This was reported on the support forums. The ability to change the author of a post has disappeared.
This should probably not be edit context, as we only want to select users, not edit them.
Specifically, this appears to be an issue in environments where the user does not have permission to request from: `/wp-json/wp/v2/users?context=edit`
> This should probably not be edit context, as we only want to select users, not edit them.
This is really only considering the symptom of the problem. Also, the `edit` context adds the `capabilities` property to a user entity which we use to determine whether a user should be shown in the dropdown:
Only admins have the `list_users` capability, unless roles are changed by a plugin.
I mean in the sense that it didn't offer an explanation to why the issue exists.
With consideration of https://github.com/WordPress/gutenberg/issues/3010#issuecomment-336181834, one could argue this is "working as intended" so far as the REST API intends. Obviously leaves us in a bad situation for building an editor though...
I'm not sure what you mean? This seems to be working as intended indeed, and also for Gutenberg. If you don't have the right capabilities, you shouldn't be able to access the users in edit context. They should be retrieved in normal/view content, and be filtered server side. In this case the right approach seems to be removing the context argument and adding the role (author) argument.
https://developer.wordpress.org/rest-api/reference/users/#arguments
Role is not sufficient for querying the users which should be included in the dropdown. Related: #2157
You're totally right, somehow I thought that was equivalent to `who` and would show higher roles too. I guess ideally the API should let us query by capability (`publish_posts`)? How about using `roles=author,editor,administrator` for now? Also not ideal since plugins could add new roles and change caps.
Well, I guess we should also create a core ticket for it, otherwise it will always stay a hack.
Noting that this can also be an issue for sites which have configured plain permalinks.
Related:
This is the Status & Visibility block when permalinks are plain.
This is how the Status & Visibility block appears when permalinks are set to post name (`/%postname%/`).
Note: For the author selection drop down to appear there need to be at least two users with the capability to edit the post.
Just to summarise the ability to select Authors based on the editing user's role
User's role | Classic | Block editor
------------- | -------- | -------------
Contributor | n/a | n/a
Author | works | 403 response
Editor | works | 403 response
Administrator | works | works - up to a point - see below
The response message for the 403 is
{"code":"rest_forbidden_context","message":"Sorry, you are not allowed to list users.","data":{"status":403}}
Note: The data in the drop down information has changed.
Was "display name (username)". Now just "display name".
In addition to https://core.trac.wordpress.org/ticket/42202, the underlying problem here is that the REST API limits `GET wp/v2/users?context=edit` to WordPress users with the `list_users` capability.
However... WordPress' UI permits Editors to see other WordPress users when assigning the post author in Edit Post. Furthermore, Contributors and Authors can see (i.e. discover the existence of) other WordPress users in the Manage Posts view.
We can't grant `list_users` to Editors though, because that would expose email addresses where they aren't currently exposed. Unless we decide it's acceptable to do.
I don't have a great suggestion at this point. One idea, which I don't particularly like, is to permit `GET wp/v2/users?context=edit` for all users with `edit_posts`, but nullify the private information (email address, role, etc.) unless they have `list_users` too. Then, furthermore, `capabilities` and other super private information would be nullified unless the user could edit the viewed user.
> We can't grant `list_users` to Editors though, because that would expose email addresses where they aren't currently exposed. Unless we decide it's acceptable to do.
Could exposing email addresses be an issue requiring GDPR consideration?
> I don't have a great suggestion at this point.
With #6515 and #6529, I think we can get away with `GET /wp/v2/users?who=authors&context=view` for our immediate need.
Although, in principle, we should be using `context=edit`, I don't think it makes a difference in practice. Our current alternatives (nullifying values or introducing some `context=admin` with a limited subset of `context=edit` data) are more complex and don't offer any significant benefit.
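The trade-off discussed in this thread, as an added sketch that is not part of the thread and is not WordPress code: a simplified JavaScript model of the `context=edit` capability gate and of the `who=authors&context=view` alternative. The role map, sample users, field subsets and the meaning given to `who=authors` are assumptions made for the example.

```javascript
// Simplified model of the checks discussed in this thread; not WordPress code.
// Constructed default role -> capability map (plugins can change it).
const ROLE_CAPS = {
  contributor: ['edit_posts'],
  author: ['edit_posts', 'publish_posts'],
  editor: ['edit_posts', 'publish_posts'],
  administrator: ['edit_posts', 'publish_posts', 'list_users'],
};

// Fields returned per context (an illustrative subset of the user entity).
const VIEW_FIELDS = ['id', 'name', 'slug'];
const EDIT_FIELDS = [...VIEW_FIELDS, 'username', 'email', 'roles', 'capabilities'];

// Constructed sample users.
const USERS = [
  { id: 1, name: 'Ada', slug: 'ada', username: 'ada', email: 'ada@example.test', roles: ['administrator'] },
  { id: 2, name: 'Ben', slug: 'ben', username: 'ben', email: 'ben@example.test', roles: ['author'] },
  { id: 3, name: 'Cy', slug: 'cy', username: 'cy', email: 'cy@example.test', roles: ['subscriber'] },
];

const capsOf = (roles) => roles.flatMap((r) => ROLE_CAPS[r] || []);
const pick = (obj, keys) => Object.fromEntries(keys.map((k) => [k, obj[k]]));

// Models GET wp/v2/users for a requester holding a single role.
function listUsers(requesterRole, { context = 'view', who } = {}) {
  // The edit context is refused outright without list_users.
  if (context === 'edit' && !capsOf([requesterRole]).includes('list_users')) {
    return {
      status: 403,
      body: { code: 'rest_forbidden_context', message: 'Sorry, you are not allowed to list users.', data: { status: 403 } },
    };
  }
  const fields = context === 'edit' ? EDIT_FIELDS : VIEW_FIELDS;
  const body = USERS
    .map((u) => ({ ...u, capabilities: capsOf(u.roles) }))
    // Assumption of this sketch: who=authors means "holds edit_posts".
    .filter((u) => who !== 'authors' || u.capabilities.includes('edit_posts'))
    .map((u) => pick(u, fields)); // view context never carries email or capabilities
  return { status: 200, body };
}

console.log(listUsers('editor', { context: 'edit' }).status);
console.log(listUsers('editor', { context: 'view', who: 'authors' }).body);
```

In this model an Editor gets the 403 in `edit` context but can still populate an author dropdown from `view` context without any email address leaving the server.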
There's a request to add this feature from the Gutenberg forums:
https://wordpress.org/support/topic/how-to-change-post-author-2/
@lizkarkoski This was already sorted out with Gutenberg, so the forum thread may be a plugin conflict, etc.
Got it. Thank you.
Hey guys,
I see this issue is marked as closed, but I've just tried to create a post in the latest version of WordPress and still don't see any author dropdown? I'm on localhost with admin role.
This is my screenshot: