Non Administrator roles are no longer able to switch post templates (and therefore also cannot preview them)

[fabiankaegy]

In #60447 we added the ability for non administrators to preview the template as they are editing a post. Even long before this editors were always able to switch between which template should be selected for a post.

Today in trunk neither option is available to editor roles or below. They don't get the template selector and they don't get a template preview.

Looking into the source code the templateId never gets defined

gutenberg/packages/editor/src/components/post-template/panel.js

Lines 22 to 29 in 7e9e53d

	const { templateId, isBlockTheme } = useSelect( ( select ) => {
	const { getCurrentTemplateId, getEditorSettings } =
	select( editorStore );
	return {
	templateId: getCurrentTemplateId(),
	isBlockTheme: getEditorSettings().__unstableIsBlockBasedTheme,
	};
	}, [] );

This is a major regression that we need to fix before the next WordPress release.

[t-hamano]

I would like to investigate this issue, but is this a new issue with WP 6.8?

Also, it would be great if you could add some test steps to reproduce this issue.

[fabiankaegy]

@t-hamano yes the issue is not present in WordPress 6.7.1

CleanShot.2025-01-24.at.11.36.51.mp4

Steps to reproduce the issue:

1. Use a default theme such as twenty twenty five
2. Log in as an editor role account
3. Edit the "Sample Page" (any page that isn't the Homepage / Posts page)
4. See the "Template" option in the Document Sidebar
5. User can swap template
6. User can enable show template option

[fabiankaegy]

It looks like #68110 may have actually caused this regression. It wants to solve for Author roles that cannot edit pages but in doing so it appears to have caused this regression (I think)

[t-hamano]

I've identified that the problem has been caused by #67031 (c22ecef). In fact, if you check out the commit immediately preceding that (9820a8c), you'll see that the problem can no longer be reproduced.

[fabiankaegy]

I think there actually are two separate issues here:

1. Non Admins can no longer switch between different templates (This is what @t-hamano found here Non Administrator roles are no longer able to switch post templates (and therefore also cannot preview them) #68870 (comment))
2. Non Admins can no longer preview a template (This is what I found here Non Administrator roles are no longer able to switch post templates (and therefore also cannot preview them) #68870 (comment))

Both are regressions and from my POV need to be fixed before 6.8.

I don't know yet how the first issue should get fixed. But for the second one it seems the blocking factor here is https://core.trac.wordpress.org/ticket/48885 (or something similar) that would allow non administrator roles to be able to read what page is set to be the homepage / posts page.

I wonder if an interim solution where we actually pass in the frontpage & post page configuration from the PHP side as static variables. Inside the post editor there is no way to change those anyways. And inside the site editor it doesn't matter because any user that can access the site editor has administrator rights and therefore can view the settings anyways. 🤔 I realize that is not an ideal solution. And I would much rather have a proper rest api fix that allows non admins to view non sensitive site settings such as these two values. But to me that rest limitation should not block this valuable feature (that we have already been shipping for several WP Core versions)

[t-hamano]

My guess is that this may be due to the new getTemplateId selector added in #67031.

For users who can't load site data, i.e. non-admin users, the getHomePage() selector returns null. As a result, the templateId doesn't get resolved by the early return here.

Simply removing this early return seems to solve the problem, but I'm not very familiar with the Core Data API and would like feedback.

cc @Mamaduka @youknowriad @jsnajdr

[youknowriad]

It is possible that non-administrators are not allowed to read the "home page" setting.

If it's the case, we shouldn't allow non administrators to switch to post templates because it just means that we'll render the wrong template in some cases.

The alternative would be to figure out how to make the "home page" setting accessible to non administrators.

[fabiankaegy]

The alternative would be to figure out how to make the "home page" setting accessible to non administrators.

This is what I would prefer and what I am trying to work on currently. https://core.trac.wordpress.org/ticket/48885 seems to be a good way to solve it.

If we cannot get there in time for 6.8 I say we have to revert the "bugxif" in #68110 because whilst I agree it is a bug. The behavior in trunk today is a large regression because users that were previously able to do something are no longer able to do it.

[t-hamano]

It's worth noting that some options are already exposed as inline JS variables: https://github.com/t-hamano/wordpress-develop/blob/530e8fda5d466b07391ff41fe20525d3de4c55ab/src/wp-includes/block-editor.php#L629-L635

It would probably be easiest to add an option for the homepage setting here, but once exposed, the JS global variable cannot be removed for backward compatibility, so it may be best to avoid this in the long run.

Personally, I would prefer to accept the bug for now that non-admins may see unintended templates, and make post templates available to non-admins too. That bug must have been there before.

[Mamaduka]

As a short-term solution, can we expose this as read-only settings via the REST API index? Are there any security concerns with making these page IDs public?

cc @TimothyBJacobs, @spacedmonkey