Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Capabilities needed to use the Site Editor are not documented #1801

Open
andronocean opened this issue Nov 25, 2024 · 1 comment
Open

Capabilities needed to use the Site Editor are not documented #1801

andronocean opened this issue Nov 25, 2024 · 1 comment
Labels
[Status] To do Issue marked as Todo

Comments

@andronocean
Copy link

Issue Description

In the process of adding a new user role that would be able to access the Site Editor on a site using full site editing, I've discovered that there is no documentation anywhere about which capabilities are needed for such access. The Roles And Capabilities page has no references to the Site Editor or block themes at all.

The wp-admin/site-editor.php file itself contains a check for edit_theme_options, but from my testing this alone is insufficient. I created a fresh WP install, added edit_theme_options to the default Editor role, and tried to use the Site Editor. I found that:

  • The Appearance item shows up in the side menu with the "Editor" item.
  • Clicking it shows the editor side nav ("Design" etc), but the site preview does not load
  • The Styles editor does not load
  • The Pages view only loads partially (page list yes, authors are missing, previews don't work)
  • Templates and Patterns views load
  • 403 forbidden errors appear in network tab for some REST requests

It seems there are additional capability checks buried inside the API requests... but there's zero guidance as to what those are.

URL of the Page with the Issue

https://wordpress.org/documentation/article/roles-and-capabilities/

Section of Page with the issue

https://wordpress.org/documentation/article/roles-and-capabilities/#capabilities
https://wordpress.org/documentation/article/roles-and-capabilities/#edit_theme_options

Why is this a problem?

Without this documentation, there's no way to know how to add or modify roles to control site editor access. Many multi-user sites need to give a design or development team access to the Site Editor to change appearance. Having to make those users administrators is a security issue, since that also grants them control over users and plugins that may be risky.

Suggested Fix

At a minimum, I'd like to see the documentation for edit_theme_options (and whichever other capabilities are involved) improved to mention that they control Site Editor access when FSE is active.

A larger but better fix would be dedicated documentation (not sure where...) about how to allow or remove Site Editor access for any user role.
@andronocean andronocean added the [Status] To do Issue marked as Todo label Nov 25, 2024
@github-actions GitHub Actions
Copy link

Heads up @WordPress/docs-issues-coordinators, we have a new issue open. Time to use 'em labels.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
[Status] To do Issue marked as Todo
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andronocean