I think selectors are the public interface here but it wouldn't hurt to have the @deprecated attribute in the resolver as well.
noisysocks
force-pushed
the
fix/non-privileged-reusable-blocks-ux
branch
2 times, most recently
from
708a504
to
9ec72e8
Compare
|
@gziolo any thoughts on this one? |
| @@ -103,7 +103,46 @@ export function* getEmbedPreview( url ) { | |||
| * Requests Upload Permissions from the REST API. | |||
| */ | |||
| export function* hasUploadPermissions() { | |||
There was a problem hiding this comment.
We might want to use a soft deprecation by using @deprecated in JSDoc and maybe filter out all actions and selectors from the generated docs.
packages/core-data/src/resolvers.js
Outdated
|
|
||
| const method = methods[ action ]; | ||
| if ( ! method ) { | ||
| throw new Error( `'${ action }' is not a valid action` ); |
There was a problem hiding this comment.
We aren't consistent, but probably we should end all sentences with a period.
| throw new Error( `'${ action }' is not a valid action` ); | ||
| } | ||
|
|
||
| const path = id ? `/wp/v2/${ resource }/${ id }` : `/wp/v2/${ resource }`; |
There was a problem hiding this comment.
| const path = id ? `/wp/v2/${ resource }/${ id }` : `/wp/v2/${ resource }`; | |
| const path = '/wp/v2/${ resource }' + ( id ? `/${ id }` : '' ); |
would be shorter, not sure what reads better though :)
There was a problem hiding this comment.
I like that with the more verbose version that you can glance at the code and see the "shape" of the URL.
| @@ -116,5 +155,7 @@ export function* hasUploadPermissions() { | |||
| allowHeader = get( response, [ 'headers', 'Allow' ], '' ); | |||
| } | |||
|
|
|||
| yield receiveUploadPermissions( includes( allowHeader, 'POST' ) ); | |||
| const key = compact( [ action, resource, id ] ).join( '/' ); | |||
There was a problem hiding this comment.
You'd need template strings for the first part:
| const key = compact( [ action, resource, id ] ).join( '/' ); | |
| const path = `/wp/v2/${ resource }` + ( id ? `/${ id }` : '' ); |
I think it's a bit easier to sort out though, yeah.
There was a problem hiding this comment.
Was this suggestion meant to go in this thread? #12378 (comment)
packages/core-data/src/resolvers.js
Outdated
| yield receiveUploadPermissions( includes( allowHeader, 'POST' ) ); | ||
| const key = compact( [ action, resource, id ] ).join( '/' ); | ||
| const isAllowed = includes( allowHeader, method ); | ||
| yield receiveUserPermissions( key, isAllowed ); |
There was a problem hiding this comment.
Should it be named receiveUserPermission using singular version to reflect that you can provide only one permission at the time?
There was a problem hiding this comment.
At the very least could we add the ticket URL in the comment so it can be tracked/checked on?
There was a problem hiding this comment.
Should it be named receiveUserPermission using singular version to reflect that you can provide only one permission at the time?
👍 02d9502
At the very least could we add the ticket URL in the comment so it can be tracked/checked on?
I think this is referring to this thread? #12378 (comment) If so I added a link to the Trac ticket in
cf2d701.
| const state = deepFreeze( { | ||
| userPermissions: {}, | ||
| } ); | ||
| expect( canUser( state, 'create', 'media' ) ).toBe( true ); |
There was a problem hiding this comment.
That's surprising that we set true as a default value. What if REST API call takes 5 seconds and UI would be rendered before that happens?
There was a problem hiding this comment.
Yeah, true as the default seems wrong to me. I'd rather UI update after API requests and have extra settings added than them removed.
There was a problem hiding this comment.
I've changed canUser() to return false by default in 62bcb19.
| }; | ||
| } ), | ||
| withDispatch( ( dispatch, { onToggle = noop } ) => { | ||
| withDispatch( ( dispatch, { clientId, onToggle = noop }, { select } ) => { |
There was a problem hiding this comment.
select - that's interesting to see it have much broader application than I anticipated. I hope there are no drawbacks of that approach :)
There was a problem hiding this comment.
I like that in this case it lets us avoid passing unnecessary props to the component.
| ! isReusableBlock( blocks[ 0 ] ) || | ||
| ! getReusableBlock( blocks[ 0 ].attributes.ref ) | ||
| // Show 'Convert to Regular Block' when selected block is a reusable block | ||
| isVisible: isReusable || ( |
There was a problem hiding this comment.
