[wp-trac] [WordPress Trac] #62140: Consider allowing themes to register block metadata collections

WordPress Trac noreply at wordpress.org
Thu Oct 24 14:23:36 UTC 2024 

#62140: Consider allowing themes to register block metadata collections
--------------------------+---------------------
 Reporter:  flixos90      |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  6.7.1
Component:  Editor        |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+---------------------

Comment (by flixos90):

 Replying to [comment:9 dougwollison]:
 > Replying to [comment:4 flixos90]:
 > > The reason those conditions exist has nothing to do with allowlisting
 in the first place. They exist because we need to prevent certain
 directories from being used, for example it needs to be impossible to
 register e.g. the root plugins or root themes directory as a block
 collection, since then all block types from all other plugins would be
 considered part of such a collection. So that part of the behavior needs
 to be maintained no matter what we allowlist. Another example would be if
 someone tried to register the parent directory of the entire WordPress
 site, that would be a problem so it needs to be prevented.
 >
 > Wait, how is that so disasterous? I'm looking at the source again and
 I'm confused.

 When `register_block_type_from_metadata()` runs, we check if there's a
 block metadata collection that encompasses that given file location. For
 example, if I have a block file `wp-content/plugins/my-
 plugin/blocks/test/block.json`, a collection with `wp-content/plugins/my-
 plugin` would match that (good), but so would a collection with `wp-
 content/plugins` (bad). We wouldn't want to allow someone to tamper with
 how other plugins' blocks are registered, it could be used to override the
 block configuration data by other plugins. Other than that, it's also a
 bit wasteful for performance because ''every'' plugin's blocks would also
 match that overall `wp-content/plugins` block metadata collection.

 Last but not least, there's efforts like #62267, which would make it even
 more problematic if it was possible to register block metadata collections
 for those root directories.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62140#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list