feat(ui): add popup title panel to Block Editor document settings

[s-acv2]

Summary

• Add a new Popup Title panel to the Block Editor sidebar
• Allows users to set the popup title text
• Allows users to toggle whether the title displays on the frontend

Changes

• Add popup_title REST field with update_callback in RestAPI.php
• Create popup-title-panel.tsx component with title input and display toggle
• Use module-level storage for pending values with save-on-publish pattern
• Subscribe to Block Editor save events to persist custom fields via REST API

Test Plan

• Edit a popup in Block Editor
• Find "Popup Title" panel in the right sidebar
• Enter a title and verify typing works without focus loss
• Toggle "Display on frontend" setting
• Click Save/Update
• Leave and re-open the popup - verify values persist
• Check frontend - verify title displays (or not) based on toggle

Summary by CodeRabbit

• New Features

  • Added a popup title editing panel to the Block Editor sidebar with save integration so titles persist when a popup is saved.
  • Exposed popup title to the editor so changes sync from the sidebar to the stored popup.

• Style

  • Added editor UI styles for a popup title display toggle.

• Documentation

  • Updated CHANGELOG to announce the new Block Editor functionality.

[coderabbitai]

Warning

Rate limit exceeded

@danieliser has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 54 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d90996e1-162b-439c-9dc7-3b16bd5f23f3

📥 Commits

Reviewing files that changed from the base of the PR and between 7ec05ff and 5b2b093.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (7)

• CHANGELOG.md
• assets/js/src/admin/popup-editor/editor.scss
• classes/Controllers/PostTypes.php
• classes/Controllers/RestAPI.php
• packages/block-editor/src/index.ts
• packages/block-editor/src/plugins/index.ts
• packages/block-editor/src/plugins/popup-title-panel.tsx

Walkthrough

Adds a popup title editing panel to the Gutenberg block editor, registers a popup_title REST/post-meta field for the popup post type, implements a block-editor plugin that tracks edits and posts updates on successful saves, and adds editor styling and changelog entry.

Changes

Cohort / File(s)	Summary
REST API & Post Meta classes/Controllers/RestAPI.php, classes/Controllers/PostTypes.php	Registers popup_title post meta (show_in_rest: true, sanitization, auth callback) and a REST field on popup with get/update callbacks and permission checks; adds custom-fields support to the popup post type.
Block Editor Plugin packages/block-editor/src/index.ts, packages/block-editor/src/plugins/index.ts, packages/block-editor/src/plugins/popup-title-panel.tsx	Adds a new Gutenberg plugin PopupTitlePanel (default export, registered) that reads popup_title, tracks local edits via module-level pending state, subscribes to save completion, and POSTs popup_title to /popup-maker/v2/popups/{postId} on successful non-autosave saves.
Editor Styling assets/js/src/admin/popup-editor/editor.scss	Adds .pum-display-title-toggle styles and nested checkbox/hover rules for the popup title UI.
Changelog CHANGELOG.md	Adds feature entry announcing the popup title editing panel in the block editor sidebar.

Sequence Diagram

sequenceDiagram
    participant Editor as Block Editor
    participant Panel as PopupTitlePanel
    participant Store as Editor Data Store
    participant API as REST API
    participant DB as Post Meta

    Editor->>Panel: Render plugin
    Panel->>Store: useSelect(popup_title, postId)
    Store-->>Panel: current popup_title
    Panel->>Panel: set localTitle & pendingValues

    Editor->>Panel: User edits title
    Panel->>Panel: update localTitle & pendingValues.hasChanges = true

    Editor->>Store: Save post (user triggers save)
    Store->>API: Save post content (non-autosave)
    API->>DB: update post content
    API-->>Store: save complete

    Store-->>Panel: subscription notices save finished
    Panel->>API: POST /popup-maker/v2/popups/{postId} { popup_title }
    API->>DB: update popup_title meta
    DB-->>API: success
    API-->>Panel: response
    Panel->>Panel: pendingValues.hasChanges = false

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a popup title panel to the Block Editor sidebar document settings.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/block-editor-popup-title-panel

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@classes/Controllers/RestAPI.php`:
- Around line 357-373: Replace direct post meta access in the
register_rest_field call for 'popup_title' with the popup object methods: in the
'get_callback' use pum_get_popup($obj->ID) and return $popup ?
$popup->get_title() : ''; in the 'update_callback' retrieve the popup via
pum_get_popup($obj->ID) and call $popup->update_meta('popup_title',
sanitize_text_field($value)) only if $popup exists; keep schema and
permission_callback unchanged and mirror the pattern used by the existing
'popup_settings' handler.

