Closed rafaucau closed 10 months ago
Looking in the code where this button is added, right before it is a `// @todo caps check for creating a new user`.
I need to nail down exactly what caps there are for listing the Guest Author page, accessing the Add New page, and successfully submitting a submission from that page, but it shouldn't be difficult to make the Add New button conditionally show - thanks for reporting!
Background:

`read` capability.

`list_users` to an account with a Subscriber role allows the Users admin menu to appear, and the Guest Authors list page to be accessed.

`edit_posts` capability allows the Add New screen to be accessed; currently the `list_authors` capability is used on the handling of the guest author creation.

Description
I've encountered an issue with the Co Authors Plus plugin where users with read-only permissions can see the `Add New` button for guest authors when they possess the `list_users` capability. This is problematic as they don't have the required permissions to create guest authors.

After clicking the `Add New` button:

![image](https://github.com/Automattic/Co-Authors-Plus/assets/25438601/871149b6-ee75-462b-92a2-20a329ad7c18)

Steps to Reproduce
`list_users` capability but without permissions to create or edit users and posts.

`Add New` button for guest authors is visible and clickable, even though the user should not have permissions to add new guest authors.

Expected Behavior
Users without the required permissions to create guest authors should not see the `Add New` button.

Actual Behavior
The `Add New` button for guest authors is visible and clickable for users who only have the `list_users` capability.

Possible Solution
Check for the appropriate capabilities before rendering the `Add New` button in the guest authors list.

Additional Context
This can cause confusion as users may think they have permissions to add new guest authors when they actually don't.
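
One way to implement the check proposed under Possible Solution, as an added example that is not Co-Authors Plus code: the button, the Add New screen and the submission handler all consult a single capability. It assumes it is loaded inside WordPress; every `example_*` name, the page slug and the text domain are hypothetical, and `edit_posts` is only an assumed default because the thread has not settled which capability applies.

```php
<?php
// Added example, not Co-Authors Plus code. Every example_* name, the page slug
// and the text domain are hypothetical.

// One source of truth for "may create guest authors", so the button, the
// Add New screen and the submission handler cannot drift apart.
// 'edit_posts' is an assumed default; the thread has not settled the capability.
function example_guest_author_create_cap() {
	return apply_filters( 'example_guest_author_create_cap', 'edit_posts' );
}

function example_can_create_guest_author() {
	return current_user_can( example_guest_author_create_cap() );
}

// Guest Authors list: print the button only for users who can use it.
function example_render_add_new_button() {
	if ( ! example_can_create_guest_author() ) {
		return;
	}
	printf(
		'<a href="%s" class="page-title-action">%s</a>',
		esc_url( admin_url( 'admin.php?page=example-add-guest-author' ) ),
		esc_html__( 'Add New', 'example-textdomain' )
	);
}

// Call first thing in the Add New screen and again in the submission handler
// (there with the form's nonce action). Hiding the button is cosmetic; this is
// the check that actually enforces the permission.
function example_guard_guest_author_create( $nonce_action = '' ) {
	if ( '' !== $nonce_action ) {
		check_admin_referer( $nonce_action ); // dies on a missing or invalid nonce
	}
	if ( ! example_can_create_guest_author() ) {
		wp_die(
			esc_html__( 'Sorry, you are not allowed to add guest authors.', 'example-textdomain' ),
			'',
			array( 'response' => 403 )
		);
	}
}
```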