From 9e51c6e66cce995e1aa3f98bc1ccb0d7b1e33caf Mon Sep 17 00:00:00 2001
From: sanketio <sanket.parmar11@gmail.com>
Date: Mon, 6 Apr 2026 12:50:26 +0530
Subject: [PATCH 1/2] Users: Add autocomplete support to wp_dropdown_users()

---
 src/js/_enqueues/lib/user-suggest.js          |  48 +-
 src/wp-admin/includes/ajax-actions.php        | 172 ++++--
 src/wp-admin/users.php                        |   7 +-
 src/wp-includes/user.php                      |  99 +++-
 .../tests/ajax/wpAjaxAutocompleteUser.php     | 499 ++++++++++++++++++
 tests/phpunit/tests/user/wpDropdownUsers.php  | 250 +++++++++
 6 files changed, 1014 insertions(+), 61 deletions(-)
 create mode 100644 tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php

diff --git a/src/js/_enqueues/lib/user-suggest.js b/src/js/_enqueues/lib/user-suggest.js
index f05b7ffa8892f..1a204a013bfc8 100644
--- a/src/js/_enqueues/lib/user-suggest.js
+++ b/src/js/_enqueues/lib/user-suggest.js
@@ -1,10 +1,9 @@
 /**
- * Suggests users in a multisite environment.
+ * Suggests users in site admin and multisite environments.
  *
- * For input fields where the admin can select a user based on email or
- * username, this script shows an autocompletion menu for these inputs. Should
- * only be used in a multisite environment. Only users in the currently active
- * site are shown.
+ * For input fields where the admin can select a user by searching their name,
+ * login, or email, this script shows an autocompletion menu. On multisite,
+ * only users in the currently active site are shown for 'search' type requests.
  *
  * @since 3.4.0
  * @output wp-admin/js/user-suggest.js
@@ -36,19 +35,29 @@
 		 * - data-autocomplete-type (add, search)
 		 *   The action that is going to be performed: search for existing users
 		 *   or add a new one. Default: add
-		 * - data-autocomplete-field (user_login, user_email)
+		 * - data-autocomplete-field (user_login, user_email, user_id)
 		 *   The field that is returned as the value for the suggestion.
+		 *   When set to 'user_id', the input is expected to have an adjacent
+		 *   '.wp-suggest-user-helper' hidden input that stores the numeric ID
+		 *   while the visible input shows the display label.
 		 *   Default: user_login
+		 * - data-autocomplete-label
+		 *   A template string with {{tokens}} to build each result's display label.
+		 *   Supported tokens: {{user_login}}, {{user_email}}, {{display_name}}, {{user_id}}.
+		 *   Default: empty (server returns display_name).
 		 *
-		 * @see wp-admin/includes/admin-actions.php:wp_ajax_autocomplete_user()
+		 * @see wp-admin/includes/ajax-actions.php:wp_ajax_autocomplete_user()
 		 */
-		$( '.wp-suggest-user' ).each( function(){
-			var $this = $( this ),
-				autocompleteType = ( typeof $this.data( 'autocompleteType' ) !== 'undefined' ) ? $this.data( 'autocompleteType' ) : 'add',
-				autocompleteField = ( typeof $this.data( 'autocompleteField' ) !== 'undefined' ) ? $this.data( 'autocompleteField' ) : 'user_login';
+		$( '.wp-suggest-user' ).each( function() {
+			var $this           = $( this ),
+				autocompleteType  = ( typeof $this.data( 'autocompleteType' )  !== 'undefined' ) ? $this.data( 'autocompleteType' )  : 'add',
+				autocompleteField = ( typeof $this.data( 'autocompleteField' ) !== 'undefined' ) ? $this.data( 'autocompleteField' ) : 'user_login',
+				autocompleteLabel = ( typeof $this.data( 'autocompleteLabel' ) !== 'undefined' ) ? $this.data( 'autocompleteLabel' ) : '',
+				// True when using user_id field with a sibling helper input.
+				hasHelper = ( 'user_id' === autocompleteField && $this.next( '.wp-suggest-user-helper' ).length > 0 );
 
 			$this.autocomplete({
-				source:    ajaxurl + '?action=autocomplete-user&autocomplete_type=' + autocompleteType + '&autocomplete_field=' + autocompleteField + id,
+				source:    ajaxurl + '?action=autocomplete-user&autocomplete_type=' + autocompleteType + '&autocomplete_field=' + autocompleteField + '&autocomplete_label=' + encodeURIComponent( autocompleteLabel ) + id,
 				delay:     500,
 				minLength: 2,
 				position:  position,
@@ -57,6 +66,21 @@
 				},
 				close: function() {
 					$( this ).removeClass( 'open' );
+				},
+				focus: function( e, ui ) {
+					if ( hasHelper ) {
+						// Show the display label while navigating, not the raw ID value.
+						$( this ).val( ui.item.label );
+						return false;
+					}
+				},
+				select: function( e, ui ) {
+					if ( hasHelper ) {
+						// Store the user ID in the hidden helper; show the label in the text input.
+						$( this ).next( '.wp-suggest-user-helper' ).val( ui.item.value );
+						$( this ).val( ui.item.label );
+						return false;
+					}
 				}
 			});
 		});
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 2af08fba70af9..608f90bc1559f 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -284,80 +284,170 @@ function wp_ajax_oembed_cache() {
 /**
  * Handles user autocomplete via AJAX.
  *
+ * Works on both single-site and multisite installs. On multisite, the 'add'
+ * type searches the full network and is restricted to network admins; the
+ * 'search' type is restricted to users already on the current site.
+ * On single-site, only the 'search' type is supported and requires
+ * the 'list_users' capability.
+ *
  * @since 3.4.0
+ * @since 7.1.0 Added single-site support, the `user_id` autocomplete field,
+ *              label template tokens, and the `autocomplete_user_results` filter.
  */
 function wp_ajax_autocomplete_user() {
-	if ( ! is_multisite() || ! current_user_can( 'promote_users' ) || wp_is_large_network( 'users' ) ) {
-		wp_die( -1 );
-	}
+	/*
+	 * Validate the minimum search term length before anything else.
+	 * The same minimum is enforced in JS via the minLength option.
+	 */
+	$term = isset( $_REQUEST['term'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['term'] ) ) : '';
 
-	/** This filter is documented in wp-admin/user-new.php */
-	if ( ! current_user_can( 'manage_network_users' ) && ! apply_filters( 'autocomplete_users_for_site_admins', false ) ) {
+	/**
+	 * Filters the minimum search term length for user autocomplete.
+	 *
+	 * The same minimum should be mirrored in the JavaScript minLength option.
+	 *
+	 * @since 7.1.0
+	 *
+	 * @param int    $length  Minimum number of characters required. Default 2.
+	 * @param string $context Context for the autocomplete search. Currently 'users'.
+	 */
+	if ( strlen( $term ) < apply_filters( 'autocomplete_term_length', 2, 'users' ) ) {
 		wp_die( -1 );
 	}
 
-	$return = array();
-
 	/*
 	 * Check the type of request.
-	 * Current allowed values are `add` and `search`.
+	 * Allowed values are `add` (multisite only) and `search`.
 	 */
-	if ( isset( $_REQUEST['autocomplete_type'] ) && 'search' === $_REQUEST['autocomplete_type'] ) {
-		$type = $_REQUEST['autocomplete_type'];
-	} else {
-		$type = 'add';
-	}
+	$type = ( isset( $_REQUEST['autocomplete_type'] ) && 'search' === $_REQUEST['autocomplete_type'] )
+		? 'search'
+		: 'add';
 
 	/*
-	 * Check the desired field for value.
-	 * Current allowed values are `user_email` and `user_login`.
+	 * Determine the user field to return as the suggestion value.
+	 * Allowed values are `user_email`, `user_login`, and `user_id`.
 	 */
-	if ( isset( $_REQUEST['autocomplete_field'] ) && 'user_email' === $_REQUEST['autocomplete_field'] ) {
-		$field = $_REQUEST['autocomplete_field'];
+	$requested_field = isset( $_REQUEST['autocomplete_field'] ) ? $_REQUEST['autocomplete_field'] : '';
+	if ( 'user_email' === $requested_field ) {
+		$field = 'user_email';
+	} elseif ( 'user_id' === $requested_field ) {
+		$field = 'ID';
 	} else {
 		$field = 'user_login';
 	}
 
-	// Exclude current users of this blog.
-	if ( isset( $_REQUEST['site_id'] ) ) {
-		$id = absint( $_REQUEST['site_id'] );
+	/*
+	 * Resolve the label template. Supported tokens:
+	 * {{user_login}}, {{user_email}}, {{display_name}}, {{user_id}}.
+	 */
+	$label_template = ( isset( $_REQUEST['autocomplete_label'] ) && '' !== $_REQUEST['autocomplete_label'] )
+		? sanitize_text_field( wp_unslash( $_REQUEST['autocomplete_label'] ) )
+		: '{{display_name}}';
+
+	$blog_id            = false;
+	$include_blog_users = array();
+	$exclude_blog_users = array();
+	$search_columns     = array( 'user_login', 'user_nicename', 'display_name' );
+
+	if ( is_multisite() && 'add' === $type ) {
+		/*
+		 * Adding a user to a site requires network-level permissions and should
+		 * not run on very large networks where the search would be slow.
+		 */
+		if ( ! current_user_can( 'promote_users' ) || wp_is_large_network( 'users' ) ) {
+			wp_die( -1 );
+		}
+
+		/** This filter is documented in wp-admin/user-new.php */
+		if ( ! current_user_can( 'manage_network_users' ) && ! apply_filters( 'autocomplete_users_for_site_admins', false ) ) {
+			wp_die( -1 );
+		}
+
+		// Search the full network; exclude users already on the target site.
+		$site_id            = isset( $_REQUEST['site_id'] ) ? absint( $_REQUEST['site_id'] ) : get_current_blog_id();
+		$exclude_blog_users = get_users(
+			array(
+				'blog_id' => $site_id,
+				'fields'  => 'ID',
+			)
+		);
+
+		// Super-admins may search by email as well.
+		$search_columns[] = 'user_email';
 	} else {
-		$id = get_current_blog_id();
-	}
+		/*
+		 * Single-site search, or multisite 'search' type.
+		 * Requires the ability to list users on this site.
+		 */
+		if ( ! current_user_can( 'list_users' ) ) {
+			wp_die( -1 );
+		}
 
