[wp-trac] [WordPress Trac] #48556: Query for multiple post types not considering user permission to retrieve private posts

WordPress Trac noreply at wordpress.org
Sun Nov 10 23:01:30 UTC 2019


#48556: Query for multiple post types not considering user permission to retrieve private posts
--------------------------+-----------------------------
 Reporter:  leogermani    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Query         |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 When you query for posts without specifying a post_status, WordPress
 will return the posts that the current user can read (if a user is
 logged in).

 However, if you query for multiple post types, passing an array, or if you
 query for `any` post type, WordPress will ignore this behavior and won't
 return any private posts at all.

 Expected behavior is that it would return posts with private status if
 they belong to a post type for which the user has the `read_private_posts`
 capability.

 An existing, and rather undocumented, workaround is to grant the user the
 `read_multiple_post_types` capability. But this, again, will not check the
 permission the current user has for each queried post type and will simply
 return all private posts for all queried post types.

 == Proposal ==

 The proposed solution is to change the SQL query when querying for
 multiple post types without specifying a post status: combine the
 post_status and post_type WHERE clauses, checking the user capability for
 each post type, and build the appropriate query in the very same way
 WordPress already does when you query for only one post type.

 Sample Query when querying for posts and pages, for a user that HAS
 `read_private_posts` cap but DOES NOT HAVE `read_private_pages`:

 {{{
 SELECT SQL_CALC_FOUND_ROWS wptests_posts.ID FROM wptests_posts WHERE 1=1
 AND
 (
   (wptests_posts.post_type = 'post' AND
     (wptests_posts.post_status = 'publish' OR wptests_posts.post_status = 'private')
   )
   OR
   (wptests_posts.post_type = 'page' AND
     (wptests_posts.post_status = 'publish'
      OR wptests_posts.post_author = 4 AND wptests_posts.post_status = 'private'
     )
   )
 ) ORDER BY wptests_posts.post_date DESC LIMIT 0, 10
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48556>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

