Simple Payments: Stop contributors from creating inaccessible buttons with a "pending" post status.

[kwight]

When Contributors attempt to add a Simple Payments button, the API call (to /sites/:site/posts/new) will succeed, creating a new button post entry in the site's database. However, this post (of type jp_pay_product) will have a pending status, due to custom post type handling in the API. The button insert will fail in the Calypso UI, and site admins won't be able to interact with these zombie buttons since we explicitly list only published buttons in the UI.

Rather than have buttons of multiple possible statuses in the database, and rather than interfering with the current handling of all CPTs in the API, this PR bumps the edit_posts capability for jp_pay_product to publish_posts, making only Authors and above capable of creating Simple Payment buttons; Contributors will now get a failed permissions response, and no button post will be added to the site database.

Testing

• Add a contributor to a Jetpack site with a business plan (so that Simple Payments are available).
• Using the contributor, add a Simple Payments button in Calypso; notice the UI shows an error, but devtools reveals the successful creation of the post.
• Sandbox the API and apply this patch (the dotcom patch).
• Attempt to add a button again, and note the API response is error: "unauthorized"
• With a user that is an author or higher, verify you can still successfully add a Simple Payment button with the patch applied.

[matticbot]

Caution: This PR has changes that must be merged to WordPress.com
Please review this diff before merging: D18068-code. (newly created revision)

[jetpackbot]

	Warnings
⚠️	The PR is missing at least one [Status] label. Suggestions: [Status] In Progress, [Status] Needs Review
⚠️	"Testing instructions" are missing for this PR. Please add some
⚠️	"Proposed changelog entry" is missing for this PR. Please include any meaningful changes

This is automated check which relies on PULL_REQUEST_TEMPLATE.We encourage you to follow that template as it helps Jetpack maintainers do their job. If you think 'Testing instructions' or 'Proposed changelog entry' are not needed for your PR - please explain why you think so. Thanks for cooperation 🤖

Generated by 🚫 dangerJS

[gwwar]

Thanks @kwight I tested this with Editor/Author/Contributor and verified that this behaves as expected!

[jeherve]

When Contributors attempt to add a Simple Payments button

How would you do this as a contributor? I was trying to reproduce the issue, but I can't seem to add buttons in the wpcom editor as a contributor:

[kwight]

How would you do this as a contributor? I was trying to reproduce the issue, but I can't seem to add buttons in the wpcom editor as a contributor

Hm, I'm not sure why you can't – well, you should be able to create the junk "pending" post, and then the UI will still show a failure notice to insert the shortcode into the post:

I haven't seen the unknown_post_type error at all (not with dotcom sites, nor with a connected JP sandbox on a Premium plan. Simple Payments requires a Premium or Professional plan – did your test site have one?..

[matticbot]

Caution: This PR has changes that must be merged to WordPress.com
Please review this diff before merging: D18068-code. (updated diff)

[gwwar]

Was the site private? I think there's a second issue around permissions in that case.

[mdawaffe]

LGTM. Thanks!

[jeherve]

Works well for me too now. The sandbox I was testing on had code stopping the Simple Payments module to load. 🤦‍♂️

Merging now!