[wp-trac] [WordPress Trac] #50123: Roles & Caps: give anonymous users the `read_post` meta cap for public posts.
WordPress Trac
noreply at wordpress.org
Wed May 20 23:15:10 UTC 2020
#50123: Roles & Caps: give anonymous users the `read_post` meta cap for public posts.
------------------------------------------+------------------------------
Reporter: peterwilsoncc | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version:
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests | Focuses:
------------------------------------------+------------------------------
Description changed by peterwilsoncc:
Old description:
> The meta capability `read_post` is used to determine if a user is
> permitted to read a post. For public posts (i.e. both a public post type
> and a public post status), it returns `$post_type->cap->read` as the
> required primitive capability.
>
> As logged-out users do not have any primitive capabilities, this causes
> `current_user_can( 'read_post', $post_id )` to return a false negative
> for logged-out users wishing to read a public post.
>
> **Approach one:**
>
> For public posts the `read_post` meta capability returns an empty array
> of primitives.
>
> **Approach two:**
>
> Logged-out users are given the `$post_type->cap->read` capability for
> public post types.
>
> **Approach three:**
>
> WP gives logged-out users the `read` primitive capability; if a developer
> uses an alternative primitive for public custom post types, then the
> developer is responsible for ensuring anonymous users have the
> capability.
>
> **Notes:**
>
> * Private multisite sites should not allow logged-out users to see such
> posts
> * Many, many unit tests will be required
New description:
The meta capability `read_post` is used to determine if a user is
permitted to read a post. For public posts (i.e. both a public post type
and a public post status), it returns `$post_type->cap->read` as the
required primitive capability.

As logged-out users do not have any primitive capabilities, this causes
`current_user_can( 'read_post', $post_id )` to return a false negative for
logged-out users wishing to read a public post.

**Approach one:**

For public posts the `read_post` meta capability returns an empty array of
primitives.

**Approach two:**

Logged-out users are given the `$post_type->cap->read` capability for
public post types.

**Approach three:**

WP gives logged-out users the `read` primitive capability; if a developer
uses an alternative primitive for public custom post types, then the
developer is responsible for ensuring anonymous users have the capability.

**Notes:**

* ~~Private multisite sites should not allow logged-out users to see such
posts~~ ''Edit: removed as it's not a core feature of Multisite''
* Many, many unit tests will be required
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50123#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
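The following plugin snippet is an added example, not code from the ticket, from WordPress core, or from the reporter. It shows what "Approach one" and "Approach two" from the description look like when done from a plugin today, using only the existing `map_meta_cap` and `user_has_cap` filters. The function names prefixed `anon_read_` and the plugin header are hypothetical; the behaviour it relies on is that `WP_User::has_cap()` returns true when the meta capability maps to an empty list of primitives and that a logged-out visitor has user ID 0.

```php
<?php
/**
 * Plugin Name: Anonymous read_post example (hypothetical, not core code)
 *
 * Illustrates ticket #50123: a logged-out visitor has no primitive caps, so
 * core's mapping of `read_post` -> $post_type->cap->read makes
 * current_user_can( 'read_post', $id ) false even for a public post.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Approach one: for a logged-out user and a public post (public post type
 * AND public post status), drop the $post_type->cap->read primitive that core
 * mapped `read_post` to. WP_User::has_cap() returns true for an empty list,
 * so current_user_can( 'read_post', $post_id ) becomes true for anonymous
 * visitors of public posts only; private, draft and pending posts keep core's
 * mapping.
 *
 * @param string[] $caps    Primitive caps core mapped the meta cap to.
 * @param string   $cap     Meta cap being checked.
 * @param int      $user_id User ID; 0 for a logged-out visitor.
 * @param array    $args    Extra args; $args[0] is the post ID for read_post.
 * @return string[]
 */
function anon_read_map_meta_cap( $caps, $cap, $user_id, $args ) {
	if ( 'read_post' !== $cap || 0 !== (int) $user_id ) {
		return $caps;
	}
	// Keep an explicit denial (e.g. unknown post or post type) in place.
	if ( in_array( 'do_not_allow', $caps, true ) ) {
		return $caps;
	}
	$post = isset( $args[0] ) ? get_post( $args[0] ) : null;
	if ( ! $post ) {
		return $caps;
	}
	$post_type = get_post_type_object( $post->post_type );
	$status    = get_post_status_object( get_post_status( $post ) );
	if ( ! $post_type || ! $status ) {
		return $caps;
	}
	// Both conditions from the ticket: public post type and public status.
	if ( empty( $post_type->public ) || empty( $status->public ) ) {
		return $caps;
	}
	// Remove only the primitive core added, rather than blanking the list,
	// so requirements added by other map_meta_cap filters survive.
	return array_values( array_diff( $caps, array( $post_type->cap->read ) ) );
}
add_filter( 'map_meta_cap', 'anon_read_map_meta_cap', 10, 4 );

/**
 * Approach two (alternative; register one approach, not both): grant the
 * logged-out WP_User the `read` primitive of every public post type, so
 * core's unchanged `read_post` mapping is satisfied. The grant is per
 * post type rather than the bare `read` cap, matching the ticket's wording.
 *
 * @param bool[]  $allcaps Caps the user currently has.
 * @param array   $caps    Primitive caps being checked.
 * @param array   $args    [ $cap, $user_id, ...$extra ].
 * @param WP_User $user    The user being checked; ID 0 when logged out.
 * @return bool[]
 */
function anon_read_user_has_cap( $allcaps, $caps, $args, $user ) {
	if ( 0 !== (int) $user->ID ) {
		return $allcaps;
	}
	foreach ( get_post_types( array( 'public' => true ), 'objects' ) as $type ) {
		$allcaps[ $type->cap->read ] = true;
	}
	return $allcaps;
}
// add_filter( 'user_has_cap', 'anon_read_user_has_cap', 10, 4 );
```

Approach one changes the answer only for the `read_post` meta cap, so it is the narrower of the two. Approach two makes `current_user_can( 'read' )` true for logged-out visitors as well, which matters because the `read` primitive is also checked on its own elsewhere; any plugin that treats a bare `read` check as "is this user logged in" would start passing for anonymous traffic. Whichever approach is used, the result is a capability answer, not a content decision: password-protected posts still have a public status, so a true `read_post` does not by itself mean the body should be rendered.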