[wp-trac] [WordPress Trac] #50754: REST updating a post without author support updates the author to the current user

WordPress Trac noreply at wordpress.org
Sun Oct 25 01:41:20 UTC 2020 

#50754: REST updating a post without author support updates the author to the
current user
--------------------------+------------------------------
 Reporter:  jadpm         |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Editor        |     Version:  5.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  rest-api
--------------------------+------------------------------
Changes (by TimothyBlynJacobs):

 * focuses:   => rest-api
 * component:  REST API => Editor
 * version:  5.5 => 5.0


Comment:

 Digging into this a bit. In [https://github.com/WordPress/wordpress-
 develop/blob/4e0222d529a9a6c600da0c32e445c9031c401631/src/wp-
 includes/post.php#L3883 `wp_insert_post()`] if the post author is not
 set, it is set to the current user.

 The Classic Editor doesn't run into this issue because the `post_author`
 is [https://github.com/WordPress/wordpress-
 develop/blob/1e030c4062f87b3881012d977a9adc3ade9c63b9/src/wp-admin/edit-
 form-advanced.php#L472 always populated], even if the current post type
 does not support `title`.. And `edit_post()` through
 `_wp_translate_post_data()` [https://github.com/WordPress/wordpress-
 develop/blob/1e030c4062f87b3881012d977a9adc3ade9c63b9/src/wp-
 admin/includes/post.php#L65 looks for] `post_author_override`.

 But it looks like the REST API doesn't run into this either. When updating
 an item, it uses `wp_update_post` which merges the currently saved post
 with the given updates. A unit test demonstrating this:

 {{{#!php
 <?php
 public function test_updating_post_does_not_change_author() {
         $post = self::factory()->post->create( array( 'post_author' =>
 self::$author_id ) );

         wp_set_current_user( self::$editor_id );
         $request = new WP_REST_Request( 'PUT', '/wp/v2/posts/' . $post );
         $request->set_body_params( array( 'title' => 'My New Title' ) );
         $response = rest_do_request( $request );

         $this->assertEquals( self::$author_id,
 $response->get_data()['author'] );
         $this->assertEquals( self::$author_id, get_post( $post
 )->post_author );
 }
 }}}

 It looks like indeed this is because of the classic metabox saving.
 Specifically Gutenberg
 [https://github.com/WordPress/gutenberg/blob/07b3ab2b4fb5e3c8d8b6e235b24cefbe779050a9/packages
 /edit-post/src/store/effects.js#L89 only adds] the `post_author` field if
 the current post has an author. If the current post type doesn't support
 an author, then it won't be included in the initial REST API response and
 thus won't be included in the update to `edit.php`.

 I think this can be fixed by adding the `post_author` field to
 `the_block_editor_meta_box_post_form_hidden_fields()` which has its form
 data merged with the metabox update.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50754#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list