From ac75c14edcd96e01f3ff41f67fddac3f74b9ca45 Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Fri, 19 Oct 2018 14:47:47 -0400
Subject: [PATCH] Reusable Blocks: Verify edit capability on export action

---
 gutenberg.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gutenberg.php b/gutenberg.php
index 22e3ec6dfff24..d420337390d9e 100644
--- a/gutenberg.php
+++ b/gutenberg.php
@@ -265,6 +265,14 @@ function gutenberg_add_edit_link( $actions, $post ) {
 if ( 'wp_block' === $post->post_type ) {
 unset( $actions['inline hide-if-no-js'] );
+
+ // Export uses block raw content, which is only returned from the post
+ // REST endpoint via `context=edit`, requiring edit capability.
+ $post_type = get_post_type_object( $post->post_type );
+ if ( ! current_user_can( $post_type->cap->edit_post, $post->ID ) ) {
+ return $actions;
+ }
+
 $actions['export'] = sprintf(
 '',
 $post->ID,
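Review bot: The early `return $actions;` inside the `wp_block` branch exits the whole filter callback for users without the edit capability, so anything the function does after this branch is skipped for them too; the body continues past the hunk, so whether later code exists cannot be confirmed from here. Scoping the check to the one action it guards avoids that coupling: `if ( current_user_can( $post_type->cap->edit_post, $post->ID ) ) { $actions['export'] = sprintf( ... ); }`. The comment could also state outright that this only hides the link and that authorization is enforced by the REST endpoint's `context=edit` permission check, e.g. `// UI only: the REST endpoint enforces edit capability for context=edit.`, so the row-action filter is not later mistaken for the access control.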