-	$include_blog_users = ( 'search' === $type ? get_users(
-		array(
-			'blog_id' => $id,
-			'fields'  => 'ID',
-		)
-	) : array() );
+		$blog_id = get_current_blog_id();
 
-	$exclude_blog_users = ( 'add' === $type ? get_users(
-		array(
-			'blog_id' => $id,
-			'fields'  => 'ID',
-		)
-	) : array() );
+		if ( is_multisite() ) {
+			// Restrict results to users already on this site.
+			$include_blog_users = get_users(
+				array(
+					'blog_id' => $blog_id,
+					'fields'  => 'ID',
+				)
+			);
+		}
+
+		// Include email in search columns only for users who can edit others.
+		if ( current_user_can( 'edit_users' ) ) {
+			$search_columns[] = 'user_email';
+		}
+	}
+
+	// Email tokens in the label should only be visible to users who can edit others.
+	if ( ! current_user_can( 'edit_users' ) ) {
+		$label_template = str_replace( '{{user_email}}', '', $label_template );
+	}
 
 	$users = get_users(
 		array(
-			'blog_id'        => false,
-			'search'         => '*' . $_REQUEST['term'] . '*',
+			'blog_id'        => $blog_id,
+			'search'         => '*' . $term . '*',
 			'include'        => $include_blog_users,
 			'exclude'        => $exclude_blog_users,
-			'search_columns' => array( 'user_login', 'user_nicename', 'user_email' ),
+			'search_columns' => $search_columns,
+			'number'         => 20,
 		)
 	);
 
+	$return = array();
+
 	foreach ( $users as $user ) {
+		// Replace supported tokens in the label template.
+		$label = $label_template;
+		foreach ( array( 'user_login', 'user_email', 'display_name' ) as $token ) {
+			$label = str_replace( '{{' . $token . '}}', $user->$token, $label );
+		}
+		$label = str_replace( '{{user_id}}', $user->ID, $label );
+
+		if ( '' === trim( $label ) ) {
+			$label = '(' . $user->user_login . ')';
+		}
+
 		$return[] = array(
-			/* translators: 1: User login, 2: User email address. */
-			'label' => sprintf( _x( '%1$s (%2$s)', 'user autocomplete result' ), $user->user_login, $user->user_email ),
-			'value' => $user->$field,
+			'label' => esc_html( $label ),
+			'value' => ( 'ID' === $field ) ? $user->ID : $user->$field,
 		);
 	}
 
-	wp_die( wp_json_encode( $return ) );
+	/**
+	 * Filters the user autocomplete results array.
+	 *
+	 * @since 7.1.0
+	 *
+	 * @param array  $return Array of result objects with 'label' and 'value' keys.
+	 * @param string $term   The sanitized search term.
+	 */
+	$return = apply_filters( 'autocomplete_user_results', $return, $term );
+
+	wp_send_json( $return );
 }
 
 /**
diff --git a/src/wp-admin/users.php b/src/wp-admin/users.php
index 650f81027592c..aa64df1339a70 100644
--- a/src/wp-admin/users.php
+++ b/src/wp-admin/users.php
@@ -218,7 +218,12 @@
 					wp_delete_user( $id );
 					break;
 				case 'reassign':
-					wp_delete_user( $id, $_REQUEST['reassign_user'] );
+					$reassign_id = isset( $_REQUEST['reassign_user'] ) ? absint( $_REQUEST['reassign_user'] ) : 0;
+					if ( $reassign_id > 0 && $reassign_id !== $id ) {
+						wp_delete_user( $id, $reassign_id );
+					} else {
+						wp_delete_user( $id );
+					}
 					break;
 			}
 
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 9c635f63d288a..d677331cbae0f 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -1652,6 +1652,7 @@ function setup_userdata( $for_user_id = 0 ) {
  * @since 4.7.0 Added the 'role', 'role__in', and 'role__not_in' parameters.
  * @since 5.9.0 Added the 'capability', 'capability__in', and 'capability__not_in' parameters.
  *              Deprecated the 'who' parameter.
+ * @since 7.1.0 Added the 'autocomplete' parameter.
  *
  * @param array|string $args {
  *     Optional. Array or string of arguments to generate a drop-down of users.
@@ -1713,6 +1714,11 @@ function setup_userdata( $for_user_id = 0 ) {
  *                                                    of these capabilities will not be included in results.
  *                                                    Does NOT work for capabilities not in the database or filtered
  *                                                    via {@see 'map_meta_cap'}. Default empty array.
+ *     @type bool            $autocomplete            Whether to replace the drop-down with a jQuery UI autocomplete
+ *                                                    text input backed by an AJAX user search. In the admin, this
+ *                                                    is automatically enabled when wp_is_large_user_count() is true
+ *                                                    and no 'include' list or 'show_option_all' is set.
+ *                                                    Default false.
  * }
  * @return string HTML dropdown list of users.
  */
@@ -1742,6 +1748,7 @@ function wp_dropdown_users( $args = '' ) {
 		'capability'              => '',
 		'capability__in'          => array(),
 		'capability__not_in'      => array(),
+		'autocomplete'            => false,
 	);
 
 	$defaults['selected'] = is_author() ? get_query_var( 'author' ) : 0;
@@ -1781,9 +1788,37 @@ function wp_dropdown_users( $args = '' ) {
 	$show_option_none  = $parsed_args['show_option_none'];
 	$option_none_value = $parsed_args['option_none_value'];
 
