Ticket #32243: 32243_5.diff

src/wp-includes/post.php

@@ -5341 +5341 @@
  *
  * @see get_private_posts_cap_sql()
  *
- * @param string $post_type   Post type.
- * @param bool   $full        Optional. Returns a full WHERE statement instead of just
- *                            an 'andalso' term. Default true.
- * @param int    $post_author Optional. Query posts having a single author ID. Default null.
- * @param bool   $public_only Optional. Only return public posts. Skips cap checks for
- *                            $current_user.  Default false.
+ * @param array/string   $post_types  Post type(s). Either array or string list separated by commas.
+ * @param bool           $full        Optional. Returns a full WHERE statement instead of just
+ *                                    an 'andalso' term. Default true.
+ * @param int            $post_author Optional. Query posts having a single author ID. Default null.
+ * @param bool           $public_only Optional. Only return public posts. Skips cap checks for
+ *                                    $current_user.  Default false.
  * @return string SQL WHERE code that can be added to a query.
  */
-function get_posts_by_author_sql( $post_type, $full = true, $post_author = null, $public_only = false ) {
+function get_posts_by_author_sql( $post_types, $full = true, $post_author = null, $public_only = false ) {
         global $wpdb;
 
-        // Private posts.
-        $post_type_obj = get_post_type_object( $post_type );
-        if ( ! $post_type_obj )
-                return $full ? 'WHERE 1 = 0' : ' 1 = 0 ';
+        if ( is_string( $post_types ) ) $post_types = explode(',', $post_types);
 
-        /**
-         * Filter the capability to read private posts for a custom post type
-         * when generating SQL for getting posts by author.
-         *
-         * @since 2.2.0
-         * @deprecated 3.2.0 The hook transitioned from "somewhat useless" to "totally useless".
-         *
-         * @param string $cap Capability.
-         */
-        if ( ! $cap = apply_filters( 'pub_priv_sql_capability', '' ) ) {
-                $cap = $post_type_obj->cap->read_private_posts;
+        $post_types_w_caps = array();
+        foreach ($post_types as $post_type) {
+                $post_type_obj = get_post_type_object( $post_type );
+                if ( ! $post_type_obj )
+                        return $full ? 'WHERE 1 = 0' : ' 1 = 0 ';
+        
+                /**
+                 * Filter the capability to read private posts for a custom post type
+                 * when generating SQL for getting posts by author.
+                 *
+                 * @since 2.2.0
+                 * @deprecated 3.2.0 The hook transitioned from "somewhat useless" to "totally useless".
+                 *
+                 * @param string $cap Capability.
+                 */
+                if ( ! $cap = apply_filters( 'pub_priv_sql_capability', '' ) ) $cap = current_user_can( $post_type_obj->cap->read_private_posts );
+
+                // Only need to check the cap if $public_only is false.
+                $post_status_sql = "post_status = 'publish'";
+                if ( false === $public_only ) {
+                        if ( $cap ) {
+                                // Does the user have the capability to view private posts? Guess so.
+                                $post_status_sql .= " OR post_status = 'private'";
+                        } elseif ( is_user_logged_in() ) {
+                                // Users can view their own private posts.
+                                $id = get_current_user_id();
+                                if ( null === $post_author || ! $full ) {
+                                        $post_status_sql .= " OR post_status = 'private' AND post_author = $id";
+                                } elseif ( $id == (int) $post_author ) {
+                                        $post_status_sql .= " OR post_status = 'private'";
+                                } // else none
+                        } // else none
+                }
+                
+                $post_types_w_caps[] = "( post_type = '" . $post_type . "' AND ( $post_status_sql ) )";
         }
 
-        $sql = $wpdb->prepare( 'post_type = %s', $post_type );
-
+        $sql = '( '.implode(' OR ', $post_types_w_caps).' )';
+        
         if ( null !== $post_author ) {
                 $sql .= $wpdb->prepare( ' AND post_author = %d', $post_author );
         }
 
