-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alternative: restrict Navigation permissions and show UI warning if cannot create #37454
Alternative: restrict Navigation permissions and show UI warning if cannot create #37454
Conversation
Size Change: +238 B (0%) Total Size: 1.13 MB
ℹ️ View Unchanged
|
lib/navigation.php
Outdated
@@ -50,6 +50,9 @@ function gutenberg_register_navigation_post_type() { | |||
'editor', | |||
'revisions', | |||
), | |||
'capabilities' => array( | |||
'create_posts' => 'edit_theme_options', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Restrict creation of Nav posts to "admin" role level only. Allows us to display a warning immediately upon insertion of Nav block.
Attempting to modify all the permission (as in WordPress/wordpress-develop#2056) will not work because getEntityRecord
will not return the Navigation Post for viewing.
This sounds like a good option, and it still leaves the possibility for loosening the restrictions later if the right solution can be found. Agree with @spacedmonkey that it'd be good to support selecting menus still, but I suppose the dropdown would have to exclude classic menus, as they're converted to a Code looks good so far. |
f0bfb94
to
8013fab
Compare
OK I reinstated that feature and created another Notice which appears only when the user is trying to create and there is not existing Nav entity reference.
Is that because Menus are converted into |
Hopefully we can also hide as many menu creation options as possible.
Yep exactly. |
I am working on e2e tests now. |
It works well, and it is a good start, thank you for working on that @getdave ! There is a bit of a flickering involved:
See the video below: editing.notices.mp4It isn't necessarily a blocker, as this PR solves an important problem, but it would be great to land a fix sooner than later. Maybe the suspense API support will help here once it lands? There's one other non-blocking rough edge I want to point out: The notice is really easy to miss, and even though it is in place, the sidebar still offers to save the menu. An attempt to save it fails, but It would be nicer to not display it there in the first place, or make the block immutable (e.g. using a templateLock as @talldan suggested). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pointed out some rough edges in this PR, but I don't think any of them is a blocker. The code looks good, the fix works, the problem is important, so I'm approving ✅ I'll defer to @getdave on the best way to apply, postpone, and track the non-blocking issues here.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
@tellthemachines I believe you will be managing the backporting for Beta 4? If so please can you look to merge this PR as it's important to fix a key permission bug with the Nav block. Please note that we'll require a companion Trac ticket to alter the 🙇 Thank you in advance. |
…annot create (#37454) * Test for publish abtility and display warning * Update creation of Nav posts to require admin perms * Only show menu creation option if user has permission to create * Move permission selectors to hook * Show warning if unable to create Navigation Menus * Copy changes from Core patch See https://github.com/WordPress/wordpress-develop/pull/2056/files * Only show error if create is not allowed * Revert "Copy changes from Core patch" This reverts commit 1872f62a454dc41ce787103e3d1830f7ff00d63c. * Use streamlined permissions Kudos to @spacedmonkey for https://github.com/WordPress/gutenberg/pull/37454\#discussion_r771026149 * Remove inline warning and reenable ability to select existing * Refactor Notices to reusable hook * Add notices for creating Menus * Rename dep for clarity * Hide other creation options * Add e2e test * Hide classic Menus from dropdown See https://github.com/WordPress/gutenberg/pull/37454\#issuecomment-996569572 * Fix up e2e tests following changes from rebase * Update to make component props more agnostic * Make component props less tighly coupled to permissions * Remove unneeded undefined fallback * Refactor hooks * Try switch user to admin * Try switching back to admin after each permissions test * Try targetting test that relies on avoiding a 404 from URL details endpoint
… type. Adds `'edit_theme_options'` capabilities top restrict Navigation permission. Partial backport from Gutenberg WordPress/gutenberg#37454. Follow-up to [52069], [52145]. Props spacedmonkey, get_dave, hellofromTonya. See #54487. git-svn-id: https://develop.svn.wordpress.org/trunk@52400 602fd350-edb4-49c9-b593-d223f7449a82
… type. Adds `'edit_theme_options'` capabilities top restrict Navigation permission. Partial backport from Gutenberg WordPress/gutenberg#37454. Follow-up to [52069], [52145]. Props spacedmonkey, get_dave, hellofromTonya. See #54487. Built from https://develop.svn.wordpress.org/trunk@52400 git-svn-id: http://core.svn.wordpress.org/trunk@51992 1a063a9b-81f0-0310-95a4-ce76da25c4cd
… type. Adds `'edit_theme_options'` capabilities top restrict Navigation permission. Partial backport from Gutenberg WordPress/gutenberg#37454. Follow-up to [52069], [52145]. Props spacedmonkey, get_dave, hellofromTonya. See #54487. Built from https://develop.svn.wordpress.org/trunk@52400 git-svn-id: https://core.svn.wordpress.org/trunk@51992 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Description
In #37289 we were exploring trying to show a warning if the user cannot "make" new Navigation Menus. However this was proving difficult as whilst even low Role users had permission to
create
they don't have the permission topublish
. This makes it impossible to show an upfront warning to the user if they are likely to not have permission to publish because the publish action is specific to an individualwp_navigation
Post which is not created when you insert the Nav block.This PR proposes another route. We increase the permission gate for the
create
action on thewp_navigation
Post type toedit_theme_options
.This will effectively mean that only Admins can "create" Navigation posts whilst all other users can only "read".
This matches nicely with the current
Menus
system in WordPress which is also only accessible to Admin users.There is a precedent in Core for adding custom capabilities to "special" post types. This PR takes the same approach for Navigation posts.
Why not set all permissions to
edit_theme_options
?This PR does not use the changes from this Core ticket which seeks to alter the perms on the
wp_navigation
post to match those of the Menu post type. Why? Because by adjusting the permissions in this way the post types endpoint will not show thewp_navigation
post and thus it will not be loaded as an entity in Gutenberg. This will mean the check for the entity will fail ingetEntityRecord()
before the API request is fired. Therefore we will not be able to "view" the Navigation post.Having spoken with release leads, as requested I have raised this Trac ticket.
As this PR modifies
navigation.php
we will need a corresponding Core patch. The best candidate is probably the one @spacedmonkey already has open in WordPress/wordpress-develop#2056.Closes #36286
How has this been tested?
First check you cannot create Navigations as a low permission user:
Create
a Navigation via buttons in the placeholder.Now check you can still view existing Navigations:
Create Menu
option in theSelect Menu
dropdown.Screenshots
Types of changes
Checklist:
*.native.js
files for terms that need renaming or removal).