Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0

Editor: Permission Errors when trying to Update/Publish Post/Pages #45881

Closed KristinaKay closed 3 years ago

KristinaKay commented 4 years ago

We are receiving several reports of customers getting errors when trying to update or publish posts/pages.

Initial P2: #p2EDhh-19p-p2

HEs Warning P2: p7DVsv-9vm-p2

Systems P2: pMz3w-c2B-p2

Demographics: https://docs.google.com/spreadsheets/d/1dcsU96Q7ChdQGnest975BLG5HBXmysSPkQ6dEN0d-iU/edit?usp=sharing

Logging added here: D50847-code and D50934-code

Logs: in Kibana for feature: update_item_permissions_check_failure

If a cookie is not set, it will not appear. If wp_api_sec is set and valid, it will have the user id as value. If not valid, it will have false as value. The remaining cookies' false values are a side effect only.


Steps to reproduce

It's hard to say as all cases are different and not necessarily corrected in the same way. I am adding the comments from the original P2 here to have it all in one place.

https://wordpress.com/forums/topic/red-line-says-updating-failed-sorry-you-are-not-allowed-to-edit-this-post/

Action: since they’re having issues with “liking” posts, too, I’m wondering if it’s a login issue. I’m having them log out, clear cache, and log back in to see if that will help.

Otherwise, is this related to samesite browser cookie changes?

They also report this happening more widely with people they know:

> This is not a solitary issue with just my blog. I run a group that attempts to post daily in November and the current problems makes it almost impossible to think about attempting this on the WordPress platform. A blogger in that group who is open to their blog being examined over this recurring error is behindthewillows.com.

@davemart-in @cathymcbride

sophiegyo commented 4 years ago

Another report: 3816989-hc

Asked user to log out, clear their cookies and cache, and log back in again, but they left with no further response.

Edit: wow, this user doesn't even have a mapped domain on their site, it's a .wordpress.com address only.

rickmgithub commented 4 years ago

Report here 3394528-zd

https://whatismybrowser.com/w/R74DNDM

pablinos commented 4 years ago

> Edit: wow, this user doesn't even have a mapped domain on their site, it's a .wordpress.com address only.

Yep, that one disproves most of my theories, as they only have a single site too.

I was wondering if it could be related to the JS from a particular theme/widget/plugin. I can't see anything in common about the sites affected by this problem at the moment. More investigation is needed!

cpapazoglou commented 4 years ago

Just checked:

I think the only thing in common is that they were using the deprecated editor. Here is another example with the first User with Edge instead of Chrome: 3400019-zd-woothemes

adelineyaw commented 4 years ago

24869654-hc 3405951-zen (follow up ticket)

Issue occurs on two simple sites intermittently.

I've asked the user to clear their browser's cache and cookies. And to try another device / browser but no luck. I'm unable to replicate the issue when I SU into the account.

hacchism commented 4 years ago

Another report: 23433772-hc

Asked the user to log out, clear their cookies and cache, and log back in again, but they left with no further response.

pauloeaquino commented 4 years ago

24877533-hc I advised to clear cache and see how that goes, but user left. I had no issues saving/updating on my end

3166423-hc I was unable to replicate the issue when SU. Clearing cache or trying a different browser did not help. Pushed to ticket in 3406703-zd

nagpai commented 4 years ago

https://toocoolformiddleschool.com

24877829-hc

Error: "The editor has encountered an unexpected error"

On clicking Copy error from Gutenberg:

TypeError: r is not a function
    at https://c0.wp.com/c/5.5.1/wp-includes/js/dist/components.min.js:7:394527
    at Vb (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:104:431)
    at Xi (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:151:136)
    at unstable_runWithPriority (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react.min.js:26:340)
    at Ma (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:52:280)
    at Yb (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:150:420)
    at Ae (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:118:178)
    at xi (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:39:146)

Works fine on incognito window.

https://whatismybrowser.com/w/WC2TWS7

rinazrina commented 4 years ago

Another report: #3371540-zen. The user shared a video on how they reproduce the issue (see ticket notes). It works fine when they click Edit link from the front end and edit the post from there. It also works on WP Admin's Classic editor.

noahtallen commented 4 years ago

I want to note that there was an issue we solved in #46475 where a specific data subscription would consistently fail. This meant that every time any data changed in any gutenberg data store, a certain error would be triggered. I believe that this caused many features in gutenberg to become buggy, specifically on Atomic sites while accessing the editor via Calypso.

That specific issue should now be fixed, but it is unrelated to the original issue here. Just wanted to include this since some reports could have gotten mixed into this issue.

See this thread as well: p1602727238248200-slack-create-gardeners

galakhyati commented 4 years ago

Got another case here: 24879211-hc, they shared the error they got on clicking on Copy Error button:

TypeError: r is not a function
    at https://c0.wp.com/c/5.5.1/wp-includes/js/dist/components.min.js:7:394527
    at Vb (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:104:431)
    at Xi (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:151:136)
    at unstable_runWithPriority (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react.min.js:26:340)
    at Ma (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:52:280)
    at Yb (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:150:420)
    at Ae (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:118:178)
    at xi (https://c0.wp.com/c/5.5.1/wp-includes/js/dist/vendor/react-dom.min.js:39:146)

Shared that the fix is deployed, and that it can take a while for it to come into effect.

pablinos commented 4 years ago

> I think the only thing in common is that they were using the deprecated editor,

Are we sure that's the case? It seems to be in the majority of cases, but 24579192-hc wasn't part of the editor deprecation group (so didn't receive our emails about the change). It could be that they used the Calypso editor more than a year ago (which looks possible). I'm not sure what about the editor deprecation could cause a problem with cookies, though.

The other thing I notice is that a lot of these people are returning after a period of inactivity. I'm wondering if the cookies were set before some change (perhaps the third party cookie updates) then perhaps they're not getting updated in some circumstances.

I'm seeing reports of it not working in wp-admin but working when they try in Calypso, which is strange. Any cookie issues I would expect to be related to the iframe. If authentication via the cookie fails for some reason it does get reset, so that could be the reason we're not seeing the wordpress_sec and wp_api_sec cookies on the failed requests.

Also, most (not all) failed attempts lack the wordpress, wordpress_sec, wp_api, wp_api_sec cookies.

Do we have any examples where the sec cookies are set, but the request is failing?

cpapazoglou commented 4 years ago

> 24877533-hc I advised to clear cache and see how that goes, but user left. I had no issues saving/updating on my end
>
> 3166423-hc I was unable to replicate the issue when SU. Clearing cache or trying a different browser did not help. Pushed to ticket in 3406703-zd
>
> https://toocoolformiddleschool.com
>
> 24877829-hc
>
> Error: "The editor has encountered an unexpected error"

24877533-hc, 3406703-zen, 24877829-hc seem to have another problem. They get a blank / frozen page when they load the editor. They are on Atomic. https://github.com/Automattic/wp-calypso/pull/46475 may have resolved the issues.

cpapazoglou commented 4 years ago

> Are we sure that's the case?

Hey @pablinos, it is more the fact that issues have emerged right after the deprecation. But I agree, I am not sure. It is true that a user 3371540-zd-woothemes had success through the block-editor but failed in wp-admin...

> Do we have any examples where the sec cookies are set, but the request is failing?

No, all logs suggest that wordpress, wordpress_sec, wp_api, wp_api_sec cookies are missing. Since wordpress_sec is missing, wp_api_sec cannot be set, so we now have to find why wordpress_sec is missing!

supernovia commented 4 years ago

Another report here. https://wordpress.com/forums/topic/i-cant-add-a-page-like-i-use-to/#post-3578743

lakellie commented 4 years ago

Another report in 8919599-hc Browser details: Firefox 81 on Windows 7

druesome commented 4 years ago

24655356-hc

druesome commented 4 years ago

20437344-hc

kylemcph commented 4 years ago

Another report: 3417101-zen

Asked the user to log out, clear their cookies and cache, and log back in again.

rachelwinspear commented 4 years ago

Report here: 3398051-zen Browser: https://www.whatsmybrowser.org/b/WSOLE

serabi commented 4 years ago

Report here: 192163920-hc

pablinos commented 4 years ago

I've been doing some investigation into this, and the bit that's confusing me the most is that this problem seems to persist between reloads of the editor. I can break the cookies in some way but that will always be solved by a refresh, which will reset the cookies or redirect me to log back in.

@cpapazoglou Were you able to reproduce this in a way that it would persist between reloads of the browser?

cpapazoglou commented 4 years ago

> I've been doing some investigation into this, and the bit that's confusing me the most is that this problem seems to persist between reloads of the editor. I can break the cookies in some way but that will always be solved by a refresh, which will reset the cookies or redirect me to log back in.
>
> @cpapazoglou Were you able to reproduce this in a way that it would persist between reloads of the browser?

Nope, not really. The only way to mimic the error is by firstly loading the editor and then changing `if ( isset( $_COOKIE[SECURE_AUTH_COOKIE] ) ) {` to `if ( ! isset( $_COOKIE[SECURE_AUTH_COOKIE] ) ) {` so that the wp_api_sec cookie gets cleared and you get the error when you click update / publish.

pablinos commented 4 years ago

Right, but once it's cleared then you are logged out. Refresh your browser and you'll be asked to log back in, or if there are cookies still set against .wordpress.com then we log them back into the API, and everything's fine. The reports here seem to have the editor consistently loading successfully, but that the save action on the API becomes unauthenticated for some reason.

There are many requests made against the API as the editor loads, and while it's being used. Why would this manifest only when someone goes to update or publish the post? Autosave requests happen around every 30 seconds. It would be interesting to know if the error is also appearing when that happens or if it only comes from an explicit click of the 'Update/Publish' button.

I'm wondering about whether we should get a HAR export from the network tab of an affected customer, but that's not particularly simple to walk someone through, and there are security implications, as it will have all their cookies in it.
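The HAR concern raised in the comment above can be narrowed by redacting secrets before the file leaves the customer's machine while keeping which cookie names each request carried. The following Node.js code is an added example, not part of the original thread or of wp-calypso: the function names are hypothetical, the four cookie names are the ones named in this thread, treating 401/403 as the failing responses is an assumption, and the sample HAR is constructed.

```javascript
// Added example: redact a HAR export but keep cookie *names*, so the report can
// still show whether the auth cookies were sent on the failing save request.
const AUTH_COOKIES = ['wordpress', 'wordpress_sec', 'wp_api', 'wp_api_sec']; // names from the thread
const REDACTED = '[REDACTED]';

// "name=value" -> "name=[REDACTED]"; attribute-only parts (e.g. "Secure") pass through.
const redactPair = (part) => part.replace(/=.*/, `=${REDACTED}`);

function redactHeader(h) {
  const name = h.name.toLowerCase();
  if (name === 'authorization') return { ...h, value: REDACTED };
  const parts = h.value.split(';').map((p) => p.trim());
  if (name === 'cookie') return { ...h, value: parts.map(redactPair).join('; ') };
  if (name === 'set-cookie') {
    // Only the first part carries the secret; keep Path/Expires/SameSite for analysis.
    return { ...h, value: [redactPair(parts[0]), ...parts.slice(1)].join('; ') };
  }
  return h;
}

function sanitizeHar(har) {
  const copy = JSON.parse(JSON.stringify(har)); // never mutate the original export
  for (const entry of copy.log.entries) {
    for (const msg of [entry.request, entry.response]) {
      msg.headers = (msg.headers || []).map(redactHeader);
      msg.cookies = (msg.cookies || []).map((c) => ({ ...c, value: REDACTED }));
    }
    if (entry.request.postData) entry.request.postData.text = REDACTED; // post content
    if (entry.response.content) delete entry.response.content.text; // response body
  }
  return copy;
}

// For each 401/403 response (assumed failure statuses), list the auth cookies sent.
function authCookieReport(har) {
  return har.log.entries.filter((e) => [401, 403].includes(e.response.status)).map((e) => {
    const sent = new Set((e.request.cookies || []).map((c) => c.name));
    const { method, url } = e.request;
    return { method, url, status: e.response.status,
      present: AUTH_COOKIES.filter((n) => sent.has(n)),
      missing: AUTH_COOKIES.filter((n) => !sent.has(n)) };
  });
}

// Constructed sample: the editor load is authenticated, the later save is not.
const sampleHar = { log: { entries: [
  { request: { method: 'GET', url: 'https://site.example/wp-admin/post.php?post=123',
      headers: [{ name: 'Cookie', value: 'wordpress_sec=aaa; wp_api_sec=bbb' }],
      cookies: [{ name: 'wordpress_sec', value: 'aaa' }, { name: 'wp_api_sec', value: 'bbb' }] },
    response: { status: 200, headers: [], cookies: [] } },
  { request: { method: 'POST', url: 'https://site.example/wp-json/wp/v2/posts/123',
      headers: [{ name: 'Cookie', value: 'wordpress_test_cookie=ccc' }],
      cookies: [{ name: 'wordpress_test_cookie', value: 'ccc' }], postData: { text: '{"title":"draft"}' } },
    response: { status: 403, cookies: [], content: { text: '{}' },
      headers: [{ name: 'Set-Cookie', value: 'wp_api_sec=deleted; Path=/; Secure' }] } },
] } };

console.log(JSON.stringify(authCookieReport(sanitizeHar(sampleHar)), null, 2));
```

URLs and query strings are left as they are, so review them for nonces or tokens before the sanitized file is shared.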

metabreakr commented 4 years ago

3423097-zen

ivan-ottinger commented 4 years ago

Another report: 3412031-zen → I have suggested that they try a different browser and asked for details on their setup (browser version, ...)

metabreakr commented 4 years ago

> Another report: 3412031-zen → I have suggested that they try a different browser and asked for details on their setup (browser version, ...)

User has replied in the ticket with the information requested.

villanovachile commented 4 years ago

Another report here: 3405308-zen

metabreakr commented 3 years ago

3429014-zen

philnick206 commented 3 years ago

21102742-hc

nagpai commented 3 years ago

25089175-hc

Microsoft Edge 86 browser https://www.whatsmybrowser.org/b/7R8KV

No ad blockers, Cookies enabled, JS enabled.

pauloeaquino commented 3 years ago

25090405-hc

I suggested to try clearing cache or edit on a different browser for now.

kaitohm commented 3 years ago

Another report 25113936-hc

After creating a new post, the user added a new Image Block. Selecting images from the Media works fine. But if the user goes to add an image from their computer, or drag-drops an image into the block, the editor says

Updating failed. Sorry, you are not allowed to edit this post.

And the image block says

Sorry, you are not allowed to create posts as this user.

Browser: Edge We are in the process of clearing cache. (Follow-up: 3432655-zd-woothemes)

kaitohm commented 3 years ago

Another report: 3369575-zd-woothemes Clearing the cache on Edge didn't work. Installing Chrome and logging into their account there did work.

geekinthegirl commented 3 years ago

Just had another issue here: 25142582-hc

User came across the 'Updating failed. Sorry, you are not allowed to edit this post.' error when trying to edit any post or page - specifically when using Chrome and running on PC (it seems to work fine on Mac). I suggested logging out and back in, but no indication of whether that worked for them or not.

kdevnel commented 3 years ago

Just noting this person that also had the issue. I've reached out to see if they're still having issues and to gauge if they're in the mood to provide us any of the info you ask or maybe run the screenshare session with them. At this point, what information would you like us to get from them to help troubleshoot?

3440851-zd-woothemes

pablinos commented 3 years ago

I'm curious to understand if people seeing this issue can reload the editor and if it's just the updating/saving of the post that is not working. Looking at the reports it seems that it can persist between loads of the editor, but updating/saving the post fails. This suggests that there's a particular API call that is causing the issue.

If that's the case, then I think we need to find a way of getting a more detailed log for someone while they're stuck in this state. I was wondering about getting a HAR export from the network tab, but that seems laden with problems.

Could someone confirm that people are getting stuck not being able to update posts, but can otherwise load the editor, come in and out of editing posts etc.? Then we can work out toggling some detailed logging for these customers.

happychait commented 3 years ago

@pablinos

> Could someone confirm that people are getting stuck not being able to update posts, but can otherwise load the editor, come in and out of editing posts etc.? Then we can work out toggling some detailed logging for these customers.

I just confirmed with a customer in 25215346-hc. Customer gets "Updating failed. Sorry, you are not allowed to edit this post." in Chrome and Edge even after clearing cache and cookies. They didn't find the wp_api_sec cookie, but they found wordpress_test_cookie in their Chrome.

Their site is https://brianjump.net/

Could you suggest the next steps to toggle additional logging for this site?

pablinos commented 3 years ago

Thanks @chaitanyamsv We haven't got the additional logging in place yet, we'll have to add that.

Before clearing their cache and cookies were they still logged in? Could they load the editor and use Calypso? I assume they must have been, because they were still in chat. It seems odd that they were authenticated at all if they had cleared the cookies.

I'll see about how we might be able to get some more information for specific users.

hacchism commented 3 years ago

Another report: 12727590-hc They were on Chrome. Clearing browser cache worked!

metabreakr commented 3 years ago

3449178-zen

Clearing cache did not work.

ivan-ottinger commented 3 years ago

Another report: 2383900-hc,

They were quite unhappy and didn't want to clear the cache to resolve the issue - since they are logged into multiple services and don't want to get kicked out.

I didn't ask them for details, as I didn't want them to become even more frustrated.

Browser: Chrome 86.0 on Windows 10.0.0.

They noticed the issue just today (October 30), but they don't post frequently. They were not able to do a site export either.

rinazrina commented 3 years ago

Another report: 25269983-hc

They're seeing "Updating failed. User cannot access this private blog" whenever they try to save a post as a draft or even try to publish it.

It worked after they cleared cache and cookies.

TeniCola commented 3 years ago

Probable case in 156262-hc

They said they have a REST API issue on one of their posts. Saving and publishing their post via WP Admin seemed to work for them. No browser info was provided in transcript.

blackjackkent commented 3 years ago

> The cookie is only valid for 2 days, but it gets extended with every request to the API. Maybe there are some users who keep the editor opened for more than 2 days but without any interaction at all, so there are no API requests extending the cookie expiration?

I don't know if anyone followed up on this possibility from @mmtr (and given that the issue seems to persist between reloads for reporting users, it may be a red herring) but on the off chance that it leads anywhere, I have a post editor open in a browser on my personal computer and will try to reproduce the issue later this week.

dolgelukkig commented 3 years ago

Another case #3458328-zd

They're on a Personal plan, browser is chrome, issue happens in Calypso and in wp-admin.

pablinos commented 3 years ago

> (and given that the issue seems to persist between reloads for reporting users, it may be a red herring)

That's my feeling @blackjackkent. I think you could probably get it to fail on that basis, but I'm not sure if it would be reproducing this problem. It would be great if we could reproduce it though!

> Another report: 25269983-hc

This one is interesting. The error message mentions that they haven't got access to a private blog, but the blog isn't private. Maybe it hadn't been launched at the time, but it seems odd. Perhaps a request is being made without the site ID and it's defaulting to one. An invalid request would also clear the authentication cookies.

dolgelukkig commented 3 years ago

This looks like another one: #3449089-zd which is a follow up for #3395522-zd

blackjackkent commented 3 years ago

In the hopes of getting some more specific info about what's happening here, I'm going to work on adding some logstash logging to the places in the codebase where this message can manifest, which should hopefully help narrow down what we should be looking at.

Let me know if there's any particular info that I should be sure to include in the logs.

cpapazoglou commented 3 years ago

> In the hopes of getting some more specific info about what's happening here, I'm going to work on adding some logstash logging to the places in the codebase where this message can manifest, which should hopefully help narrow down what we should be looking at.
>
> Let me know if there's any particular info that I should be sure to include in the logs.

There are already some logs, you can append any info needed there I assume!

> Logging added here: D50847-code and D50934-code
>
> Logs: in Kibana for feature: update_item_permissions_check_failure
>
> If a cookie is not set, it will not appear. If wp_api_sec is set and valid, it will have the user id as value. If not valid, it will have false as value. The remaining cookies' false values are a side effect only.