+	// Determine whether to use autocomplete mode before running the full user query.
+	// Auto-enable in the admin when the site has a large user count, unless the
+	// result set is already bounded by an explicit 'include' list or the caller
+	// requires a 'show_option_all' placeholder (which has no autocomplete equivalent).
+	$use_autocomplete = (bool) $parsed_args['autocomplete'];
+	if ( ! $use_autocomplete && ! $show_option_all && empty( $query_args['include'] ) && is_admin() ) {
+		$use_autocomplete = wp_is_large_user_count();
+	}
+
+	/**
+	 * Filters whether to replace the user drop-down with a jQuery UI autocomplete input.
+	 *
+	 * In the admin, this automatically enables when wp_is_large_user_count() returns
+	 * true and no bounded 'include' list or 'show_option_all' is present. Callers
+	 * may also pass `'autocomplete' => true` to force autocomplete mode explicitly.
+	 *
+	 * @since 7.1.0
+	 *
+	 * @param bool  $use_autocomplete Whether to use autocomplete.
+	 * @param array $parsed_args      The parsed arguments passed to wp_dropdown_users().
+	 */
+	$use_autocomplete = (bool) apply_filters( 'wp_dropdown_users_autocomplete', $use_autocomplete, $parsed_args );
+
 	/**
 	 * Filters the query arguments for the list of users in the dropdown.
 	 *
+	 * Always fires so that existing hooks continue to work regardless of whether
+	 * autocomplete mode is active. In autocomplete mode the result of get_users()
+	 * is not used to render options, but plugins may still rely on this filter
+	 * to observe or modify the intended query arguments.
+	 *
 	 * @since 4.4.0
 	 *
 	 * @param array $query_args  The query arguments for get_users().
@@ -1791,16 +1826,66 @@ function wp_dropdown_users( $args = '' ) {
 	 */
 	$query_args = apply_filters( 'wp_dropdown_users_args', $query_args, $parsed_args );
 
-	$users = get_users( $query_args );
+	if ( $use_autocomplete ) {
+		// Users are fetched on demand via the AJAX handler; skip the bulk query.
+		$users = array();
+	} else {
+		$users = get_users( $query_args );
+	}
 
 	$output = '';
-	if ( ! empty( $users ) && ( empty( $parsed_args['hide_if_only_one_author'] ) || count( $users ) > 1 ) ) {
-		$name = esc_attr( $parsed_args['name'] );
-		if ( $parsed_args['multi'] && ! $parsed_args['id'] ) {
-			$id = '';
-		} else {
-			$id = $parsed_args['id'] ? " id='" . esc_attr( $parsed_args['id'] ) . "'" : " id='$name'";
+	$name   = esc_attr( $parsed_args['name'] );
+	if ( $parsed_args['multi'] && ! $parsed_args['id'] ) {
+		$id = '';
+	} else {
+		$id = $parsed_args['id'] ? " id='" . esc_attr( $parsed_args['id'] ) . "'" : " id='$name'";
+	}
+
+	if ( $use_autocomplete ) {
+		wp_enqueue_script( 'user-suggest' );
+
+		// Resolve the display value for the currently selected user.
+		$display = '';
+		if ( (int) $parsed_args['selected'] > 0 ) {
+			$selected_user = get_userdata( $parsed_args['selected'] );
+			if ( $selected_user ) {
+				if ( 'display_name_with_login' === $show ) {
+					/* translators: 1: User's display name, 2: User login. */
+					$display = sprintf( _x( '%1$s (%2$s)', 'user dropdown' ), $selected_user->display_name, $selected_user->user_login );
+				} elseif ( ! empty( $selected_user->$show ) ) {
+					$display = $selected_user->$show;
+				} else {
+					$display = '(' . $selected_user->user_login . ')';
+				}
+			}
 		}
+
+		$input_class = $parsed_args['class'] ? esc_attr( $parsed_args['class'] ) . ' ' : '';
+
+		/*
+		 * Map the 'show' arg to an autocomplete label template so that the
+		 * suggestion items match what would have appeared as <option> text
+		 * in the classic <select> drop-down.
+		 */
+		$label_tokens = array(
+			'display_name_with_login' => '{{display_name}} ({{user_login}})',
+			'user_login'              => '{{user_login}}',
+			'user_email'              => '{{user_email}}',
+			'display_name'            => '{{display_name}}',
+		);
+
+		$autocomplete_label = isset( $label_tokens[ $show ] ) ? $label_tokens[ $show ] : '{{display_name}}';
+
+		// Visible text input — triggers jQuery UI autocomplete on keyup.
+		$output  = '<input type="text"' . $id . ' class="' . $input_class . 'wp-suggest-user"';
+		$output .= ' data-autocomplete-type="search" data-autocomplete-field="user_id"';
+		$output .= ' data-autocomplete-label="' . esc_attr( $autocomplete_label ) . '"';
+		$output .= ' value="' . esc_attr( $display ) . '" />';
+
+		// Hidden input — stores the selected user ID for form submission.
+		$output .= '<input type="hidden" name="' . $name . '" class="wp-suggest-user-helper"';
+		$output .= ' value="' . esc_attr( (string) $parsed_args['selected'] ) . '" />';
+	} elseif ( ! empty( $users ) && ( empty( $parsed_args['hide_if_only_one_author'] ) || count( $users ) > 1 ) ) {
 		$output = "<select name='{$name}'{$id} class='" . $parsed_args['class'] . "'>\n";
 
