Require super-admin for theme-modifying REST routes on multisite#850
Open
mikachan wants to merge 13 commits into
Conversation
Contributor
Pull request overview
This PR tightens permissions for theme-modifying REST API routes in CBT_Theme_API, requiring super-admin on multisite (where themes are network-shared) and restoring gating by DISALLOW_FILE_EDIT / DISALLOW_FILE_MODS. It also adds PHPUnit coverage around the new permission behavior.
Changes:
- Updated 9 filesystem-mutating REST routes to use a centralized `can_modify_theme()` permission check (super-admin on multisite, `edit_theme_options` otherwise).
- Added `file_mods_allowed()` to block modifications when `DISALLOW_FILE_EDIT` / `DISALLOW_FILE_MODS` are set (with a filter seam for tests).
- Introduced a new PHPUnit test class covering `can_modify_theme()`, `file_mods_allowed()`, and select route permission outcomes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| includes/class-create-block-theme-api.php | Centralizes and tightens permission checks for mutating REST routes; adds file-mod hardening gate. |
| tests/test-class-create-block-theme-api.php | Adds unit tests for new permission logic and REST route permission enforcement. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Member
Author
Looks like these were all good suggestions - I've applied them all.
scruffian
reviewed
Jun 16, 2026
scruffian flagged that the previous implementation bypassed WordPress Core's canonical `file_mod_allowed` filter — the mechanism hosts and security plugins use to disable file modifications globally. Now delegates the DISALLOW_FILE_MODS / file_mod_allowed branch to wp_is_file_mod_allowed( 'create_block_theme_modify_theme' ). The explicit DISALLOW_FILE_EDIT check is kept on top because Core's helper does NOT cover that constant (it's specifically for the theme file editor UI). The cbt_file_mods_allowed filter remains as a test seam — it can only further restrict, never re-enable, the policy decided by core.
scruffian
reviewed
Jun 17, 2026
scruffian
reviewed
Jun 17, 2026
Refactors can_modify_theme() to compose two WordPress Core primitives
instead of reimplementing the same checks:
current_user_can( 'edit_themes' )
&& wp_is_file_mod_allowed( 'create_block_theme_modify_theme' )
The edit_themes capability already encodes the matrix this plugin
needs: held by Administrators on single-site, super-admins on multisite
(NOT sub-site admins), and automatically denied by Core when
DISALLOW_FILE_EDIT is defined. wp_is_file_mod_allowed handles
DISALLOW_FILE_MODS and the canonical file_mod_allowed filter.
That removes:
- the explicit is_multisite() / is_super_admin() branch
- the explicit DISALLOW_FILE_EDIT constant check
- the file_mods_allowed() helper
- the cbt_file_mods_allowed filter (was a test seam; tests now use
the canonical file_mod_allowed filter instead)
Functional matrix is unchanged.
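The composition described in that commit, written out as an added example that is not code from this PR or from the Create Block Theme plugin: a REST `permission_callback` built from `current_user_can( 'edit_themes' )` and `wp_is_file_mod_allowed()`, the route registration that uses it, and a `WP_UnitTestCase` showing how the canonical `file_mod_allowed` filter and multisite super-admin status decide the outcome. The namespace `example-theme-tools/v1`, the `/export` route, the `example_*` names and the filter context string `example_modify_theme` are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code). Names prefixed example_ and the
// route namespace below are assumed; run inside WordPress / the WP PHPUnit harness.

/**
 * Composes Core's own checks instead of reimplementing them:
 *  - `edit_themes` is mapped by map_meta_cap() to `do_not_allow` when
 *    DISALLOW_FILE_EDIT is true, when file mods are disallowed, or on
 *    multisite for any user who is not a super-admin.
 *  - wp_is_file_mod_allowed() is false when DISALLOW_FILE_MODS is true and
 *    then passes the result through the `file_mod_allowed` filter with our
 *    own context string, so hooked policy code can tell this caller apart.
 */
function example_can_modify_theme() {
	return current_user_can( 'edit_themes' )
		&& wp_is_file_mod_allowed( 'example_modify_theme' );
}

/**
 * permission_callback for every route that writes into the theme directory.
 * Returning WP_Error instead of false lets Core answer 401 to anonymous
 * callers and 403 to authenticated but unauthorised ones.
 */
function example_modify_theme_permission( WP_REST_Request $request ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			__( 'You must be logged in to modify theme files.' ),
			array( 'status' => 401 )
		);
	}
	if ( ! example_can_modify_theme() ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to modify theme files on this site.' ),
			array( 'status' => 403 )
		);
	}
	return true;
}

function example_export_theme( WP_REST_Request $request ) {
	// A real handler would write under get_stylesheet_directory(); by the time
	// it runs, the permission callback above has already gated the request.
	return rest_ensure_response( array( 'theme_dir' => get_stylesheet_directory() ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example-theme-tools/v1', '/export', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'example_export_theme',
		'permission_callback' => 'example_modify_theme_permission',
	) );
} );

// Test sketch for the WordPress PHPUnit harness; in practice this class lives
// in the plugin's tests/ directory rather than next to the route code.
class Example_Theme_Permission_Test extends WP_UnitTestCase {

	private function dispatch_export() {
		$request = new WP_REST_Request( 'POST', '/example-theme-tools/v1/export' );
		return rest_get_server()->dispatch( $request );
	}

	public function test_anonymous_gets_401() {
		wp_set_current_user( 0 );
		$this->assertSame( 401, $this->dispatch_export()->get_status() );
	}

	public function test_file_mod_allowed_filter_denies_an_administrator() {
		$admin = self::factory()->user->create( array( 'role' => 'administrator' ) );
		if ( is_multisite() ) {
			grant_super_admin( $admin ); // site admin alone is not enough on multisite
		}
		wp_set_current_user( $admin );
		$this->assertTrue( example_can_modify_theme() );

		// The host/security-plugin kill switch: no plugin-level seam needed.
		add_filter( 'file_mod_allowed', '__return_false' );
		$this->assertFalse( example_can_modify_theme() );
		$this->assertSame( 403, $this->dispatch_export()->get_status() );
		remove_filter( 'file_mod_allowed', '__return_false' );
	}

	public function test_multisite_site_admin_is_not_enough() {
		if ( ! is_multisite() ) {
			$this->markTestSkipped( 'Multisite only.' );
		}
		$site_admin = self::factory()->user->create( array( 'role' => 'administrator' ) );
		wp_set_current_user( $site_admin );
		$this->assertFalse( example_can_modify_theme() );
		$this->assertSame( 403, $this->dispatch_export()->get_status() );
	}
}
```

Note that `map_meta_cap()` already calls `wp_is_file_mod_allowed( 'capability_edit_themes' )` while resolving `edit_themes`, so the second call in `example_can_modify_theme()` is not redundant for the constant but for the context: a `file_mod_allowed` hook can refuse this plugin's writes specifically without also hiding Core's theme editor.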
On a multisite, themes are network-shared. This PR tightens the permission check on the 9 filesystem-mutating REST routes in `CBT_Theme_API` so that only super-admins can call them when the site is multisite. The read-only `/font-families` route is unchanged.

Also restores `DISALLOW_FILE_EDIT` / `DISALLOW_FILE_MODS` honouring that the plugin had prior to v2.1.2. Both constants now gate theme-file modifications, matching the behaviour of `wp-admin/theme-editor.php`.

To test, ensure the following tests pass: