Opened 3 years ago
Closed 3 years ago
#54889 closed defect (bug) (fixed)
Cannot access 'Manage menus' in Navigation block toolbar when running a classic theme
Reported by: | noisysocks | Owned by: | hellofromTonya |
---|---|---|---|
Milestone: | 5.9.1 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Editor | Keywords: | has-patch has-screenshots commit dev-reviewed fixed-major |
Focuses: | Cc: |
Description
Originally reported in https://github.com/WordPress/gutenberg/issues/38118.
(Re)discovered while testing https://github.com/WordPress/gutenberg/pull/38168.
Steps to reproduce:
- Activate a classic theme.
- Create or edit a post or page.
- Create or select a Navigation block.
- In the toolbar, select _Select menu_.
- Select _Manage menus_.
- You get a "Sorry, you are not allowed to edit posts in this post type." error.
Attachments (2)
Change History (27)
This ticket was mentioned in PR #2219 on WordPress/wordpress-develop by noisysocks.
3 years ago
#1
- Keywords has-patch added
#2
@
3 years ago
@hellofromTonya This is a separate issue that came up while testing the fix for https://github.com/WordPress/gutenberg/issues/38166. I don't believe it's particularly high priority as it only affects classic themes but it's an easy fix so maybe we should include it in RC 4. Your call.
#3
@
3 years ago
- Milestone changed from 5.9.1 to 5.9
Moving to 5.9 for visibility. Again, I'm not sure if it's 5.9 or 5.9.1.
#4
@
3 years ago
Test Report
Env
- WordPress: trunk and PR 2219
- Chrome 97.0.4692.71
- Windows 10
- Theme: Twenty Twenty-One
- Block Editor
- Plugin: None activated
Steps to test
As an administrator
:
- Navigate to
Posts > Add New
. - Insert a
Navigation
block. - Click
Select menu
. - Select a menu.
- Click
Select menu
. - Click
Manage menus
. - The following is displayed: Sorry, you are not allowed to edit posts in this post type.
- Apply PR 2219.
- Repeat steps 1-6.
- The
Navigation Menus
screen should appear. - Repeat steps 1-5 as an
editor
. - The
Manage menus
option should not be available.
Expected results (✅/❌)
- PR 2219 should grant access to the
Navigation Menus
screen foradministrators
when selectingManage menus
. ✅ - PR 2219 should hide the
Manage menus
option fromeditors
. ✅ - PR 2219 should continue to display a permissions notice to
editors
when browsing directly towp-admin/edit.php?post_type=wp_navigation
. ❌
Notes
Editors can still manually browse to wp-admin/edit.php?post_type=wp_navigation
. This shows the Navigation Menus
screen and the available menus but does not allow them to interact with the items. The Bulk Edit
dropdown is available, but does nothing.
#5
@
3 years ago
- Keywords needs-patch added; has-patch removed
- Milestone changed from 5.9 to 5.9.1
I can confirm the fix does allow administrator
to access to screen. However, as @costdev noted, it now also allows access to the editor
capability via URL.
An editor does not have access to the classic Menus screen (Appearance > Menus) via direct /wp-admin/nav-menus.php
URL or from the sidebar menus.
Though the fix does resolve the original reported issue, it needs to also deny access to non-admins.
Moving to 5.9.1.
#6
@
3 years ago
I can confirm the fix does allow administrator to access to screen. However, as @costdev noted, it now also allows access to the editor capability via URL.
In my testing, this patch doesn't introduce this issue. It seems to already be present in 5.9 for editors using a block theme.
#7
@
3 years ago
There are 12 capability keys that a post type can set upon registration, and the wp_template
and wp_template_part
post types set all of them. I notice that wp_navigation
(and also wp_global_styles
) are missing some. Maybe this is why the access is not working correctly?
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
3 years ago
#9
@
3 years ago
Following @manfcarlo's train of thought, adding the edit_posts
capability to the wp_navigation
post type registration does enforce the restricted access that is expected on the Navigation Menus edit page. It is no longer accessible by non-admins. That addition could be added to @noisysocks's PR.
Related Issue
While I believe it to be separate, this is worth mentioning here, as it will come up during testing, whether or not the above adjustments make it into this patch.