 		if ( $show_option_all ) {
diff --git a/tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php b/tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php
new file mode 100644
index 0000000000000..1c38bc3df05b0
--- /dev/null
+++ b/tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php
@@ -0,0 +1,499 @@
+<?php
+
+/**
+ * Admin Ajax functions to be tested.
+ */
+require_once ABSPATH . 'wp-admin/includes/ajax-actions.php';
+
+/**
+ * Tests for the wp_ajax_autocomplete_user() AJAX handler.
+ *
+ * @package    WordPress
+ * @subpackage UnitTests
+ *
+ * @group ajax
+ * @group user
+ *
+ * @ticket 19867
+ *
+ * @covers ::wp_ajax_autocomplete_user
+ */
+class Tests_Ajax_wpAjaxAutocompleteUser extends WP_Ajax_UnitTestCase {
+
+	/**
+	 * User IDs created for tests.
+	 *
+	 * @var int[]
+	 */
+	protected static $user_ids = array();
+
+	/**
+	 * Create shared fixtures.
+	 *
+	 * @param WP_UnitTest_Factory $factory
+	 */
+	public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
+		self::$user_ids['editor'] = $factory->user->create(
+			array(
+				'role'         => 'editor',
+				'user_login'   => 'autocomplete_editor',
+				'display_name' => 'Autocomplete Editor',
+				'user_email'   => 'autocomplete_editor@example.com',
+			)
+		);
+		// Editors don't have list_users by default. Grant it explicitly so this
+		// fixture can reach the search endpoint while still lacking edit_users,
+		// which is needed for the email-token stripping tests.
+		get_userdata( self::$user_ids['editor'] )->add_cap( 'list_users' );
+
+		self::$user_ids['subscriber']    = $factory->user->create(
+			array(
+				'role'       => 'subscriber',
+				'user_login' => 'autocomplete_subscriber',
+			)
+		);
+		self::$user_ids['administrator'] = $factory->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'autocomplete_admin',
+			)
+		);
+	}
+
+	/**
+	 * Reset request superglobals between each test.
+	 */
+	public function set_up() {
+		parent::set_up();
+		$_REQUEST = array();
+		$_GET     = array();
+	}
+
+	// -----------------------------------------------------------------------
+	// Permission / capability checks
+	// -----------------------------------------------------------------------
+
+	/**
+	 * Users without list_users capability should receive -1 (search type).
+	 *
+	 * @ticket 19867
+	 */
+	public function test_search_type_requires_list_users_capability() {
+		$this->_setRole( 'subscriber' );
+
+		$_GET['term']              = 'autocomplete';
+		$_GET['autocomplete_type'] = 'search';
+
+		$this->expectException( WPAjaxDieStopException::class );
+		$this->expectExceptionMessage( '-1' );
+
+		$this->_handleAjax( 'autocomplete-user' );
+	}
+
+	/**
+	 * Users with list_users capability (editor+) should be able to search.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_search_type_allowed_for_editor() {
+		wp_set_current_user( self::$user_ids['editor'] );
+
+		$_GET['term']              = 'autocomplete';
+		$_GET['autocomplete_type'] = 'search';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertIsArray( $results );
+	}
+
+	/**
+	 * Administrator should be able to search.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_search_type_allowed_for_administrator() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = 'autocomplete';
+		$_GET['autocomplete_type'] = 'search';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertIsArray( $results );
+	}
+
+	// -----------------------------------------------------------------------
+	// Term length validation
+	// -----------------------------------------------------------------------
+
+	/**
+	 * An empty term should be rejected.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_empty_term_is_rejected() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = '';
+		$_GET['autocomplete_type'] = 'search';
+
+		$this->expectException( WPAjaxDieStopException::class );
+		$this->expectExceptionMessage( '-1' );
+
+		$this->_handleAjax( 'autocomplete-user' );
+	}
+
+	/**
+	 * A single-character term should be rejected (minimum is 2).
+	 *
+	 * @ticket 19867
+	 */
+	public function test_single_char_term_is_rejected() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = 'a';
+		$_GET['autocomplete_type'] = 'search';
+
+		$this->expectException( WPAjaxDieStopException::class );
+		$this->expectExceptionMessage( '-1' );
+
+		$this->_handleAjax( 'autocomplete-user' );
+	}
+
+	/**
+	 * The `autocomplete_term_length` filter should allow raising the minimum.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_term_length_filter_raises_minimum() {
+		$this->_setRole( 'administrator' );
+
+		// Raise minimum to 5.
+		add_filter(
+			'autocomplete_term_length',
+			static function () {
+				return 5;
+			}
+		);
+
+		$_GET['term']              = 'auto'; // 4 chars – below new minimum.
+		$_GET['autocomplete_type'] = 'search';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+			$this->fail( 'Expected WPAjaxDieStopException was not thrown.' );
+		} catch ( WPAjaxDieStopException $e ) {
+			$this->assertSame( '-1', $e->getMessage() );
+		} finally {
+			remove_all_filters( 'autocomplete_term_length' );
+		}
+	}
+
+	// -----------------------------------------------------------------------
+	// Return value / field selection
+	// -----------------------------------------------------------------------
+
+	/**
+	 * Default field should be user_login when no autocomplete_field is supplied.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_default_field_is_user_login() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = 'autocomplete_editor';
+		$_GET['autocomplete_type'] = 'search';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+		$this->assertSame( 'autocomplete_editor', $results[0]['value'] );
+	}
+
+	/**
+	 * When autocomplete_field=user_id the value should be the numeric user ID.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_user_id_field_returns_numeric_id() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']               = 'autocomplete_editor';
+		$_GET['autocomplete_type']  = 'search';
+		$_GET['autocomplete_field'] = 'user_id';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+		$this->assertSame( self::$user_ids['editor'], $results[0]['value'] );
+	}
+
+	/**
+	 * When autocomplete_field=user_email the value should be the email address.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_user_email_field_returns_email() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']               = 'autocomplete_editor';
+		$_GET['autocomplete_type']  = 'search';
+		$_GET['autocomplete_field'] = 'user_email';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+		$this->assertSame( 'autocomplete_editor@example.com', $results[0]['value'] );
