From 7e8754bbd828c75aa05e9eb57a32bc2d52ec5aa6 Mon Sep 17 00:00:00 2001
From: rob1n
Date: Fri, 6 Apr 2007 03:25:41 +0000
Subject: [PATCH] Add a function to unify private posts SQL based on capabilities -- get_private_posts_cap_sql(). Usage: get_private_posts_cap_sql($type), where $type is either 'post' or 'page'. Props molecularbear. fixes #3861

git-svn-id: https://develop.svn.wordpress.org/trunk@5189 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/post.php | 46 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/wp-includes/post.php b/wp-includes/post.php
index 84d19d7625..e45a6601e7 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -1643,4 +1643,50 @@ function wp_check_for_changed_slugs($post_id) {
 return $post_id;
 }
 
+/**
+ * This function provides a standardized way to appropriately select on
+ * the post_status of posts/pages. The function will return a piece of
+ * SQL code that can be added to a WHERE clause; this SQL is constructed
+ * to allow all published posts, and all private posts to which the user
+ * has access.
+ *
+ * @param string $post_type currently only supports 'post' or 'page'.
+ * @return string SQL code that can be added to a where clause.
+ */
+function get_private_posts_cap_sql($post_type) {
+ global $user_ID;
+ $cap = '';
+
+ // Private posts
+ if ($post_type == 'post') {
+ $cap = 'read_private_posts';
+ // Private pages
+ } elseif ($post_type == 'page') {
+ $cap = 'read_private_pages';
+ // Dunno what it is, maybe plugins have their own post type?
+ } else {
+ $cap = apply_filters('pub_priv_sql_capability', $cap);
+
+ if (empty($cap)) {
+ // We don't know what it is, filters don't change anything,
+ // so set the SQL up to return nothing.
+ return '1 = 0';
+ }
+ }
+
+ $sql = '(post_status = \'publish\'';
+
+ if (current_user_can($cap)) {
+ // Does the user have the capability to view private posts? Guess so.
+ $sql .= ' OR post_status = \'private\'';
+ } elseif (is_user_logged_in()) {
+ // Users can view their own private posts.
+ $sql .= ' OR post_status = \'private\' AND post_author \'' . $user_ID . '\'';
+ }
+
+ $sql .= ')';
+
+ return $sql;
+}
+
 ?>
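Review bot: The own-posts branch (`elseif (is_user_logged_in())`) emits `post_author '<id>'` with no comparison operator, so a logged-in user without the read_private_* capability gets a WHERE fragment that is a SQL syntax error, and the surrounding query fails instead of returning their own private posts. The same line interpolates the global `$user_ID` into the SQL unchanged; because this fragment is the access-control filter for private content, cast it rather than trusting whatever the global holds: `$sql .= ' OR post_status = \'private\' AND post_author = ' . (int) $user_ID;`. Separately, `apply_filters('pub_priv_sql_capability', $cap)` passes only the empty `$cap`, so a plugin hooked there cannot tell which post type it is being asked about; passing `$post_type` as an extra argument would let it return the right capability. The column names are also unqualified, which may become ambiguous if a caller adds this fragment to a query that joins another table with a `post_status` or `post_author` column; the docblock should state that assumption.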