Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#54889 closed defect (bug) (fixed)

Cannot access 'Manage menus' in Navigation block toolbar when running a classic theme

Reported by: noisysocks's profile noisysocks Owned by: hellofromtonya's profile hellofromTonya
Milestone: 5.9.1 Priority: normal
Severity: normal Version:
Component: Editor Keywords: has-patch has-screenshots commit dev-reviewed fixed-major
Focuses: Cc:

Description

Originally reported in https://github.com/WordPress/gutenberg/issues/38118.

(Re)discovered while testing https://github.com/WordPress/gutenberg/pull/38168.

Steps to reproduce:

  1. Activate a classic theme.
  2. Create or edit a post or page.
  3. Create or select a Navigation block.
  4. In the toolbar, select _Select menu_.
  5. Select _Manage menus_.
  6. You get a "Sorry, you are not allowed to edit posts in this post type." error.

Attachments (2)

admin-cannot-access-wp_navigation.mp4 (1.1 MB) - added by ironprogrammer 3 years ago.
Screencast exhibiting error condition: admin unable to "Manage menus" from block editor
Test-Report-pr2327.png (584.8 KB) - added by hellofromTonya 3 years ago.
Test Report with PR 2327 applied showing results with admin, contributor, and editor roles ✅

Download all attachments as: .zip

Change History (27)

This ticket was mentioned in PR #2219 on WordPress/wordpress-develop by noisysocks.


3 years ago
#1

  • Keywords has-patch added

The Navigation block is supported in both block themes and classic themes, so it is incorrect to only allow access to
edit.php?post_type=wp_navigation when the current theme is a block theme.

This fixes a bug where clicking on 'Manage menus' in the toolbar of a Navigation block takes you an error page when running a classic theme.

Trac ticket: https://core.trac.wordpress.org/ticket/54889

#2 @noisysocks
3 years ago

@hellofromTonya This is a separate issue that came up while testing the fix for https://github.com/WordPress/gutenberg/issues/38166. I don't believe it's particularly high priority as it only affects classic themes but it's an easy fix so maybe we should include it in RC 4. Your call.

#3 @noisysocks
3 years ago

  • Milestone changed from 5.9.1 to 5.9

Moving to 5.9 for visibility. Again, I'm not sure if it's 5.9 or 5.9.1.

#4 @costdev
3 years ago

Test Report

Env

  • WordPress: trunk and PR 2219
  • Chrome 97.0.4692.71
  • Windows 10
  • Theme: Twenty Twenty-One
  • Block Editor
  • Plugin: None activated

Steps to test

As an administrator:

  1. Navigate to Posts > Add New.
  2. Insert a Navigation block.
  3. Click Select menu.
  4. Select a menu.
  5. Click Select menu.
  6. Click Manage menus.
  7. The following is displayed: Sorry, you are not allowed to edit posts in this post type.
  8. Apply PR 2219.
  9. Repeat steps 1-6.
  10. The Navigation Menus screen should appear.
  11. Repeat steps 1-5 as an editor.
  12. The Manage menus option should not be available.

Expected results (✅/❌)

  • PR 2219 should grant access to the Navigation Menus screen for administrators when selecting Manage menus. ✅
  • PR 2219 should hide the Manage menus option from editors. ✅
  • PR 2219 should continue to display a permissions notice to editors when browsing directly to wp-admin/edit.php?post_type=wp_navigation. ❌

Notes

Editors can still manually browse to wp-admin/edit.php?post_type=wp_navigation. This shows the Navigation Menus screen and the available menus but does not allow them to interact with the items. The Bulk Edit dropdown is available, but does nothing.

Last edited 3 years ago by costdev (previous) (diff)

#5 @hellofromTonya
3 years ago

  • Keywords needs-patch added; has-patch removed
  • Milestone changed from 5.9 to 5.9.1

I can confirm the fix does allow administrator to access to screen. However, as @costdev noted, it now also allows access to the editor capability via URL.

An editor does not have access to the classic Menus screen (Appearance > Menus) via direct /wp-admin/nav-menus.php URL or from the sidebar menus.

Though the fix does resolve the original reported issue, it needs to also deny access to non-admins.

Moving to 5.9.1.

#6 @talldanwp
3 years ago

I can confirm the fix does allow administrator to access to screen. However, as @costdev noted, it now also allows access to the editor capability via URL.

In my testing, this patch doesn't introduce this issue. It seems to already be present in 5.9 for editors using a block theme.

#7 @manfcarlo
3 years ago

There are 12 capability keys that a post type can set upon registration, and the wp_template and wp_template_part post types set all of them. I notice that wp_navigation (and also wp_global_styles) are missing some. Maybe this is why the access is not working correctly?

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


3 years ago

#9 @ironprogrammer
3 years ago

Following @manfcarlo's train of thought, adding the edit_posts capability to the wp_navigation post type registration does enforce the restricted access that is expected on the Navigation Menus edit page. It is no longer accessible by non-admins. That addition could be added to @noisysocks's PR.

Related Issue
While I believe it to be separate, this is worth mentioning here, as it will come up during testing, whether or not the above adjustments make it into this patch.

The following issues were observed when interacting with Navigation blocks as a non-admin (tested: editor and author).

  • Without the fix applied, in both 5.9 and trunk, non-admins have the ability to add, edit, and remove Navigation blocks. I don't believe this is by design (there are several "toast" warnings to this effect).
  • With the fix applied, when a Navigation block is present, its block may be replaced with the warning: Navigation menu has been deleted or is unavailable. Create a new menu? Clicking "Create a new menu?" allows some basic tinkering with the Navigation block (e.g. alignment, colors, styles), which can be saved. After saving by a non-admin, the block appears as a "placeholder", but with styling applied.

