Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0

Video Uploads on AT Sites Shows Site Owner Username In WP-Admin Meta Data Even When Uploaded From Another User Account #72900

Open gwensmithx opened 1 year ago

gwensmithx commented 1 year ago

Quick summary

I worked with a site owner today who had multiple user accounts on their site and they were saying that regardless of what account a video file was uploaded from, it always showed their username (the site owner) in the wp-admin meta data window (clicking edit in the wp-admin).

This seems to only affect AT sites, and it also shows the site owner performing the action in the Activity log as well, even though they did not upload the video from their account.

Steps to reproduce

  1. You'll need 2 WP accounts for this - Account A (site owner) and Account B (the invited user)
  2. On an AT site in Account A, add your other test account (Account B) as an admin to the site
  3. Accept the invite as Account B, log in to WordPress and access Account A's site
  4. Upload a video to the media library
  5. Once that is uploaded, click edit to see the file details
  6. You'll see the username linked to that upload is Account A even though you are logged in as Account B
  7. You can also visit Jetpack --> Activity log and it will show Account A uploaded the video

What you expected to happen

I expected the username to reflect the account username that performed the action.

What actually happened

The account username that is associated with the media uploads is always the site owner regardless of which user account performed the action.

Impact

All

Available workarounds?

No but the platform is still usable

Platform (Simple and/or Atomic)

Atomic

Logs or notes

No response

karenroldan commented 1 year ago

I was able to replicate it on an atomic site. Account B uploaded a video on Account A's site and the activity logs show that it was Account A who uploaded the video. It should be Account B.

upload-video-atomic

Issue is not replicated on a simple premium site.

upload-video-simple

cuemarie commented 1 year ago

📌 ACTIONS

vykes-mac commented 2 weeks ago

Based on initial findings, it seems that VideoPress calls out to the /media/new endpoint using a blog token that was generated in Jetpack with wpcom_json_api_request_as_blog. I suspect that, because it uses the blog token to manage uploads, the attachment is created under the site owner's name, as it does not know who uploaded the file. Maybe uploading with a user token instead of a blog token might resolve the issue.