Restricting Subscriber user (self-hosted) access to the app

[reginabally]

It was reported in 3864798-zd-woothemes that a Subscriber user on a self-hosted WordPress site was able to access the Blog Posts menu in the app and create a post. The post wasn't able to be uploaded to the site but it'll be saved in the app locally.

Expected behavior

I would expect the Subscriber user will not be able to log in to the app since they're not able to manage the site.

Actual behavior

The Subscriber user is able to log in to the app, access the Blog Posts menu, and create a post. Though the post will not get uploaded to the site, I'm able to view the comments published on the site through My Site > Comments.

Steps to reproduce the behavior

1. Create a Subscriber user on a self-hosted WordPress site
2. Log in as the Subscriber user to the app with the "Enter your existing site address" login option
3. Once logged in, the user will see Stats, Blog Posts, Media, Comments, Settings, View Site, and View Admin options.
4. Tap the floating button to create a new blog post.
5. Tapping the "PUBLISH" button to upload the post, an error will occur and says the post can't be uploaded.
6. Go to My Site > Comment will see the list of comments published on the site.

Tested on OPPO Reno 4, Android 11, WPAndroid 17.1-rc-2

[thehenrybyrd]

Thanks for reporting @reginabally! I was able to reproduce this and see the same areas you can:

I also found I could trash a comment. It looks successful in the app, but doesn't effect things on the site itself.

Tested on: Samsung Galaxy S21, Android 11, WPAndroid 17.1-rc-1

[stale[bot]]

This issue has been marked as stale because:

• It has been inactive for the past year.
• It isn't in a project or a milestone.
• It hasn’t been labeled [Pri] Blocker, [Pri] High, or good first issue.

Please comment with an update if you believe this issue is still valid or if it can be closed. This issue will also be reviewed for validity and priority during regularly scheduled triage sessions.