In `@packages/block-editor/src/plugins/popup-title-panel.tsx`:
- Around line 93-99: The current .catch handler in the Promise chain inside
popup-title-panel.tsx (the handler that logs "Failed to save popup title
settings") only writes to console and leaves users unaware of save failures;
update the catch for the save call to also create a user-visible error notice
via the WordPress notices store (dispatch('core/notices').createErrorNotice or
the Popup Maker notification API) with a localized message, keep the
console.error for debugging, and ensure any UI state like
pendingValues.hasChanges remains accurate so the user can retry.

🧹 Nitpick comments (2)

packages/block-editor/src/plugins/popup-title-panel.tsx (2)

8-8: Consider using @popup-maker/i18n for consistency.

Per coding guidelines, prioritize @popup-maker/* packages over @wordpress/* when available. The @popup-maker/i18n package exports a __ function (see packages/i18n/src/index.ts).

Suggested change

-import { __ } from '@wordpress/i18n';
+import { __ } from '@popup-maker/i18n';

---

16-19: Local PopupSettings type may conflict with @popup-maker/core-data.

A PopupSettings type exists in @popup-maker/core-data. Consider importing and extending it, or renaming this local interface to avoid shadowing (e.g., LocalPopupSettings or PopupTitleSettings).

[github-actions]

❌ Commit Validation Error

Your commits don't pass validation. Common issues:

Format Requirements

Commits must follow conventional commit format:

type(scope): subject

[optional body]

[optional footer]

Valid types: feat, fix, improve, perf, refactor, docs, style, test, build, ci, chore, revert
Valid scopes: admin, conditions, cookies, frontend, popup, theme, triggers, forms, extensions, integrations, accessibility, performance, ui, ux, build, deps, tests, api, core, docs, release, support

Examples:

• feat(triggers): add exit intent detection
• improve(popup): enhance animation speed options
• fix(forms): resolve Contact Form 7 tracking issue

See: https://www.conventionalcommits.org/

[coderabbitai]

🧹 Nitpick comments (3)

classes/Controllers/PostTypes.php (3)

171-173: Auth callbacks use generic edit_posts instead of popup-specific capability.

The popup post type registration (lines 135-139) uses $this->container->get_permission( 'edit_popups' ), but these meta auth callbacks use the generic edit_posts capability. Consider using the same permission for consistency.

Also applies to: 190-192

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@classes/Controllers/PostTypes.php` around lines 171 - 173, The meta box auth
callbacks currently call current_user_can('edit_posts') which is inconsistent
with the popup post type permission; replace those auth_callback closures to
check the popup-specific capability by calling
current_user_can($this->container->get_permission('edit_popups')) (or otherwise
use $this->container->get_permission('edit_popups') inside the closure) so the
same permission used in the popup registration is enforced; update both
occurrences (the closure at the shown diff and the similar one around 190-192).

---

220-222: Nested arrays pass through without sanitization.

The comment indicates this is for conditions, triggers, and cookies, but the code allows any nested array to bypass sanitization. This could be a security concern if unexpected nested data is submitted via the REST API.

Consider applying recursive sanitization or explicitly validating that only known nested keys are allowed to pass through.

