[wp-trac] [WordPress Trac] #54268: Using `author_name` in URL parameter gives unexpected results when logged into contributor account
WordPress Trac
noreply at wordpress.org
Thu Oct 14 22:22:49 UTC 2021
#54268: Using `author_name` in URL parameter gives unexpected results when logged into contributor account
----------------------------+-----------------------------
Reporter: lschuyler | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Query | Version: 5.8.1
Severity: minor | Keywords:
Focuses: administration |
----------------------------+-----------------------------
When logged into a contributor account, and trying to view the post
listing on the dashboard of an administrator user, the query changes
unexpectedly when the URL uses the `author_name` parameter rather than the
default URL.
Assuming a user ID of 1 for an administrator user, and a user ID of 2 for
a contributor user:
When logged into the contributor account, and displaying the admin user's
posts in the dashboard, the URL looks like this and works as expected:
`/wp-admin/edit.php?post_type=post&author=1`
The main query is:
{{{
SELECT SQL_CALC_FOUND_ROWS wp_posts.ID
FROM wp_posts
WHERE 1=1
AND wp_posts.post_author IN (1)
AND wp_posts.post_type = 'post'
AND (wp_posts.post_status = 'publish'
OR wp_posts.post_status = 'future'
OR wp_posts.post_status = 'draft'
OR wp_posts.post_status = 'pending'
OR wp_posts.post_author = 2
AND wp_posts.post_status = 'private')
ORDER BY wp_posts.post_date DESC
LIMIT 0, 20
}}}
But if the URL is switched to the username of the administrator user,
for example, admin, like this `/wp-admin/edit.php?post_type=post&author_name=admin`
or even just `/wp-admin/edit.php?author_name=admin`, I would expect the same
results, but they are different:
{{{
SELECT SQL_CALC_FOUND_ROWS wp_posts.ID
FROM wp_posts
WHERE 1=1
AND wp_posts.post_author IN (2)
AND (wp_posts.post_author = 1)
AND wp_posts.post_type = 'post'
AND (wp_posts.post_status = 'publish'
OR wp_posts.post_status = 'future'
OR wp_posts.post_status = 'draft'
OR wp_posts.post_status = 'pending'
OR wp_posts.post_author = 2
AND wp_posts.post_status = 'private')
ORDER BY wp_posts.post_date DESC
LIMIT 0, 20
}}}
The `IN (2)` and the `OR wp_posts.post_author = 2` here are unexpected,
because the 2 is the user ID of the contributor user that is logged in,
and it isn't relevant to a query for the posts of user ID 1 (admin).
For comparison, when logged into the administrator's account, this query
looks like this:
{{{
SELECT SQL_CALC_FOUND_ROWS wp_posts.ID
FROM wp_posts
WHERE 1=1
AND (wp_posts.post_author = 1)
AND wp_posts.post_type = 'post'
AND (wp_posts.post_status = 'publish'
OR wp_posts.post_status = 'future'
OR wp_posts.post_status = 'draft'
OR wp_posts.post_status = 'pending'
OR wp_posts.post_status = 'private')
ORDER BY wp_posts.post_date DESC
LIMIT 0, 20
}}}
To replicate:
1. Create two users, one with the administrator role, and another with a
contributor role.
2. Publish a post for the admin user.
3. While logged into the contributor user's account, view the
administrator user's posts in the dashboard. The link will look like
`/wp-admin/edit.php?post_type=post&author=1`. Take note of the main query and
the search results.
4. Alter the URL to look for the username of that administrator user, in
this format: `/wp-admin/edit.php?post_type=post&author_name=admin`. Check
the main query and search results again.
This appears to be coming from the `get_posts` function in the
`wp-includes/class-wp-query.php` file.
This is a low severity issue that I stumbled upon while investigating a
Co-Authors Plus [https://github.com/Automattic/Co-Authors-Plus/issues/820
issue], a plugin that uses the `author_name` in the URL. However, even
when that plugin is not installed, the above-described behavior is
replicable.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54268>
WordPress Trac <https://core.trac.wordpress.org/>
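To capture the main query that the reproduction steps above ask you to note, here is an added diagnostic mu-plugin (example code written for this discussion, not part of the ticket or of WordPress core). It logs, for the main admin post-list query, the `author` and `author_name` query vars, the logged-in user ID and the SQL, and flags the case the ticket describes, where `author_name` resolves to a different user than the `author` var. The function name `ex_log_author_query` and the log line format are my own choices.

```php
<?php
/**
 * Plugin Name: Author query-var consistency logger (diagnostic example)
 *
 * Drop into wp-content/mu-plugins/. For the main query on the admin post
 * listing (wp-admin/edit.php) it writes one line to the PHP error log with
 * the author-related query vars, the current user ID and the SQL, and
 * appends MISMATCH when `author_name` resolves to a user not listed in `author`.
 */

add_filter( 'posts_request', 'ex_log_author_query', 10, 2 );

function ex_log_author_query( $request, $query ) {
    // Only the main query on admin screens; leave every other query untouched.
    if ( ! is_admin() || ! $query->is_main_query() ) {
        return $request;
    }

    $vars        = $query->query_vars;
    $author      = isset( $vars['author'] ) ? (string) $vars['author'] : '';
    $author_name = isset( $vars['author_name'] ) ? (string) $vars['author_name'] : '';
    $current     = get_current_user_id();

    // `author_name` is a user_nicename (slug); resolve it to an ID the same way
    // WP_Query does so the two vars can be compared.
    $resolved = 0;
    if ( '' !== $author_name ) {
        $user     = get_user_by( 'slug', $author_name );
        $resolved = $user ? (int) $user->ID : 0;
    }

    // `author` may be a single ID or a comma-separated list; a mismatch is an
    // author_name user that does not appear in it (e.g. author=2, author_name=admin).
    $mismatch = $resolved
        && '' !== $author
        && ! in_array( (string) $resolved, wp_parse_list( $author ), true );

    error_log( sprintf(
        '[author-query] user=%d author=%s author_name=%s (resolves to %d)%s SQL: %s',
        $current,
        '' === $author ? '(unset)' : $author,
        '' === $author_name ? '(unset)' : $author_name,
        $resolved,
        $mismatch ? ' MISMATCH' : '',
        preg_replace( '/\s+/', ' ', $request )
    ) );

    return $request;
}
```

Compare the two log lines produced by step 3 and step 4 while logged in as the contributor: the step 4 line is the one expected to carry MISMATCH.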