From e656053bce7792011ca87fb52cd7d29edb70d139 Mon Sep 17 00:00:00 2001 From: Boone Gorges Date: Thu, 21 May 2015 18:42:49 +0000 Subject: [PATCH] Support multiple post types in `count_user_posts()` and other functions that use `get_posts_by_author_sql()`. Props nikonratm. Fixes #32243. git-svn-id: https://develop.svn.wordpress.org/trunk@32523 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/post.php | 101 ++++++++++-------- src/wp-includes/user.php | 24 +++-- .../tests/post/getPostsByAuthorSql.php | 33 ++++++ tests/phpunit/tests/user/countUserPosts.php | 14 +++ 4 files changed, 119 insertions(+), 53 deletions(-) diff --git a/src/wp-includes/post.php b/src/wp-includes/post.php index 3716cbae72..679b0dd706 100644 --- a/src/wp-includes/post.php +++ b/src/wp-includes/post.php @@ -5327,7 +5327,8 @@ function wp_check_for_changed_slugs( $post_id, $post, $post_before ) { * * @since 2.2.0 * - * @param string $post_type Post type. Currently only supports 'post' or 'page'. + * @param string|array $post_type Array or comma-separated string of post types. + * Currently only supports 'post' or 'page'. * @return string SQL code that can be added to a where clause. */ function get_private_posts_cap_sql( $post_type ) { 
@@ -5338,63 +5339,77 @@ function get_private_posts_cap_sql( $post_type ) { * Retrieve the post SQL based on capability, author, and type. * * @since 3.0.0 + * @since 4.3.0 Introduced the ability to pass multiple post types to `$post_type`. * * @see get_private_posts_cap_sql() * - * @param string $post_type Post type. - * @param bool $full Optional. Returns a full WHERE statement instead of just - * an 'andalso' term. Default true. - * @param int $post_author Optional. Query posts having a single author ID. Default null. - * @param bool $public_only Optional. Only return public posts. Skips cap checks for - * $current_user. Default false. + * @param array|string $post_type Array or comma-separated list of post type(s). + * @param bool $full Optional. Returns a full WHERE statement instead of just + * an 'andalso' term. Default true. + * @param int $post_author Optional. Query posts having a single author ID. Default null. + * @param bool $public_only Optional. Only return public posts. Skips cap checks for + * $current_user. Default false. * @return string SQL WHERE code that can be added to a query. */ function get_posts_by_author_sql( $post_type, $full = true, $post_author = null, $public_only = false ) { global $wpdb; - // Private posts. - $post_type_obj = get_post_type_object( $post_type ); - if ( ! $post_type_obj ) - return $full ? 'WHERE 1 = 0' : ' 1 = 0 '; - - /** - * Filter the capability to read private posts for a custom post type - * when generating SQL for getting posts by author. - * - * @since 2.2.0 - * @deprecated 3.2.0 The hook transitioned from "somewhat useless" to "totally useless". - * - * @param string $cap Capability. - */ - if ( ! 
$cap = apply_filters( 'pub_priv_sql_capability', '' ) ) { - $cap = $post_type_obj->cap->read_private_posts; + if ( is_array( $post_type ) ) { + $post_types = $post_type; + } else { + $post_types = preg_split( '/[\s,]+/', $post_type ); } - $sql = $wpdb->prepare( 'post_type = %s', $post_type ); + $post_type_clauses = array(); + foreach ( $post_types as $post_type ) { + $post_type_obj = get_post_type_object( $post_type ); + if ( ! $post_type_obj ) { + continue; + } + + /** + * Filter the capability to read private posts for a custom post type + * when generating SQL for getting posts by author. + * + * @since 2.2.0 + * @deprecated 3.2.0 The hook transitioned from "somewhat useless" to "totally useless". + * + * @param string $cap Capability. + */ + if ( ! $cap = apply_filters( 'pub_priv_sql_capability', '' ) ) { + $cap = current_user_can( $post_type_obj->cap->read_private_posts ); + } + + // Only need to check the cap if $public_only is false. + $post_status_sql = "post_status = 'publish'"; + if ( false === $public_only ) { + if ( $cap ) { + // Does the user have the capability to view private posts? Guess so. + $post_status_sql .= " OR post_status = 'private'"; + } elseif ( is_user_logged_in() ) { + // Users can view their own private posts. + $id = get_current_user_id(); + if ( null === $post_author || ! $full ) { + $post_status_sql .= " OR post_status = 'private' AND post_author = $id"; + } elseif ( $id == (int) $post_author ) { + $post_status_sql .= " OR post_status = 'private'"; + } // else none + } // else none + } + + $post_type_clauses[] = "( post_type = '" . $post_type . "' AND ( $post_status_sql ) )"; + } + + if ( empty( $post_type_clauses ) ) { + return $full ? 'WHERE 1 = 0' : '1 = 0'; + } + + $sql = '( '. implode( ' OR ', $post_type_clauses ) . ' )'; if ( null !== $post_author ) { $sql .= $wpdb->prepare( ' AND post_author = %d', $post_author ); } - // Only need to check the cap if $public_only is false. 
- $post_status_sql = "post_status = 'publish'"; - if ( false === $public_only ) { - if ( current_user_can( $cap ) ) { - // Does the user have the capability to view private posts? Guess so. - $post_status_sql .= " OR post_status = 'private'"; - } elseif ( is_user_logged_in() ) { - // Users can view their own private posts. - $id = get_current_user_id(); - if ( null === $post_author || ! $full ) { - $post_status_sql .= " OR post_status = 'private' AND post_author = $id"; - } elseif ( $id == (int) $post_author ) { - $post_status_sql .= " OR post_status = 'private'"; - } // else none - } // else none - } - - $sql .= " AND ($post_status_sql)"; - if ( $full ) { $sql = 'WHERE ' . $sql; } diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php index e602a3ece8..9e6ca0efa4 100644 --- a/src/wp-includes/user.php +++ b/src/wp-includes/user.php @@ -251,17 +251,19 @@ function wp_validate_logged_in_cookie( $user_id ) { * * @since 3.0.0 * @since 4.1.0 Added `$post_type` argument. + * @since 4.3.0 Added `$public_only` argument. * * @global wpdb $wpdb WordPress database object for queries. * - * @param int $userid User ID. - * @param string $post_type Optional. Post type to count the number of posts for. Default 'post'. + * @param int $userid User ID. + * @param array|string $post_type Optional. Post type(s) to count the number of posts for. Default 'post'. + * @param bool $public_only Optional. Only return counts for public posts. Defaults to false. * @return int Number of posts the user has written in this post type. */ -function count_user_posts( $userid, $post_type = 'post' ) { +function count_user_posts( $userid, $post_type = 'post', $public_only = false ) { global $wpdb; - $where = get_posts_by_author_sql( $post_type, true, $userid ); + $where = get_posts_by_author_sql( $post_type, true, $userid, $public_only ); $count = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->posts $where" ); 
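Review bot: In the new per-type loop of get_posts_by_author_sql(), a non-empty value returned by the `pub_priv_sql_capability` filter stays in `$cap` as a string and is then tested with `if ( $cap )`. It is never passed to `current_user_can()`, so the `OR post_status = 'private'` branch is taken for every viewer, whereas the removed code tested `current_user_can( $cap )`. Keep `$cap` as a capability name, with `$cap = $post_type_obj->cap->read_private_posts;` in the fallback, and test `if ( current_user_can( $cap ) )`. The same loop builds `post_type = '" . $post_type . "'` by concatenation where the old code used `$wpdb->prepare( 'post_type = %s', $post_type )`; the `get_post_type_object()` gate presumably limits the value to registered names, but keeping `prepare()` would not depend on that. The function's closing lines are outside the hunk.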
@@ -270,10 +272,12 @@ function count_user_posts( $userid, $post_type = 'post' ) { * * @since 2.7.0 * @since 4.1.0 Added `$post_type` argument. + * @since 4.3.0 Added `$public_only` argument. * - * @param int $count The user's post count. - * @param int $userid User ID. - * @param string $post_type Post type to count the number of posts for. + * @param int $count The user's post count. + * @param int $userid User ID. + * @param string|array $post_types Post types to count the number of posts for. + * @param bool $public_only Whether to limit counted posts to public posts. */ return apply_filters( 'get_usernumposts', $count, $userid, $post_type ); } @@ -283,9 +287,9 @@ function count_user_posts( $userid, $post_type = 'post' ) { * * @since 3.0.0 * - * @param array $users Array of user IDs. - * @param string $post_type Optional. Post type to check. Defaults to post. - * @param bool $public_only Optional. Only return counts for public posts. Defaults to false. + * @param array $users Array of user IDs. + * @param string|array $post_type Optional. Array or comma-separated list of post types to check. Defaults to 'post'. + * @param bool $public_only Optional. Only return counts for public posts. Defaults to false. * @return array Amount of posts each user has written. */ function count_many_users_posts( $users, $post_type = 'post', $public_only = false ) { diff --git a/tests/phpunit/tests/post/getPostsByAuthorSql.php b/tests/phpunit/tests/post/getPostsByAuthorSql.php index 4c5f33dfb4..70b2f4e878 100644 --- a/tests/phpunit/tests/post/getPostsByAuthorSql.php +++ b/tests/phpunit/tests/post/getPostsByAuthorSql.php 
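Review bot: The updated `get_usernumposts` docblock lists `$post_types` and `$public_only`, but the `apply_filters()` call below it still passes only `$count, $userid, $post_type`. Callbacks therefore never receive `$public_only`, and the documented name `$post_types` does not match the variable. Suggested change: `return apply_filters( 'get_usernumposts', $count, $userid, $post_type, $public_only );`, with the doc entry renamed to `$post_type`. Existing callbacks registered with three accepted arguments would be unaffected by the extra argument.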
@@ -20,6 +20,18 @@ class Tests_Post_GetPostsByAuthorSql extends WP_UnitTestCase { $this->assertContains( '1 = 0', $maybe_string ); } + public function test_multiple_post_types(){ + register_post_type( 'foo' ); + register_post_type( 'bar' ); + + $maybe_string = get_posts_by_author_sql( 'foo,bar' ); + $this->assertContains( "post_type = 'foo'", $maybe_string ); + $this->assertContains( "post_type = 'bar'", $maybe_string ); + + _unregister_post_type( 'foo' ); + _unregister_post_type( 'bar' ); + } + public function test_full_true(){ $maybe_string = get_posts_by_author_sql( 'post', true ); $this->assertRegExp( '/^WHERE /', $maybe_string ); @@ -112,4 +124,25 @@ class Tests_Post_GetPostsByAuthorSql extends WP_UnitTestCase { wp_set_current_user( $current_user ); } + + public function test_user_has_access_only_to_private_posts_for_certain_post_types(){ + register_post_type( 'foo', array( 'capabilities' => array( 'read_private_posts' => 'read_private_foo' ) ) ); + register_post_type( 'bar', array( 'capabilities' => array( 'read_private_posts' => 'read_private_bar' ) ) ); + register_post_type( 'baz', array( 'capabilities' => array( 'read_private_posts' => 'read_private_baz' ) ) ); + $current_user = get_current_user_id(); + $u = $this->factory->user->create( array( 'role' => 'editor' ) ); + $editor_role = get_role('editor'); + $editor_role->add_cap( 'read_private_baz' ); + wp_set_current_user( $u ); + + $maybe_string = get_posts_by_author_sql( 'foo,bar,baz' ); + $this->assertNotContains( "post_type = 'foo' AND ( post_status = 'publish' OR post_status = 'private' )", $maybe_string ); + $this->assertNotContains( "post_type = 'bar' AND ( post_status = 'publish' OR post_status = 'private' )", $maybe_string ); + $this->assertContains( "post_type = 'baz' AND ( post_status = 'publish' OR post_status = 'private' )", $maybe_string ); + + _unregister_post_type( 'foo' ); + _unregister_post_type( 'bar' ); + _unregister_post_type( 'baz' ); + wp_set_current_user( $current_user ); + } } 
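Review bot: `test_user_has_access_only_to_private_posts_for_certain_post_types()` adds `read_private_baz` to the shared `editor` role and never removes it, and its cleanup calls run only if every assertion passes. Add `$editor_role->remove_cap( 'read_private_baz' );` next to the `_unregister_post_type()` calls, or move the cleanup into `tearDown()`, so a failing assertion cannot leave the extra capability or the post types visible to later tests. Whether the suite resets roles between tests is not visible here. Neither new test in this file exercises a non-empty `pub_priv_sql_capability` filter value or an array `$post_type`, which are the two paths where the private-post visibility decision changed.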
diff --git a/tests/phpunit/tests/user/countUserPosts.php b/tests/phpunit/tests/user/countUserPosts.php index 00367c8e2c..d969a4305e 100644 --- a/tests/phpunit/tests/user/countUserPosts.php +++ b/tests/phpunit/tests/user/countUserPosts.php @@ -78,4 +78,18 @@ class Tests_User_CountUserPosts extends WP_UnitTestCase { public function test_count_user_posts_post_type_cpt() { $this->assertEquals( 3, count_user_posts( self::$user_id, 'wptests_pt' ) ); } + + /** + * @ticket 32243 + */ + public function test_count_user_posts_with_multiple_post_types() { + $this->assertEquals( 7, count_user_posts( self::$user_id, array( 'wptests_pt', 'post' ) ) ); + } + + /** + * @ticket 32243 + */ + public function test_count_user_posts_should_ignore_non_existent_post_types() { + $this->assertEquals( 4, count_user_posts( self::$user_id, array( 'foo', 'post' ) ) ); + } }
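Review bot: The new `$public_only` argument of `count_user_posts()` has no test in this hunk; both added cases call the function with the default. A case such as `count_user_posts( self::$user_id, array( 'wptests_pt', 'post' ), true )`, with a private post in the fixture, would pin that private posts are excluded from the count. The expected values 7 and 4 depend on fixtures set up outside the hunk.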