[wp-trac] [WordPress Trac] #4073: get_posts: add query hooks (but only apply to non-admin user)
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 3 03:51:19 GMT 2007
#4073: get_posts: add query hooks (but only apply to non-admin user)
-------------------------+--------------------------------------------------
Reporter: kevinB | Owner: markjaquith
Type: enhancement | Status: new
Priority: normal | Milestone: 2.2
Component: General | Version:
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
(Replaces #4070)
get_posts exists as an unfiltered, minimal-parsing equivalent to
WP_Query->get_posts. A sort of back door, I gather, useful when you need
to efficiently retrieve what is actually in the database.
Unfortunately, this back door is a huge liability for plugins which hope
to add a custom access control layer via query hooks. It's SO easy for a
theme to inadvertently defeat such a system by adding a get_posts call.
Yes, a theme is always free to query wpdb directly. I'm just trying to
avoid accidental conflicts.
There is at least one example of a theme (Tarski) calling get_posts to
list posts in a context that has just as much reason to be filtered as the
WP_Query->get_posts output.
The attached patch file is a proposed compromise, much more moderate than
my last:
* rephrase query with LEFT JOIN statements
* apply join, where, request, results filters only for non-admin current
user
* rewrite include, exclude as IN() clause (could not resist)
* eliminate old $query construction block (was constructed but not used)
* add comment questioning why extracted vars are cast to int
The multiple category include/exclude code could be merged in as desired.
If even this patch is too much for 2.2, I would settle for the request and
results hooks only.
--
Ticket URL: <http://trac.wordpress.org/ticket/4073>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
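A stand-alone sketch of the gating the ticket proposes, added here as an example and not the attached patch: an access-control plugin restricts ordinary readers to published posts through the real `posts_where` hook, and a hypothetical `demo_get_posts_sql()` applies the join/where/request filters only when the current user is not an admin, with include/exclude rewritten as `IN()` clauses. The `add_filter`/`apply_filters` stand-ins exist only so the file runs outside WordPress.

```php
<?php
// Minimal stand-ins for WordPress's add_filter()/apply_filters(), defined
// only when WordPress is not loaded, so this file runs on plain PHP CLI.
if (!function_exists('add_filter')) {
    $GLOBALS['demo_filters'] = [];
    function add_filter(string $tag, callable $cb): void {
        $GLOBALS['demo_filters'][$tag][] = $cb;
    }
    function apply_filters(string $tag, $value) {
        foreach ($GLOBALS['demo_filters'][$tag] ?? [] as $cb) {
            $value = $cb($value);
        }
        return $value;
    }
}

// Access-control plugin: readers only ever see published posts.
// (WordPress also passes the WP_Query object as a second argument; omitted here.)
add_filter('posts_where', function (string $where): string {
    return $where . " AND p.post_status = 'publish'";
});

// Hypothetical, simplified get_posts() query builder following the ticket:
// cast IDs to int before building IN()/NOT IN() (blocks SQL injection via
// include/exclude), then run the join/where/request filters for non-admins only.
// Category LEFT JOINs from the real patch are left out for brevity.
function demo_get_posts_sql(array $args, bool $current_user_is_admin): string {
    $include = array_map('intval', (array) ($args['include'] ?? []));
    $exclude = array_map('intval', (array) ($args['exclude'] ?? []));
    $join  = '';
    $where = "WHERE p.post_type = 'post'";
    if ($include) {
        $where .= ' AND p.ID IN (' . implode(',', $include) . ')';
    }
    if ($exclude) {
        $where .= ' AND p.ID NOT IN (' . implode(',', $exclude) . ')';
    }
    if (!$current_user_is_admin) {
        $join  = apply_filters('posts_join', $join);
        $where = apply_filters('posts_where', $where);
    }
    $request = trim("SELECT p.* FROM wp_posts p $join $where ORDER BY p.post_date DESC");
    return $current_user_is_admin ? $request : apply_filters('posts_request', $request);
}

// Constructed sample arguments: the string '11' is coerced to 11, a quote-laden
// value would become 0 instead of reaching the SQL.
echo demo_get_posts_sql(['include' => [3, 7, '11'], 'exclude' => [5]], false), "\n";
echo demo_get_posts_sql(['include' => [3, 7]], true), "\n";
```

The first line printed carries the plugin's `post_status = 'publish'` restriction, the second (admin) does not, which is exactly the split the ticket describes.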