Solved: wp calypso Editor: Permission Errors when trying to Update/Publish Post/Pages
✔️Accepted Answer
The fix has been deployed today to wpcom as D57128, after the first attempt had to be reverted due to a mistake.
I'll now close the issue. Don't hesitate to add further reports if the issue happens to any customer. We're not 100% sure that the issue is gone for good.
Other Answers:
Since the issue seems to point to a cookie problem, I analyzed the cookies we use when making a request to the API, and found out that when the wp_api_sec cookie is missing / has expired / contains an invalid value, the API returns a "Sorry, you are not allowed to edit this post." error.
I confirmed it by manually deleting the cookie using the Chrome dev tools. Reloading the editor always brings the cookie back for me. Would it be possible to ask users to provide a screenshot of the browser dev tool showing the wp_api_sec cookie stored for the API? In Chrome this can be done by opening the menu and then going to More tools > Developer Tools > Application > Storage > Cookies > public-api.wordpress.com.
I can reproduce the issue. As the issue is security-related and doesn't have much to do with the Calypso frontend itself, I shared the details in an internal P2 post: pcNnmV-x-p2#comment-38
Quick way to reproduce is:
- Start editing a post in Gutenframe
- Open a new tab with the /log-in page and login there as the same user. That resets your auth cookies.
- Switch back to the editor tab and click "Update" or "Save". The original tab is confused by the new auth cookies and will send a REST request with inconsistent auth info. And it will fail.
Wooo! Thanks @jsnajdr. This has been a long standing issue. It's great to see this fixed.
I have posted a P2 p7DVsv-9vm-p2 to raise HEs' awareness and collect some feedback. Next steps:
- Collect some demographics about users / sites in conjunction with evidence collected
- Add an error logging mechanism that will log the cookies currently set
We are receiving several reports of customers getting errors when trying to update or publish posts/page. Initial P2 #p2EDhh-19p-p2
HEs Warning P2: p7DVsv-9vm-p2
Systems P2: pMz3w-c2B-p2
Demographics: https://docs.google.com/spreadsheets/d/1dcsU96Q7ChdQGnest975BLG5HBXmysSPkQ6dEN0d-iU/edit?usp=sharing
Logging added here: D50847-code and D50934-code
Logs: in kibana for feature : update_item_permissions_check_failure
If a cookie is not set, it will not appear. If wp_api_sec is set and valid it will have the user id as value. If not valid it will have false as value. The rest cookies false values are a side effect only.
Steps to reproduce
It's hard to say as all cases are different and not necessarily corrected in the same way. I am adding the comments from the original P2 here to have it all in one place.
#23849977-hc, #24239938-hc - “Scheduling failed. Sorry, you are not allowed to edit this post.”
#3254656-zen: “Scheduling failed. Sorry, you are not allowed to edit this post.” error as shown in this screenshot: https://d.pr/i/QncCb4/VxdNKTS4Xi
https://wordpress.com/forums/topic/red-line-says-updating-failed-sorry-you-are-not-allowed-to-edit-this-post/
#23849977-hc: “Sorry, you are not allowed to edit this post” as shown in this screenshot: https://d.pr/i/Xt7KAf
#3299020-hc – “Sorry, you are not allowed to edit this post”
#3302662-zen - “Sorry, you are not allowed to edit this post”
Social Post 1
Social Post 2
#3315500-zen - Only occurring in Edge and not Chrome.
#24239938-hc - They used Chrome and tried clearing cache in Chrome but the issue persists. It works when they used Firefox though.
#11163274-hc “I can’t get my blog posts to update or save- I can’t get HTML blocks to show up. I keep getting the message that I am not allowed to edit something when I am the only person who does have permissions for this site. It deletes my work and won’t save. This is not a common error message.”
Error: “Updating failed. Sorry, you are not allowed to edit this post.”
Domain: (unspecified, presumably multiple sites as this user has many, but I’ll ask)
Ticket: https://wordpress.com/forums/topic/block-editor-preventing-me-to-publish-as-usual/
Browser: Chrome
Theme: (unspecified)
Plan: Free
Action: since they’re having issues with “liking” posts, too, I’m wondering if it’s a login issue. I’m having them log out, clear cache, and log back in to see if that will help.
Otherwise, is this related to samesite browser cookie changes?
They also report this happening more widely with people they know:
@davemart-in @cathymcbride
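
A triage sketch for the update_item_permissions_check_failure logging described above, added here as an example and not code from the thread or from WordPress.com: it classifies each logged failure by the state of wp_api_sec and ignores false values on other cookies. The NDJSON record layout, the "cookies" field name and "other_cookie" are assumptions, and the sample records are constructed.

```python
import json
from collections import Counter

FEATURE = "update_item_permissions_check_failure"  # feature name from the page

# Constructed NDJSON records. The "cookies" field name and "other_cookie" are
# assumptions; only wp_api_sec and its value semantics come from the page.
SAMPLE_LOG = """\
{"feature": "update_item_permissions_check_failure", "cookies": {"wp_api_sec": false, "other_cookie": false}}
{"feature": "update_item_permissions_check_failure", "cookies": {"other_cookie": false}}
{"feature": "update_item_permissions_check_failure", "cookies": {"wp_api_sec": 12345, "other_cookie": false}}
{"feature": "update_item_permissions_check_failure", "cookies": {"wp_api_sec": "false"}}
{"feature": "some_other_feature", "cookies": {}}
not json at all
"""

def classify(cookies):
    """Map the logged wp_api_sec value to missing / invalid / valid."""
    if "wp_api_sec" not in cookies:
        return "missing"          # cookie not set, so it was never logged
    value = cookies["wp_api_sec"]
    if value is False or str(value).strip().lower() == "false":
        return "invalid"          # cookie was sent but failed validation
    return "valid"                # value is the user id; the cause lies elsewhere

def triage(ndjson_text):
    """Count wp_api_sec states over permission-check failure records."""
    counts = Counter()
    for line in ndjson_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            counts["unparseable"] += 1
            continue
        if not isinstance(record, dict) or record.get("feature") != FEATURE:
            continue              # unrelated log entry
        cookies = record.get("cookies")
        counts[classify(cookies if isinstance(cookies, dict) else {})] += 1
    return dict(counts)

if __name__ == "__main__":
    for state, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{state}: {n}")
```

A high share of "valid" records would mean the failures are not explained by the wp_api_sec cookie alone.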