[wp-trac] [WordPress Trac] #48556: Query for multiple post types not considering user permission to retrieve private posts
WordPress Trac
noreply at wordpress.org
Mon Jun 7 03:07:33 UTC 2021
#48556: Query for multiple post types not considering user permission to retrieve
private posts
-------------------------------------------------+-------------------------
Reporter: leogermani | Owner: SergeyBiryukov
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: Future Release
Component: Query | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests early needs-dev-note | Focuses:
-------------------------------------------------+-------------------------
Comment (by peterwilsoncc):
I've asked for the testing team to take a look at this during the next
session.
---
@hellofromTonya Here are the testing notes you asked for:
Testing Notes:
See [https://gist.github.com/peterwilsoncc/99257a8f3161cd8fe0c403ca5d538ce5 the testing gist] I have created:
* The PHP file `48556-testing-plugin.php` should be added to the `mu-plugins` directory.
* The bash script `48556-testing-plugin.sh` will allow you to create a number of posts and users very quickly. The final line of the script installs the [https://wordpress.org/plugins/user-switching/ user switching plugin] so you don't need to log in and out constantly.
Notes:
* The bash script sets the passwords to `password`, so do not run this on a public server.
* The plugin includes a hack to bypass the blocking of private post types from the front end. Really do not run this on a public server.
* You may wish to run `wp site empty` beforehand.
* The notes below assume your test site is running at `http://wordpress-develop.local/`
This plugin will allow you to query post types directly by including the
query string `?trac48556=trac48556_private` (or another post type).
Permissions:
- "A public post", "A trac48556_public post", "A trac48556_custom_cap post"
  - All users
- "A private post", "A trac48556_public private post"
  - `Admin`, `Editor`
- "A trac48556_custom_cap private post"
  - `trac48556_admin`
- None of the post types registered as private (ie, with `public => false`) should be visible on the front end.

When viewing WP Query dumps directly, each logged in role should also see:
- "A trac48556_private post"
  - All users (as it's got a publish status)
- "A trac48556_private private post"
  - `Admin`, `Editor`
- "A trac48556_custom_cap post"
  - All users (as it's got a publish status)
- "A trac48556_custom_cap private post"
  - `trac48556_admin`
The URL to view all post types on the front end is
`http://wordpress-develop.local/?post_type[]=post&post_type[]=trac48556_custom_cap&post_type[]=trac48556_public&post_type[]=trac48556_private&post_type[]=trac48556_c_priv_cap`
To get a dump of WP Query with `any` post status visit
`http://wordpress-develop.local/?trac48556=any`
You can also use this with an array of post types or any of the custom
post types that are private.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48556#comment:48>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
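
The expected-visibility matrix from the testing notes above can be turned into a small checker that flags private posts shown to a role that should not see them. This is an added example, not part of the ticket comment or the testing gist; the lowercase role labels, the `subscriber` role and the sample observation are assumptions constructed for illustration.

```python
# Expected visibility per title, transcribed from the testing notes.
# "*" = every user. Lowercase role labels are assumptions of this sketch.
STAFF = {"admin", "editor"}
FRONT_END = {
    "A public post": {"*"},
    "A trac48556_public post": {"*"},
    "A trac48556_custom_cap post": {"*"},
    "A private post": STAFF,
    "A trac48556_public private post": STAFF,
    "A trac48556_custom_cap private post": {"trac48556_admin"},
    # Private post types must never appear on the front end.
    "A trac48556_private post": set(),
    "A trac48556_private private post": set(),
}
# Direct WP Query dumps additionally expose the private post type.
QUERY_DUMP = {
    **FRONT_END,
    "A trac48556_private post": {"*"},
    "A trac48556_private private post": STAFF,
}


def allowed(matrix, role):
    """Titles the matrix says this role may see."""
    return {t for t, roles in matrix.items() if "*" in roles or role in roles}


def audit(role, seen_titles, dump=False):
    """Compare the titles one role actually saw with the expected matrix."""
    matrix = QUERY_DUMP if dump else FRONT_END
    known = set(matrix)
    seen = {t.strip() for t in seen_titles if t.strip()}
    expected = allowed(matrix, role.lower())
    return {
        "leaked": sorted((seen & known) - expected),  # access-control failure
        "missing": sorted(expected - seen),           # permitted but not returned
        "unlisted": sorted(seen - known),             # title the notes do not cover
    }


if __name__ == "__main__":
    # Constructed observation: a hypothetical "subscriber" role on the front end.
    seen = ["A public post", "A trac48556_public post",
            "A trac48556_custom_cap post", "A private post"]
    print(audit("subscriber", seen))
```

Feed it the post titles copied from the front-end page or the query dump for each role; a non-empty `leaked` list is the result that matters for access control, while `missing` points at permitted private posts the query failed to return.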