Introduce new capabilities for viewing secondary elements
Feature Description
Site Kit’s primary features live in its dashboard view, but there are a few substantial “secondary” elements which fall outside of the main area, particularly the WordPress dashboard “Site Kit Summary” widget, and the admin bar integration on the frontend. These currently both rely on the custom VIEW_DASHBOARD capability, however in the context of dashboard sharing, this is potentially not sufficient as a user may have the ability to view the shared dashboard, but lack access to Search Console or Analytics. These two locations are unique in that they have a hardcoded layout that relies on these two modules only. If the user does not have access to at least one of them, we should not show it in the first place as the requests would be guaranteed to fail which would make for a rather poor experience.
Do not alter or remove anything below. The following sections will be managed by moderators only.
Acceptance criteria
- The Permissions class should receive two new capabilities:
  * VIEW_WP_DASHBOARD_WIDGET
  * VIEW_ADMIN_BAR_MENU
- For now, both capabilities will use the same logic for checking them:
  * They should be added to the list of base capabilities with similar behavior as VIEW_DASHBOARD.
  * They should however use the same logic as VIEW_AUTHENTICATED_DASHBOARD, i.e. they should only be available to authenticated users (in addition to the above base capability to core mapping).
Implementation Brief
- Add two new capability constants to includes/Core/Permissions/Permissions.php: VIEW_WP_DASHBOARD_WIDGET and VIEW_ADMIN_BAR_MENU.
- Have the constants setup/mirror the behaviour of the existing VIEW_DASHBOARD constant, except for its permissions checks use the logic here: https://github.com/google/site-kit-wp/blob/1a10436f98b25c2f046aaacde1bf5157a43717ff/includes/Core/Permissions/Permissions.php#L368
Test Coverage
- PHPUnit tests that ensure these capabilities are returned when the appropriate permissions exist/don’t exist should be added.
QA Brief
QA
- This issue should not affect any existing functionality as it simply ‘adds’ capabilities without ‘using’ them (for now). Thus, it should suffice to smoke test the plugin:
  * with and without the Dashboard Sharing feature flag.
  * using an authenticated admin and a non-authenticated admin (they should be able to do/not do things as before, i.e. authenticated admins should still be able to setup and view the dashboard, etc.).
UPDATED QA
- Verify that a non-authenticated admin and a non-admin user, who would be able to view the shared dashboard (their role should be shared with at least one module), CANNOT view the Admin Bar widget / menu button and the Site Kit Summary on the WP Dashboard.
- Verify that authenticated admins who can view the full dashboard are still able to view the Admin Bar and WP Dashboard widgets.
Changelog entry
- Introduce new permissions for viewing Site Kit on the WordPress Dashboard, and in the Admin Bar.
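
The acceptance criteria above, sketched as a WordPress map_meta_cap filter. This is an added example, not Site Kit's code or anything posted in the issue: the capability strings, the edit_posts mapping, the example_access_token user-meta key and every ex_ name are assumptions chosen for illustration.

```php
<?php
// Added example. All names are hypothetical, not Site Kit's own code.
const EX_VIEW_WP_DASHBOARD_WIDGET = 'example_view_wp_dashboard_widget';
const EX_VIEW_ADMIN_BAR_MENU      = 'example_view_admin_bar_menu';

// Base capability => core capability it maps to (edit_posts is an assumption).
const EX_BASE_TO_CORE = array(
	EX_VIEW_WP_DASHBOARD_WIDGET => 'edit_posts',
	EX_VIEW_ADMIN_BAR_MENU      => 'edit_posts',
);

// Assumption: a stored per-user token marks a connected Google account.
function ex_user_is_authenticated( int $user_id ): bool {
	return '' !== (string) get_user_meta( $user_id, 'example_access_token', true );
}

// Returns the primitive capabilities WordPress must find on the user.
// $is_authenticated is a callable( int $user_id ): bool.
function ex_map_secondary_caps( array $caps, string $cap, int $user_id, callable $is_authenticated ): array {
	if ( ! array_key_exists( $cap, EX_BASE_TO_CORE ) ) {
		return $caps; // Not one of the two capabilities: leave untouched.
	}
	if ( ! $is_authenticated( $user_id ) ) {
		// Shared-access user with no connection of their own: always deny.
		// 'do_not_allow' is the WordPress core sentinel no user can hold.
		return array( 'do_not_allow' );
	}
	return array( EX_BASE_TO_CORE[ $cap ] );
}

// Register only when WordPress is loaded, so the mapping stays unit-testable.
if ( function_exists( 'add_filter' ) ) {
	add_filter(
		'map_meta_cap',
		function ( $caps, $cap, $user_id ) {
			return ex_map_secondary_caps( (array) $caps, (string) $cap, (int) $user_id, 'ex_user_is_authenticated' );
		},
		10,
		3
	);
}
// Render sites then gate on current_user_can( EX_VIEW_ADMIN_BAR_MENU ).
```

Because the authentication check is injected as a callable, the deny path for a shared-access user can be covered in PHPUnit without a live Google connection.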
Approval ❌
@wpdarren @jimmymadon @aaemnnosttv This has already been flagged in the dashboard sharing bug bash, but this is not behaving like it should. There may have been a misunderstanding during the implementation, since also the QA Brief is not accurate. This change should have end user facing implications: Users with shared access (not connected with their Google account) should be able to view the shared dashboard, but not the Site Kit WP dashboard widget, and not the Site Kit admin bar menu. Essentially, these two areas should never be visible to anyone with shared access.
Sending this back to Execution for consideration. In case this is trivial to fix, it would be great to do that here. Otherwise, since it’s only affecting the dashboardSharing feature flag, we could also fix it later.

@aaemnnosttv Updated the ACs based on our conversation earlier. Let me know if that looks good to you.