The following issues were observed when when accessing the block editor as a non-admin (tested: editor and author).
- Without the fix applied, in both 5.9 and trunk, non-admins have the ability to add, edit, and remove Navigation blocks. I don't believe this is by design (there are several "toast" warnings to this effect).
- With the fix applied, when a Navigation block is present, its block may be replaced with the warning: Navigation menu has been deleted or is unavailable. Create a new menu? Clicking "Create a new menu?" allows some basic tinkering with the Navigation block (e.g. alignment, colors, styles), which can be saved. After saving by a non-admin, the block appears as a "placeholder", but with styling applied.
I'm trying to track down if this has been recorded in Gutenberg issues, where I'll post additional details.
#11
@
3 years ago
Hi, @pyrobd: I was able to reproduce with @noisysocks's repro steps, as well as @costdev's test report. Note that the active theme needs to be "classic", or non-block.
I've attached a video that exhibits an admin user's permissions check failure on /wp-admin/edit.php?post_type=wp_navigation
when attempting to "Manage menus" from the block editor. I used an existing menu for brevity, but the same happens regardless of actions taken in the block editor, since the permissions are really failing on the wp_navigation
post type edit screen.
@
3 years ago
Screencast exhibiting error condition: admin unable to "Manage menus" from block editor
This ticket was mentioned in PR #2327 on WordPress/wordpress-develop by ironprogrammer.
3 years ago
#12
- Keywords has-patch added; needs-patch removed
Adds a post type registration capabilities check to prevent non-admin users from accessing the Navigation Menus edit screen.
This change is in conjunction with the original PR submitted by @noisysocks.
Trac ticket: https://core.trac.wordpress.org/ticket/54889
#13
@
3 years ago
- Keywords has-screenshots added
Submitted new PR (PR 2327) amending original PR (PR 2219) from @noisysocks so we have a consolidated patch. Adds the post type capability check mentioned here.
Also added has-screenshots
keyword reflecting addition of screencast of error condition.
#15
@
3 years ago
- Owner set to hellofromTonya
- Status changed from new to reviewing
Test Report
Env:
- WP: trunk with the PR 2327
- OS: macOS Big Sur
- Localhost: wp-env
- Browsers: Edge, Chrome, Firefox, Firefox Dev, Safari
- Theme: TT2 and TT1
- Plugins: none
Steps
- Step 1: Log in as an admin
- Step 2: Create contributor and editor users
- Step 3: Go to http://localhost:8889/wp-admin/edit.php?post_type=wp_navigation. Expected result: should have access to the Navigation Menus UI as the admin.
- Step 4: Log in as a contributor
- Step 5: Repeat step 3. Expected result: No access and an error message "You need a higher level of permission. Sorry, you are not allowed to edit posts in this post type."
- Step 6: Repeat steps 4 and 5 but as an editor user.
Test Results:
- Admin role: confirmed admin has access ✅
- Contributor role: confirmed does not have access ✅
- Editor role: confirmed does not have access ✅
PR is ready for commit. Self-assigning to prep commit.
@
3 years ago
Test Report with PR 2327 applied showing results with admin, contributor, and editor roles ✅
#16
@
3 years ago
Also worth noting, prior to this fix, with a block theme activated, admin and non-admins had access to the Navigation Menus UI. After the fix, only admins have access.
hellofromtonya commented on PR #2219:
3 years ago
#17
Closing as https://github.com/WordPress/wordpress-develop/pull/2327 is preferred.
#18
@
3 years ago
Reference: https://github.com/WordPress/gutenberg/pull/37454 for admin only permission discussion.
#20
@
3 years ago
- Keywords dev-feedback added
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening for backport to 5.9-branch for 5.9.1. Needs 2nd committer review and approval.
hellofromtonya commented on PR #2327:
3 years ago
#21
Committed via https://core.trac.wordpress.org/changeset/52755.
The Navigation block is supported in both block themes and classic themes, so it is incorrect to only allow access to
edit.php?post_type=wp_navigation
when the current theme is a block theme.This fixes a bug where clicking on 'Manage menus' in the toolbar of a Navigation block takes you an error page when running a classic theme.
Trac ticket: https://core.trac.wordpress.org/ticket/54889