refactor: validate author selection in post author components #71300
Draft
R1shabh-Gupta wants to merge 1 commit into WordPress:trunk from
What?
Closes #71299
Adds client-side validation to post author selection components to prevent assignment of posts to users without proper authoring capabilities.
Why?
Currently, the Gutenberg editor correctly filters the author dropdown to show only users with authoring capabilities (Administrator, Editor, Contributor). However, there's no validation when the author field is updated programmatically. This allows malicious users to assign posts to Subscribers (who shouldn't be able to author content) by manipulating the dropdown value through browser developer tools, bypassing WordPress role-based security.
How?
PostAuthorSelect and PostAuthorCombobox components
Testing Instructions
Follow the steps provided in the issue description, and in the end, verify that the post author remains unchanged and is not reassigned to the Subscriber.
Screenshots or screencast
Screen.Recording.2025-08-22.at.1.36.09.AM.mov
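The description above explains the gap: the dropdown is filtered to users who can author content, but a value written into the field programmatically (for example from the browser devtools) was applied without being checked against that same list. The following is an added illustration of the validation pattern, written for this page and not code from the Gutenberg PR or the WordPress project. It assumes that the caller already holds the list of permitted authors the dropdown was populated from (each entry with a numeric `id`) and an `editPost` callback that applies the edit; the helper names `buildAuthorValidator` and `applyAuthorChange`, and the sample users, are constructed for the example. The check is deliberately built from the same author list as the UI so that a value the dropdown would never offer is rejected no matter how it reached the field.

```javascript
// Added example (not part of the Gutenberg PR): validate a requested author id
// against the users who may author content before the edit is applied.
// Assumption: `allowedAuthors` is the list the author dropdown is built from
// (the same users with authoring capability), each entry carrying a numeric `id`.
function buildAuthorValidator(allowedAuthors) {
  const allowed = new Set();
  for (const user of allowedAuthors) {
    const id = Number(user && user.id);
    if (Number.isInteger(id) && id > 0) allowed.add(id);
  }
  return function validateAuthor(value) {
    // Form values arrive as strings; anything can be injected via devtools,
    // so coerce strictly and reject non-integers, zero, and negatives.
    const id = Number(value);
    if (!Number.isInteger(id) || id <= 0) return { ok: false, reason: 'invalid-id' };
    // The key check: only users the dropdown would have offered are accepted.
    if (!allowed.has(id)) return { ok: false, reason: 'not-an-author' };
    return { ok: true, id };
  };
}

// Apply the author change only if validation passes. Returns the author that
// is actually in effect afterwards, so callers can confirm nothing was reassigned.
function applyAuthorChange(currentAuthorId, requestedValue, validate, editPost) {
  const result = validate(requestedValue);
  if (!result.ok) {
    // Leave the post author unchanged; the reason can be logged or shown in the UI.
    return { authorId: currentAuthorId, applied: false, reason: result.reason };
  }
  editPost({ author: result.id });
  return { authorId: result.id, applied: true };
}

// Constructed sample data: two users with authoring capability, and a
// subscriber id (9) that is intentionally absent from the allowed list.
const SAMPLE_AUTHORS = [
  { id: 2, name: 'Editor Eve' },
  { id: 5, name: 'Contributor Carl' },
];
const SUBSCRIBER_ID = 9;

// Walk through the three cases: a legitimate change, a subscriber id pushed
// into the field, and a non-numeric value. Only the first reaches editPost.
function demo() {
  const edits = [];
  const validate = buildAuthorValidator(SAMPLE_AUTHORS);
  const editPost = (edit) => edits.push(edit);
  const ok = applyAuthorChange(2, '5', validate, editPost);
  const blocked = applyAuthorChange(2, String(SUBSCRIBER_ID), validate, editPost);
  const junk = applyAuthorChange(2, '5; DROP', validate, editPost);
  return { ok, blocked, junk, edits };
}
```

One design point worth keeping in mind when applying this pattern: a check that runs in the browser stops accidental and casual misuse and keeps the editor state consistent, but the server that persists the post must enforce the same capability rule, because a client can always be modified to skip the check.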