Template: Only show post template actions to users with correct capabilities #33392

Merged
merged 5 commits into from
Aug 9, 2021

Member

@walbo walbo commented Jul 13, 2021

Description

Post template actions show for users that don't have the correct capabilities. E.g. editors have a New button, but when they try to create a new template nothing happens. (See screenshot)

How has this been tested?

Locally with an editor user and with an administrator user.

Screenshots

Before

template-new

After

image

Types of changes

Bug fix. Only show post template actions for users with correct capabilities

Checklist:

  • My code is tested.
  • My code follows the WordPress code style.
  • My code follows the accessibility standards.
  • I've tested my changes with keyboard and screen readers.
  • My code has proper inline documentation.
  • I've included developer documentation if appropriate.
  • I've updated all React Native files affected by any refactorings/renamings in this PR (please manually search all *.native.js files for terms that need renaming or removal).

@walbo walbo changed the title Template: Only show post template actions for users with correct capabilities Template: Only show post template actions to users with correct capabilities Jul 13, 2021
@Mamaduka Mamaduka added [Feature] Template Editing Mode Related to the template editor available in the Block Editor [Type] Bug An existing feature does not function as intended labels Jul 14, 2021
Contributor

@ntsekouras ntsekouras left a comment


Thanks for your work here @walbo ! This is something we should fix indeed.

Currently for handling of templates we use the edit_theme_options capability. I think we should use the same permission check here. In order to do that I guess we should add an __experimentalUserCanEditThemeOptions or something like that here with post-editor context, set it in editor-settings and in use-block-editor-settings.js and finally use this value to conditionally show/hide the controls.

I'd love some thoughts about this from @gziolo .

@gziolo
Member

gziolo commented Jul 20, 2021

I'm not sure if there are any permissions tied to a related REST resource here. In that case, we could use canUser:

export function canUser( state, action, resource, id ) {
    const key = compact( [ action, resource, id ] ).join( '/' );
    return get( state, [ 'userPermissions', key ] );
}

In general, it would be great to have a higher level selector that lets us check permission through REST API, rather than overload settings for that purpose.

@walbo
Member Author

walbo commented Jul 20, 2021

It's tied to the templates REST API.

Updated the permission check to use canUser( 'create', 'templates' ). Retested the code after the change and seems to work as expected.

Can you confirm this is correct usage @gziolo ?

@ntsekouras
Contributor

I'm not sure this is 100% correct but it requires folks with better caps knowledge than me to chime in :) .

If you try this:

canUserCreate: canUser( 'create', 'templates' ),
createOne: canUser( 'create', 'template' ),
updateMany: canUser( 'update', 'templates' ),
updateOne: canUser( 'update', 'template' ),

In admin and author roles all are false, with the exception of admin and canUserCreate: canUser( 'create', 'templates' ), which is true. 🤔

@gziolo gziolo requested a review from a team July 21, 2021 08:49
@gziolo
Member

gziolo commented Jul 21, 2021

I'm not sure if that is correct. Let's wait for feedback from other folks.

@Mamaduka
Member

Mamaduka commented Aug 9, 2021

I think usage here is correct. The resource name is templates since the endpoint is /wp/v2/templates. Checking canUser( 'create', 'template' ) should return false to any user.

I checked the response headers for the templates resource, and it only supports read and create actions for Admin users.

Editor Allow Headers | Admin Allow Headers
user-can-templates-editor | user-can-templates-admin

P.S. I think the only resource that supports all four actions is settings.
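The check discussed in this thread, canUser( 'create', 'templates' ), comes down to whether the REST route's Allow header lists the matching HTTP method. The sketch below is an added example, not part of the original conversation and not Gutenberg's code. The role names, sample headers and helper names (fetchAllowHeader, parseAllow, resolveCanUser, templateActionsVisible) are assumptions made for illustration; only the admin "read and create" row follows the comment above.

```javascript
// Added illustration: a simplified model of a canUser-style check, not Gutenberg source.
// Each action maps to the HTTP method that must appear in the route's Allow header.
const METHOD_FOR_ACTION = {
	create: 'POST',
	read: 'GET',
	update: 'PUT',
	delete: 'DELETE',
};

// Constructed sample Allow headers per role (assumed values for this example).
// Note there is no '/wp/v2/template' route: the resource name is plural.
const SAMPLE_ALLOW = {
	administrator: { '/wp/v2/templates': 'GET, POST' },
	editor: { '/wp/v2/templates': '' },
};

// Hypothetical stand-in for the OPTIONS request; null means the route does not exist.
function fetchAllowHeader( role, path ) {
	const routes = SAMPLE_ALLOW[ role ] || {};
	return Object.prototype.hasOwnProperty.call( routes, path ) ? routes[ path ] : null;
}

// Split the header into exact method tokens so matching is not a substring test.
function parseAllow( header ) {
	return new Set(
		header
			.split( ',' )
			.map( ( method ) => method.trim().toUpperCase() )
			.filter( Boolean )
	);
}

// Returns the permission key ("action/resource[/id]") and the decision.
function resolveCanUser( role, action, resource, id ) {
	const method = METHOD_FOR_ACTION[ action ];
	if ( ! method ) {
		throw new Error( `'${ action }' is not a valid action.` );
	}
	const key = [ action, resource, id ].filter( Boolean ).join( '/' );
	const path = [ '/wp/v2', resource, id ].filter( Boolean ).join( '/' );
	const allow = fetchAllowHeader( role, path );
	// Fail closed: an unknown route or a missing method means "not allowed".
	return { key, allowed: allow !== null && parseAllow( allow ).has( method ) };
}

// The UI gate from this PR, expressed against the model above.
function templateActionsVisible( role ) {
	return resolveCanUser( role, 'create', 'templates' ).allowed;
}
```

Hiding the button only keeps the UI consistent with what the server will accept; the capability check on the REST endpoint remains the enforcement point.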

Member

@Mamaduka Mamaduka left a comment


LGTM 🚢

@Mamaduka Mamaduka merged commit 8439bd8 into WordPress:trunk Aug 9, 2021
@github-actions github-actions bot added this to the Gutenberg 11.3 milestone Aug 9, 2021
@walbo walbo deleted the fix/post-template-actions branch August 9, 2021 16:51