🔧 Proposed defensive approach

 			} elseif ( is_array( $setting ) ) {
-				// Nested arrays (conditions, triggers, cookies) pass through.
-				$sanitized[ $key ] = $setting;
+				// Only allow known complex setting keys to pass through.
+				$allowed_nested_keys = [ 'conditions', 'triggers', 'cookies' ];
+				if ( in_array( $key, $allowed_nested_keys, true ) ) {
+					$sanitized[ $key ] = $setting;
+				}
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@classes/Controllers/PostTypes.php` around lines 220 - 222, The current branch
in Controllers\PostTypes.php that sets $sanitized[$key] = $setting for
is_array($setting) lets any nested array pass through unsanitized; update this
branch to either (a) recursively sanitize the array (walk arrays and apply the
same scalar sanitization/validation used elsewhere) or (b) enforce an explicit
whitelist so only known nested keys like 'conditions', 'triggers', and 'cookies'
are accepted and their inner keys/values are validated; implement this change in
the same method where $setting, $key and $sanitized are handled so nested arrays
are never blindly assigned without validation.

---

163-175: Dual popup_title REST registration should be documented or consolidated.

The register_post_meta with show_in_rest => true (PostTypes.php, lines 163-176) and register_rest_field (RestAPI.php, lines 359-375) both expose the same popup_title meta key in the REST API at different endpoints (/meta/popup_title and /popup_title). While this appears intentional—only popup_title uses this pattern, not other post meta—the dual registration creates API ambiguity without clear documentation explaining which endpoint clients should use.

Consider either:

• Document why both registrations are necessary (block editor vs. custom namespace support)
• Consolidate to a single, well-documented REST endpoint
• Add a comment explaining the dual registration pattern

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@classes/Controllers/PostTypes.php` around lines 163 - 175, The popup_title
meta is being exposed twice via register_post_meta in PostTypes.php and
register_rest_field in RestAPI.php, creating ambiguous REST endpoints; either
consolidate to a single registration or add an explanatory comment and
documentation. Decide the canonical exposure (prefer register_post_meta(...,
show_in_rest => true) for block/editor compatibility), remove the duplicate
register_rest_field registration for 'popup_title' (or set show_in_rest => false
if you want the custom endpoint only), and add a brief comment in the remaining
registration explaining why this meta is exposed and which REST path clients
should use; update any tests or docs referencing both endpoints.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@classes/Controllers/PostTypes.php`:
- Around line 171-173: The meta box auth callbacks currently call
current_user_can('edit_posts') which is inconsistent with the popup post type
permission; replace those auth_callback closures to check the popup-specific
capability by calling
current_user_can($this->container->get_permission('edit_popups')) (or otherwise
use $this->container->get_permission('edit_popups') inside the closure) so the
same permission used in the popup registration is enforced; update both
occurrences (the closure at the shown diff and the similar one around 190-192).
- Around line 220-222: The current branch in Controllers\PostTypes.php that sets
$sanitized[$key] = $setting for is_array($setting) lets any nested array pass
through unsanitized; update this branch to either (a) recursively sanitize the
array (walk arrays and apply the same scalar sanitization/validation used
elsewhere) or (b) enforce an explicit whitelist so only known nested keys like
'conditions', 'triggers', and 'cookies' are accepted and their inner keys/values
are validated; implement this change in the same method where $setting, $key and
$sanitized are handled so nested arrays are never blindly assigned without
validation.
- Around line 163-175: The popup_title meta is being exposed twice via
register_post_meta in PostTypes.php and register_rest_field in RestAPI.php,
creating ambiguous REST endpoints; either consolidate to a single registration
or add an explanatory comment and documentation. Decide the canonical exposure
(prefer register_post_meta(..., show_in_rest => true) for block/editor
compatibility), remove the duplicate register_rest_field registration for
'popup_title' (or set show_in_rest => false if you want the custom endpoint
only), and add a brief comment in the remaining registration explaining why this
meta is exposed and which REST path clients should use; update any tests or docs
referencing both endpoints.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a5b834f5-29e5-4a48-84df-1856302d954b

📥 Commits

Reviewing files that changed from the base of the PR and between 9868d8a and f69314d.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• assets/js/src/admin/popup-editor/editor.scss
• classes/Admin/Popups.php
• classes/Controllers/PostTypes.php
• templates/popup.php

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/block-editor/src/plugins/popup-title-panel.tsx (1)

52-65: Use imported select instead of accessing window.wp.data.select.

