Add capabilities for reusable blocks

Adds capabilities for creating, reading, updating and deleting reusable
blocks. The capabilities are mapped like so:

|        | Editors^ | Authors | Contributors | Subscribers* |
| ------ | -------- | ------- | ------------ | ------------ |
| Create | Yes      | Yes     | No           | No           |
| Read   | Yes      | Yes     | Yes          | No           |
| Update | Yes      | Own     | Own          | No           |
| Delete | Yes      | Own     | Own          | No           |

^ Includes administrators.
* Includes visitors that are not logged in.

lib/class-wp-rest-blocks-controller.php

@@ -16,6 +16,39 @@
  * @see WP_REST_Controller
  */
 class WP_REST_Blocks_Controller extends WP_REST_Posts_Controller {
+	/**
+	 * Checks if a block can be read.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @param object $post Post object that backs the block.
+	 * @return bool Whether the block can be read.
+	 */
+	public function check_read_permission( $post ) {
+		// Ensure that the user is logged in and has the read_blocks capability.
+		$post_type = get_post_type_object( $post->post_type );
+		if ( ! current_user_can( $post_type->cap->read_post, $post->ID ) ) {
+			return false;
+		}
+
+		return parent::check_read_permission( $post );
+	}
+
+	/**
+	 * Handle a DELETE request.
+	 *
+	 * @since 1.10.0
+	 *
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
+	 */
+	public function delete_item( $request ) {
+		// Always hard-delete a block.
+		$request->set_param( 'force', true );
+
+		return parent::delete_item( $request );
+	}
+
 	/**
 	 * Given an update or create request, build the post object that is saved to
 	 * the database.
@@ -25,33 +58,22 @@ class WP_REST_Blocks_Controller extends WP_REST_Posts_Controller {
 	 * @param WP_REST_Request $request Request object.
 	 * @return stdClass|WP_Error Post object or WP_Error.
 	 */
-	protected function prepare_item_for_database( $request ) {
-		$prepared_post = new stdClass;
-
-		if ( isset( $request['id'] ) ) {
-			$existing_post = $this->get_post( $request['id'] );
-			if ( is_wp_error( $existing_post ) ) {
-				return $existing_post;
-			}
-
-			$prepared_post->ID = $existing_post->ID;
-		}
+	public function prepare_item_for_database( $request ) {
+		$prepared_post = parent::prepare_item_for_database( $request );
 
-		$prepared_post->post_title   = $request['title'];
-		$prepared_post->post_content = $request['content'];
-		$prepared_post->post_type    = $this->post_type;
-		$prepared_post->post_status  = 'publish';
+		// Force blocks to always be published.
+		$prepared_post->post_status = 'publish';
 
-		return apply_filters( "rest_pre_insert_{$this->post_type}", $prepared_post, $request );
+		return $prepared_post;
 	}
 
 	/**
-	 * Given a post from the database, build the array that is returned from an
+	 * Given a block from the database, build the array that is returned from an
 	 * API response.
 	 *
 	 * @since 1.10.0
 	 *
-	 * @param WP_Post         $post    Post object.
+	 * @param WP_Post         $post    Post object that backs the block.
 	 * @param WP_REST_Request $request Request object.
 	 * @return WP_REST_Response Response object.
 	 */
@@ -67,21 +89,6 @@ public function prepare_item_for_response( $post, $request ) {
 		return apply_filters( "rest_prepare_{$this->post_type}", $response, $post, $request );
 	}
 
-	/**
-	 * Handle a DELETE request.
-	 *
-	 * @since 1.10.0
-	 *
-	 * @param WP_REST_Request $request Full details about the request.
-	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
-	 */
-	public function delete_item( $request ) {
-		// Always hard-delete a block.
-		$request->set_param( 'force', true );
-
-		return parent::delete_item( $request );
-	}
-
 	/**
 	 * Builds the block's schema, conforming to JSON Schema.
 	 *

lib/register.php

@@ -401,11 +401,46 @@ function gutenberg_register_post_types() {
 			'singular_name' => 'Block',
 		),
 		'public'                => false,
-		'capability_type'       => 'post',
 		'show_in_rest'          => true,
 		'rest_base'             => 'blocks',
 		'rest_controller_class' => 'WP_REST_Blocks_Controller',
+		'capability_type'       => 'block',
+		'capabilities'          => array(
+			'read'         => 'read_blocks',
+			'create_posts' => 'create_blocks',
+		),
+		'map_meta_cap'          => true,
 	) );
+
+	foreach ( array( 'administrator', 'editor' ) as $role_name ) {
+		$editor = get_role( $role_name );
+		$editor->add_cap( 'edit_blocks' );
+		$editor->add_cap( 'edit_others_blocks' );
+		$editor->add_cap( 'publish_blocks' );
+		$editor->add_cap( 'read_private_blocks' );
+		$editor->add_cap( 'read_blocks' );
+		$editor->add_cap( 'delete_blocks' );
+		$editor->add_cap( 'delete_private_blocks' );
+		$editor->add_cap( 'delete_published_blocks' );
+		$editor->add_cap( 'delete_others_blocks' );
+		$editor->add_cap( 'edit_private_blocks' );
+		$editor->add_cap( 'edit_published_blocks' );
+		$editor->add_cap( 'create_blocks' );
+	}
+
+	$author = get_role( 'author' );
+	$author->add_cap( 'edit_blocks' );
+	$author->add_cap( 'publish_blocks' );
+	$author->add_cap( 'read_blocks' );
+	$author->add_cap( 'delete_blocks' );
+	$author->add_cap( 'delete_published_blocks' );
+	$author->add_cap( 'edit_published_blocks' );
+	$author->add_cap( 'create_blocks' );
+
+	$contributor = get_role( 'contributor' );
+	$contributor->add_cap( 'edit_blocks' );
+	$contributor->add_cap( 'read_blocks' );
+	$contributor->add_cap( 'delete_blocks' );
 }
 add_action( 'init', 'gutenberg_register_post_types' );