+	}
+
+	// -----------------------------------------------------------------------
+	// Label template tokens
+	// -----------------------------------------------------------------------
+
+	/**
+	 * The default label template should use {{display_name}}.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_default_label_is_display_name() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = 'autocomplete_editor';
+		$_GET['autocomplete_type'] = 'search';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+		$this->assertSame( 'Autocomplete Editor', $results[0]['label'] );
+	}
+
+	/**
+	 * A custom label template with {{user_login}} should populate correctly.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_custom_label_template_with_user_login_token() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']               = 'autocomplete_editor';
+		$_GET['autocomplete_type']  = 'search';
+		$_GET['autocomplete_label'] = '{{display_name}} ({{user_login}})';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+		$this->assertSame( 'Autocomplete Editor (autocomplete_editor)', $results[0]['label'] );
+	}
+
+	/**
+	 * Users without edit_users capability should have {{user_email}} stripped from label.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_email_token_stripped_for_non_edit_users() {
+		// This fixture user has list_users but not edit_users.
+		wp_set_current_user( self::$user_ids['editor'] );
+
+		$_GET['term']               = 'autocomplete_editor';
+		$_GET['autocomplete_type']  = 'search';
+		$_GET['autocomplete_label'] = '{{display_name}} - {{user_email}}';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+		// Email token should be stripped; the raw email should not appear in the label.
+		$this->assertStringNotContainsString( '@example.com', $results[0]['label'] );
+		// Display name portion should still be present.
+		$this->assertStringContainsString( 'Autocomplete Editor', $results[0]['label'] );
+	}
+
+	/**
+	 * Administrators (edit_users) should see {{user_email}} token in label.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_email_token_visible_for_administrator() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']               = 'autocomplete_editor';
+		$_GET['autocomplete_type']  = 'search';
+		$_GET['autocomplete_label'] = '{{display_name}} - {{user_email}}';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+		$this->assertStringContainsString( '@example.com', $results[0]['label'] );
+	}
+
+	// -----------------------------------------------------------------------
+	// autocomplete_user_results filter
+	// -----------------------------------------------------------------------
+
+	/**
+	 * The autocomplete_user_results filter should fire and be able to modify results.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_user_results_filter_fires() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = 'autocomplete_editor';
+		$_GET['autocomplete_type'] = 'search';
+
+		$filter_fired = false;
+
+		$cb = static function ( $results, $term ) use ( &$filter_fired ) {
+			$filter_fired = true;
+			return $results;
+		};
+
+		add_filter( 'autocomplete_user_results', $cb, 10, 2 );
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		remove_filter( 'autocomplete_user_results', $cb );
+
+		$this->assertTrue( $filter_fired, 'autocomplete_user_results filter should have fired.' );
+	}
+
+	/**
+	 * The autocomplete_user_results filter should be able to alter the response.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_user_results_filter_can_modify_results() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = 'autocomplete_editor';
+		$_GET['autocomplete_type'] = 'search';
+
+		add_filter(
+			'autocomplete_user_results',
+			static function () {
+				return array(
+					array(
+						'label' => 'Overridden',
+						'value' => 'overridden',
+					),
+				);
+			}
+		);
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		remove_all_filters( 'autocomplete_user_results' );
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertCount( 1, $results );
+		$this->assertSame( 'Overridden', $results[0]['label'] );
+	}
+
+	// -----------------------------------------------------------------------
+	// Response format
+	// -----------------------------------------------------------------------
+
+	/**
+	 * Each result must have both 'label' and 'value' keys.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_each_result_has_label_and_value_keys() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['term']              = 'autocomplete';
+		$_GET['autocomplete_type'] = 'search';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertNotEmpty( $results );
+
+		foreach ( $results as $result ) {
+			$this->assertArrayHasKey( 'label', $result );
+			$this->assertArrayHasKey( 'value', $result );
+		}
+	}
+
+	/**
+	 * The result set should be capped (no more than 20 results by default).
+	 *
+	 * @ticket 19867
+	 */
+	public function test_results_are_capped_at_twenty() {
+		$this->_setRole( 'administrator' );
+
+		// Create 25 users whose login starts with 'resultcap_'.
+		for ( $i = 1; $i <= 25; $i++ ) {
+			self::factory()->user->create( array( 'user_login' => 'resultcap_' . $i ) );
+		}
+
+		$_GET['term']              = 'resultcap_';
+		$_GET['autocomplete_type'] = 'search';
+
+		try {
+			$this->_handleAjax( 'autocomplete-user' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		$results = json_decode( $this->_last_response, true );
+		$this->assertLessThanOrEqual( 20, count( $results ) );
+	}
+}
diff --git a/tests/phpunit/tests/user/wpDropdownUsers.php b/tests/phpunit/tests/user/wpDropdownUsers.php
index a0b6501eb96d4..276f2a2434022 100644
--- a/tests/phpunit/tests/user/wpDropdownUsers.php
+++ b/tests/phpunit/tests/user/wpDropdownUsers.php
@@ -201,4 +201,254 @@ public function test_role__not_in() {
 		$this->assertStringNotContainsString( $u1->user_login, $found );
 		$this->assertStringContainsString( $u2->user_login, $found );
 	}
+
+	/**
+	 * Passing `'autocomplete' => true` should render a text input + hidden
+	 * helper instead of a <select> element.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_arg_renders_inputs_not_select() {
+		self::factory()->user->create( array( 'user_login' => 'autocomplete_user' ) );
+
+		$found = wp_dropdown_users(
+			array(
+				'echo'         => false,
+				'autocomplete' => true,
+			)
+		);
+
+		$this->assertStringNotContainsString( '<select', $found );
+		$this->assertStringContainsString( 'wp-suggest-user', $found );
+		$this->assertStringContainsString( 'wp-suggest-user-helper', $found );
+		$this->assertStringContainsString( 'type="hidden"', $found );
