Posts: People with Author User Role Cannot View Draft Titles By Other Users

[alexjgustafson]

At /posts/drafts/$site , people with the Author user role cannot view titles of drafts created by other users, however this is possible the analogous wp-admin page https://$site/wp-admin/edit.php?post_status=draft&post_type=post

While the Author role shouldn't be able to edit others' drafts, it can be handy to at least see that a draft is in progress, particularly on news sites where many different Authors may be starting to prepare a similar story.

To replicate:

1. Create a site, publish a post, and start a new draft with one user
2. Invite a second user with the Author role
3. View /posts/drafts/$site site to the "Everyone" toggle - the draft count will appear at the top, but the draft title from the original user do not appear

Screenshot:
https://cloudup.com/cuGjRN2SCyn

Originally reported by a wpcom user in 274039-chat

[ebinnion]

I'm going to remove the People Management label as I believe this to be confined to Posts.

[hoverduck]

14Apr16 Bug Scrub

Confirmed this is still an issue.

[hoverduck]

26May16 Bug Scrub

This is still an issue, but since it hasn't had any activity in over a month I'm tempted to close it. For now I'll just tag it as Low Priority, though, since it is a loss of functionality from wp-admin

[timmyc]

Doing a bit of investigating here, the root of the issue is the API does not return drafts for contributors/authors that they do not have the ability to view. The WPCOM_JSON_API_List_Posts_v1_1_Endpoint endpoint ultimately calls get_post for each draft on a site, and for contributors attempting to get_post on a draft that they are not an author of, an error is returned, and the post is omitted from the API response.

Alternatively, in wp-admin the WP_Posts_List_Table data is fetched using a query directly sent to wp

I also performed the same API query against the new WP REST API, and it too does not return drafts that do not belong to authors/contributors.

So I've added the API label to this issue. I'm not sure if this really is a bug either as it is the result of core logic in get_post - to me it seems more like a potential enhancement. Additionally the fact that the core WP REST API behaves in the same manner, I think our existing logic in the WPCOM API is validated further.

While testing this out I did notice a few buggy experiences in the UI for contributors that should probably be fixed either way. These bugs result from the post_counts API endpoint returning a count for drafts for all users. I suppose we could add logic in Calypso to ensure users have the appropriate permissions to view these drafts and conditionally show these links:

and in the published post listing:

[lancewillett]

See also #1806

[designsimply]

Closing in light of this comment from @timmyc earlier:

I'm not sure if this really is a bug either as it is the result of core logic in get_post - to me it seems more like a potential enhancement. Additionally the fact that the core WP REST API behaves in the same manner, I think our existing logic in the WPCOM API is validated further.

— #1231 (comment)

While testing this out I did notice a few buggy experiences in the UI for contributors that should probably be fixed either way. These bugs result from the post_counts API endpoint returning a count for drafts for all users. I suppose we could add logic in Calypso to ensure users have the appropriate permissions to view these drafts and conditionally show these links.

Moved the draft count issue to #14243