In WP 6.6.1 (current on-dev version used in testing, as of the time this issue is opened), the `prepare_item_for_response` method had:

```php
if ( in_array( 'roles', $fields, true ) ) {
	// Defensively call array_values() to ensure an array is returned.
	$data['roles'] = array_values( $user->roles );
}
```

But after updating in WP 6.9, a role guard was added:

```php
if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
	// Defensively call array_values() to ensure an array is returned.
	$data['roles'] = array_values( $user->roles );
}
```

This was part of a security patch, changeset 60814 going back I believe to 6.6.5.
It breaks our unit test `testGuestAuthorCanBeCreatedWithJustAName`, which uses the `$users['editor']` user to POST a user creation to the `authorship/v1/users` endpoint (because `Users_Controller extends WP_REST_Users_Controller`).

@johnbillion In #180 (not yet merged) I've adjusted the unit test to create the user with an admin user role, to make the test pass; but if the intention is that an editor is able to create additional users on this endpoint when Authorship is present, would we need to have Authorship more explicitly adjust user roles, or (my instinct) to manually re-query and append the Roles property when it's missing while fulfilling an `authorship/v1/users` response?
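
A sketch of the "append roles when missing" option raised above, as an added example that is not part of the original issue or Authorship's own code. The class name `Example_Users_Controller` and the capability `example_read_author_roles` are hypothetical, and it assumes the endpoint's schema still declares a `roles` field; the point is that the field comes back only behind an explicit capability check, so the intent of the core guard is kept.

```php
<?php
/**
 * Hypothetical subclass: re-adds `roles` to the response only for callers
 * holding a dedicated capability, instead of returning it unconditionally
 * as core did before the guard was added.
 */
class Example_Users_Controller extends WP_REST_Users_Controller {

	// Hypothetical capability name; a plugin would grant this to the
	// roles it wants to see role data (for example, editors).
	const ROLES_CAP = 'example_read_author_roles';

	public function prepare_item_for_response( $item, $request ) {
		// Let core build the response first, including its own guard.
		$response = parent::prepare_item_for_response( $item, $request );
		$data     = $response->get_data();

		// Core already included the field: nothing to do.
		if ( array_key_exists( 'roles', $data ) ) {
			return $response;
		}

		// Respect ?_fields= so `roles` is not forced into trimmed responses.
		$fields = $this->get_fields_for_response( $request );
		if ( ! rest_is_field_included( 'roles', $fields ) ) {
			return $response;
		}

		// `roles` is an edit-context field in core's schema; keep it that way.
		if ( 'edit' !== $request['context'] ) {
			return $response;
		}

		// Explicit authorization replaces the guard that core now applies.
		if ( ! current_user_can( self::ROLES_CAP ) ) {
			return $response;
		}

		// Defensively call array_values() to ensure an array is returned.
		$data['roles'] = array_values( $item->roles );
		$response->set_data( $data );

		return $response;
	}
}
```

A test for this path would assert both directions: an editor granted the capability sees `roles` in the create response, and a user without it does not.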