fix: added pre-API call permissions check on APIs being called on non-admin accessible screens (#51406)
fix: no permissions api errors
parent
c891bd09e3
commit
a66adfcf6c
@ -0,0 +1,4 @@
Significance: minor
Type: fix
Added pre-API call permission checks for some API calls that were being called on non-admin accessible screens
@ -10,11 +10,14 @@ import { apiFetch } from '@wordpress/data-controls';
import { NAMESPACE } from '../constants';
import { setNotes, setNotesQuery, setError } from './actions';
import { NoteQuery, Note } from './types';
import { checkUserCapability } from '../utils';
export function* getNotes( query: NoteQuery = {} ) {
const url = addQueryArgs( `${ NAMESPACE }/admin/notes`, query );
try {
yield checkUserCapability( 'manage_woocommerce' );
const notes: Note[] = yield apiFetch( {
path: url,
} );
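Review bot: In getNotes the new `yield checkUserCapability( 'manage_woocommerce' );` sits inside the existing `try`, so a missing capability is routed to the same handler as a failed request; if that handler dispatches `setError` (it is outside the hunk, so this is inferred), the store still records an error for these users, which looks like the very symptom the commit title says it removes. Consider treating the capability failure as a distinct, expected outcome in the catch rather than as a request error, or checking the capability before entering the `try`. The body of getNotes continues past the hunk. The same pattern appears in getTaskLists, getActivePlugins, getInstalledPlugins and getJetpackConnectionData in the later file sections.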
@ -31,6 +31,7 @@ import {
TaskListType,
} from './types';
import { Plugin } from '../plugins/types';
import { checkUserCapability } from '../utils';
const resolveSelect =
controls && controls.resolveSelect ? controls.resolveSelect : select;
@ -68,6 +69,8 @@ export function* getEmailPrefill() {
export function* getTaskLists() {
const deprecatedTasks = new DeprecatedTasks();
try {
yield checkUserCapability( 'manage_woocommerce' );
const results: TaskListType[] = yield apiFetch( {
path: WC_ADMIN_NAMESPACE + '/onboarding/tasks',
method: deprecatedTasks.hasDeprecatedTasks() ? 'POST' : 'GET',
@ -27,6 +27,7 @@ import {
RecommendedTypes,
JetpackConnectionDataResponse,
} from './types';
import { checkUserCapability } from '../utils';
// Can be removed in WP 5.9, wp.data is supported in >5.7.
const resolveSelect =
@ -61,6 +62,8 @@ type ConnectJetpackResponse = {
export function* getActivePlugins() {
yield setIsRequesting( 'getActivePlugins', true );
try {
yield checkUserCapability( 'manage_woocommerce' );
const url = WC_ADMIN_NAMESPACE + '/plugins/active';
const results: PluginGetResponse = yield apiFetch( {
path: url,
@ -77,6 +80,8 @@ export function* getInstalledPlugins() {
yield setIsRequesting( 'getInstalledPlugins', true );
try {
yield checkUserCapability( 'manage_woocommerce' );
const url = WC_ADMIN_NAMESPACE + '/plugins/installed';
const results: PluginGetResponse = yield apiFetch( {
path: url,
@ -111,6 +116,8 @@ export function* getJetpackConnectionData() {
yield setIsRequesting( 'getJetpackConnectionData', true );
try {
yield checkUserCapability( 'manage_woocommerce' );
const url = JETPACK_NAMESPACE + '/connection/data';
const results: JetpackConnectionDataResponse = yield apiFetch( {
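Review bot: In getActivePlugins the `yield setIsRequesting( 'getActivePlugins', true );` dispatch runs before the new `yield checkUserCapability( 'manage_woocommerce' );`, so when the check throws, the requesting flag is only cleared if the existing catch (outside the hunk) resets it; if it does not, users without the capability are left with a permanent loading state. Wrapping the reset in a `finally { yield setIsRequesting( 'getActivePlugins', false ); }` would make it independent of which branch fails, if the current catch does not already cover this path. getInstalledPlugins and getJetpackConnectionData in this file have the same ordering, and all three function bodies continue past their hunks.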
@ -2,14 +2,15 @@
* External dependencies
*/
import { addQueryArgs } from '@wordpress/url';
import { apiFetch } from '@wordpress/data-controls';
import { apiFetch, select } from '@wordpress/data-controls';
/**
* Internal dependencies
*/
import { BaseQueryParams } from './types/query-params';
import { fetchWithHeaders } from './controls';
import { USER_STORE_NAME } from './user';
import { WCUser } from './user/types';
function replacer( _: string, value: unknown ) {
if ( value ) {
if ( Array.isArray( value ) ) {
@ -100,3 +101,20 @@ export function* request< Query extends BaseQueryParams, DataType >(
return { items: response.data, totalCount };
}
}
/**
* Utility function to check if the current user has a specific capability.
*
* @param {string} capability - The capability to check (e.g. 'manage_woocommerce').
* @throws {Error} If the user does not have the required capability.
*/
export function* checkUserCapability( capability: string ) {
const currentUser: WCUser< 'capabilities' > = yield select(
USER_STORE_NAME,
'getCurrentUser'
);
if ( ! currentUser.capabilities[ capability ] ) {
throw new Error( `User does not have ${ capability } capability.` );
}
}
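Review bot: In checkUserCapability, `currentUser.capabilities[ capability ]` throws a TypeError instead of the documented Error if `getCurrentUser` resolves to a value without a `capabilities` object (for instance when the user request itself failed); `if ( ! currentUser?.capabilities?.[ capability ] ) {` keeps that case on the intended error path. Whether the selector can yield such a value depends on the user store, which is outside this diff. The docblock should also make the scope of the check explicit, since it reads the client-side user store and only avoids requests that would be rejected, e.g. `* Note: client-side convenience check only; the REST permission callbacks remain the enforcement point.` The `{string}` and `{Error}` tags in the JSDoc are redundant in a TypeScript file, where the signature already carries the types.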
@ -269,7 +269,8 @@ export const ActivityPanel = ( { isEmbedded, query } ) => {
visible:
( isEmbedded || ! isHomescreen ) &&
! isPerformingSetupTask() &&
! isProductScreen(),
! isProductScreen() &&
currentUserCan( 'manage_woocommerce' ),
};
const feedback = {
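Review bot: The new `currentUserCan( 'manage_woocommerce' )` term in `visible` gives no hint of why a capability belongs in a condition otherwise built from screen-state predicates, and the next reader may be tempted to drop it as unrelated. A one-line comment above it, such as `// Hidden for users without manage_woocommerce, presumably so the panel does not issue admin-only requests they cannot authorize.`, would record the intent the commit message carries. Where `currentUserCan` is defined, and the rest of the ActivityPanel component, are outside the hunk.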
@ -0,0 +1,4 @@
Significance: minor
Type: fix
Added pre-API call permission checks for some API calls that were being called on non-admin accessible screens