Forms: Fix default author non existing still sends emails to form (page/post author) (#45515)

* Forms: Check that the user is memeber of blog before adding setting them to be the default form author

* Forms: Improve default recipient logic in contact form

Refactored get_default_to to consider Feedback_Source and post author permissions when determining the default recipient email. Updated related tests to cover new logic and ensure correct behavior for valid and invalid authors.

* changelog

* minor fix

Co-authored-by: Copilot <[email protected]>

* Add more tests and improve the order of things for better performance.

---------

Co-authored-by: Copilot <[email protected]>

Author: enejb

projects/packages/forms/changelog/fix-default-author-non-existing

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Forms: do not send emails to the author of the form if they are no longer able to edit it

projects/packages/forms/src/contact-form/class-contact-form.php

@@ -150,9 +150,15 @@ public function __construct( $attributes, $content = null, $set_id = true ) {
 
 		$this->is_response_without_reload_enabled = apply_filters( 'jetpack_forms_enable_ajax_submission', true );
 
+		// Initialize the source before setting defaults
+		if ( ! $this->source ) {
+			$attributes   = is_array( $attributes ) ? $attributes : array();
+			$this->source = Feedback_Source::get_current( $attributes );
+		}
+
 		// Set up the default subject and recipient for this form.
 		$post_author_id  = self::get_post_property( $this->current_post, 'post_author' );
-		$default_to      = self::get_default_to( $post_author_id );
+		$default_to      = self::get_default_to( $post_author_id, $this->source );
 		$default_subject = self::get_default_subject( $attributes, $this->current_post );
 
 		if ( ! isset( $attributes ) || ! is_array( $attributes ) ) {
@@ -434,19 +440,42 @@ public static function get_forms_context_count( $context ) {
 	/**
 	 * Get the default recipient email address for the contact form.
 	 *
-	 * @param int|null $post_author_id The ID of the post author. If provided, will return the author's email.
+	 * @param int|null             $post_author_id The ID of the post author. If provided, will return the author's email.
+	 * @param Feedback_Source|null $source The source of the feedback entry. Optional, not used currently.
 	 *
 	 * @return string The default recipient email address.
 	 */
-	public static function get_default_to( $post_author_id = null ) {
-		if ( $post_author_id ) {
-			$post_author = get_userdata( $post_author_id );
-			if ( ! empty( $post_author->user_email ) ) {
-				return $post_author->user_email;
-			}
-		}
+	public static function get_default_to( $post_author_id = null, $source = null ) {
 		// Get the default recipient email address.
 		$default_to = get_option( 'admin_email' );
+		// Check that the user has edit permissions for this blog and has an email address
+		if ( ! $post_author_id ) {
+			return $default_to;
+		}
+
+		// Check that source is of type Feedback_Source
+		if ( ! $source instanceof Feedback_Source ) {
+			return $default_to;
+		}
+
+		if ( absint( $source->get_id() ) === 0 ) {
+			return $default_to;
+		}
+
+		$post_author = get_userdata( $post_author_id );
+		if ( empty( $post_author ) || empty( $post_author->user_email ) ) {
+			return $default_to;
+		}
+
+		// Check that the user is still a member of the blog.
+		if ( ! is_user_member_of_blog( $post_author_id ) ) {
+			return $default_to;
+		}
+
+		// Check that the author can still edit the post or page.
+		if ( user_can( $post_author_id, 'edit_post', $source->get_id() ) ) {
+			return $post_author->user_email;
+		}
 
 		return $default_to;
 	}

projects/packages/forms/tests/php/contact-form/Contact_Form_Test.php

@@ -256,6 +256,7 @@ public function set_up_test_case() {
 				'user_email' => '[email protected]',
 				'user_login' => 'test_user',
 				'user_pass'  => 'abc123',
+				'role'       => 'author',
 			)
 		);
 
@@ -2507,27 +2508,73 @@ public function test_form_defaults_to_admin_email_on_no_user_data() {
 	 * Tests get_default_to method with valid post author.
 	 */
 	public function test_get_default_to_with_valid_post_author() {
+		$email     = '[email protected]';
 		$author_id = wp_insert_user(
 			array(
-				'user_email' => '[email protected]',
+				'user_email' => $email,
 				'user_login' => 'test_author',
 				'user_pass'  => 'password123',
+				'role'       => 'editor',
 			)
 		);
+		$source    = $this->get_source( $author_id );
+		$result    = Contact_Form::get_default_to( $author_id, $source );
 
-		$result = Contact_Form::get_default_to( $author_id );
+		$this->assertEquals( $email, $result );
 
-		$this->assertEquals( '[email protected]', $result );
+		wp_delete_user( $author_id );
+		wp_delete_post( $source->get_id(), true );
+	}
+
+	/**
+	 * Tests get_default_to method with valid post author.
+	 */
+	public function test_get_default_to_with_valid_post_author_subscriber() {
+		$author_id = wp_insert_user(
+			array(
+				'user_email' => '[email protected]',
+				'user_login' => 'test_author',
+				'user_pass'  => 'password123',
+				'role'       => 'subscriber',
+			)
+		);
+		$source    = $this->get_source( $author_id );
+		$result    = Contact_Form::get_default_to( $author_id, $source );
+
+		$this->assertEquals( get_option( 'admin_email' ), $result );
 
 		wp_delete_user( $author_id );
+		wp_delete_post( $source->get_id(), true );
+	}
+	/**
+	 * Helper function to create a Feedback_Source object from a post.
+	 */
+	public function get_source( $author_id ) {
+		$post_id = wp_insert_post(
+			array(
+				'post_title'   => 'Test Post',
+				'post_content' => 'This is a test post.',
+				'post_status'  => 'publish',
+				'post_author'  => $author_id,
+			)
+		);
+
+		return Feedback_Source::from_serialized(
+			array(
+				'source_id' => $post_id,
+				'title'     => 'Test Post',
+			)
+		);
 	}
 
 	/**
 	 * Tests get_default_to method with invalid post author ID.
 	 */
 	public function test_get_default_to_with_invalid_post_author() {
-		$result = Contact_Form::get_default_to( 99999 ); // Non-existent user ID
+		$source = $this->get_source( 99999 );
+		$result = Contact_Form::get_default_to( 99999, $source ); // Non-existent user ID
 
+		wp_delete_post( $source->get_id(), true );
 		$this->assertEquals( get_option( 'admin_email' ), $result );
 	}
 
@@ -2549,14 +2596,18 @@ public function test_get_default_to_with_empty_author_email() {
 				'user_email' => '',
 				'user_login' => 'test_author_no_email',
 				'user_pass'  => 'password123',
+				'role'       => 'editor',
 			)
 		);
 
-		$result = Contact_Form::get_default_to( $author_id );
+		$source = $this->get_source( $author_id );
+
+		$result = Contact_Form::get_default_to( $author_id, $source );
 
 		$this->assertEquals( get_option( 'admin_email' ), $result );
 
 		wp_delete_user( $author_id );
+		wp_delete_post( $source->get_id(), true );
 	}
 
 	/**

projects/plugins/jetpack/changelog/fix-default-author-non-existing

@@ -0,0 +1,4 @@
+Significance: patch
+Type: bugfix
+
+Forms: do not send emails to the author of the form if they are no longer able to edit it