It's probably better to move isVisible outside of the object - the way it was before. It makes return value harder follow at the moment.
| path, | ||
| // Ideally this would always be an OPTIONS request, but unfortunately there's | ||
| // a bug in the REST API which causes the Allow header to not be sent on | ||
| // OPTIONS requests to /posts/:id routes. |
There was a problem hiding this comment.
If this is the case, it should be fixed /cc @danielbachhuber @kadamwhite
packages/core-data/src/selectors.js
Outdated
| * @param {string} resource REST resource to check, e.g. 'media' or 'posts'. | ||
| * @param {?string} id ID of the rest resource to check. | ||
| * | ||
| * @return {boolean} Whether or not the user can perform the action. |
There was a problem hiding this comment.
Can we add the information about the default behavior when it is not found in the store?
There was a problem hiding this comment.
👍 Done as part of 62bcb19.
@imath - I think you implemented the original version of this behavior when working on media upload permissions. Can you double check if the generalized version is still correct? @danielbachhuber or @kadamwhite - it would be nice to get your review on the bits that interact with REST API. @noisysocks - nice work on the PR. I personally think it is quite close to be considered ready. My comments are mostly nitpicks. The only important thing from my perspective is to ensure that |
Does this change the UI at all? If so, can you include screenshots and/or GIFs in the description? |
|
Also:
At first glance, I'm not sure how well this |
|
@gziolo Hi, I've just tested the PR. I confirm that being logged in as an Administrator I'm still able to upload files and that being logged in as a contributor I can only use external URLs to add media. So it seems to be working as expected for this part 👍 @noisysocks FYI I also tested the Reusable blocks UI changes being logged in as a contributor:
|
|
|
||
| * state: Data state. | ||
| * action: Action to check. One of: 'create', 'read', 'update', | ||
| 'delete'. |
There was a problem hiding this comment.
This indentation is kinda odd; I'm not sure why this is indented where it is...
There was a problem hiding this comment.
This indentation is kinda odd; I'm not sure why this is indented where it is...
Likely because it's unprocessed from the space-aligned JSDoc. Could probably be improved with some additional processing (lines.map( trim ).join( ' ' )?). It has no difference in the Markdown preview though, since the whitespace is collapsed.
| @@ -159,6 +162,7 @@ export default compose( [ | |||
| isFetching: isFetchingReusableBlock( ref ), | |||
| isSaving: isSavingReusableBlock( ref ), | |||
| block: reusableBlock ? getBlock( reusableBlock.clientId ) : null, | |||
| canUpdateBlock: !! reusableBlock && ! reusableBlock.isTemporary && canUser( 'update', 'blocks', ref ), | |||
There was a problem hiding this comment.
Any reason you're checking !! reusableBlock rather than just using reusableBlock? Just curious!
There was a problem hiding this comment.
Any reason you're checking
!! reusableBlockrather than just usingreusableBlock? Just curious!
If a value is falsey in this scenario, the specific value is returned in the left-hand of the condition.
If reusableBlock was undefined for example, without the !!, canUpdateBlock would be passed as undefined, despite its name indicating that it would be a boolean. As written, it satisfies an implicit contract of providing a boolean value. Practically speaking this would rarely have much an impact, except in a scenario where someone expected it to be the particular boolean form (=== false).
| @@ -116,5 +155,7 @@ export function* hasUploadPermissions() { | |||
| allowHeader = get( response, [ 'headers', 'Allow' ], '' ); | |||
| } | |||
|
|
|||
| yield receiveUploadPermissions( includes( allowHeader, 'POST' ) ); | |||
| const key = compact( [ action, resource, id ] ).join( '/' ); | |||
There was a problem hiding this comment.
You'd need template strings for the first part:
| const key = compact( [ action, resource, id ] ).join( '/' ); | |
| const path = `/wp/v2/${ resource }` + ( id ? `/${ id }` : '' ); |
I think it's a bit easier to sort out though, yeah.
packages/core-data/src/resolvers.js
Outdated
| yield receiveUploadPermissions( includes( allowHeader, 'POST' ) ); | ||
| const key = compact( [ action, resource, id ] ).join( '/' ); | ||
| const isAllowed = includes( allowHeader, method ); | ||
| yield receiveUserPermissions( key, isAllowed ); |
There was a problem hiding this comment.
At the very least could we add the ticket URL in the comment so it can be tracked/checked on?
| parse: false, | ||
| } ); | ||
| } catch ( error ) { | ||
| return; |
There was a problem hiding this comment.
😟 This seems like it should throw. Why are we catching an ignoring the error without doing anything with it?
