Add permission checks to Command Palette commands #71267
Conversation
t-hamano
added
[Type] Bug
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
t-hamano
left a comment
t-hamano
left a comment
There was a problem hiding this comment.
LGTM 👍 Finally, can you resolve the conflicts? It should not be difficult, as the conflict is small.
|
@R1shabh-Gupta, sorry, can you merge the latest trunk into this PR to fix the failing CIs? I think this PR doesn't cause any new CI failures, but I'm 100% unsure whether the following error isn't related to this PR: https://github.com/WordPress/gutenberg/actions/runs/17121572254/job/48567238274?pr=71267 |
…shabh-Gupta/gutenberg into fix/71263-command-palette-permissions
…palette-permissions
|
Hmm, the failing e2e test is certainly related to this PR. 
@Mamaduka, this PR checks the user permissions to conditionally execute commands (Page, Post, and Patterns). I suspect that this causes additional preloading, so we need to update the test side. Is my understanding correct? |
|
Thanks for the ping and sorry for the late reply. Yes, it appears that PR introduces a new HTTP request early in the loading stages, which we try to avoid; the failing e2e test is here to catch those early. I think we can resolve the current problem by switching the Side Note: I think it might be helpful to introduce a better API for checking permissions for commands, something that's lazily evaluated and not on page load. This could be a good addition to #59004. cc @youknowriad |
|
Thanks for the update! |
|
@R1shabh-Gupta, it looks like there is a merge conflict that requires rebasing. That should also resolve CI checks. |
…palette-permissions
t-hamano
left a comment
t-hamano
left a comment
There was a problem hiding this comment.
@R1shabh-Gupta Thanks for the update!
@Mamaduka can we merge this PR?
|
@t-hamano, yes. This is good to merge 👍 |
3 participants
What?
Closes #71263
Adds permission checks to Command Palette commands to prevent unauthorized users from accessing post, page, and patterns.
Why?
The Command Palette was showing "Add Post", "Add Page", and "Patterns" commands to all users, regardless of their permissions. This created a security vulnerability where users without proper capabilities could see and potentially attempt to access creation functions they shouldn't have access to. This PR ensures only users with the appropriate permissions can see and use these commands.
How?
canCreatePostpermission check usingcanUser('create', { kind: 'postType', name: 'post' })and disabled the command when the user lacks permissioncanCreatePagepermission check usingcanUser('create', { kind: 'postType', name: 'page' })and conditionally register the command only when user has permissioncanCreatePatternspermission check usingcanUser('create', { kind: 'postType', name: 'wp_block' })and show the command only when user can create templates OR patterns, with appropriate fallback navigationThe implementation uses WordPress's
canUserselector to check user capabilities before displaying commands.Testing Instructions
Screenshots or screencast
Screen.Recording.2025-08-20.at.2.11.09.PM.mov