[wp-trac] [WordPress Trac] #54966: Inconsistent checking of read permission for singular vs non-singular queries
WordPress Trac
noreply at wordpress.org
Fri Jan 28 04:42:50 UTC 2022
#54966: Inconsistent checking of read permission for singular vs non-singular queries
--------------------------+-----------------------------
 Reporter:  manfcarlo     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
Apologies if this has already been reported, as I wasn't sure exactly what
to search for, but I expect it's a very old behaviour.

When performing a singular query, the `read_post` meta capability is
[https://github.com/WordPress/WordPress/blob/5.9/wp-includes/class-wp-query.php#L3190 checked]
and the post not returned if the user is not allowed to read it.

The same does not happen for non-singular queries. Instead, a primitive
capability is
[https://github.com/WordPress/WordPress/blob/5.9/wp-includes/class-wp-query.php#L2593 checked],
which may not always yield an accurate result if the post type is using
some non-standard capability mapping.

It would be good if `read_post` could be checked individually on each of
the posts being returned.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54966>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
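
The per-post check the ticket asks for, sketched as a plugin-side filter. This is an added example, not code from the ticket or from WordPress core; the callback name `example_filter_unreadable_posts` is hypothetical, and it assumes posts in a public status should stay visible to everyone.

```php
<?php
// Added example: not WordPress core code. The callback name is hypothetical.
add_filter( 'the_posts', 'example_filter_unreadable_posts', 10, 2 );

/**
 * Drop posts from non-singular results when the current user fails `read_post`.
 *
 * @param WP_Post[] $posts Posts returned by the query.
 * @param WP_Query  $query The query that produced them.
 * @return WP_Post[] Posts the current user may read.
 */
function example_filter_unreadable_posts( $posts, $query ) {
	// Singular queries already get a per-post check inside WP_Query.
	if ( empty( $posts ) || $query->is_singular() ) {
		return $posts;
	}

	$readable = array();
	foreach ( $posts as $post ) {
		$status_obj = get_post_status_object( get_post_status( $post ) );

		// Assumption: public statuses pass through. Logged-out visitors hold
		// no capabilities, so asking for `read_post` here would hide
		// published content from them.
		if ( $status_obj && $status_obj->public ) {
			$readable[] = $post;
			continue;
		}

		// Non-public status: let map_meta_cap() resolve `read_post` for this
		// specific post, so custom capability mappings are honoured.
		if ( is_user_logged_in() && current_user_can( 'read_post', $post->ID ) ) {
			$readable[] = $post;
		}
	}

	return $readable;
}
```

The `the_posts` filter does not run for queries made with `suppress_filters` set or with `fields` set to `ids` or `id=>parent`, so those paths stay unchecked. Pagination totals (`found_posts`) are computed before this filter runs and are not adjusted.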