This commit is contained in:
2026-07-02 15:54:39 -06:00
commit 9883323161
17470 changed files with 4470592 additions and 0 deletions
@@ -0,0 +1,100 @@
<?php
/**
* Editor preview REST endpoint.
*
* Returns server-rendered form HTML for use inside the Form block's
* in-editor preview. Uses the same render helper as the public runtime
* so there is no JS/PHP drift — what you see here is what visitors get.
*
* Permission: users with the baseline `use` cap can hit the route, and the
* render helper then allows published forms for those users while requiring
* edit access on the specific form for draft/private previews.
*
* @package GenerateBlocksPro
*/
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
/**
* Form preview REST class.
*/
class GenerateBlocks_Pro_Form_Preview_Rest extends GenerateBlocks_Pro_Singleton {
/**
* Initialize.
*/
public function init() {
add_action( 'rest_api_init', [ $this, 'register_routes' ] );
}
/**
* Register routes.
*/
public function register_routes() {
register_rest_route(
'generateblocks-pro/v1',
'/forms/(?P<id>\d+)/preview',
[
'methods' => WP_REST_Server::READABLE,
'callback' => [ $this, 'render_preview' ],
'permission_callback' => [ $this, 'can_preview' ],
'args' => [
'id' => [
'required' => true,
'type' => 'integer',
'sanitize_callback' => 'absint',
],
],
]
);
}
/**
* Render the form HTML for an editor preview.
*
* Returns 200 with `{ html }` on success, 200 with `{ success:false, message }`
* on failure. 200 is intentional — this is an editor convenience endpoint,
* not a state change, and the editor shows the message inline.
*
* @param WP_REST_Request $request Request.
* @return WP_REST_Response
*/
public function render_preview( WP_REST_Request $request ) {
$form_id = absint( $request->get_param( 'id' ) );
$html = GenerateBlocks_Pro_Form_Render::render( $form_id, 'editor' );
if ( is_wp_error( $html ) ) {
return new WP_REST_Response(
[
'success' => false,
'message' => $html->get_error_message(),
],
200
);
}
return new WP_REST_Response(
[
'success' => true,
'html' => $html,
],
200
);
}
/**
* Permission callback.
*
* Individual form permission checks happen inside the render helper;
* here we only gate on the baseline "can use forms at all" cap to stop
* anonymous REST enumeration of preview URLs.
*
* @return bool
*/
public function can_preview() {
return GenerateBlocks_Pro_Form_Post_Type::current_user_can( 'use' );
}
}