+	}
+
+	/**
+	 * In autocomplete mode the hidden input should carry the `name` attribute
+	 * so that form submission sends the user ID under the right key.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_hidden_input_has_correct_name() {
+		self::factory()->user->create();
+
+		$found = wp_dropdown_users(
+			array(
+				'echo'         => false,
+				'name'         => 'reassign_user',
+				'autocomplete' => true,
+			)
+		);
+
+		$this->assertStringContainsString( 'name="reassign_user"', $found );
+		// The visible text input should NOT carry the name (the hidden helper does).
+		$this->assertStringNotContainsString( '<select', $found );
+	}
+
+	/**
+	 * When a user is pre-selected in autocomplete mode the visible input
+	 * should show their display name and the hidden helper should hold the ID.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_selected_user_is_pre_populated() {
+		$u = self::factory()->user->create_and_get(
+			array(
+				'display_name' => 'Jane Doe',
+			)
+		);
+
+		$found = wp_dropdown_users(
+			array(
+				'echo'         => false,
+				'selected'     => $u->ID,
+				'autocomplete' => true,
+			)
+		);
+
+		$this->assertStringContainsString( 'value="Jane Doe"', $found );
+		$this->assertStringContainsString( 'value="' . $u->ID . '"', $found );
+	}
+
+	/**
+	 * The `wp_dropdown_users_autocomplete` filter must be able to override the mode.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_wp_dropdown_users_autocomplete_filter_can_enable_autocomplete() {
+		self::factory()->user->create();
+
+		add_filter( 'wp_dropdown_users_autocomplete', '__return_true' );
+		$found = wp_dropdown_users( array( 'echo' => false ) );
+		remove_filter( 'wp_dropdown_users_autocomplete', '__return_true' );
+
+		$this->assertStringContainsString( 'wp-suggest-user', $found );
+		$this->assertStringNotContainsString( '<select', $found );
+	}
+
+	/**
+	 * The `wp_dropdown_users_autocomplete` filter must be able to disable autocomplete
+	 * even when the arg is explicitly set to true.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_wp_dropdown_users_autocomplete_filter_can_disable_autocomplete() {
+		self::factory()->user->create();
+
+		add_filter( 'wp_dropdown_users_autocomplete', '__return_false' );
+		$found = wp_dropdown_users(
+			array(
+				'echo'         => false,
+				'autocomplete' => true,
+			)
+		);
+		remove_filter( 'wp_dropdown_users_autocomplete', '__return_false' );
+
+		$this->assertStringContainsString( '<select', $found );
+		$this->assertStringNotContainsString( 'wp-suggest-user', $found );
+	}
+
+	/**
+	 * The `wp_dropdown_users_args` filter must still fire in autocomplete mode
+	 * so existing hooks are not broken.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_wp_dropdown_users_args_filter_fires_in_autocomplete_mode() {
+		self::factory()->user->create();
+		$fired = false;
+
+		$cb = static function ( $args ) use ( &$fired ) {
+			$fired = true;
+			return $args;
+		};
+
+		add_filter( 'wp_dropdown_users_args', $cb );
+		wp_dropdown_users(
+			array(
+				'echo'         => false,
+				'autocomplete' => true,
+			)
+		);
+		remove_filter( 'wp_dropdown_users_args', $cb );
+
+		$this->assertTrue( $fired, 'wp_dropdown_users_args filter should fire even in autocomplete mode.' );
+	}
+
+	/**
+	 * The `wp_dropdown_users` HTML output filter must still fire in autocomplete mode.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_wp_dropdown_users_html_filter_fires_in_autocomplete_mode() {
+		self::factory()->user->create();
+		$fired = false;
+
+		$cb = static function ( $html ) use ( &$fired ) {
+			$fired = true;
+			return $html;
+		};
+
+		add_filter( 'wp_dropdown_users', $cb );
+		wp_dropdown_users(
+			array(
+				'echo'         => false,
+				'autocomplete' => true,
+			)
+		);
+		remove_filter( 'wp_dropdown_users', $cb );
+
+		$this->assertTrue( $fired, 'wp_dropdown_users HTML filter should fire even in autocomplete mode.' );
+	}
+
+	/**
+	 * Calls with an explicit `include` list should never auto-enable autocomplete,
+	 * even on a "large" site, because the result set is already bounded.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_not_auto_enabled_when_include_is_set() {
+		$u = self::factory()->user->create();
+
+		// Force the site to look "large" via the filter.
+		add_filter( 'wp_is_large_user_count', '__return_true' );
+
+		$found = wp_dropdown_users(
+			array(
+				'echo'    => false,
+				'include' => array( $u ),
+			)
+		);
+
+		remove_filter( 'wp_is_large_user_count', '__return_true' );
+
+		// Must still render a <select> because 'include' was passed.
+		$this->assertStringContainsString( '<select', $found );
+		$this->assertStringNotContainsString( 'wp-suggest-user', $found );
+	}
+
+	/**
+	 * Calls with `show_option_all` should never auto-enable autocomplete,
+	 * because that option has no autocomplete equivalent.
+	 *
+	 * @ticket 19867
+	 */
+	public function test_autocomplete_not_auto_enabled_when_show_option_all_is_set() {
+		self::factory()->user->create();
+
+		add_filter( 'wp_is_large_user_count', '__return_true' );
+
+		$found = wp_dropdown_users(
+			array(
+				'echo'            => false,
+				'show_option_all' => 'All Users',
+			)
+		);
+
+		remove_filter( 'wp_is_large_user_count', '__return_true' );
+
+		$this->assertStringContainsString( '<select', $found );
+		$this->assertStringContainsString( 'All Users', $found );
+	}
+
+	/**
+	 * The data-autocomplete-label attribute should match the rendered text in the
+	 * classic <select> drop-down for each value of the `show` arg.
+	 *
+	 * @ticket 19867
+	 *
+	 * @dataProvider data_autocomplete_label_matches_show_arg
+	 */
+	public function test_autocomplete_label_matches_show_arg( string $show, string $expected_template ) {
+		self::factory()->user->create();
+
+		$found = wp_dropdown_users(
+			array(
+				'echo'         => false,
+				'show'         => $show,
+				'autocomplete' => true,
+			)
+		);
+
+		$this->assertStringContainsString(
+			'data-autocomplete-label="' . esc_attr( $expected_template ) . '"',
+			$found
+		);
+	}
+
+	/**
+	 * Data provider for test_autocomplete_label_matches_show_arg.
+	 *
+	 * @return array[]
+	 */
+	public function data_autocomplete_label_matches_show_arg() {
+		return array(
+			'display_name'            => array( 'display_name', '{{display_name}}' ),
+			'display_name_with_login' => array( 'display_name_with_login', '{{display_name}} ({{user_login}})' ),
+			'user_login'              => array( 'user_login', '{{user_login}}' ),
+			'user_email'              => array( 'user_email', '{{user_email}}' ),
+			'unknown_field_fallback'  => array( 'user_registered', '{{display_name}}' ),
+		);
+	}
 }

