diff --git a/src/wp-admin/edit-form-blocks.php b/src/wp-admin/edit-form-blocks.php index cbcce39374db5..e6abe9998028f 100644 --- a/src/wp-admin/edit-form-blocks.php +++ b/src/wp-admin/edit-form-blocks.php @@ -67,7 +67,7 @@ static function ( $classes ) { array( '/wp/v2/settings', 'OPTIONS' ), '/wp/v2/global-styles/themes/' . get_stylesheet(), '/wp/v2/themes?context=edit&status=active', - '/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id(), + '/wp/v2/global-styles/' . WP_Theme_JSON_Resolver::get_user_global_styles_post_id() . '?context=edit', ); block_editor_rest_api_preload( $preload_paths, $block_editor_context ); diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php index a30774b08f5a4..51c1ac29b8294 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php @@ -529,6 +529,13 @@ public function get_theme_item_permissions_check( $request ) { } } + /* + * Verify if the current user has edit_theme_options capability. + */ + if ( current_user_can( 'edit_theme_options' ) ) { + return true; + } + return new WP_Error( 'rest_cannot_read_global_styles', __( 'Sorry, you are not allowed to access the global styles on this site.' ), diff --git a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php index d10b7c26f4a10..b55c7c3d606eb 100644 --- a/tests/phpunit/tests/rest-api/rest-global-styles-controller.php +++ b/tests/phpunit/tests/rest-api/rest-global-styles-controller.php @@ -15,15 +15,22 @@ class WP_REST_Global_Styles_Controller_Test extends WP_Test_REST_Controller_Test * @var int */ protected static $admin_id; + /** * @var int */ protected static $editor_id; + /** * @var int */ protected static $subscriber_id; + /** + * @var int + */ + protected static $theme_manager_id; + /** * @var int */ @@ -69,6 +76,18 @@ public static function wpSetupBeforeClass( $factory ) { ) ); + self::$theme_manager_id = $factory->user->create( + array( + 'role' => 'subscriber', + ) + ); + + // Add the 'edit_theme_options' capability to the theme manager (subscriber). + $theme_manager_id = get_user_by( 'id', self::$theme_manager_id ); + if ( $theme_manager_id instanceof WP_User ) { + $theme_manager_id->add_cap( 'edit_theme_options' ); + } + // This creates the global styles for the current theme. self::$global_styles_id = $factory->post->create( array( @@ -87,11 +106,13 @@ public static function wpSetupBeforeClass( $factory ) { } /** - * + * Clean up after our tests run. */ public static function wpTearDownAfterClass() { self::delete_user( self::$admin_id ); + self::delete_user( self::$editor_id ); self::delete_user( self::$subscriber_id ); + self::delete_user( self::$theme_manager_id ); } /* @@ -304,6 +325,23 @@ public function test_get_theme_item_editor_permission_check() { $this->assertArrayHasKey( 'self', $links, 'Links do not have a "self" key' ); } + /** + * @covers WP_REST_Global_Styles_Controller_Gutenberg::get_theme_item + * @ticket 62042 + */ + public function test_get_theme_item_theme_options_manager_permission_check() { + wp_set_current_user( self::$theme_manager_id ); + switch_theme( 'emptytheme' ); + $request = new WP_REST_Request( 'GET', '/wp/v2/global-styles/themes/emptytheme' ); + $response = rest_get_server()->dispatch( $request ); + // Checks that the response has the expected keys. + $data = $response->get_data(); + $links = $response->get_links(); + $this->assertArrayHasKey( 'settings', $data, 'Data does not have "settings" key' ); + $this->assertArrayHasKey( 'styles', $data, 'Data does not have "styles" key' ); + $this->assertArrayHasKey( 'self', $links, 'Links do not have a "self" key' ); + } + /** * @covers WP_REST_Global_Styles_Controller::get_theme_item * @ticket 54516