feat: filter for settings access

Automattic · Jan 9, 2024 · 2dc28b3 · 2dc28b3
1 parent cf796d6
commit 2dc28b3
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 13 deletions.
diff --git a/includes/class-settings.php b/includes/class-settings.php
@@ -15,7 +15,6 @@
 final class Settings {
 
 	const API_NAMESPACE      = 'newspack-ads/v1';
-	const API_CAPABILITY     = 'manage_options';
 	const OPTION_NAME_PREFIX = '_newspack_ads_';
 
 	/**
@@ -29,7 +28,6 @@ public static function init() {
 	 * Register the endpoints needed to fetch and update settings.
 	 */
 	public static function register_api_endpoints() {
-
 		register_rest_route(
 			self::API_NAMESPACE,
 			'/settings',
@@ -61,13 +59,20 @@ public static function register_api_endpoints() {
 		);
 	}
 
+	/**
+	 * Can current user manage the settings?
+	 */
+	public static function can_current_user_manage_settings() {
+		return apply_filters( 'newspack_ads_can_current_user_manage_settings', current_user_can( 'manage_options' ) );
+	}
+
 	/**
 	 * Check capabilities for using API.
 	 *
 	 * @return bool|\WP_Error True or error object.
 	 */
 	public static function api_permissions_check() {
-		if ( ! current_user_can( self::API_CAPABILITY ) ) {
+		if ( ! self::can_current_user_manage_settings() ) {
 			return new \WP_Error(
 				'newspack_ads_rest_forbidden',
 				esc_html__( 'You cannot use this resource.', 'newspack-ads' ),

diff --git a/includes/customizer/class-customizer.php b/includes/customizer/class-customizer.php
@@ -90,7 +90,6 @@ public static function register_customizer_controls( $wp_customize ) {
 		include_once NEWSPACK_ADS_ABSPATH . '/includes/customizer/class-placement-customize-control.php';
 
 		$placements = Placements::get_placements();
-		$capability = Settings::API_CAPABILITY;
 
 		// Register panel.
 		$wp_customize->add_panel(
@@ -114,15 +113,16 @@ public static function register_customizer_controls( $wp_customize ) {
 					'panel' => 'newspack-ads',
 				]
 			);
-			$wp_customize->add_setting(
-				$setting_id,
-				[
-					'type'              => 'option',
-					'capability'        => $capability,
-					'transport'         => 'postMessage',
-					'sanitize_callback' => [ __CLASS__, 'sanitize' ],
-				]
-			);
+			if ( Settings::can_current_user_manage_settings() ) {
+				$wp_customize->add_setting(
+					$setting_id,
+					[
+						'type'              => 'option',
+						'transport'         => 'postMessage',
+						'sanitize_callback' => [ __CLASS__, 'sanitize' ],
+					]
+				);
+			}
 			$wp_customize->add_control(
 				new Placement_Customize_Control(
 					$wp_customize,