[wp-trac] [WordPress Trac] #48556: Query for multiple post types not considering user permission to retrieve private posts

WordPress Trac noreply at wordpress.org
Wed Dec 23 00:43:27 UTC 2020


#48556: Query for multiple post types not considering user permission to retrieve
private posts
-------------------------------------------------+-------------------------
 Reporter:  leogermani                           |       Owner:
                                                 |  SergeyBiryukov
     Type:  defect (bug)                         |      Status:  reopened
 Priority:  normal                               |   Milestone:  5.7
Component:  Query                                |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests early       |     Focuses:
  needs-dev-note                                 |
-------------------------------------------------+-------------------------
Changes (by peterwilsoncc):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Reopening this with the intent to revert [49830].

 Passing an invalid post type to WP_Query is causing the post type and post
 status parameters to be dropped from the resulting SQL query for all
 users.

 Prior to the above commit both of the following tests would pass,
 generating the SQL query:

 {{{#!mysql
 SELECT SQL_CALC_FOUND_ROWS  wptests_posts.*
 FROM wptests_posts
 WHERE 1=1
   AND wptests_posts.post_type = 'unregistered_cpt'
   AND (wptests_posts.post_status = 'publish')
 ORDER BY wptests_posts.post_date DESC LIMIT 0, 10
 }}}


 Following the change they generate the query:

 {{{#!mysql
 SELECT SQL_CALC_FOUND_ROWS  wptests_posts.*
 FROM wptests_posts
 WHERE 1=1
 ORDER BY wptests_posts.post_date DESC LIMIT 0, 10
 }}}

 The result is that all post types and statuses are returned.

 I'll revert the commit today and subsequently add these and any other
 relevant tests I can think of. Once this is looked at again, the tests
 will need to be updated.

 {{{#!php
 <?php
 class Tests_Query_InvalidPostTypes extends WP_UnitTestCase {
         public $last_posts_request;

         public function setUp() {
                 parent::setUp();

                 // Clean up variable before each test.
                 $this->last_posts_request = '';
                 // Store last query for tests.
                 add_filter( 'posts_request', array( $this, '_set_last_posts_request' ) );
         }

         // Filter callback: capture the SQL generated by the main posts query.
         public function _set_last_posts_request( $request ) {
                 $this->last_posts_request = $request;
                 return $request;
         }

         // Direct WP_Query with an unregistered post type must keep both constraints.
         function test_unregistered_post_type_wp_query() {
                 global $wpdb;

                 new WP_Query( array( 'post_type' => 'unregistered_cpt' ) );

                 $this->assertContains( "{$wpdb->posts}.post_type = 'unregistered_cpt'", $this->last_posts_request );
                 $this->assertContains( "{$wpdb->posts}.post_status = 'publish'", $this->last_posts_request );
         }

         // Front-end request with an unregistered post type must keep both constraints.
         function test_unregistered_post_type_goto() {
                 global $wpdb;

                 $this->go_to( home_url( '?post_type=unregistered_cpt' ) );

                 $this->assertContains( "{$wpdb->posts}.post_type = 'unregistered_cpt'", $this->last_posts_request );
                 $this->assertContains( "{$wpdb->posts}.post_status = 'publish'", $this->last_posts_request );
         }
 }
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48556#comment:31>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
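
The tests in the comment above assert on the generated SQL text. As an added example (not part of the ticket or of WordPress core), the following result-level regression test checks the property that matters for disclosure: a query for an unregistered post type returns none of the existing posts, whatever their status. The class name, test name and fixtures are constructed for illustration, and it assumes the same WordPress PHPUnit environment as the tests above.

```php
<?php
// Added example, not from the ticket: the class and method names are hypothetical.
class Tests_Query_InvalidPostTypeResults extends WP_UnitTestCase {

	public function test_unregistered_post_type_returns_no_existing_posts() {
		// Constructed fixtures: posts in registered types, one per status of interest.
		$existing = array(
			self::factory()->post->create( array( 'post_status' => 'publish' ) ),
			self::factory()->post->create( array( 'post_status' => 'private' ) ),
			self::factory()->post->create( array( 'post_status' => 'draft' ) ),
			self::factory()->post->create(
				array(
					'post_type'   => 'page',
					'post_status' => 'private',
				)
			),
		);

		// Run as a logged-out visitor, who must never see private or draft content.
		wp_set_current_user( 0 );

		$query = new WP_Query(
			array(
				'post_type' => 'unregistered_cpt',
				'fields'    => 'ids',
			)
		);

		// No post of type 'unregistered_cpt' exists, so the result must be empty.
		$this->assertEmpty( $query->posts );

		// Explicit leak check: none of the fixture posts may appear in the result.
		$this->assertSame( array(), array_intersect( $existing, $query->posts ) );
	}
}
```

With the unconstrained query shown in the comment (no `post_type` or `post_status` clause), both assertions fail because the fixture posts are returned.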