From 11ee353116ac925c9c9cd8c16c70900368936d24 Mon Sep 17 00:00:00 2001 From: Mario Santos <34552881+SantosGuillamot@users.noreply.github.com> Date: Wed, 28 Feb 2024 13:40:13 +0100 Subject: [PATCH] Block Bindings: Don't show protected fields that are bound to blocks (#59326) * Check if the meta field is protected * Check if the meta field is available in the REST API * Use `get_registered_meta_keys` function * Return empty string instead of null * Return null if the bindings config is not correct * Return `null` when the field is unavailable or protected * Add tests for protected fields * Update tests to match current behavior * Remove unnecessary `show_in_rest` conditional Co-authored-by: Pascal Birchler --------- Co-authored-by: Pascal Birchler --- .../block-bindings/post-meta.php | 13 ++++ packages/e2e-tests/plugins/block-bindings.php | 20 +++++- .../editor/various/block-bindings.spec.js | 72 +++++++++++++++++-- 3 files changed, 100 insertions(+), 5 deletions(-) diff --git a/lib/compat/wordpress-6.5/block-bindings/post-meta.php b/lib/compat/wordpress-6.5/block-bindings/post-meta.php index 5ce8eb7ac56ee7..56298a7c4d4c50 100644 --- a/lib/compat/wordpress-6.5/block-bindings/post-meta.php +++ b/lib/compat/wordpress-6.5/block-bindings/post-meta.php @@ -28,6 +28,19 @@ function gutenberg_block_bindings_post_meta_callback( $source_attrs, $block_inst return null; } + // Check if the meta field is protected. + if ( is_protected_meta( $source_attrs['key'], 'post' ) ) { + return null; + } + + // Check if the meta field is registered to be shown in REST. + $meta_keys = get_registered_meta_keys( 'post', $block_instance->context['postType'] ); + // Add fields registered for all subtypes. + $meta_keys = array_merge( $meta_keys, get_registered_meta_keys( 'post', '' ) ); + if ( empty( $meta_keys[ $source_attrs['key'] ]['show_in_rest'] ) ) { + return null; + } + return get_post_meta( $post_id, $source_attrs['key'], true ); } diff --git a/packages/e2e-tests/plugins/block-bindings.php b/packages/e2e-tests/plugins/block-bindings.php index c686b40006a067..74aec2adb500fb 100644 --- a/packages/e2e-tests/plugins/block-bindings.php +++ b/packages/e2e-tests/plugins/block-bindings.php @@ -21,7 +21,6 @@ function gutenberg_test_block_bindings_register_custom_fields() { 'default' => 'Value of the text_custom_field', ) ); - // TODO: Change url. register_meta( 'post', 'url_custom_field', @@ -32,5 +31,24 @@ function gutenberg_test_block_bindings_register_custom_fields() { 'default' => '#url-custom-field', ) ); + register_meta( + 'post', + '_protected_field', + array( + 'type' => 'string', + 'single' => true, + 'default' => 'protected field value', + ) + ); + register_meta( + 'post', + 'show_in_rest_false_field', + array( + 'show_in_rest' => false, + 'type' => 'string', + 'single' => true, + 'default' => 'show_in_rest false field value', + ) + ); } add_action( 'init', 'gutenberg_test_block_bindings_register_custom_fields' ); diff --git a/test/e2e/specs/editor/various/block-bindings.spec.js b/test/e2e/specs/editor/various/block-bindings.spec.js index fc315e522b81ac..419a70faeaf9be 100644 --- a/test/e2e/specs/editor/various/block-bindings.spec.js +++ b/test/e2e/specs/editor/various/block-bindings.spec.js @@ -1218,7 +1218,7 @@ test.describe( 'Block bindings', () => { name: 'core/paragraph', attributes: { anchor: 'paragraph-binding', - content: 'p', + content: 'fallback value', metadata: { bindings: { content: { @@ -1244,9 +1244,73 @@ test.describe( 'Block bindings', () => { // Check the frontend doesn't show the content. const postId = await editor.publishPost(); await page.goto( `/?p=${ postId }` ); - await expect( - page.locator( '#paragraph-binding' ) - ).toBeHidden(); + await expect( page.locator( '#paragraph-binding' ) ).toHaveText( + 'non_existing_custom_field' + ); + } ); + + test( 'should not show the value of a protected meta field', async ( { + editor, + page, + } ) => { + await editor.insertBlock( { + name: 'core/paragraph', + attributes: { + anchor: 'paragraph-binding', + content: 'fallback value', + metadata: { + bindings: { + content: { + source: 'core/post-meta', + args: { key: '_protected_field' }, + }, + }, + }, + }, + } ); + const paragraphBlock = editor.canvas.getByRole( 'document', { + name: 'Block: Paragraph', + } ); + await expect( paragraphBlock ).toHaveText( '_protected_field' ); + // Check the frontend doesn't show the content. + const postId = await editor.publishPost(); + await page.goto( `/?p=${ postId }` ); + await expect( page.locator( '#paragraph-binding' ) ).toHaveText( + '_protected_field' + ); + } ); + + test( 'should not show the value of a meta field with `show_in_rest` false', async ( { + editor, + page, + } ) => { + await editor.insertBlock( { + name: 'core/paragraph', + attributes: { + anchor: 'paragraph-binding', + content: 'fallback value', + metadata: { + bindings: { + content: { + source: 'core/post-meta', + args: { key: 'show_in_rest_false_field' }, + }, + }, + }, + }, + } ); + const paragraphBlock = editor.canvas.getByRole( 'document', { + name: 'Block: Paragraph', + } ); + await expect( paragraphBlock ).toHaveText( + 'show_in_rest_false_field' + ); + // Check the frontend doesn't show the content. + const postId = await editor.publishPost(); + await page.goto( `/?p=${ postId }` ); + await expect( page.locator( '#paragraph-binding' ) ).toHaveText( + 'show_in_rest_false_field' + ); } ); } );