sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Posts, Post Types: Fail gracefully when checking whether a single post with an unregistered post status should be displayed in WP_Query::get_posts().

Browse Source 
If the post status is not registered, assume it's not public, but still allow access to users with edit permissions (same as for a protected post status, e.g. `draft`), so that they could recover orphaned content.

Add unit tests.

Follow-up to [47178].

Props roytanck, SergeyBiryukov.
Fixes #48653.

git-svn-id: https://develop.svn.wordpress.org/trunk@47181 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Sergey Biryukov 2020-02-05 01:31:38 +00:00
parent 5ada288488
commit 5e8563eb6b
2 changed files with 81 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
src/wp-includes/class-wp-query.php
View File

@ -3066,35 +3066,43 @@ class WP_Query {
// Check post status to determine if post should be displayed. // Check post status to determine if post should be displayed.
if ( ! empty( $this->posts ) && ( $this->is_single || $this->is_page ) ) { if ( ! empty( $this->posts ) && ( $this->is_single || $this->is_page ) ) {
$status = get_post_status( $this->posts[0] ); $status = get_post_status( $this->posts[0] );
if ( 'attachment' === $this->posts[0]->post_type && 0 === (int) $this->posts[0]->post_parent ) { if ( 'attachment' === $this->posts[0]->post_type && 0 === (int) $this->posts[0]->post_parent ) {
$this->is_page = false; $this->is_page = false;
$this->is_single = true; $this->is_single = true;
$this->is_attachment = true; $this->is_attachment = true;
} }
$post_status_obj = get_post_status_object( $status );
// If the post_status was specifically requested, let it pass through. // If the post_status was specifically requested, let it pass through.
if ( ! $post_status_obj->public && ! in_array( $status, $q_status ) ) { if ( ! in_array( $status, $q_status ) ) {
$post_status_obj = get_post_status_object( $status );
if ( ! is_user_logged_in() ) { if ( $post_status_obj && ! $post_status_obj->public ) {
// User must be logged in to view unpublished posts. if ( ! is_user_logged_in() ) {
$this->posts = array(); // User must be logged in to view unpublished posts.
} else { $this->posts = array();
if ( $post_status_obj->protected ) {
// User must have edit permissions on the draft to preview.
if ( ! current_user_can( $edit_cap, $this->posts[0]->ID ) ) {
$this->posts = array();
} else {
$this->is_preview = true;
if ( 'future' != $status ) {
$this->posts[0]->post_date = current_time( 'mysql' );
}
}
} elseif ( $post_status_obj->private ) {
if ( ! current_user_can( $read_cap, $this->posts[0]->ID ) ) {
$this->posts = array();
}
} else { } else {
if ( $post_status_obj->protected ) {
// User must have edit permissions on the draft to preview.
if ( ! current_user_can( $edit_cap, $this->posts[0]->ID ) ) {
$this->posts = array();
} else {
$this->is_preview = true;
if ( 'future' != $status ) {
$this->posts[0]->post_date = current_time( 'mysql' );
}
}
} elseif ( $post_status_obj->private ) {
if ( ! current_user_can( $read_cap, $this->posts[0]->ID ) ) {
$this->posts = array();
}
} else {
$this->posts = array();
}
}
} elseif ( ! $post_status_obj ) {
// Post status is not registered, assume it's not public.
if ( ! current_user_can( $edit_cap, $this->posts[0]->ID ) ) {
$this->posts = array(); $this->posts = array();
} }
} }

56
tests/phpunit/tests/query/postStatus.php
View File

@ -262,6 +262,27 @@ class Tests_Query_PostStatus extends WP_UnitTestCase {
$this->assertEmpty( $q->posts ); $this->assertEmpty( $q->posts );
} }
public function test_single_post_with_nonpublic_status_should_not_be_shown_for_any_user() {
register_post_type( 'foo_pt' );
register_post_status( 'foo_ps', array( 'public' => false ) );
$p = self::factory()->post->create(
array(
'post_status' => 'foo_ps',
'post_author' => self::$author_user_id,
)
);
wp_set_current_user( self::$editor_user_id );
$q = new WP_Query(
array(
'p' => $p,
)
);
$this->assertEmpty( $q->posts );
}
public function test_single_post_with_nonpublic_and_protected_status_should_not_be_shown_for_user_who_cannot_edit_others_posts() { public function test_single_post_with_nonpublic_and_protected_status_should_not_be_shown_for_user_who_cannot_edit_others_posts() {
register_post_type( 'foo_pt' ); register_post_type( 'foo_pt' );
register_post_status( register_post_status(
@ -370,15 +391,44 @@ class Tests_Query_PostStatus extends WP_UnitTestCase {
$this->assertEquals( array( $p ), wp_list_pluck( $q->posts, 'ID' ) ); $this->assertEquals( array( $p ), wp_list_pluck( $q->posts, 'ID' ) );
} }
public function test_single_post_with_nonpublic_and_protected_status_should_not_be_shown_for_any_user() { /**
* @ticket 48653
*/
public function test_single_post_with_nonexisting_status_should_not_be_shown_for_user_who_cannot_edit_others_posts() {
register_post_type( 'foo_pt' ); register_post_type( 'foo_pt' );
register_post_status( 'foo_ps', array( 'public' => false ) ); register_post_status( 'foo_ps', array( 'public' => true ) );
$p = self::factory()->post->create(
array(
'post_status' => 'foo_ps',
'post_author' => self::$editor_user_id,
)
);
_unregister_post_status( 'foo_ps' );
wp_set_current_user( self::$author_user_id );
$q = new WP_Query(
array(
'p' => $p,
)
);
$this->assertEmpty( $q->posts );
}
/**
* @ticket 48653
*/
public function test_single_post_with_nonexisting_status_should_be_shown_for_user_who_can_edit_others_posts() {
register_post_type( 'foo_pt' );
register_post_status( 'foo_ps', array( 'public' => true ) );
$p = self::factory()->post->create( $p = self::factory()->post->create(
array( array(
'post_status' => 'foo_ps', 'post_status' => 'foo_ps',
'post_author' => self::$author_user_id, 'post_author' => self::$author_user_id,
) )
); );
_unregister_post_status( 'foo_ps' );
wp_set_current_user( self::$editor_user_id ); wp_set_current_user( self::$editor_user_id );
@ -388,7 +438,7 @@ class Tests_Query_PostStatus extends WP_UnitTestCase {
) )
); );
$this->assertEmpty( $q->posts ); $this->assertEquals( array( $p ), wp_list_pluck( $q->posts, 'ID' ) );
} }
/** /**