Guest authors and user accounts can accidentally share the same slug, making the guest author impossible to update

[mallorydxw]

Creating a guest author, then creating a user account with the same slug makes it impossible to update the guest author, with the following error message:

Guest authors cannot be created with the same user_login value as a user. Try creating a profile from the user on the Manage Users listing instead.

The only solution that doesn't involve deleting the guest author is to change the cap-user_login postmeta in the database.

Steps to reproduce:

• Visit /wp-admin/post-new.php?post_type=guest-author
• Set Display Name to "Peach"
• Press "Add New Guest Author"
• Visit /wp-admin/user-new.php
• Set Username to "peach"
• Set email to whatever
• Press "Add New User"
• Visit /wp-admin/users.php?page=view-guest-authors
• Follow the link to the edit page for "Peach"
• Press "Update Guest Author"

Then you'll be presented with the error message above.

[psaikali]

I think this error message could be considered outdated now, as the "Create profile" link is not displayed by default in the Users table (some history : https://github.com/Automattic/Co-Authors-Plus/pull/248).

I'd be happy to have some insights from other people on that before try to solve this. One solution would be to intercept all new WP_User creations and check if a Guest Author already exists with the user_login we're trying to create. The WP_User creation process would throw an error if we have a Guest Author with that user_login; that could be done by hooking to the user_profile_update_errors action.

A more user-friendly solution would be to add an AJAX check on the WP_User creation form, so we can prevent any Guest Author conflict when an admin writes a value in the username field. If the AJAX call finds a Guest Author sharing this same username, we could :

• possibly disable the form submission until username field is changed, and display a message to the admin explaining what's going on
• or display a new checkbox in the form to ask for admin permission to automatically create the new WP_User <> Guest Author mapping on user creation.

[benlk]

I encountered this bug today, in the following contexts:

• trying to update profile fields for a Guest Author who had the same the same Display Name, First Name, and Last Name as a WP User: no edits could be saved for this Guest Author
• after deleting the existing Guest Author, trying to create a new guest author with the same Display Name, First Name, and Last Name as the WP User: the profile could not be created

In both cases, the error message described above was shown:

Guest authors cannot be created with the same user_login value as a user. Try creating a profile from the user on the Manage Users listing instead.

There is no "Create Profile" link.

In the "Add New Guest Author" screen:

• the "Unique Slug" field is not user-editable. Would allowing users to set a different slug allow them to work around this bug?
• the "WordPress User Mapping" field is also not user-editable. Would allowing users to pick a WP user when creating a Guest Author fix this problem?

In the meantime, I'm going to try the coauthors_show_create_profile_user_link filter fix described at https://github.com/Automattic/Co-Authors-Plus/pull/248#issuecomment-103215238 to get back the "Create profile" link.

[theresaweb]

I am encountering this as well. To reproduce:

• create a coauthor user
• create a WP user with same username
• try to edit coauthor and receive error. "Guest authors cannot be created with the same user_login value as a user. Try creating a profile from the user on the Manage Users listing instead."

@benlk did you implement the coauthors_show_create_profile_user_link filter? I have added but see no Create Profile link. To be honest, I'm not sure where it would appear as I'm not sure where 'Manage Users screen' would be. Any details you can share?

[benlk]

@theresaweb Yes, I made a small plugin for it at the time, but I have not tested that tiny plugin against the latest version 3.4.3 of CAP released on April 20, 2020. You can find my fix plugin in the comment at https://github.com/Automattic/Co-Authors-Plus/pull/248#issuecomment-613060764

It's been a while since I looked, but I believe the "Manage Users" admin page can be found from the Dashboard's main menu, under "Users", if your WordPress user has the right capabilities — if you're an Administrator or Super-admin you should see it.

[theresaweb]

@benlk Thanks for responding. I guess the issue is not the need to create a user from the WP Users interface but that the creation of a WP User does not check if a Coauthor with the same slug is already created.

The more I think it through, @psaikali had the right suggestion for a fix (in 2018!) One solution would be to intercept all new WP_User creations and check if a Guest Author already exists with the user_login we're trying to create. The WP_User creation process would throw an error if we have a Guest Author with that user_login; that could be done by hooking to the user_profile_update_errors action.

@psaikali do you know if this was ever addressed?

[bengreeley]

FYI this bug occurred on a site I'm working on as well.

[theresaweb]

Guest authors cannot be created with the same user_login value as a user. Try creating a profile from the user on the Manage Users listing instead.

One thing I'd like to understand is the validity/purpose of and logic behind this message. Clearly if the wp user is created first, then this message and die statement block you from creating a co-author with the same slug. But why? Is the real requirement that the wp user and co-author cannot have the same slug unless they are mapped to each other? i.e. would it break anything if the co-author and wp user have the same slug if they are mapped to each other?

If above rings true, a better die message might be Guest authors cannot be created with the same user_login value as a user unless they are mapped. Return to edit screen and map user.

Then the logic in manage_guest_author_filter_post_data can add a check for $_POST['cap-linked_account'] and make sure that the slugs match

[theresaweb]

I've created a fix for this, you can view the change here https://github.com/theresaweb/Co-Authors-Plus/pull/1/files. I'll be creating a plugin to apply in the meantime.

[theresaweb]

@benlk , @psaikali , I'm trying to formulate a PR but not sure the procedure? Can either of you point me to how to do it?

[benlk]

@theresaweb On the page https://github.com/Automattic/Co-Authors-Plus/pulls there should be a green "New pull request" button. From there, click the "compare across forks" link/button, then choose your fork and branch from the drop-downs. Once you've got that selected, you'll see a comparison between the base and comparison branches, and you'll be able to make a pull request if there's a difference.

For example, here's a comparison between the master branch of Automattic/Co-Authors-Plus and your fix_578 branch: https://github.com/Automattic/Co-Authors-Plus/compare/master...theresaweb:fix_578

[theresaweb]

Thanks @benlk !

PR 748 created

Also, created a little plugin if anyone can't wait https://github.com/theresaweb/Co-Authors-Plus-Helper