WordPress.org

Make WordPress Core

Opened 9 months ago

Last modified 5 weeks ago

#46723 new defect (bug)

Feature Image disappears only in Gutenberg with CPT.

Reported by: miyauchi
Owned by:
Milestone: 5.4
Priority: normal
Severity: normal
Version: 5.1
Component: REST API
Keywords: has-patch
Focuses:
Cc:
PR Number:

Description

Gutenberg uses the following API, and it needs the edit_posts capability to access it.
But if we apply a custom role for the post type, it will have a capability like edit_events or so.
So we can't see the featured image metabox for the post type with Gutenberg.

https://github.com/WordPress/WordPress/blob/c41dede996bbb50055f914d9094be59f659a4d14/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php#L60-L66

There is an example plugin to reproduce the problem.
https://github.com/miya0001/reproduce-12198

Related: https://github.com/WordPress/gutenberg/issues/12198
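
The mismatch described above, as an added example that is not part of the ticket, the attached patch, or WordPress core: a plugin that registers a custom post type with its own capability type and compares the hard-coded edit_posts check with a per-post-type check. It assumes it is loaded inside WordPress as a plugin file; the `event` post type and the `example_46723_*` function names are constructed for illustration.

```php
<?php
/**
 * Plugin Name: Ticket 46723 capability check illustration
 * Added example; not WordPress core code and not 46723.patch.
 */

// Constructed post type: capability_type 'event' maps editing to
// edit_events, edit_others_events, ... instead of edit_posts.
add_action( 'init', function () {
	register_post_type( 'event', array(
		'label'           => 'Events',
		'public'          => true,
		'show_in_rest'    => true, // needed for the block editor
		'supports'        => array( 'title', 'editor', 'thumbnail' ),
		'capability_type' => 'event',
		'map_meta_cap'    => true,
	) );
} );

// The check the ticket describes: one hard-coded primitive capability.
function example_46723_hardcoded( WP_User $user ) {
	return user_can( $user, 'edit_posts' );
}

// Hypothetical alternative: pass if the user may edit posts of at least
// one REST-enabled post type, judged by that type's own capability name.
function example_46723_per_post_type( WP_User $user ) {
	$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
	foreach ( $types as $type ) {
		if ( user_can( $user, $type->cap->edit_posts ) ) {
			return true;
		}
	}
	return false;
}

// Show both results for the logged-in user as a dashboard notice.
add_action( 'admin_notices', function () {
	$user = wp_get_current_user();
	printf(
		'<div class="notice notice-info"><p>edit_posts check: %s; per-post-type check: %s</p></div>',
		example_46723_hardcoded( $user ) ? 'pass' : 'fail',
		example_46723_per_post_type( $user ) ? 'pass' : 'fail'
	);
} );
```

A user whose role holds edit_events but not edit_posts fails the first check and passes the second; a user with only the read capability fails both.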

Attachments (1)

46723.patch (942 bytes) - added by miyauchi 9 months ago.
It allows access to the /themes endpoints if the user has the upload_files capability.


Change History (9)

@miyauchi
9 months ago

It allows access to the /themes endpoints if the user has the upload_files capability.

#1 @miyauchi
9 months ago

  • Keywords has-patch added

#2 @miyauchi
9 months ago

I found a similar problem when uploading a featured image.
https://github.com/WordPress/WordPress/blob/master/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php#L1384

The user needs the edit_post capability to attach a featured image in Gutenberg.
But the user doesn't have edit_post if the custom post type is using a custom role.

#3 @miyauchi
9 months ago

I tried to check that the user has the $post_type->cap->edit_post capability for the parent post type of the attachment.
But I ran into the problem that the attachment possibly has another parent post type, like page.

I tried adding the following lines in check_update_permission() and it looks good.

if ( 'attachment' === $post->post_type ) {
        return current_user_can( 'upload_files' );
}

But I am concerned about introducing a security risk.

This ticket was mentioned in Slack in #core-restapi by miyauchi.


8 months ago

#6 @Jtree5757
4 months ago

If anyone else runs into this issue, a temporary workaround is to revert to the old editor.

Just ran into this on a client site. Luckily they were just managing basic paragraph text for the custom post type that had the issue.

#7 @jrchamp
5 weeks ago

There is no workaround for this if you have already developed an entire plugin for the Block Editor. Lost 3 days to this bug while I fought with map_meta_cap and user_has_cap trying to figure out what I must have done wrong. Thank you @miyauchi for suggesting reasonable workarounds. For now, I'm doing something much more evil because I can't ship a modified version of WordPress core.

@desrosj & @kadamwhite: edit_posts was a nice idea, but it is definitely not sufficient. Please help!

#8 @kadamwhite
5 weeks ago

  • Milestone changed from Awaiting Review to 5.4

Provisionally milestoning for the next release
