Skip to content

Suggest mode: REST permissions and PHP coverage for note suggestions#78351

Open
adamsilverstein wants to merge 1 commit into
suggest-mode-phase-4from
phase-5a-rest-backend
Open

Suggest mode: REST permissions and PHP coverage for note suggestions#78351
adamsilverstein wants to merge 1 commit into
suggest-mode-phase-4from
phase-5a-rest-backend

Conversation

@adamsilverstein
Copy link
Copy Markdown
Member

@adamsilverstein adamsilverstein commented May 15, 2026
edited
Loading

Overview

One of three replacement PRs for the now-closed #77407. This slice is the REST/PHP backend for the Suggest-mode lifecycle.

Tracking issue: #73411.

What's in this PR

  • REST permission overridelib/compat/wordpress-6.9/class-gutenberg-rest-comment-controller-6-9.php overrides update_item_permissions_check so a user with edit_post on the parent can update note comments — but only for suggestion-lifecycle fields (status limited to approved/hold, plus meta._wp_suggestion_status). Any other field falls back to core's edit_comment check.
  • Meta auth_callbacks_wp_suggestion and _wp_suggestion_status both authorize on edit_post against the parent.
  • Payload size cap — 64 KB ceiling on the serialized _wp_suggestion payload, enforced at the controller before sanitize fires (matching the client-side pre-flight cap).
  • PHPUnit coverageclass-wp-rest-comments-controller-gutenberg-test.php: meta round-trip, editor-can-apply, contributor-cannot-apply, restricted-field pass-through, payload-size truncation.

Pure backend. No JS, no UI. Safe to merge ahead of the rest of the stack.

Test plan

npm run wp-env run cli -- --env-cwd='wp-content/plugins/gutenberg' vendor/bin/phpunit --filter=WP_Test_REST_Comments_Controller_Gutenberg
vendor/bin/phpcs lib/compat/wordpress-6.9/class-gutenberg-rest-comment-controller-6-9.php lib/compat/wordpress-6.9/block-comments.php

Manual:

  1. Editor on a post they can edit_post: PATCH /wp/v2/comments/<id> with { status: 'approved', meta: { _wp_suggestion_status: 'applied' } } — succeeds.
  2. Contributor: same PATCH — 403.
  3. PATCH with { content: 'rewritten' } — falls back to core edit_comment.
  4. PATCH with { status: 'spam' } — falls back to core edit_comment.
  5. Submit a _wp_suggestion meta payload > 64 KB — 400.

Replaces part of #77407.

🗺️ PR Stack Navigation

# PR Phase
1 #77403 Intent scaffolding Edit / Suggest / View mode
2 #77404 Overlay capture In-memory suggestion overlay
3 #77405 Provider + Accept/Reject _wp_suggestion meta, provider, sidebar actions
4 #77406 Summary + docs + attribute tests Add/Delete/Formatting summary, architecture stub, conflict scoping
5a #78351 REST permissions and PHP coverage ← this PR Permissions, payload cap, PHP tests
5b #78352 Summary + attribute conflict + docs Renderer, per-attribute staleness, architecture docs
5c #78353 Surface Apply/Reject in the collaboration sidebar Icon buttons + e2e + sidebar wiring
6 #78308 Auto-save subsystem Background debounced save (replaces commit-bar)

📋 Tracking issue: #73411

@adamsilverstein
REST: Allow post editors to accept/reject suggestion notes
860177a 
Override the comments REST controller for type=note so non-author editors
can manage suggestion lifecycle without moderate_comments. Restrict updates
to a scope-tightened allowlist (status and _wp_suggestion_status only),
enforce a 64 KB payload ceiling on _wp_suggestion before sanitize fires,
and add PHPUnit coverage for the new permission surface.
@github-actions github-actions Bot added the [Package] Editor /packages/editor label May 15, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 15, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: adamsilverstein <adamsilverstein@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

This was referenced May 15, 2026
Open
Open
Closed
Open
Open
Open
Open
Open
@adamsilverstein adamsilverstein self-assigned this May 15, 2026
@adamsilverstein adamsilverstein added [Status] In Progress Tracking issues with work in progress [Type] Feature New feature to highlight in changelogs. [Feature] Notes Phase 3 of the Gutenberg roadmap around block commenting labels May 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spacedmonkey spacedmonkey Awaiting requested review from spacedmonkey spacedmonkey is a code owner

Assignees

@adamsilverstein adamsilverstein

Labels

[Feature] Notes Phase 3 of the Gutenberg roadmap around block commenting [Package] Editor /packages/editor [Status] In Progress Tracking issues with work in progress [Type] Feature New feature to highlight in changelogs.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@adamsilverstein