Block Bindings: Fix editing protected custom fields in block bindings (…

…#65658) * Use `getPostMetaFields` in `canUserEditValue` * Add e2e test Co-authored-by: SantosGuillamot <[email protected]> Co-authored-by: cbravobernal <[email protected]>
WordPress · Sep 25, 2024 · 0a09968 · 0a09968
1 parent 1bf76cc
commit 0a09968
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 10 deletions.
diff --git a/packages/e2e-tests/plugins/block-bindings.php b/packages/e2e-tests/plugins/block-bindings.php
@@ -55,9 +55,10 @@ function gutenberg_test_block_bindings_registration() {
 		'post',
 		'_protected_field',
 		array(
-			'type'    => 'string',
-			'single'  => true,
-			'default' => 'protected field value',
+			'type'         => 'string',
+			'show_in_rest' => true,
+			'single'       => true,
+			'default'      => 'protected field value',
 		)
 	);
 	register_meta(

diff --git a/packages/editor/src/bindings/post-meta.js b/packages/editor/src/bindings/post-meta.js
@@ -114,14 +114,9 @@ export default {
 			return false;
 		}
 
-		// Check that the custom field is not protected and available in the REST API.
+		const fieldValue = getPostMetaFields( registry, context )?.[ args.key ]
+			?.value;
 		// Empty string or `false` could be a valid value, so we need to check if the field value is undefined.
-		const fieldValue = registry
-			.select( coreDataStore )
-			.getEntityRecord( 'postType', postType, context?.postId )?.meta?.[
-			args.key
-		];
-
 		if ( fieldValue === undefined ) {
 			return false;
 		}

diff --git a/test/e2e/specs/editor/various/block-bindings.spec.js b/test/e2e/specs/editor/various/block-bindings.spec.js
@@ -2390,6 +2390,33 @@ test.describe( 'Block bindings', () => {
 					previewPage.locator( '#image-alt-binding img' )
 				).toHaveAttribute( 'alt', 'new value' );
 			} );
+
+			test( 'should not be possible to edit the value of the protected custom fields', async ( {
+				editor,
+			} ) => {
+				await editor.insertBlock( {
+					name: 'core/paragraph',
+					attributes: {
+						content: 'paragraph default content',
+						metadata: {
+							bindings: {
+								content: {
+									source: 'core/post-meta',
+									args: { key: '_protected_field' },
+								},
+							},
+						},
+					},
+				} );
+				const paragraphBlock = editor.canvas.getByRole( 'document', {
+					name: 'Block: Paragraph',
+				} );
+
+				await expect( paragraphBlock ).toHaveAttribute(
+					'contenteditable',
+					'false'
+				);
+			} );
 		} );
 	} );