Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#7832 closed defect (bug) (worksforme)

Autosave fails for users with the "Author" role.

Reported by: beaulebens
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Autosave
Keywords: editor, ajax, reporter-feedback
Focuses:
Cc:

Description

If a user's role is set as "Author" then the autosave functionality of the editor will fail. So far the symptoms I've seen have been either returning a 500 error from the AJAX request (seen in FireBug using FF3, although these errors are seen on all browsers), or also as a big error in the right editor sidebar saying "You are not allowed to edit posts as this user".

When the error message appears, it also wraps the page content in the default admin error page layout (gray background, white box, rounded corners) and thus shrinks the page.

I tracked it down to being because the AJAX POST is failing to include a user_ID value, so when the security checks are made, they fail. One way to fix this is to add the user_ID to the AJAX POST.

/wp-includes/js/autosave.js -- Line 167, add:

user_ID: jQuery('#user-id').val() || 0,

If not through this method, then the user_ID needs to be derived from the request somehow else in /wp-admin/admin-ajax.php before line 565 (or somewhere in the flow of the wp_create_post_autosave() function) to avoid the error.

Change History (6)

comment:1 ryan 6 years ago

We authenticate against the currently logged in user. We can't accept the word of a POST request. What version of WP are you using?
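
The point made in comment:1, as an added example that is not part of the ticket and is not WordPress code: a simplified, stand-alone model of an autosave handler that reads identity from a `user_ID` field in the POST body, next to one that reads it only from the server-side session. The session table, post ownership data, function names and status codes are all constructed for illustration.

```php
<?php
// Added illustration; a simplified model, not WordPress code. All names and data are constructed.
const SESSIONS = ['sess-author-7' => 7, 'sess-author-9' => 9]; // session token => user id
const POST_AUTHORS = [101 => 7, 102 => 9];                     // post id => author id

// An "Author" in this model may edit only posts they wrote.
function can_edit(int $userId, int $postId): bool
{
    return (POST_AUTHORS[$postId] ?? null) === $userId;
}

// Identity taken from a user_ID field in the request body (the value the
// ticket's temporary fix adds to the AJAX POST). The cookie is ignored.
function autosave_trusting_post(array $cookies, array $post): int
{
    $userId = (int) ($post['user_ID'] ?? 0);
    return can_edit($userId, (int) ($post['post_ID'] ?? 0)) ? 200 : 403;
}

// Identity taken only from the server-side session, as comment:1 requires.
// Any user_ID in the body is never read.
function autosave_from_session(array $cookies, array $post): int
{
    $userId = SESSIONS[$cookies['session'] ?? ''] ?? 0;
    if ($userId === 0) {
        return 401; // no valid session: not logged in
    }
    return can_edit($userId, (int) ($post['post_ID'] ?? 0)) ? 200 : 403;
}

// Constructed request: user 9 is logged in, but the body names user 7 and user 7's post.
$cookies = ['session' => 'sess-author-9'];
$body    = ['user_ID' => '7', 'post_ID' => '101'];

printf("trusting POST user_ID: HTTP %d\n", autosave_trusting_post($cookies, $body));
printf("session-derived user:  HTTP %d\n", autosave_from_session($cookies, $body));

// The same user autosaving their own post, without sending user_ID at all.
printf("own post, no user_ID:  HTTP %d\n", autosave_from_session($cookies, ['post_ID' => '102']));
```

The first handler authorizes the request on the strength of a value the client chose; the second authorizes it against the account that owns the session, so the missing `user_ID` field is irrelevant to it.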

comment:2 beaulebens 6 years ago

Agree that accepting the POST like that is sketchy, was just a temporary fix that seemed to work.

I've confirmed this on a clean download of 2.6.2 (gets 500 error, not directly throwing that "You are not allowed to edit posts as this user" error).

Here's what I did:

  • Download/install WP
  • Set up a new user and assign them the role "Author"
  • Log out and then log in as the new author
  • Write a post and save it.
  • Now edit the post and wait for the auto-save to trigger
  • Check in FireBug to see 500 error

It's not that big of a deal when it just doesn't save, but on my other install where it throws the big error and reformats the page it's quite a problem.

comment:3 ryan 5 years ago

  • Component changed from Administration to Autosave
  • Owner anonymous deleted

comment:4 DD32 5 years ago

  • Keywords reporter-feedback added

I'm not seeing a problem with Autosave under 2.7 with an Author role user.

comment:5 beaulebens 5 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

I've just tested this again on the current trunk (2.7), and the problem appears to be fixed.

comment:6 thee17 5 years ago

  • Milestone 2.7 deleted