Ability to select authors has vanished #3010

Closed
karmatosed opened this issue Oct 12, 2017 · 21 comments
Labels
Core REST API Task Task for Core REST API efforts REST API Interaction Related to REST API [Type] Bug An existing feature does not function as intended [Type] WP Core Ticket Requires an upstream change from WordPress. Core Trac ticket should be linked.

Comments

@karmatosed
Member

This was reported on the support forums. The ability to change the author of a post has disappeared.

@karmatosed karmatosed added the [Type] Bug An existing feature does not function as intended label Oct 12, 2017
@karmatosed karmatosed added this to the Beta 1.5 milestone Oct 12, 2017
@ellatrix
Member

ellatrix commented Oct 12, 2017

This should probably not be edit context, as we only want to select users, not edit them.

users: '/wp/v2/users?context=edit&per_page=100',

@aduth
Member

aduth commented Oct 12, 2017

Specifically, this appears to be an issue in environments where the user does not have permission to request from:

/wp-json/wp/v2/users?context=edit

> This should probably not be edit context, as we only want to select users, not edit them.

This is really only considering the symptom of the problem. Also, the edit context adds the capabilities property to a user entity which we use to determine whether a user should be shown in the dropdown:

getAuthors() {
    // While User Levels are officially deprecated, the behavior of the
    // existing users dropdown on `who=authors` tests `user_level != 0`
    //
    // See: https://github.com/WordPress/WordPress/blob/a193916/wp-includes/class-wp-user-query.php#L322-L327
    // See: https://codex.wordpress.org/Roles_and_Capabilities#User_Levels
    const { users } = this.props;
    return filter( users.data, ( user ) => {
        return user.capabilities.level_1;
    } );
}

https://github.com/WordPress/WordPress/blob/a1879766ed4e95eab66ac4694aea3a5d4a9c9030/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php#L1247-L1252

@ellatrix
Member

ellatrix commented Oct 12, 2017

@ellatrix
Member

Only admins have the list_users capability, unless roles are changed by a plugin.

@aduth
Member

aduth commented Oct 12, 2017

I mean in the sense that it didn't offer an explanation to why the issue exists.

With consideration of #3010 (comment), one could argue this is "working as intended" so far as the REST API intends. Obviously leaves us in a bad situation for building an editor though...

@ellatrix
Member

I'm not sure what you mean? This seems to be working as intended indeed, and also for Gutenberg. If you don't have the right capabilities, you shouldn't be able to access the users in edit context. They should be retrieved in normal/view content, and be filtered server side. In this case the right approach seems to be removing the context argument and adding the role (author) argument.

https://developer.wordpress.org/rest-api/reference/users/#arguments

@aduth
Member

aduth commented Oct 12, 2017

Role is not sufficient for querying the users which should be included in the dropdown. Related: #2157

@ellatrix
Member

ellatrix commented Oct 12, 2017

You're totally right, somehow I thought that was equivalent to who and would show higher roles too. I guess ideally the API should let us query by capability (publish_posts)? How about using roles=author,editor,administrator for now? Also not ideal since plugins could add new roles and change caps.

@ellatrix
Member

Well, I guess we should also create a core ticket for it, otherwise it will always stay a hack.

@ellatrix
Member

Created https://core.trac.wordpress.org/ticket/42202.

@ellatrix ellatrix added the Core REST API Task Task for Core REST API efforts label Oct 12, 2017
@pento pento modified the milestones: Beta 1.5, Needs API Oct 18, 2017
@aduth
Member

aduth commented Dec 13, 2017

Noting that this can also be an issue for sites which have configured plain permalinks.

Related:

@bobbingwide
Contributor

Actual output

This is the Status & Visibility block when permalinks are plain.
image

Expected output

This is how the Status & Visibility block appears when permalinks are set to post name ( /%postname%/ ).
image

Note: For the author selection drop down to appear there need to be at least two users with the capability to edit the post.

Workaround

  • Use pretty permalinks

@bobbingwide
Contributor

Just to summarise the ability to select Authors based on the editing user's role

| User's role | Classic | Block editor |
| --- | --- | --- |
| Contributor | n/a | n/a |
| Author | works | 403 response |
| Editor | works | 403 response |
| Administrator | works | works - up to a point - see below |

The response message for the 403 is

{"code":"rest_forbidden_context","message":"Sorry, you are not allowed to list users.","data":{"status":403}}

Note: The data in the drop down information has changed.

Was "display name (username)". Now just "display name".
image
image

@mtias mtias modified the milestones: Merge Proposal, Core API Mar 7, 2018
@mtias mtias added the [Type] WP Core Ticket Requires an upstream change from WordPress. Core Trac ticket should be linked. label Mar 7, 2018
@danielbachhuber danielbachhuber added the REST API Interaction Related to REST API label Apr 4, 2018
@danielbachhuber danielbachhuber self-assigned this Apr 11, 2018
@danielbachhuber
Member

In addition to https://core.trac.wordpress.org/ticket/42202, the underlying problem here is that the REST API limits GET wp/v2/users?context=edit to WordPress users with the list_users capability.

However... WordPress' UI permits Editors to see other WordPress users when assigning the post author in Edit Post. Furthermore, Contributors and Authors can see (i.e. discover the existence of) other WordPress users in the Manage Posts view.

We can't grant list_users to Editors though, because that would expose email addresses where they aren't currently exposed. Unless we decide it's acceptable to do.

I don't have a great suggestion at this point. One idea, which I don't particularly like, is to permit GET wp/v2/users?context=edit for all users with edit_posts, but nullify the private information (email address, role, etc.) unless they have list_users too. Then, furthermore, capabilities and other super private information would be nullified unless the user could edit the viewed user.
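
The tiered nullification proposed in the comment above, modelled next to the behaviour reported in this thread. This is an added example, not part of the original comment and not WordPress or Gutenberg code; the sample users, the field grouping (email and roles as private, capabilities as super private) and the canEditUser helper are assumptions.

```javascript
// Added example: constructed data, not WordPress or Gutenberg code.
const PRIVATE = ['email', 'roles'];      // "private information" in the comment
const SUPER_PRIVATE = ['capabilities'];  // "super private information"

// Constructed sample records (fields limited to those the thread mentions).
const USERS = [
  { id: 1, name: 'Ada', email: 'ada@example.test', roles: ['administrator'],
    capabilities: { list_users: true, edit_users: true, edit_posts: true, level_1: true } },
  { id: 2, name: 'Ed', email: 'ed@example.test', roles: ['editor'],
    capabilities: { edit_posts: true, level_1: true } },
  { id: 3, name: 'Sue', email: 'sue@example.test', roles: ['subscriber'],
    capabilities: { read: true } },
];

const forbidden = () => ({ status: 403, body: { code: 'rest_forbidden_context',
  message: 'Sorry, you are not allowed to list users.', data: { status: 403 } } });

// Assumption: simplified stand-in for WordPress' edit_user check.
function canEditUser(requester, target) {
  return requester.id === target.id || Boolean(requester.capabilities.edit_users);
}

// Behaviour reported in this thread: context=edit requires list_users.
function currentPolicy(requester, users) {
  if (!requester.capabilities.list_users) return forbidden();
  return { status: 200, body: users.map((u) => ({ ...u })) };
}

// The proposal: edit_posts opens the endpoint, fields are nulled per tier.
function proposedPolicy(requester, users) {
  if (!requester.capabilities.edit_posts) return forbidden();
  const body = users.map((target) => {
    const out = { ...target };
    if (!requester.capabilities.list_users) PRIVATE.forEach((f) => { out[f] = null; });
    if (!canEditUser(requester, target)) SUPER_PRIVATE.forEach((f) => { out[f] = null; });
    return out;
  });
  return { status: 200, body };
}

const [admin, editor, subscriber] = USERS;
console.log(currentPolicy(editor, USERS).status);  // the Editor is refused outright
console.log(proposedPolicy(editor, USERS).body);   // names visible, private fields nulled
```

Under the modelled proposal an Editor receives capabilities only for their own record, so a client-side filter on user.capabilities.level_1 like the getAuthors() snippet earlier in the thread would have nothing to test for the other users.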

@bobbingwide
Contributor

> We can't grant list_users to Editors though, because that would expose email addresses where they aren't currently exposed. Unless we decide it's acceptable to do.

Could exposing email addresses be an issue requiring GDPR consideration?

@danielbachhuber
Member

> I don't have a great suggestion at this point.

With #6515 and #6529, I think we can get away with GET /wp/v2/users?who=authors&context=view for our immediate need.

Although, in principle, we should be using context=edit, I don't think it makes a difference in practice. Our current alternatives (nullifying values or introducing some context=admin with a limited subset of context=edit data) are more complex and don't offer any significant benefit.

@lizkarkoski

There's a request to add this feature from the Gutenberg forums:

https://wordpress.org/support/topic/how-to-change-post-author-2/

@danielbachhuber
Member

@lizkarkoski This was already sorted out with Gutenberg, so the forum thread may be a plugin conflict, etc.

@lizkarkoski

lizkarkoski commented Aug 16, 2018 via email

@rilwis

rilwis commented Sep 10, 2019

Hey guys,

I see this issue is marked as closed, but I've just tried to create a post in the latest version of WordPress and still don't see any author dropdown? I'm on localhost with admin role.

This is my screenshot:

@paulshryock

Any traction on this? Still seems like there's no way to change a post author from within the post.
