WordPress / gutenberg

The Block Editor project for WordPress and beyond. Plugin is available from the official repository.
https://wordpress.org/gutenberg/

Core Data selector canUser does not handle entity records #43751

Closed TimothyBJacobs closed 2 months ago

TimothyBJacobs commented 2 years ago

Description

The @wordpress/core-data module provides a selector canUser( action, resource, id ) that can interrogate whether a user has permission to perform the given CRUD action for the given resource and optionally a specific record.

For example, to check whether the user can update a page with the id of 5, you can perform the following check.

select( 'core' ).canUser( 'update', 'pages', 5 )

Unfortunately, this method only supports resources that are in the wp/v2 namespace. Additionally, it requires you to know the final REST API path. Typically, however, only an entity kind and name are known.

There currently exists a canUserEntityRecord selector, but it is only a wrapper for canUser and does not Post Type entity records. Additionally, it only supports Post Types that have the wp/v2 namespace which is not a requirement since WP 5.9.

https://github.com/WordPress/gutenberg/blob/1d778aa5e7506390c4d1a89974ec69088026855a/packages/core-data/src/selectors.ts#L996-L1009

I think canUserEntityRecord should be adapted to actually perform the permission handling logic utilizing the baseURL property of the entity config. Then canUser would be deprecated.

Step-by-step reproduction instructions

  1. Register a custom post type with a custom namespace.

     register_post_type( 'custom-ns', [
         'public'         => true,
         'show_in_rest'   => true,
         'rest_namespace' => 'my/namespace',
         'supports'       => [ 'editor', 'title', 'custom-fields' ],
     ] );

  2. Call the canUser selector via the browser console.

     wp.data.select('core').canUser('create', 'custom-ns');

Screenshots, screen recording, code snippet

No response

Environment info

No response

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes
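The following is an added example, not code from the Gutenberg repository or from anyone in this thread. It sketches what the issue proposes: a permission check that builds the REST path from the entity config's baseURL (so a post type registered with rest_namespace 'my/namespace' resolves correctly) and then applies the same mechanism the existing canUser resolver relies on, an OPTIONS request whose Allow header lists the HTTP methods the current user may use on that path. The function name canUserEntityRecordByBaseURL, the sample entity configs and the fakeOptionsRequest stub are all constructed here; the real apiFetch call is asynchronous and returns a Response, whereas the stub below is synchronous so the example runs offline.

```javascript
// Added example (not Gutenberg's own code): resolve an entity's REST path from the
// entity config's baseURL instead of assuming the wp/v2 namespace, then derive the
// permitted CRUD actions from the Allow header of an OPTIONS response.

// Maps the action vocabulary of canUser() to the HTTP method that must be allowed.
const ACTION_TO_METHOD = {
	create: 'POST',
	read: 'GET',
	update: 'PUT',
	delete: 'DELETE',
};

// Constructed sample entity configs, shaped like core-data entity configs
// (kind, name, baseURL). The second one uses the custom namespace from the issue.
const SAMPLE_ENTITIES = [
	{ kind: 'postType', name: 'page', baseURL: '/wp/v2/pages' },
	{ kind: 'postType', name: 'custom-ns', baseURL: '/my/namespace/custom-ns' },
];

// Constructed stand-in for apiFetch( { path, method: 'OPTIONS', parse: false } ).
// It returns the Allow header a fictional server would send for each path;
// unknown paths get a 404 with no Allow header, as the REST API would respond.
function fakeOptionsRequest( path ) {
	const allow = {
		'/wp/v2/pages': 'GET, POST',
		'/wp/v2/pages/5': 'GET, POST, PUT, PATCH, DELETE',
		'/my/namespace/custom-ns': 'GET',
	}[ path ];
	if ( allow === undefined ) {
		return { ok: false, status: 404, headers: new Map() };
	}
	return { ok: true, status: 200, headers: new Map( [ [ 'allow', allow ] ] ) };
}

// Builds the collection or single-record path from the entity's baseURL, which is
// what lets a non-wp/v2 namespace work without the caller knowing the REST path.
function entityRecordPath( entities, kind, name, id ) {
	const entity = entities.find( ( e ) => e.kind === kind && e.name === name );
	if ( ! entity ) {
		throw new Error( `Unknown entity ${ kind }/${ name }` );
	}
	return id === undefined ? entity.baseURL : `${ entity.baseURL }/${ id }`;
}

// Hypothetical selector (name constructed for this example): returns true or false
// when the server answered the OPTIONS request, and undefined when the permission
// could not be determined (missing record, no OPTIONS support), so callers do not
// mistake "unknown" for "denied" or "allowed".
function canUserEntityRecordByBaseURL(
	entities,
	action,
	kind,
	name,
	id,
	request = fakeOptionsRequest
) {
	const method = ACTION_TO_METHOD[ action ];
	if ( ! method ) {
		throw new Error( `'${ action }' is not a valid canUser action` );
	}
	const path = entityRecordPath( entities, kind, name, id );
	const response = request( path );
	if ( ! response.ok ) {
		return undefined;
	}
	// The Allow header is a comma-separated method list, e.g. "GET, POST, PUT".
	const allowed = ( response.headers.get( 'allow' ) || '' )
		.split( ',' )
		.map( ( m ) => m.trim().toUpperCase() )
		.filter( Boolean );
	return allowed.includes( method );
}
```

With the constructed server responses, update on page 5 resolves to true, create on custom-ns resolves to false (the stub only allows GET on that collection), and a record the server does not know yields undefined rather than a guess. A check like this only gates what the editor UI offers; the REST API still enforces the capability on every request, so a wrong or stale client-side answer is a usability problem, not a bypass.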

Mamaduka commented 2 years ago

Thanks for creating the issue.

I think we might want to keep canUser around for a while. The new recommended selector will require resources to be registered as custom entities; currently, we don't have an easy way of doing that. See #27859.

The canUserEditEntityRecord selector implies the action. We might need a better name here. Maybe hasPermissionsTo? Matches the new hook @adamziel stabilized recently - #43268.

TimothyBJacobs commented 2 years ago

I think we might want to keep canUser around for a while. The new recommended selector will require resources to be registered as custom entities; currently, we don't have an easy way of doing that. See https://github.com/WordPress/gutenberg/issues/27859.

I think most custom entities would be using a non wp/v2 namespace, so they wouldn't be able to leverage canUser anyways. But keeping it around seems fine too.

The canUserEditEntityRecord selector implies the action. We might need a better name here. Maybe hasPermissionsTo? Matches the new hook @adamziel stabilized recently - https://github.com/WordPress/gutenberg/pull/43268.

I like that a lot too.

adamziel commented 2 years ago

@Mamaduka we can't rename it, as it is a part of the public API, but we can create a new one and deprecate the old one. How about hasEntityRecordPermissions?

Mamaduka commented 2 years ago

@adamziel, right. We should deprecate the canUserEditEntityRecord selector and introduce the new one.

Mamaduka commented 3 months ago

I just want to cross-link the "Short-circuit HEAD methods in Core controllers" core ticket. When it's available in core, I think it would be a nice addition to the new selector/resolver.