VideoPress: use user token for video deletion API requests

[obenland]

Fixes https://linear.app/automattic/issue/VIDP-219

Proposed changes:

• Switch Client::wpcom_json_api_request_as_blog to Client::wpcom_json_api_request_as_user in Attachment_Handler::delete_video_wpcom(), so that the VideoPress video deletion API request carries the acting user's identity.
• Explicitly pass 'rest' as base_api_path since _as_user defaults to 'wpcom' while _as_blog defaults to 'rest'.

Context:

When a VideoPress video is deleted, the Jetpack site calls the wp.com /videos/{guid}/delete endpoint. Previously this used a blog token (_as_blog), which carries no user identity. On wp.com, the endpoint calls wp_delete_attachment(), which fires deleted_post locally — and the WPCOM Sync Listener captures this event with an empty actor (user_id=0). This Activity Log entry preempts the Sync event from the Jetpack site that carries the correct user data, resulting in the deletion appearing with no attribution in the Activity Log.

Switching to _as_user ensures the API request is authenticated with the deleting user's token, so the wp.com-side activity is properly attributed.

This is safe because non-connected users are already blocked from deleting VideoPress attachments via disable_delete_if_disconnected, which strips the delete_post capability when Data::can_perform_action() returns false.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Does this pull request change what data or activity we track or use?

No. The same API request is made — only the authentication method changes from blog token to user token.

Testing instructions:

• Upload a VideoPress video to a Jetpack-connected site.
• Wait for the video to finish processing.
• Delete the video from the Media Library.
• Check the Activity Log on wp.com (or Jetpack → Activity Log) for the deletion event.
• Verify that the deletion is attributed to the user who performed it (shows username and avatar), rather than appearing with a grey silhouette and no actor.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the fix/videopress-deletion-attribution branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack fix/videopress-deletion-attribution

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[Copilot]

Pull request overview

This pull request fixes Activity Log attribution for VideoPress video deletions by switching from blog token to user token authentication. When a VideoPress video is deleted from a Jetpack site, the wp.com API request now carries the acting user's identity, ensuring proper attribution in Activity Log entries.

Changes:

• Switch video deletion API requests from blog token to user token authentication
• Add explicit 'rest' base_api_path parameter to maintain correct API endpoint behavior
• Update changelog to document the fix

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
projects/packages/videopress/src/class-attachment-handler.php	Changed delete_video_wpcom to use user token (wpcom_json_api_request_as_user) instead of blog token (wpcom_json_api_request_as_blog) for deletion API requests, with explicit 'rest' base_api_path
projects/packages/videopress/changelog/fix-videopress-deletion-attribution	Added changelog entry documenting the bug fix for Activity Log attribution

[jp-launch-control]

Code Coverage Summary

This PR did not change code coverage!

That could be good or bad, depending on the situation. Everything covered before, and still is? Great! Nothing was covered before? Not so great. 🤷

Full summary · PHP report · JS report