don't show wp_block widget for non-admin users (#587)

components/class-boldgrid-components-shortcode.php

@@ -140,6 +140,15 @@ protected function add_widget_configs() {
 			$widgets = $GLOBALS['wp_widget_factory']->widgets;
 
 			foreach( $widgets as $classname => $widget ) {
+				/*
+				 * If the user is not an admin, skip the 'block'
+				 * widget because it allows the users to add
+				 * arbitrary HTML and JavaScript.
+				 */
+				if ( ! current_user_can( 'manage_options' ) && 'block' === $widget->id_base ) {
+					continue;
+				}
+
 				if ( ! in_array( $widget->id_base, $this->config['skipped_widgets'] ) ) {
 					$name = 'wp_' . $widget->id_base;
 					$widget_config = $this->create_widget_config( $widget, $classname );