Make WordPress Core

Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#62737 closed defect (bug) (reported-upstream)

Block editor Author list missing capability check

Reported by: cagdasdag
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.9
Component: Editor
Keywords: has-testing-info has-screenshots has-patch
Focuses: administration, rest-api
Cc:

Description

Hello

The author dropdown in page settings is not working correctly in the block editor. It doesn't check user capabilities.

Here are the steps to replicate:

  • Install a fresh WP
  • Create a contributor user, so you will have 2 users: 1 admin and 1 contributor
  • Create a page in the Classic Editor
  • You will see it is showing only the admin user in the Author change dropdown, because the contributor doesn't have the edit_pages capability
  • Create a page in the Block Editor
  • Go to the author change dropdown; you will see the contributor user as well.

Which looks like a bug to me. We need to make sure that there is a capability check.

Screenshots:
Classic Editor:
https://share.cleanshot.com/69vlJWcH

Block Editor:
https://share.cleanshot.com/xyVlryhh

Change History (8)

#1 @sukhendu2002
4 months ago

  • Keywords has-testing-info has-screenshots added

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.26
  • Server: nginx/1.27.3
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.26)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Error condition occurs (reproduced).

Supplemental Artifacts

Block Editor

https://utfs.io/f/TTyF6MLuAyHD6dKIF4wPkc5yFtoTm71WzjAxse2GXvdqifuU

Classic Editor

https://utfs.io/f/TTyF6MLuAyHDo7fgAkU90qVRHNwWIYlQsC5GaBzfunJ81iZe

#2
4 months ago

This ticket was mentioned in PR #8043 on WordPress/wordpress-develop by @dilipbheda.

  • Keywords has-patch added

#3 @dilipbheda
4 months ago

@cagdasdag Thanks for the report.

I've fixed the issue in the attached PR.

@sukhendu2002 Could you test it and share the report?

Thanks!

#4 @dilipbheda
4 months ago

  • Focuses administration rest-api added

#5 @cagdasdag commented on PR #8043
4 months ago

I don't think the fix is correct. In the classic editor we have a post_type_object->cap->edit_posts check, so we should use the same capability check for consistency.

#6 @swissspidy
4 months ago

  • Component changed from General to Editor
  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Status changed from new to closed

This needs to be fixed on the Gutenberg side, where they need to use the capability argument instead of the who argument (which uses a deprecated query arg under the hood). who should be maintained as-is for backward compatibility.

This has been reported at https://github.com/WordPress/gutenberg/issues/39986 before, so I recommend chiming in there to fix it in the block editor.
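To illustrate the root cause behind this comment, here is an added example (not code from the ticket, the PR, or WordPress itself) that models the two users queries in JavaScript. The sample users, their user_level values and capabilities are constructed for the example, and the `capability` key follows the WP_User_Query argument name; treating it as the REST parameter is an assumption.

```javascript
// Constructed sample users with the user_level WordPress assigns per role
// (administrator: 10, contributor: 1, subscriber: 0) and a subset of caps.
const SAMPLE_USERS = [
  { id: 1, login: 'admin', userLevel: 10,
    caps: new Set(['edit_posts', 'edit_pages', 'edit_others_pages']) },
  { id: 2, login: 'contrib', userLevel: 1, caps: new Set(['edit_posts']) },
  { id: 3, login: 'subscriber', userLevel: 0, caps: new Set(['read']) },
];

// Post type objects as the classic editor consults them:
// $post_type_object->cap->edit_posts is 'edit_pages' for pages.
const POST_TYPES = {
  post: { cap: { edit_posts: 'edit_posts' } },
  page: { cap: { edit_posts: 'edit_pages' } },
};

// Legacy behaviour: who=authors resolves to "user_level != 0", so every role
// above subscriber, the contributor included, is listed as an author.
function authorsByWho(users) {
  return users.filter((u) => u.userLevel !== 0).map((u) => u.login);
}

// Capability-based query: keep only users who hold the post type's edit
// capability, which is the check the classic editor already applies.
function authorsByCapability(users, postType) {
  const cap = POST_TYPES[postType].cap.edit_posts;
  return users.filter((u) => u.caps.has(cap)).map((u) => u.login);
}

// The query args a client would send under each strategy (the capability
// parameter name is assumed to mirror WP_User_Query's argument).
function authorQueryArgs(postType, useCapability) {
  return useCapability
    ? { capability: POST_TYPES[postType].cap.edit_posts }
    : { who: 'authors' };
}

module.exports = { SAMPLE_USERS, authorsByWho, authorsByCapability, authorQueryArgs };
```

For a page, the level-based query returns the contributor while the capability query does not, which is the discrepancy the ticket reports.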

#7 @swissspidy
4 months ago

  • Version changed from 6.7.1 to 5.9

#8 @swissspidy commented on PR #8043
4 months ago

As per the ticket, this should be fixed in Gutenberg at https://github.com/WordPress/gutenberg/issues/39986
