Revert change to preload paths as per the corresponding GB sync PR

Add edit_theme_options cap check for reading items with accompanying test coverage. t
WordPress · Sep 18, 2024 · 790e8d1 · 790e8d1
1 parent b183c97
commit 790e8d1
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/src/wp-admin/edit-form-blocks.php b/src/wp-admin/edit-form-blocks.php
@@ -67,7 +67,7 @@ static function ( $classes ) {
 	array( '/wp/v2/settings', 'OPTIONS' ),
 	'/wp/v2/global-styles/themes/' . get_stylesheet(),
 	'/wp/v2/themes?context=edit&status=active',
-	'/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id(),
+	'/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id() . '?context=edit',
 );
 
 block_editor_rest_api_preload( $preload_paths, $block_editor_context );

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php
@@ -529,6 +529,13 @@ public function get_theme_item_permissions_check( $request ) {
 			}
 		}
 
+		/*
+		 * Verify if the current user has edit_theme_options capability.
+		 */
+		if ( current_user_can( 'edit_theme_options' ) ) {
+			return true;
+		}
+
 		return new WP_Error(
 			'rest_cannot_read_global_styles',
 			__( 'Sorry, you are not allowed to access the global styles on this site.' ),

diff --git a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php
@@ -15,15 +15,22 @@ class WP_REST_Global_Styles_Controller_Test extends WP_Test_REST_Controller_Test
 	 * @var int
 	 */
 	protected static $admin_id;
+
 	/**
 	 * @var int
 	 */
 	protected static $editor_id;
+
 	/**
 	 * @var int
 	 */
 	protected static $subscriber_id;
 
+	/**
+	 * @var int
+	 */
+	protected static $theme_manager_id;
+
 	/**
 	 * @var int
 	 */
@@ -69,6 +76,18 @@ public static function wpSetupBeforeClass( $factory ) {
 			)
 		);
 
+		self::$theme_manager_id = $factory->user->create(
+			array(
+				'role' => 'subscriber',
+			)
+		);
+
+		// Add the 'edit_theme_options' capability to the theme manager (subscriber).
+		$theme_manager_id = get_user_by( 'id', self::$theme_manager_id );
+		if ( $theme_manager_id instanceof WP_User ) {
+			$theme_manager_id->add_cap( 'edit_theme_options' );
+		}
+
 		// This creates the global styles for the current theme.
 		self::$global_styles_id = $factory->post->create(
 			array(
@@ -87,11 +106,13 @@ public static function wpSetupBeforeClass( $factory ) {
 	}
 
 	/**
-	 *
+	 * Clean up after our tests run.
 	 */
 	public static function wpTearDownAfterClass() {
 		self::delete_user( self::$admin_id );
+		self::delete_user( self::$editor_id );
 		self::delete_user( self::$subscriber_id );
+		self::delete_user( self::$theme_manager_id );
 	}
 
 	/*
@@ -304,6 +325,23 @@ public function test_get_theme_item_editor_permission_check() {
 		$this->assertArrayHasKey( 'self', $links, 'Links do not have a "self" key' );
 	}
 
+	/**
+	 * @covers WP_REST_Global_Styles_Controller_Gutenberg::get_theme_item
+	 * @ticket 62042
+	 */
+	public function test_get_theme_item_theme_options_manager_permission_check() {
+		wp_set_current_user( self::$theme_manager_id );
+		switch_theme( 'emptytheme' );
+		$request  = new WP_REST_Request( 'GET', '/wp/v2/global-styles/themes/emptytheme' );
+		$response = rest_get_server()->dispatch( $request );
+		// Checks that the response has the expected keys.
+		$data  = $response->get_data();
+		$links = $response->get_links();
+		$this->assertArrayHasKey( 'settings', $data, 'Data does not have "settings" key' );
+		$this->assertArrayHasKey( 'styles', $data, 'Data does not have "styles" key' );
+		$this->assertArrayHasKey( 'self', $links, 'Links do not have a "self" key' );
+	}
+
 	/**
 	 * @covers WP_REST_Global_Styles_Controller::get_theme_item
 	 * @ticket 54516