There was a problem hiding this comment.
error here refers to the API error that resulted from our OPTIONS request. Doing nothing is correct in this case as we want to leave the store as is. I've added a comment to explain this in e0a7269.
| const state = deepFreeze( { | ||
| userPermissions: {}, | ||
| } ); | ||
| expect( canUser( state, 'create', 'media' ) ).toBe( true ); |
There was a problem hiding this comment.
Yeah, true as the default seems wrong to me. I'd rather UI update after API requests and have extra settings added than them removed.
| blocks.length === 1 && | ||
| blocks[ 0 ] && | ||
| isReusableBlock( blocks[ 0 ] ) && | ||
| !! getReusableBlock( blocks[ 0 ].attributes.ref ) |
There was a problem hiding this comment.
Any reason to use !! here? I just always find it weird to see 🤷♂️
There was a problem hiding this comment.
It's to ensure that typeof isReusable === 'boolean'.
|
|
||
| every( blocks, ( block ) => ( | ||
| // Guard against the case where a regular block has *just* been converted | ||
| !! block && |
There was a problem hiding this comment.
It's to ensure that typeof isVisible === 'boolean'.
noisysocks
force-pushed
the
fix/non-privileged-reusable-blocks-ux
branch
from
9ec72e8
to
cf2d701
Compare
noisysocks
force-pushed
the
fix/non-privileged-reusable-blocks-ux
branch
from
15ff121
to
7b8d040
Compare
|
IIRC this one also needed a change in core to preload that request. |
|
Getting this in early so that there's time for it to bake in 5.0.
Thanks for the reminder. I wonder what the best way to do this is... Do we check how the plugin PHP files differ when updating Core's script dependencies? (e.g. |
|
@noisysocks Not sure. This one was done as a trac ticket, so maybe that's the best option: |
| @@ -24,6 +24,7 @@ | |||
| "@babel/runtime": "^7.0.0", | |||
| "@wordpress/api-fetch": "file:../api-fetch", | |||
| "@wordpress/data": "file:../data", | |||
| "@wordpress/deprecated": "file:../deprecated", | |||
There was a problem hiding this comment.
There should have been a corresponding change to the root package-lock.json. I'm not sure how this passed the build task which checks for local uncommitted changes, but it shouldn't have.
There was a problem hiding this comment.
Huh! Looks like check-local-changes doesn't pick this up because precheck-local-changes doesn't run npm install. CI doesn't pick it up because it uses npm ci.
Will fix this up in a seperate PR.
|
A test that I made: |
|
@paaljoachim What version are you testing against? This has only just been released in the plugin today afaik. I couldn't reproduce testing against master. |
|
Hey Daniel @talldan Lets just call it an error on my end. I made the following comment: |
Improves the UX of creating, editing, and deleting a reusable block when logged in as an author or contributor by disabling the _Add to Reusable Blocks_, _Edit_, and _Remove from Reusable Blocks_ buttons when necessary. This is accomplished under the hood by introducing the `canUser()` selector to `core-data` which allows callers to query whether the REST API supports performing a given action on a given resource, e.g. one can query whether the logged in user can create posts by running `wp.data.select( 'core' ).canUser( 'create', 'posts' )`. The existing `hasUploadPermissions()` selector is changed to use `canUser( 'create', 'media' )` under the hood.
Improves the UX of creating, editing, and deleting a reusable block when logged in as an author or contributor by disabling the _Add to Reusable Blocks_, _Edit_, and _Remove from Reusable Blocks_ buttons when necessary. This is accomplished under the hood by introducing the `canUser()` selector to `core-data` which allows callers to query whether the REST API supports performing a given action on a given resource, e.g. one can query whether the logged in user can create posts by running `wp.data.select( 'core' ).canUser( 'create', 'posts' )`. The existing `hasUploadPermissions()` selector is changed to use `canUser( 'create', 'media' )` under the hood.
What this is
Fixes #12338.
Improves the UX of creating, editing, and deleting a reusable block when logged in as an author or contributor by disabling the Add to Reusable Blocks, Edit, and Remove from Reusable Blocks buttons when necessary.
This is accomplished under the hood by introducing the
canUser()selector tocore-datawhich allows callers to query whether the REST API supports performing a given action on a given resource, e.g. one can query whether the logged in user can create posts by runningwp.data.select( 'core' ).canUser( 'create', 'posts' ).The existing
hasUploadPermissions()selector is changed to usecanUser( 'create', 'media' )under the hood.How it looks
Add to Reusable Blocks button is visible for admins and editors:
Add to Reusable Blocks button is hidden for contributors:
Edit button is enabled and Remove from Reusable Blocks is visible for admins and editors:
Edit button is disabled and Remove from Reusable Blocks is hidden for authors:
How to test