Opened 7 months ago

Last modified 2 months ago

#46723 new defect (bug)

Feature Image disappears only in Gutenberg with CPT.

Reported by: miyauchi
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.1
Component: REST API
Keywords: has-patch
Focuses:
Cc:
PR Number:

Description

Gutenberg uses the following API, and it needs the edit_posts capability to access it.
But if we apply a custom role for the post type, it will have a capability like edit_events or so.
So we can't see the featured image metabox for the post type with Gutenberg.

https://github.com/WordPress/WordPress/blob/c41dede996bbb50055f914d9094be59f659a4d14/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php#L60-L66

There is an example plugin to reproduce the problem.
https://github.com/miya0001/reproduce-12198

Related: https://github.com/WordPress/gutenberg/issues/12198
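
A standalone PHP model of the capability mismatch described above, added here as an illustration; it is not code from the ticket, the attached patch or WordPress core. The roles, the `event` post type and all function names are constructed, and the per-post-type check is one possible alternative, not the approach of the attached patch.

```php
<?php
// Added illustration: a standalone model, not WordPress core code.
// Role names, the 'event' post type and all function names are constructed.

// Capabilities granted to each constructed role.
$roles = [
    'event_editor' => ['read', 'upload_files', 'edit_events'],
    'author'       => ['read', 'upload_files', 'edit_posts'],
    'subscriber'   => ['read'],
];

// Post types shown in the editor, each with the capability WordPress
// stores in $post_type->cap->edit_posts for its capability_type.
$post_types = [
    'post'  => ['edit_posts' => 'edit_posts'],
    'event' => ['edit_posts' => 'edit_events'],
];

function role_can(array $roles, string $role, string $cap): bool {
    return in_array($cap, $roles[$role] ?? [], true);
}

// The check the ticket describes: one hard-coded capability.
function allowed_hardcoded(array $roles, string $role): bool {
    return role_can($roles, $role, 'edit_posts');
}

// Alternative: allow if the role can edit at least one exposed post type.
function allowed_per_type(array $roles, array $post_types, string $role): bool {
    foreach ($post_types as $type) {
        if (role_can($roles, $role, $type['edit_posts'])) {
            return true;
        }
    }
    return false;
}

// Print both decisions for every role to compare them side by side.
foreach (array_keys($roles) as $role) {
    printf("%-12s hardcoded=%-5s per_type=%s\n", $role,
        var_export(allowed_hardcoded($roles, $role), true),
        var_export(allowed_per_type($roles, $post_types, $role), true));
}
```

In this model the two checks disagree only for the role that holds edit_events without edit_posts; the role with no editing capability is denied by both.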

Attachments (1)

46723.patch (942 bytes) - added by miyauchi 7 months ago.
It allows access to /themes endpoints if the user has the upload_files capability.


Change History (7)

@miyauchi
7 months ago

It allows access to /themes endpoints if the user has the upload_files capability.

#1 @miyauchi
7 months ago

  • Keywords has-patch added

#2 @miyauchi
7 months ago

I found a similar problem when uploading a featured image.
https://github.com/WordPress/WordPress/blob/master/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php#L1384

The user needs the edit_post capability to attach a featured image in Gutenberg.
But the user doesn't have edit_post if the custom post type is using a custom role.

#3 @miyauchi
7 months ago

I tried to check that the user has the $post_type->cap->edit_post capability for the parent post type of the attachment.
But I ran into the problem that the attachment possibly has another parent post type, like page.

I tried adding the following lines in check_update_permission() and it looks good.

if ( 'attachment' === $post->post_type ) {
        return current_user_can( 'upload_files' );
}

But I am concerned about introducing a security risk.

This ticket was mentioned in Slack in #core-restapi by miyauchi, 7 months ago.

#6 @Jtree5757
2 months ago

If anyone else runs into this issue, a temporary workaround is to revert to the old editor.

Just ran into this on a client site. Luckily they were just managing basic paragraph text for the custom post type that had the issue.
