Author combobox component returns 403 error for non-admin users #29845

Closed
dkoo opened this issue Mar 12, 2021 · 1 comment · Fixed by #30218
Labels: [Priority] High, [Status] In Progress, [Type] Regression

dkoo commented Mar 12, 2021

Description

Since #23237, a site with greater than 25 authors will display a ComboboxControl component to search for authors instead of the standard SelectControl. However, the REST request to fetch the list of authors will fail for users who do not have admin privileges (such as editors or contributors, who might still be editing posts). This can result in either the SelectControl being displayed with a large number of options, or worse, the ComboboxControl being displayed but with only a partially complete list of users to choose from (with autocomplete functionality broken).

Step-by-step reproduction instructions

  1. Create or generate a sufficient number of author users to test with, e.g. wp user generate --role=editor --count=100 to generate 100 editor users. The more, the better!
  2. Log in as an admin user and create or edit a post. In the Status & visibility panel, observe that the author control shown is the ComboboxControl with working autocomplete functionality.
  3. Log in as a user with lower than admin privileges, such as one of the editor users you just generated, and create or edit a post. In the Status & visibility panel, observe that the author control shown is either the standard SelectControl with a huge number of options, or a ComboboxControl with non-functional autocomplete.
  4. Observe the following REST request with a 403 error response:
     https://<SITE_URL>/wp-json/wp/v2/users?who=authors&per_page=26&context=edit&_locale=user
     {"code":"rest_forbidden_context","message":"Sorry, you are not allowed to list users.","data":{"status":403}}

Expected behaviour

Non-admin users who can access the post editor and have the edit_others_posts capability should still see the ComboboxControl author UI and be able to view and select from an appropriate list of author-type users.

Actual behaviour

See the REST error response above.

WordPress information

  • WordPress version: 5.7
  • Gutenberg version: Tested with both 10.1.1, and not installed
  • Are all plugins except Gutenberg deactivated? Yes
  • Are you using a default theme (e.g. Twenty Twenty-One)? Yes: Twenty Twenty-One

Device information

  • Device: Desktop
  • Operating system: OS X 10.15
  • Browser: Tested and confirmed in Chrome 88 and Firefox 86
kagg-design commented

To support the issue and add some clarifications:

This happens because in WP 5.7 the request https://<SITE_URL>/wp-json/wp/v2/users?who=authors&per_page=26&context=edit&_locale=user is executed with the context=edit parameter, which was not used in WP 5.6. So, the same request in 5.6 is https://<SITE_URL>/wp-json/wp/v2/users?who=authors&per_page=26&_locale=user.

As a consequence, the check in the \WP_REST_Users_Controller::get_items_permissions_check returns 403. This is proper behaviour.

I suggest removing the context=edit parameter from the REST request that prepares the author combobox.

As a temporary measure and not a solution, the following code can be used as a mu-plugin. It is tested and works well on a site with 100+ authors.
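
Added illustration (by the editor of this page, not code from Gutenberg, WordPress core, or either commenter above, and not the mu-plugin referred to in the comment): it models the decision that both the report and the follow-up comment describe. A GET to /wp/v2/users with context=edit is refused unless the caller has list_users, which editors lack, while who=authors alone is allowed for anyone who can edit posts. The capability sets and the branch order are a simplified reading of WP_REST_Users_Controller::get_items_permissions_check and should be treated as assumptions; the post type is assumed to be one that supports authors, and the user is assumed to be logged in, so a refusal is 403 rather than 401.

```javascript
// Added example, not code from Gutenberg or WordPress core.  It models the
// server-side decision described in the issue: GET /wp/v2/users with
// context=edit is refused unless the caller has list_users (editors do not
// have it), while who=authors alone is allowed for anyone who can edit posts.
// The branch order and capability sets are a simplification of
// WP_REST_Users_Controller::get_items_permissions_check and are assumptions.

// Constructed capability sets: only the capabilities the check consults.
const ROLE_CAPS = {
  administrator: new Set(['list_users', 'edit_posts', 'edit_others_posts']),
  editor: new Set(['edit_posts', 'edit_others_posts']),
  subscriber: new Set(['read']),
};

function currentUserCan(role, cap) {
  const caps = ROLE_CAPS[role];
  return caps !== undefined && caps.has(cap);
}

// Simplified permission check for the users collection endpoint, for a
// logged-in user (so a refusal is 403, not 401).
// Returns { ok: true } or { ok: false, code, status }.
function usersPermissionCheck(role, query) {
  if (query.get('context') === 'edit' && !currentUserCan(role, 'list_users')) {
    return { ok: false, code: 'rest_forbidden_context', status: 403 };
  }
  if (query.get('who') === 'authors') {
    // Listing authors only needs the ability to edit some post type that
    // supports authors; 'post' is assumed to be such a type here.
    if (currentUserCan(role, 'edit_posts')) {
      return { ok: true };
    }
    return { ok: false, code: 'rest_forbidden_who', status: 403 };
  }
  return { ok: true };
}

// Query string the post editor sends for the author combobox.  With
// includeEditContext=true this is the WP 5.7 request quoted in the issue;
// with false it is the request without context=edit that the comment proposes.
function authorQuery(includeEditContext) {
  const params = new URLSearchParams({ who: 'authors', per_page: '26' });
  if (includeEditContext) {
    params.set('context', 'edit');
  }
  params.set('_locale', 'user');
  return params;
}

// Full request path, for comparison with the URLs quoted in the issue.
function authorRequestPath(includeEditContext) {
  return '/wp-json/wp/v2/users?' + authorQuery(includeEditContext).toString();
}

// Runs the check for one role against both variants of the request.
function simulate(role) {
  return {
    withEditContext: usersPermissionCheck(role, authorQuery(true)),
    withoutEditContext: usersPermissionCheck(role, authorQuery(false)),
  };
}

// Stand-alone run: show the outcome for each constructed role.
for (const role of Object.keys(ROLE_CAPS)) {
  console.log(role, JSON.stringify(simulate(role)));
}
```

Running it shows the editor refused with rest_forbidden_context only when context=edit is present, the administrator passing both variants, and the subscriber refused with rest_forbidden_who either way. The security point is that the 403 is the authorization model working as intended: the client was asking for more than the editor role is allowed (the edit context exposes fields such as e-mail addresses), and the correct fix is to narrow the request rather than to widen the capability.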

Mar 22, 2021: SergeyBiryukov added the [Priority] High, [Type] Regression and Backport to WP Minor Release labels.
Mar 25, 2021: github-actions bot added the [Status] In Progress label.
Aug 30, 2021: desrosj removed the Backport to WP Minor Release label.