[wp-trac] [WordPress Trac] #50123: Roles & Caps: give anonymous users the `read_post` meta cap for public posts.
WordPress Trac
noreply at wordpress.org
Thu May 7 23:30:23 UTC 2020
#50123: Roles & Caps: give anonymous users the `read_post` meta cap for public
posts.
-----------------------------+------------------------------------------
 Reporter:  peterwilsoncc    |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Role/Capability  |    Version:
 Severity:  normal           |   Keywords:  needs-patch needs-unit-tests
  Focuses:                   |
-----------------------------+------------------------------------------
The meta capability `read_post` is used to determine if a user is
permitted to read a post. For public posts (i.e., both a public post type
and public post status), it returns the `$post_type->cap->read` as the
required primitive capability.

As logged out users do not have any primitive capabilities, this causes
`current_user_can( 'read_post', $post_id )` to return a false negative for
logged out users wishing to read a public post.

**Approach one:**

For public posts the `read_post` meta capability returns an empty array of
primitives.

**Approach two:**

Logged out users are given the `$post_type->cap->read` capability for
public post types.

**Approach three:**

WP gives logged out users the `read` primitive capability. If a developer
uses an alternative primitive for public custom post types, then the
developer is responsible for ensuring anonymous users have the capability.

**Notes:**

* Private multisite sites should not allow logged out users to see such
  posts
* Many, many unit tests will be required
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50123>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
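
The false negative and the three approaches from the ticket, as an added example that is not part of the original ticket or of WordPress core. It is a simplified stand-alone PHP model of the check for a public post on a public site; the `demo_*` function names and the `read_book` capability are hypothetical.

```php
<?php
// Simplified model of the capability check; not WordPress core code.
// All demo_* names and the 'read_book' capability are hypothetical.

// Map `read_post` to the required primitives for a public post.
function demo_map_read_post( string $read_cap, bool $approach_one ): array {
    // Current behaviour requires the post type's read cap;
    // approach one requires no primitives at all.
    return $approach_one ? [] : [ $read_cap ];
}

// A user passes only if every required primitive is granted.
function demo_has_caps( array $allcaps, array $required ): bool {
    foreach ( $required as $cap ) {
        if ( empty( $allcaps[ $cap ] ) ) {
            return false;
        }
    }
    return true; // Empty requirement list: everyone passes.
}

// Primitive caps held by a logged-out user under each approach.
function demo_anonymous_caps( string $approach, string $read_cap ): array {
    switch ( $approach ) {
        case 'two':   return [ $read_cap => true ]; // the type's own read cap
        case 'three': return [ 'read' => true ];    // only the core `read` cap
        default:      return [];                    // current behaviour, approach one
    }
}

// Constructed cases: a type whose read cap is `read`, and a custom type
// whose read cap is the hypothetical primitive `read_book`.
foreach ( [ 'read', 'read_book' ] as $read_cap ) {
    foreach ( [ 'current', 'one', 'two', 'three' ] as $approach ) {
        $required = demo_map_read_post( $read_cap, 'one' === $approach );
        $caps     = demo_anonymous_caps( $approach, $read_cap );
        $allowed  = demo_has_caps( $caps, $required );
        printf( "%-9s %-7s => %s\n", $read_cap, $approach, $allowed ? 'can read' : 'denied' );
    }
}
```

The `read_book` rows show where approach three differs from approach two: the custom type stays denied until the developer grants its primitive to anonymous users.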