Core Data selector canUser does not handle entity records #43751

Closed
TimothyBJacobs opened this issue Aug 31, 2022 · 5 comments · Fixed by #63322
Labels: [Package] Core data (/packages/core-data), REST API Interaction (Related to REST API), [Status] In Progress (Tracking issues with work in progress), [Type] Enhancement (A suggestion for improvement)

Comments

@TimothyBJacobs
Member

Description

The @wordpress/core-data module provides a selector canUser( action, resource, id ) that can interrogate whether a user has permission to perform the given CRUD action for the given resource and optionally a specific record.

For example, to check whether the user can update a page with the id of 5, you can perform the following check.

```js
select( 'core' ).canUser( 'update', 'pages', 5 )
```

Unfortunately, this method only supports resources that are in the wp/v2 namespace. Additionally, it requires you to know the final REST API path. Typically, however, only an entity kind and name are known.

There currently exists a canUserEntityRecord selector, but it is only a wrapper for canUser and does not Post Type entity records. Additionally, it only supports Post Types that have the wp/v2 namespace which is not a requirement since WP 5.9.

```ts
export function canUserEditEntityRecord(
	state: State,
	kind: string,
	name: string,
	recordId: EntityRecordKey
): boolean | undefined {
	const entityConfig = getEntityConfig( state, kind, name );
	if ( ! entityConfig ) {
		return false;
	}
	const resource = entityConfig.__unstable_rest_base;
	return canUser( state, 'update', resource, recordId );
}
```

I think canUserEntityRecord should be adapted to actually perform the permission handling logic utilizing the baseURL property of the entity config. Then canUser would be deprecated.

Step-by-step reproduction instructions

  1. Register a custom post type with a custom namespace.

```php
register_post_type( 'custom-ns', [
	'public'         => true,
	'show_in_rest'   => true,
	'rest_namespace' => 'my/namespace',
	'supports'       => [ 'editor', 'title', 'custom-fields' ],
] );
```

  2. Call the canUser selector via the browser console.

```js
wp.data.select('core').canUser('create', 'custom-ns');
```

Screenshots, screen recording, code snippet

No response

Environment info

No response

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes
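
The path mismatch reported above, as an added example that is not part of the original issue or Gutenberg's own code: it compares a path hard-wired to wp/v2 with one derived from an entity config's baseURL, using the custom-ns post type from the reproduction steps. The function names, the sample entity list, and the assumption that the permission decision is read from the Allow header of an OPTIONS response are illustrative.

```javascript
// Added illustration, not Gutenberg source. All names here are hypothetical.
const ACTION_TO_METHOD = new Map( [
	[ 'create', 'POST' ],
	[ 'read', 'GET' ],
	[ 'update', 'PUT' ],
	[ 'delete', 'DELETE' ],
] );

// Constructed sample entity configs, shaped as { kind, name, baseURL }.
const sampleEntities = [
	{ kind: 'postType', name: 'page', baseURL: '/wp/v2/pages' },
	{ kind: 'postType', name: 'custom-ns', baseURL: '/my/namespace/custom-ns' },
];

// Path fixed to the wp/v2 namespace: the limitation the issue reports.
function legacyPermissionPath( resource, id ) {
	return '/wp/v2/' + resource + ( id !== undefined ? '/' + id : '' );
}

// Path derived from the entity config's baseURL, as the issue proposes.
function entityPermissionPath( entities, kind, name, id ) {
	const config = entities.find( ( e ) => e.kind === kind && e.name === name );
	if ( ! config ) {
		return null; // Unknown entity: the caller must treat this as "denied".
	}
	const base = config.baseURL.replace( /\/+$/, '' );
	return id !== undefined ? base + '/' + encodeURIComponent( id ) : base;
}

// Assumption: the server lists the methods permitted for the current user
// in the Allow header of an OPTIONS response. Anything unexpected fails closed.
function isAllowed( action, allowHeader ) {
	const method = ACTION_TO_METHOD.get( action );
	if ( ! method || typeof allowHeader !== 'string' ) {
		return false;
	}
	return allowHeader
		.split( ',' )
		.map( ( m ) => m.trim().toUpperCase() )
		.includes( method );
}
```

For the custom-ns post type, the first function yields /wp/v2/custom-ns, a route that post type does not register, while the second yields /my/namespace/custom-ns.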

@Mamaduka
Member

Mamaduka commented Sep 1, 2022

Thanks for creating the issue.

I think we might want to keep canUser around for a while. The new recommended selector will require resources to be registered as custom entities; currently, we don't have an easy way of doing that. See #27859.

The canUserEditEntityRecord selector implies the action. We might need a better name here. Maybe hasPermssionsTo? Matches the new hook @adamziel stabilized recently - #43268.

@TimothyBJacobs
Member Author

> I think we might want to keep canUser around for a while. The new recommended selector will require resources to be registered as custom entities; currently, we don't have an easy way of doing that. See #27859.

I think most custom entities would be using a non wp/v2 namespace, so they wouldn't be able to leverage canUser anyways. But keeping it around seems fine too.

> The canUserEditEntityRecord selector implies the action. We might need a better name here. Maybe hasPermssionsTo? Matches the new hook @adamziel stabilized recently - #43268.

I like that a lot too.

@adamziel
Contributor

adamziel commented Sep 2, 2022

@Mamaduka we can't rename it, as it is a part of the public API, but we can create a new one and deprecate the old one. How about hasEntityRecordPermissions?

@Mamaduka
Member

Mamaduka commented Sep 2, 2022

@adamziel, right. We should deprecate the canUserEditEntityRecord selector and introduce the new one.

@Mamaduka
Member

I just want to cross-link the "Short-circuit HEAD methods in Core controllers" core ticket. When it's available in core, I think it would be a nice addition to the new selector/resolver.
