WordPress.org

Make WordPress Core

Opened 10 months ago

Last modified 3 days ago

#46723 new defect (bug)

Feature Image disappears only in Gutenberg with CPT.

Reported by: miyauchi Owned by:
Milestone: 5.4 Priority: normal
Severity: normal Version: 5.1
Component: REST API Keywords: needs-refresh needs-unit-tests
Focuses: Cc:
PR Number:

Description

Gutenberg is using the following API and it needs edit_posts capability to access it.
But if we apply the custom role for the post-type, it will have a capability like edit_events or so.
So we can't see feature image metabox for the post type with the gutenberg.

https://github.com/WordPress/WordPress/blob/c41dede996bbb50055f914d9094be59f659a4d14/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php#L60-L66

There is an example plugin to reproduce the problem.
https://github.com/miya0001/reproduce-12198

Related: https://github.com/WordPress/gutenberg/issues/12198

Attachments (1)

46723.patch (942 bytes) - added by miyauchi 10 months ago.
It allows to access /themes endpoints if the user has upload_files capability.

Download all attachments as: .zip

Change History (13)

@miyauchi
10 months ago

It allows to access /themes endpoints if the user has upload_files capability.

#1 @miyauchi
10 months ago

  • Keywords has-patch added

#2 @miyauchi
10 months ago

I found similar problem to upload featured image.
https://github.com/WordPress/WordPress/blob/master/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php#L1384

User needs capability edit_post to attach featured image for the Gutenberg.
But user doesn't have edit_post if the custom post type is using custom role.

#3 @miyauchi
10 months ago

I tried to check the user has $post_type->cap->edit_post capability for the parent post type of the attachment.
But I run into the problem that the attachment possibly has another parent post type like page.

I tried to add following lines in check_update_permission() and it looks good.

if ( 'attachment' === $post->post_type ) {
        return current_user_can( 'upload_files' );
}

But I am concerned about introducing security risk.

This ticket was mentioned in Slack in #core-restapi by miyauchi. View the logs.


10 months ago

#6 @Jtree5757
5 months ago

If anyone else runs into this issue, temporary workaround is to revert to the old editor.

Just ran into this on a client site.Luckily they were just managing basic paragraph text for the custom post type that had the issue.

#7 @jrchamp
3 months ago

There is no workaround for this if you have already developed an entire plugin for the Block Editor. Lost 3 days to this bug while I fought with map_meta_cap and user_has_cap trying to figure out what I must have done wrong. Thank you @miyauchi for suggesting reasonable workarounds. For now, I'm doing something much more evil because I can't ship a modified version of WordPress core.

@desrosj & @kadamwhite: edit_posts was a nice idea, but it is definitely not sufficient. Please help!

#8 @kadamwhite
3 months ago

  • Milestone changed from Awaiting Review to 5.4

Provisionally milestoning for the next release

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


5 weeks ago

#10 @sjnbham
3 weeks ago

I ran into this issue when trying to set up a user to only have access to create, edit, publish, and delete events using the popular The Events Calendar plugin by Modern Tribe. To reproduce, you have to enable the block editor option in the event plugin and then assign the following permissions below. Without adding edit_posts the feature image metabox isn't presented.

create_tribe_events
create_tribe_organizers
delete_others_tribe_events
delete_others_tribe_organizers
delete_others_tribe_venues
delete_private_tribe_events
delete_private_tribe_organizers
delete_private_tribe_venues
delete_published_tribe_events
delete_published_tribe_organizers
delete_published_tribe_venues
delete_tribe_events
delete_tribe_organizers
delete_tribe_venues
edit_others_tribe_events
edit_others_tribe_organizers
edit_others_tribe_venues
edit_private_tribe_events
edit_private_tribe_organizers
edit_private_tribe_venues
edit_published_tribe_events
edit_published_tribe_organizers
edit_published_tribe_venues
edit_tribe_events
edit_tribe_organizers
edit_tribe_venues
level_0
publish_tribe_events
publish_tribe_organizers
publish_tribe_venues
read
read_private_tribe_events
read_private_tribe_organizers
read_private_tribe_venues
upload_files

Last edited 2 weeks ago by sjnbham (previous) (diff)

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


3 days ago

#12 @TimothyBlynJacobs
3 days ago

  • Keywords needs-refresh needs-unit-tests added; has-patch removed

This change looks sensible to me as a stop gap measure before considering loosening the restrictions even more. I'd like to see test coverage on this change.

We can also drop the is_user_logged_in check while we're at it.

Note: See TracTickets for help on using tickets.