The code accesses window.wp?.data?.select with verbose type casting, but select is already imported from @wordpress/data (line 12). Using the import is cleaner and benefits from TypeScript's type inference.

Proposed refactor

+import { useSelect, subscribe, select } from '@wordpress/data';
+
 // In setupSaveSubscription:
 	subscribe( () => {
-		const editor = (
-			window as typeof window & {
-				wp?: {
-					data?: {
-						select: ( store: string ) => EditorStore;
-					};
-				};
-			}
-		).wp?.data?.select( 'core/editor' ) as EditorStore | null;
-
-		if ( ! editor ) {
-			return;
-		}
+		const editor = select( 'core/editor' ) as EditorStore;
 
 		const isSaving = editor.isSavingPost();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/block-editor/src/plugins/popup-title-panel.tsx` around lines 52 -
65, The subscribe callback is using a verbose window.wp.data.select lookup;
replace that with the imported select from `@wordpress/data` to leverage
TypeScript inference: inside the subscribe( ... ) callback, change the editor
resolution to use select('core/editor') (e.g., const editor =
select('core/editor') as EditorStore | null) instead of the window casting, and
remove the surrounding window.wp?.data?.select cast; keep the existing null
check and early return logic intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@classes/Controllers/PostTypes.php`:
- Around line 161-176: The auth_callback used in the register_post_meta call for
the popup meta (register_post_meta on get_type_key('popup') for 'popup_title')
checks current_user_can('edit_posts') which mismatches the popup post type's
custom capability; change the auth_callback to check the post-type specific
permission by calling current_user_can( $this->get_permission('edit_popups') )
(or equivalent method call) so meta access aligns with the popup post type
capability definitions used elsewhere.

---

Nitpick comments:
In `@packages/block-editor/src/plugins/popup-title-panel.tsx`:
- Around line 52-65: The subscribe callback is using a verbose
window.wp.data.select lookup; replace that with the imported select from
`@wordpress/data` to leverage TypeScript inference: inside the subscribe( ... )
callback, change the editor resolution to use select('core/editor') (e.g., const
editor = select('core/editor') as EditorStore | null) instead of the window
casting, and remove the surrounding window.wp?.data?.select cast; keep the
existing null check and early return logic intact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8fa1523e-fba3-41ea-8217-2acf4ebea049

📥 Commits

Reviewing files that changed from the base of the PR and between f69314d and c4e6ca3.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• CHANGELOG.md
• classes/Controllers/PostTypes.php
• packages/block-editor/src/plugins/popup-title-panel.tsx

✅ Files skipped from review due to trivial changes (1)

• CHANGELOG.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the custom capability used by popup post type
rg -nA5 "get_permission.*edit_popups" classes/

Repository: PopupMaker/Popup-Maker

Length of output: 4403

---

🏁 Script executed:

#!/bin/bash
# Check all register_post_meta calls in PostTypes.php to see the pattern
rg -nB2 -A15 "register_post_meta" classes/Controllers/PostTypes.php

Repository: PopupMaker/Popup-Maker

Length of output: 542

---

🏁 Script executed:

#!/bin/bash
# Verify the file context around the auth_callback to understand closure scope
sed -n '155,180p' classes/Controllers/PostTypes.php

Repository: PopupMaker/Popup-Maker

Length of output: 697

---

🏁 Script executed:

#!/bin/bash
# Check if there are other auth_callbacks in the file and how they handle permissions
rg -n "auth_callback" classes/Controllers/PostTypes.php -A3

Repository: PopupMaker/Popup-Maker

Length of output: 180

---

Use custom capability in auth_callback to match post type permissions.

The popup post type defines custom capabilities via get_permission('edit_popups') (lines 136-138), but the auth_callback for popup_title meta uses edit_posts. This creates a permission inconsistency where users with generic edit_posts capability could access the meta field when they lack edit_popups, or vice versa.