From 58b9ce7befb9c6a9a5cbf53e13732cfc097a80fa Mon Sep 17 00:00:00 2001
From: sanketio <sanket.parmar11@gmail.com>
Date: Mon, 6 Apr 2026 13:46:21 +0530
Subject: [PATCH 2/2] Tests: Fix multisite edit_users cap check for AJAX tests

---
 .../phpunit/tests/ajax/wpAjaxAutocompleteUser.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php b/tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php
index 1c38bc3df05b0..7183206789f23 100644
--- a/tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php
+++ b/tests/phpunit/tests/ajax/wpAjaxAutocompleteUser.php
@@ -353,7 +353,16 @@ public function test_email_token_stripped_for_non_edit_users() {
 	 * @ticket 19867
 	 */
 	public function test_email_token_visible_for_administrator() {
-		$this->_setRole( 'administrator' );
+		/*
+		 * On multisite, map_meta_cap('edit_users') returns 'do_not_allow' for any
+		 * non-super-admin regardless of what is stored in user capabilities meta.
+		 * grant_super_admin() is the only way to pass this check reliably on multisite.
+		 */
+		if ( is_multisite() ) {
+			grant_super_admin( self::$user_ids['administrator'] );
+		}
+
+		wp_set_current_user( self::$user_ids['administrator'] );
 
 		$_GET['term']               = 'autocomplete_editor';
 		$_GET['autocomplete_type']  = 'search';
@@ -365,6 +374,10 @@ public function test_email_token_visible_for_administrator() {
 			unset( $e );
 		}
 
+		if ( is_multisite() ) {
+			revoke_super_admin( self::$user_ids['administrator'] );
+		}
+
 		$results = json_decode( $this->_last_response, true );
 		$this->assertNotEmpty( $results );
 		$this->assertStringContainsString( '@example.com', $results[0]['label'] );