
Conversation

enejb
Member

@enejb enejb commented Oct 15, 2025

Fixes FORMS-309

Proposed changes:

  • Update the get_default_to method to only return the author's email address if they can still edit the author. Otherwise we need to set that email explicitly.

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

p1759584451403339-slack-C086RGTJT1D

Does this pull request change what data or activity we track or use?

No

Testing instructions:

Create a user that is able to edit a page.
Do not set the form email settings.

The user should get the email once the form is filled out.

Now set the user's role to subscriber. Once you fill out the form, the form shouldn't be sent to the author since the author doesn't have the edit privileges any more, but it should be sent to the admin of the site.

@enejb enejb requested review from a team, CGastrell and Copilot October 15, 2025 22:46
@enejb enejb added [Type] Bug When a feature is broken and / or not performing as intended [Status] Needs Review This PR is ready for review. [Package] Forms labels Oct 15, 2025
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR fixes a security/permission issue where form submission emails were being sent to post/page authors even when they no longer had edit permissions for the content. The fix adds proper permission checks to ensure only users who can still edit the associated post/page receive form notification emails.

  • Enhanced the get_default_to method to validate author permissions before sending emails
  • Added comprehensive validation including user membership, edit permissions, and source validation
  • Updated tests to cover the new permission-based email routing logic

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

  • projects/plugins/jetpack/changelog/fix-default-author-non-existing: changelog entry for the Jetpack plugin
  • projects/packages/forms/tests/php/contact-form/Contact_Form_Test.php: updated tests to include proper source objects and permission validation
  • projects/packages/forms/src/contact-form/class-contact-form.php: enhanced email routing logic with permission checks and source validation
  • projects/packages/forms/changelog/fix-default-author-non-existing: changelog entry for the forms package
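The recipient rule described in the PR description and in the review summary above, written out as an added PHP example; it is not Jetpack's own get_default_to implementation. The function name example_default_recipient_for_post and its $post_id parameter are assumptions; get_post, get_userdata, user_can, get_option, is_multisite and is_user_member_of_blog are standard WordPress core APIs.

```php
<?php
// Added example, not Jetpack code. The post author receives form notifications
// only while they can still edit the post; every other case falls back to the
// site admin email so mail never goes to a demoted or deleted account.
// Function name and parameter are assumptions for this illustration.

/**
 * Return the default notification recipient for a form embedded in $post_id.
 *
 * @param int $post_id ID of the post or page that contains the form.
 * @return string Email address to notify.
 */
function example_default_recipient_for_post( $post_id ) {
	$admin_email = (string) get_option( 'admin_email' );

	$post = get_post( $post_id );
	if ( ! $post instanceof WP_Post ) {
		// No source post: there is no author to derive an address from.
		return $admin_email;
	}

	$author = get_userdata( (int) $post->post_author );
	if ( ! $author ) {
		// The stored author ID no longer maps to a user (account deleted).
		return $admin_email;
	}

	// Multisite: the author must still be a member of the current site.
	if ( is_multisite() && ! is_user_member_of_blog( $author->ID, get_current_blog_id() ) ) {
		return $admin_email;
	}

	// Check the author's *current* capability on this post, not the role they
	// held when they wrote it. A user demoted to Subscriber fails 'edit_post'.
	if ( ! user_can( $author, 'edit_post', $post->ID ) ) {
		return $admin_email;
	}

	return (string) $author->user_email;
}
```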


Contributor

github-actions bot commented Oct 15, 2025

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the fix/default-author-non-existing branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack fix/default-author-non-existing

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions github-actions bot added [Feature] Contact Form [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Tests] Includes Tests labels Oct 15, 2025
Contributor

github-actions bot commented Oct 15, 2025

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for your cooperation 🤖


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that they apply to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!


Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly:
    • Scheduled release: November 4, 2025
    • Code freeze: November 3, 2025

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.


jp-launch-control bot commented Oct 15, 2025

Code Coverage Summary

Coverage changed in 1 file.

File: projects/packages/forms/src/contact-form/class-contact-form.php
Coverage: 633/1170 (54.10%)
Δ%: 0.13%
Δ Uncovered: 4 💔

Full summary · PHP report · JS report

If appropriate, add one of these labels to override the failing coverage check:

  • Covered by non-unit tests: use to ignore the Code coverage requirement check when E2Es or other non-unit tests cover the code.
  • Coverage tests to be added later: use to ignore the Code coverage requirement check when tests will be added in a follow-up PR.
  • I don't care about code coverage for this PR: use this label to ignore the check for insufficient code coverage.

CGastrell
CGastrell previously approved these changes Oct 16, 2025
Contributor

@CGastrell CGastrell left a comment


Works as described! I left a comment for your consideration, but otherwise all good

enejb and others added 5 commits October 16, 2025 08:54
Refactored get_default_to to consider Feedback_Source and post author permissions when determining the default recipient email. Updated related tests to cover new logic and ensure correct behavior for valid and invalid authors.
Co-authored-by: Copilot <[email protected]>
@enejb enejb force-pushed the fix/default-author-non-existing branch from 4a9fe94 to 06ddc10 Compare October 16, 2025 15:55
@enejb enejb merged commit d49e908 into trunk Oct 17, 2025
66 of 67 checks passed
@enejb enejb deleted the fix/default-author-non-existing branch October 17, 2025 21:19
@github-actions github-actions bot removed the [Status] Needs Review This PR is ready for review. label Oct 17, 2025
@github-actions github-actions bot added this to the jetpack/15.2 milestone Oct 17, 2025