Suggested fix

 		register_post_meta(
 			$this->get_type_key( 'popup' ),
 			'popup_title',
 			[
 				'show_in_rest'      => true,
 				'single'            => true,
 				'type'              => 'string',
 				'sanitize_callback' => 'sanitize_text_field',
 				'auth_callback'     => function () {
-					return current_user_can( 'edit_posts' );
+					return current_user_can( $this->container->get_permission( 'edit_popups' ) );
 				},
 			]
 		);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Register popup meta for REST API (block editor support).
	register_post_meta(
	$this->get_type_key( 'popup' ),
	'popup_title',
	[
	'show_in_rest' => true,
	'single' => true,
	'type' => 'string',
	'sanitize_callback' => 'sanitize_text_field',
	'auth_callback' => function () {
	return current_user_can( 'edit_posts' );
	},
	]
	);
	// Register popup meta for REST API (block editor support).
	register_post_meta(
	$this->get_type_key( 'popup' ),
	'popup_title',
	[
	'show_in_rest' => true,
	'single' => true,
	'type' => 'string',
	'sanitize_callback' => 'sanitize_text_field',
	'auth_callback' => function () {
	return current_user_can( $this->container->get_permission( 'edit_popups' ) );
	},
	]
	);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@classes/Controllers/PostTypes.php` around lines 161 - 176, The auth_callback
used in the register_post_meta call for the popup meta (register_post_meta on
get_type_key('popup') for 'popup_title') checks current_user_can('edit_posts')
which mismatches the popup post type's custom capability; change the
auth_callback to check the post-type specific permission by calling
current_user_can( $this->get_permission('edit_popups') ) (or equivalent method
call) so meta access aligns with the popup post type capability definitions used
elsewhere.

✅ Addressed in commit 7ec05ff

[danieliser]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

classes/Controllers/PostTypes.php (1)

162-175: Consolidate popup_title to a single REST write path.

popup_title is now exposed here via register_post_meta(... show_in_rest => true ...), while classes/Controllers/RestAPI.php:343-373 also exposes and writes the same field via register_rest_field. Keeping both paths plus the custom post-save write in packages/block-editor/src/plugins/popup-title-panel.tsx:44-100 creates split behavior and harder debugging.

Pick one canonical contract (meta-backed or custom REST field) and remove the duplicate path.

Possible direction (if custom REST field remains canonical)

-		// Register popup meta for REST API (block editor support).
-		register_post_meta(
-			$this->get_type_key( 'popup' ),
-			'popup_title',
-			[
-				'show_in_rest'      => true,
-				'single'            => true,
-				'type'              => 'string',
-				'sanitize_callback' => 'sanitize_text_field',
-				'auth_callback'     => function () {
-					return current_user_can( $this->container->get_permission( 'edit_popups' ) );
-				},
-			]
-		);
+		// popup_title REST exposure is handled in RestAPI::register_popup_rest_fields().

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@classes/Controllers/PostTypes.php` around lines 162 - 175, Consolidate the
popup_title REST handling to a single canonical path: prefer the meta-backed
approach by keeping register_post_meta(...) for get_type_key('popup') and
removing the duplicate custom REST field and write logic in the RestAPI class
(remove the register_rest_field usage and any associated save/write handlers),
then update packages/block-editor/src/plugins/popup-title-panel.tsx to
read/write the post meta via the REST post meta contract instead of the custom
field; ensure references to register_rest_field and any RestAPI::(method
handling popup_title) are removed so only the meta-backed path remains.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@classes/Controllers/PostTypes.php`:
- Around line 162-175: Consolidate the popup_title REST handling to a single
canonical path: prefer the meta-backed approach by keeping
register_post_meta(...) for get_type_key('popup') and removing the duplicate
custom REST field and write logic in the RestAPI class (remove the
register_rest_field usage and any associated save/write handlers), then update
packages/block-editor/src/plugins/popup-title-panel.tsx to read/write the post
meta via the REST post meta contract instead of the custom field; ensure
references to register_rest_field and any RestAPI::(method handling popup_title)
are removed so only the meta-backed path remains.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f54fb289-3176-4a9a-b07a-4cda2806bb65

📥 Commits

Reviewing files that changed from the base of the PR and between c4e6ca3 and 7ec05ff.

📒 Files selected for processing (1)

• classes/Controllers/PostTypes.php