I'm trying to track down if this has been recorded in Gutenberg issues, where I'll post additional details.

Last edited 3 years ago by ironprogrammer (previous) (diff)

#10 @pyrobd
3 years ago

Not able to reproduce the issue in 5.9 any suggestions

#11 @ironprogrammer
3 years ago

Hi, @pyrobd: I was able to reproduce with @noisysocks's repro steps, as well as @costdev's test report. Note that the active theme needs to be "classic", or non-block.

I've attached a video that exhibits an admin user's permissions check failure on /wp-admin/edit.php?post_type=wp_navigation when attempting to "Manage menus" from the block editor. I used an existing menu for brevity, but the same happens regardless of actions taken in the block editor, since the permissions are really failing on the wp_navigation post type edit screen.

@ironprogrammer
3 years ago

Screencast exhibiting error condition: admin unable to "Manage menus" from block editor

This ticket was mentioned in PR #2327 on WordPress/wordpress-develop by ironprogrammer.


3 years ago
#12

  • Keywords has-patch added; needs-patch removed

Adds a post type registration capabilities check to prevent non-admin users from accessing the Navigation Menus edit screen.

This change is in conjunction with the original PR submitted by @noisysocks.

Trac ticket: https://core.trac.wordpress.org/ticket/54889

#13 @ironprogrammer
3 years ago

  • Keywords has-screenshots added

Submitted new PR (PR 2327) amending original PR (PR 2219) from @noisysocks so we have a consolidated patch. Adds the post type capability check mentioned here.

Also added has-screenshots keyword reflecting addition of screencast of error condition.

Last edited 3 years ago by ironprogrammer (previous) (diff)

#14 @noisysocks
3 years ago

  • Keywords commit added

@ironprogrammer's PR looks good to me.

#15 @hellofromTonya
3 years ago

  • Owner set to hellofromTonya
  • Status changed from new to reviewing

Test Report

Env:

  • WP: trunk with the PR 2327
  • OS: macOS Big Sur
  • Localhost: wp-env
  • Browsers: Edge, Chrome, Firefox, Firefox Dev, Safari
  • Theme: TT2 and TT1
  • Plugins: none

Steps

  • Step 1: Log in as an admin
  • Step 2: Create contributor and editor users
  • Step 3: Go to http://localhost:8889/wp-admin/edit.php?post_type=wp_navigation. Expected result: should have access to the Navigation Menus UI as the admin.
  • Step 4: Log in as a contributor
  • Step 5: Repeat step 3. Expected result: No access and an error message "You need a higher level of permission. Sorry, you are not allowed to edit posts in this post type."
  • Step 6: Repeat steps 4 and 5 but as an editor user.

Test Results:

  • Admin role: confirmed admin has access ✅
  • Contributor role: confirmed does not have access ✅
  • Editor role: confirmed does not have access ✅

PR is ready for commit. Self-assigning to prep commit.

Last edited 3 years ago by hellofromTonya (previous) (diff)

@hellofromTonya
3 years ago

Test Report with PR 2327 applied showing results with admin, contributor, and editor roles ✅

#16 @hellofromTonya
3 years ago

Also worth noting, prior to this fix, with a block theme activated, admin and non-admins had access to the Navigation Menus UI. After the fix, only admins have access.

#18 @hellofromTonya
3 years ago

Reference: https://github.com/WordPress/gutenberg/pull/37454 for admin only permission discussion.

#19 @hellofromTonya
3 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 52755:

Editor: Grant only admins access to the "Navigation Menus" UI for block and non-block themes.

Restricts and grants access to only admin roles for the Navigation Menu UI screen, i.e. either directly through the URL wp-admin/edit.php?post_type=wp_navigation or via the Navigation block's "Manage menu" option (in the block's toolbar).

It resolves 2 issues:

  • For non-block themes, fixes the issue where admins could not access the UI.
  • For block themes, restricts access to only admin roles, i.e. non-admins no longer have access to the UI.

Non-admins will receive the "Sorry, you are not allowed to edit posts in this post type" error message.

Follow-up [52069], [52145], [52330], [52400].

Props ironprogrammer, costdev, noisysocks, talldanwp, hellofromTonya, manfcarlo, pyrobd.
Fixes #54889.

#20 @hellofromTonya
3 years ago

  • Keywords dev-feedback added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for backport to 5.9-branch for 5.9.1. Needs 2nd committer review and approval.

This ticket was mentioned in Slack in #core by hellofromtonya. View the logs.


3 years ago

#23 @audrasjb
3 years ago

  • Keywords dev-reviewed fixed-major added; dev-feedback removed

Marking as ready for backport 👍
Thanks!

#24 @hellofromTonya
3 years ago

Thanks @audrasjb! I'm prepping backport now.

#25 @hellofromTonya
3 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 52756:

Editor: Grant only admins access to the "Navigation Menus" UI for block and non-block themes.

Restricts and grants access to only admin roles for the Navigation Menu UI screen, i.e. either directly through the URL wp-admin/edit.php?post_type=wp_navigation or via the Navigation block's "Manage menu" option (in the block's toolbar).

It resolves 2 issues:

  • For non-block themes, fixes the issue where admins could not access the UI.
  • For block themes, restricts access to only admin roles, i.e. non-admins no longer have access to the UI.

Non-admins will receive the "Sorry, you are not allowed to edit posts in this post type" error message.

Follow-up [52069], [52145], [52330], [52400].

Props ironprogrammer, costdev, noisysocks, talldanwp, hellofromTonya, manfcarlo, pyrobd.
Merges [52755] to the 5.9 branch.
Fixes #54889.

Note: See TracTickets for help on using tickets.