New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update admin screen access #1437

Merged
merged 3 commits into from Sep 17, 2018

Conversation

Projects
None yet
2 participants
@westonruter
Member

westonruter commented Sep 17, 2018

While the AMP validation screens are generally available to users who can edit_posts, in reality this should be tightened up to just administrators, with authors then only able to access the amp_invalid_url screens with just the posts that they themselves were responsible for creating in the course of creating regular posts.

  • Only show reciprocal links on Invalid URLs and Error Index screens when user has authorization, respectively.
  • Do not show the recheck row action for invalid URLs if they do not have permission.
  • Hide AMP admin bar link if user doesn't have authorization.
  • Harmonize approach for adding wp-heading-inline links. See #1397 (comment).
  • Allow non-admin users to access AMP settings screen, but let all fields be disabled so that they can only see how it is configured.
  • Do not give non-admins access to the Error Index screen.

westonruter added some commits Sep 17, 2018

Add cap checks for showing buttons, including row actions, and doing …
…actions

Skip showing admin bar item if user cannot validate someone else's post.

@westonruter westonruter added this to the v1.0 milestone Sep 17, 2018

@westonruter westonruter requested a review from kienstra Sep 17, 2018

@westonruter

This comment has been minimized.

Member

westonruter commented Sep 17, 2018

@postphotos this fixes the issue you noted when a non-admin tries to access AMP screens.

@kienstra

This comment has been minimized.

Collaborator

kienstra commented Sep 17, 2018

Approved

Hi @weston,
This PR looks good, and it's nice how it changes the capabilities for the validator.

This looked good, when testing it for an administrator, editor, and author.

authors-view-page

@@ -553,14 +553,21 @@ public function render_screen() {
AMP_Options_Manager::check_supported_post_type_update_errors();
}
?>
<?php if ( ! current_user_can( 'manage_options' ) ) : ?>
<div class="notice notice-info">
<p><?php esc_html_e( 'You do not have permission to modify these settings. They are shown here for your reference. Please contact your administrator to make changes.', 'amp' ); ?></p>

This comment has been minimized.

@kienstra

kienstra Sep 17, 2018

Collaborator

Good idea to display this notice.

@@ -1019,12 +1052,19 @@ public static function handle_validate_request() {
if ( ! $post || self::POST_TYPE_SLUG !== $post->post_type ) {
throw new Exception( 'invalid_post' );
}
if ( ! current_user_can( 'edit_post', $post->ID ) ) {
throw new Exception( 'unauthorized' );

This comment has been minimized.

@kienstra

kienstra Sep 17, 2018

Collaborator

Good idea to check the capability here.

@westonruter westonruter merged commit 9444a75 into develop Sep 17, 2018

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details

@westonruter westonruter deleted the update/admin-screen-access branch Sep 17, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment