publishpress / PublishPress-Blocks

PublishPress Blocks adds the missing blocks and configuration you need to build professional websites. Take control of the new Gutenberg editor with user editor profile configuration and 20+ new blocks and options.

Blocks Permissions should block submitting blocks that are disabled #1363

Open rizaardiyanto1412 opened 5 months ago

rizaardiyanto1412 commented 5 months ago

There's a problem with PublishPress Blocks: it doesn't prevent people from submitting blocks that are disabled.

This looks like a broken access control issue in general, based on the plugin's intent. You allow disabling blocks based on role, but you don't attempt to filter those disabled blocks out of the content itself on submit.

https://publishpress.com/knowledge-base/editor-profiles/

A highly restrictive role can edit the post in Code Editor mode and manipulate the content to include blocks of any kind with whatever attributes they want to specify. Then they can save and preview/view it as the fully dynamic form.

https://secure.helpscout.net/conversation/2495159321
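The gap described in this report is that the block restriction is enforced only in the editor UI, while the saved content is accepted as submitted. The usual fix is a server-side check at save time. The following is an added example of such a check, written for this issue and not code from the PublishPress Blocks plugin: it hooks WordPress's `wp_insert_post_data` filter, parses the submitted content with core's `parse_blocks()`, drops every block (including nested inner blocks) that the current user's roles are not allowed to use, and re-serialises the rest with `serialize_blocks()`. The per-role list of disabled blocks is assumed to live in a hypothetical option named `example_disabled_blocks_by_role` (an array of role name => list of block names); the plugin's real storage would be substituted there.

```php
<?php
/**
 * Added example (not part of the PublishPress Blocks plugin).
 * Server-side enforcement of per-role block permissions: blocks a user may
 * not use are stripped from post content when the post is saved, regardless
 * of whether it arrived from the visual editor, the Code Editor or the REST API.
 *
 * Assumption: the option 'example_disabled_blocks_by_role' is a hypothetical
 * stand-in for the plugin's own settings, shaped as
 *   array( 'author' => array( 'core/html', 'core/shortcode' ), ... ).
 */

/** Block names the current user is not allowed to use, merged over all roles. */
function example_disabled_blocks_for_current_user() {
    $user   = wp_get_current_user();
    $map    = get_option( 'example_disabled_blocks_by_role', array() ); // hypothetical option
    $denied = array();
    foreach ( (array) $user->roles as $role ) {
        if ( isset( $map[ $role ] ) ) {
            $denied = array_merge( $denied, (array) $map[ $role ] );
        }
    }
    return array_values( array_unique( $denied ) );
}

/**
 * Recursively remove denied blocks from a parse_blocks() result.
 * innerContent holds one null placeholder per inner block, in order, so the
 * placeholder and the block must be dropped together or serialize_blocks()
 * would go out of step. $removed is incremented for every block dropped.
 */
function example_strip_denied_blocks( array $blocks, array $denied, &$removed = 0 ) {
    $kept = array();
    foreach ( $blocks as $block ) {
        if ( ! empty( $block['blockName'] ) && in_array( $block['blockName'], $denied, true ) ) {
            $removed++;
            continue; // drop this block and everything nested inside it
        }
        if ( ! empty( $block['innerBlocks'] ) ) {
            $new_blocks  = array();
            $new_content = array();
            $i           = 0;
            foreach ( (array) $block['innerContent'] as $chunk ) {
                if ( null !== $chunk ) {          // literal HTML chunk, keep as-is
                    $new_content[] = $chunk;
                    continue;
                }
                $child = $block['innerBlocks'][ $i++ ];
                if ( ! empty( $child['blockName'] ) && in_array( $child['blockName'], $denied, true ) ) {
                    $removed++;
                    continue;                      // drop placeholder and block together
                }
                $filtered      = example_strip_denied_blocks( array( $child ), $denied, $removed );
                $new_blocks[]  = $filtered[0];
                $new_content[] = null;
            }
            $block['innerBlocks']  = $new_blocks;
            $block['innerContent'] = $new_content;
        }
        $kept[] = $block;
    }
    return $kept;
}

/** wp_insert_post_data callback: runs for every save path that goes through wp_insert_post(). */
function example_enforce_block_permissions( $data, $postarr ) {
    $denied = example_disabled_blocks_for_current_user();
    if ( empty( $denied ) || empty( $data['post_content'] ) ) {
        return $data;
    }
    // $data is still slashed at this point; unslash before parsing.
    $content = wp_unslash( $data['post_content'] );
    if ( ! has_blocks( $content ) ) {
        return $data;
    }
    $removed = 0;
    $blocks  = example_strip_denied_blocks( parse_blocks( $content ), $denied, $removed );
    if ( $removed > 0 ) {
        $data['post_content'] = wp_slash( serialize_blocks( $blocks ) );
        // Leave an audit trail: a non-zero count here means the UI restriction was bypassed.
        error_log( sprintf(
            'example block permissions: removed %d disallowed block(s) from post %s submitted by user %d',
            $removed,
            isset( $postarr['ID'] ) ? $postarr['ID'] : 'new',
            get_current_user_id()
        ) );
    }
    return $data;
}
add_filter( 'wp_insert_post_data', 'example_enforce_block_permissions', 10, 2 );
```

Because the check sits on `wp_insert_post_data`, it applies equally to the classic and block editors' form posts and to REST API writes, which all end in `wp_insert_post()`; filtering the editor's block list (for example via `allowed_block_types_all`) only hides blocks in the UI and is exactly what the report shows can be bypassed through the Code Editor. Any block whose name is in the denied list is removed together with its inner blocks, on the reasoning that a user who may not insert a container should not be able to smuggle its contents in either.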