Global Styles: Don't remove Custom CSS for users with the correct caps #47062

Merged
merged 7 commits into from
Jan 16, 2023
7 changes: 6 additions & 1 deletion lib/class-wp-theme-json-gutenberg.php
Expand Up @@ -2818,7 +2818,12 @@ public static function remove_insecure_properties( $theme_json ) {
continue;
}

$output = static::remove_insecure_styles( $input );
// The global styles custom CSS is not sanitized, but can only be edited by users with 'edit_css' capability.
if ( isset( $input['css'] ) && current_user_can( 'edit_css' ) ) {
$output = $input;
} else {
$output = static::remove_insecure_styles( $input );
}

/*
* Get a reference to element name from path.
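Review bot: The new branch on lines 43-44 skips `remove_insecure_styles()` for the whole node whenever `css` is set and the user holds `edit_css`, so every other style property in `$input` (colors, typography, nested block styles) is passed through unfiltered as well, not only the custom CSS. If the intent is just to keep the custom CSS for capable users, run the sanitizer unconditionally and copy the one key back: `$output = static::remove_insecure_styles( $input ); if ( isset( $input['css'] ) && current_user_can( 'edit_css' ) ) { $output['css'] = $input['css']; }`. That keeps a node's other properties handled identically whether or not it carries a `css` key; it assumes `remove_insecure_styles()` is what strips `css`, which is outside the hunk. `remove_insecure_properties()` starts and ends outside the hunk.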
3 changes: 2 additions & 1 deletion lib/experimental/kses.php
Expand Up @@ -62,5 +62,6 @@ function gutenberg_override_core_kses_init_filters() {
}

}
add_action( 'init', 'gutenberg_override_core_kses_init_filters' );
// The 'kses_init_filters' is usually initialized with default priority. Use higher priority to override.
add_action( 'init', 'gutenberg_override_core_kses_init_filters', 20 );
add_action( 'set_current_user', 'gutenberg_override_core_kses_init_filters' );
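Review bot: The priority bump on line 60 applies only to the `init` registration; the `set_current_user` registration on line 63 keeps the default priority, so if core's own kses initialisation is also hooked to `set_current_user` at default priority, which callback runs last there depends on registration order rather than on an explicit priority. Either register it the same way, `add_action( 'set_current_user', 'gutenberg_override_core_kses_init_filters', 20 );`, or add a comment stating why the two hooks deliberately differ. `gutenberg_override_core_kses_init_filters()` starts outside the hunk.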
107 changes: 107 additions & 0 deletions phpunit/class-wp-theme-json-test.php
Expand Up @@ -7,6 +7,23 @@
*/

class WP_Theme_JSON_Gutenberg_Test extends WP_UnitTestCase {
/**
* Administrator ID.
*
* @var int
*/
protected static $administrator_id;

public static function set_up_before_class() {
parent::set_up_before_class();

self::$administrator_id = self::factory()->user->create(
array(
'role' => 'administrator',
)
);
}

/**
* @dataProvider data_get_layout_definitions
*
Expand Down Expand Up @@ -1598,4 +1615,94 @@ public function test_get_stylesheet_handles_custom_css() {
$custom_css = 'body { color:purple; }';
$this->assertEquals( $custom_css, $theme_json->get_stylesheet( array( 'custom-css' ) ) );
}

public function test_allows_custom_css_for_users_with_caps() {
wp_set_current_user( self::$administrator_id );

// Explicitly grant 'edit_css' capabilities.
$grant_edit_css_cap = function( $caps, $cap ) {
if ( 'edit_css' === $cap ) {
$caps = array( 'edit_theme_options' );
}
return $caps;
};
add_filter( 'map_meta_cap', $grant_edit_css_cap, 10, 2 );
Instead of this, in the set_up_before_class() fixture, you can add this code which grants this specific admin Super Admin access.

if ( is_multisite() ) {
	grant_super_admin( self::$administrator_id );
}

Let me push an update to see if it resolves the issue.

Done in 35eb041 and f05482f. PHPUnit tests are passing ✅

Thank you, @hellofromtonya 🙇


$actual = WP_Theme_JSON_Gutenberg::remove_insecure_properties(
array(
'version' => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
'styles' => array(
'css' => 'body { color:purple; }',
'blocks' => array(
'core/separator' => array(
'color' => array(
'background' => 'blue',
),
),
),
),
)
);

$expected = array(
'version' => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
'styles' => array(
'css' => 'body { color:purple; }',
'blocks' => array(
'core/separator' => array(
'color' => array(
'background' => 'blue',
),
),
),
),
);

$this->assertEqualSetsWithIndex( $expected, $actual );
remove_filter( 'map_meta_cap', $grant_edit_css_cap );
}

public function test_removes_custom_css_for_users_without_caps() {
wp_set_current_user( self::$administrator_id );

$remove_edit_css_cap = function( $caps, $cap ) {
if ( 'edit_css' === $cap ) {
$caps = array( 'do_not_allow' );
}
return $caps;
};
add_filter( 'map_meta_cap', $remove_edit_css_cap, 10, 2 );

$actual = WP_Theme_JSON_Gutenberg::remove_insecure_properties(
array(
'version' => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
'styles' => array(
'css' => 'body { color:purple; }',
'blocks' => array(
'core/separator' => array(
'color' => array(
'background' => 'blue',
),
),
),
),
)
);

$expected = array(
'version' => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
'styles' => array(
'blocks' => array(
'core/separator' => array(
'color' => array(
'background' => 'blue',
),
),
),
),
);

$this->assertEqualSetsWithIndex( $expected, $actual );
remove_filter( 'map_meta_cap', $remove_edit_css_cap );
}
}
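Review bot: `test_allows_custom_css_for_users_with_caps` (lines 95-172) expects the input back unchanged, and its only non-CSS value is a plain `'blue'` background that sanitization would keep anyway, so it cannot distinguish "the custom CSS was preserved" from "sanitization was skipped for the whole node". Adding one style value next to the `css` key that `remove_insecure_styles()` is known to strip, and omitting it from `$expected`, would pin the intended scope of the capability exception; the without-caps test already exercises the sanitizer path and needs no such case. Both tests call `remove_filter()` only after the assertion, so a failing assertion leaves the `map_meta_cap` override registered unless the base class restores hooks in tear_down — calling `remove_filter()` before the assertion, or wrapping it in `try { … } finally { … }`, removes that dependency.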