Global Styles: Hide Custom CSS setting for users without 'edit_css' cap #46815
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Mamaduka
requested review from
glendaviesnz
and removed request for
spacedmonkey
Mamaduka
added
[Type] Bug
Mamaduka
commented
Dec 29, 2022
lib/compat/wordpress-6.2/class-gutenberg-rest-global-styles-controller-6-2.php
Show resolved
Hide resolved
Mamaduka
commented
Dec 29, 2022
Comment on lines
+107
to
+110
| if ( current_user_can( 'edit_css' ) ) { | ||
| $rels[] = 'https://api.w.org/action-edit-css'; | ||
| } |
There was a problem hiding this comment.
I couldn't find documentation on how these URLs are generated/created. So I need to double-check if https://api.w.org/action-edit-css is the correct format.
|
Size Change: +58 B (0%) Total Size: 1.33 MB
ℹ️ View Unchanged
|
mmtr
requested changes
Jan 9, 2023
There was a problem hiding this comment.
Thanks @Mamaduka!
I think we should consider the KSES filters as well, since right now the Custom CSS feature doesn't work for users with the edit_css cap if those filters are active (see #46651 (comment)).
You can follow these instructions to observe the differences:
- Enable the KSES filters with
add_action( 'init', 'kses_init_filters' ); - Activate the Twenty Twenty-One theme
- Go to Appearance > Customize > Additional CSS
- Add some CSS code
- Save the changes
- ✅ Note how the CSS code is correctly saved
- Now activate the Twenty Twenty-Three theme
- Go to Appearance > Editor
- Open the Styles sidebar
- Select "Custom CSS"
- Add some CSS code
- Save the changes
⚠️ Note how the changes are reverted
I think @glendaviesnz already solved that in #46666 (likely in this commit: 5d32940)
|
Flaky tests detected in 5b06a2d. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/3931818666
|
I think it was handled in this commit according to the commit message: 5d32940.
It's an opt-in behavior (so it's up to plugins or devs to do so), but it's useful for example to remove invalid styles from Global Styles or to remove invalid HTML from posts. |
|
Okay, I think I've better understood the logic now. We want to modify If you don't mind, I would like to address that separately. This PR handles the UI portion of the capability checks and how core processes the data is unrelated to it. |
While I generally like tackling issues in smaller and separate PRs, I'm not sure we should expose the Global Styles' Custom CSS feature in the UI until it works well for all scenarios. Right now, the feature doesn't work in one of these scenarios, as opposed to the Customizer's Custom CSS feature:
I'm ok addressing the remaining scenario in a separate PR, but I don't think we should merge this PR until that's solved. Otherwise, users with the Alternatively, you could keep the experimental flag check and remove that in a separate PR. That way, it should be fine to merge this PR. |
|
I've no strong preference. I can create PR for |
Mamaduka
force-pushed
the
add/custom-css-cap-check
branch
from
760cb95 to
cfb76dd
Compare
Mamaduka
force-pushed
the
add/custom-css-cap-check
branch
from
cfb76dd to
6c9f3e3
Compare
|
Currently in customizer a user needs This is the reason I added the |
|
@glendaviesnz, the Customizer uses Core links:
|
Yeah, I agree we should mimic what the Customizer does, so +1 on using The idea of adding a filter that allows plugins to customize the capability check sounds interesting, but I think it's fine to do so on a separate PR (and AFAICS the Customizer doesn't have anything like that, so it's totally ok to don't offer such filter for now). |
Thanks for the extra detail - I had missed the fact that it was mapped in my initial look at this. I have closed my draft PR now in favor of this one. Thanks for picking this up. |
Mamaduka
force-pushed
the
add/custom-css-cap-check
branch
from
6c9f3e3 to
b550122
Compare
|
I rebased on top of the current |
mmtr
approved these changes
Jan 16, 2023
There was a problem hiding this comment.
Lovely! This works now as expected for all possible scenarios. Thanks for working on #47062 first!
Mamaduka
force-pushed
the
add/custom-css-cap-check
branch
from
b550122 to
5b06a2d
Compare
10 tasks
85 tasks
Closed
pento
pushed a commit
to WordPress/wordpress-develop
that referenced
this pull request
Feb 1, 2023
…al_Styles_Controller`. Updates the Global Styles endpoint to expose the `'edit_css'` capability via action links. References: * [WordPress/gutenberg#46815 Gutenberg PR 46815] Part of an effort to hide custom CSS setting for users without `'edit_css'` capability. Follow-up to [52342], [52051]. Props mamaduka, dsas, glendaviesnz, mmtr86, talldanwp, timothyblynjacobs. Fixes #57526. git-svn-id: https://develop.svn.wordpress.org/trunk@55177 602fd350-edb4-49c9-b593-d223f7449a82
markjaquith
pushed a commit
to markjaquith/WordPress
that referenced
this pull request
Feb 1, 2023
…al_Styles_Controller`. Updates the Global Styles endpoint to expose the `'edit_css'` capability via action links. References: * [WordPress/gutenberg#46815 Gutenberg PR 46815] Part of an effort to hide custom CSS setting for users without `'edit_css'` capability. Follow-up to [52342], [52051]. Props mamaduka, dsas, glendaviesnz, mmtr86, talldanwp, timothyblynjacobs. Fixes #57526. Built from https://develop.svn.wordpress.org/trunk@55177 git-svn-id: http://core.svn.wordpress.org/trunk@54710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
github-actions bot
pushed a commit
to platformsh/wordpress-performance
that referenced
this pull request
Feb 1, 2023
…al_Styles_Controller`. Updates the Global Styles endpoint to expose the `'edit_css'` capability via action links. References: * [WordPress/gutenberg#46815 Gutenberg PR 46815] Part of an effort to hide custom CSS setting for users without `'edit_css'` capability. Follow-up to [52342], [52051]. Props mamaduka, dsas, glendaviesnz, mmtr86, talldanwp, timothyblynjacobs. Fixes #57526. Built from https://develop.svn.wordpress.org/trunk@55177 git-svn-id: https://core.svn.wordpress.org/trunk@54710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
VenusPR
added a commit
to VenusPR/Wordpress_Richard
that referenced
this pull request
Mar 9, 2023
…al_Styles_Controller`. Updates the Global Styles endpoint to expose the `'edit_css'` capability via action links. References: * [WordPress/gutenberg#46815 Gutenberg PR 46815] Part of an effort to hide custom CSS setting for users without `'edit_css'` capability. Follow-up to [52342], [52051]. Props mamaduka, dsas, glendaviesnz, mmtr86, talldanwp, timothyblynjacobs. Fixes #57526. Built from https://develop.svn.wordpress.org/trunk@55177 git-svn-id: http://core.svn.wordpress.org/trunk@54710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What?
See #46651.
PR adds a capability check before displaying the Custom CSS setting and removes this feature behind the experimental flag.
Why?
The changes from users without
unfiltered_htmlcapabilities aren't persistent, and the feature looks broken. It also matches the behavior of the "Additional CSS" setting in Customizer.How?
The Global Styles endpoint now has a new action listed in link relations for users with
edit_csscaps. The client uses this action to check the required permissions.The
edit_cssis a mapped capability, which in Core defaults tounfiltered_html. See the permission section of this make post for more details - https://make.wordpress.org/core/2016/11/26/extending-the-custom-css-editor/.Testing Instructions
wp-config.php-define( 'DISALLOW_UNFILTERED_HTML', true );Screenshot