-        // Only need to check the cap if $public_only is false.
-        $post_status_sql = "post_status = 'publish'";
-        if ( false === $public_only ) {
-                if ( current_user_can( $cap ) ) {
-                        // Does the user have the capability to view private posts? Guess so.
-                        $post_status_sql .= " OR post_status = 'private'";
-                } elseif ( is_user_logged_in() ) {
-                        // Users can view their own private posts.
-                        $id = get_current_user_id();
-                        if ( null === $post_author || ! $full ) {
-                                $post_status_sql .= " OR post_status = 'private' AND post_author = $id";
-                        } elseif ( $id == (int) $post_author ) {
-                                $post_status_sql .= " OR post_status = 'private'";
-                        } // else none
-                } // else none
-        }
-
-        $sql .= " AND ($post_status_sql)";
-
         if ( $full ) {
                 $sql = 'WHERE ' . $sql;
         }

src/wp-includes/user.php

@@ -254 +254 @@
  *
  * @global wpdb $wpdb WordPress database object for queries.
  *
- * @param int    $userid    User ID.
- * @param string $post_type Optional. Post type to count the number of posts for. Default 'post'.
+ * @param int           $userid User ID.
+ * @param array/string  $post_types Optional. Post type(s) to count the number of posts for. Default 'post'.
+ * @param bool          $public_only Optional. Only return counts for public posts.  Defaults to false.
  * @return int Number of posts the user has written in this post type.
  */
-function count_user_posts( $userid, $post_type = 'post' ) {
+function count_user_posts( $userid, $post_types = 'post', $public_only = false ) {
         global $wpdb;
+        
+        if ( is_string( $post_types ) ) $post_types = explode(',', $post_types);
 
-        $where = get_posts_by_author_sql( $post_type, true, $userid );
+        $where = get_posts_by_author_sql( $post_types, true, $userid, $public_only );
 
         $count = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->posts $where" );
 
@@ -273 +276 @@
          *
          * @param int    $count     The user's post count.
          * @param int    $userid    User ID.
-         * @param string $post_type Post type to count the number of posts for.
+         * @param array  $post_types Post types to count the number of posts for.
          */
-        return apply_filters( 'get_usernumposts', $count, $userid, $post_type );
+        return apply_filters( 'get_usernumposts', $count, $userid, $post_types );
 }
 
 /**

tests/phpunit/tests/post/getPostsByAuthorSql.php

@@ -20 +20 @@
                 $this->assertContains( '1 = 0', $maybe_string );
         }
 
+        public function test_multiple_post_types(){
+                register_post_type( 'foo' );
+                register_post_type( 'bar' );
+
+                $maybe_string = get_posts_by_author_sql( 'foo,bar' );
+                $this->assertContains( "post_type = 'foo'", $maybe_string );
+                $this->assertContains( "post_type = 'bar'", $maybe_string );
+
+                _unregister_post_type( 'foo' );
+                _unregister_post_type( 'bar' );
+        }
+
         public function test_full_true(){
                 $maybe_string = get_posts_by_author_sql( 'post', true );
                 $this->assertRegExp( '/^WHERE /', $maybe_string );
@@ -112 +124 @@
 
                 wp_set_current_user( $current_user );
         }
+
+        public function test_user_has_access_only_to_private_posts_for_certain_post_types(){
+                register_post_type( 'foo', array( 'capabilities' => array( 'read_private_posts' => 'read_private_foo' ) )  );
+                register_post_type( 'bar', array( 'capabilities' => array( 'read_private_posts' => 'read_private_bar' ) ) );
+                register_post_type( 'baz', array( 'capabilities' => array( 'read_private_posts' => 'read_private_baz' ) ) );
+                $current_user = get_current_user_id();
+                $u = $this->factory->user->create( array( 'role' => 'editor' ) );
+                $editor_role = get_role('editor');
+                $editor_role->add_cap( 'read_private_baz' );
+                wp_set_current_user( $u );
+
+                $maybe_string = get_posts_by_author_sql( 'foo,bar,baz' );
+                $this->assertNotContains( "post_type = 'foo' AND ( post_status = 'publish' OR post_status = 'private' )", $maybe_string );
+                $this->assertNotContains( "post_type = 'bar' AND ( post_status = 'publish' OR post_status = 'private' )", $maybe_string );
+                $this->assertContains( "post_type = 'baz' AND ( post_status = 'publish' OR post_status = 'private' )", $maybe_string );
+
+                _unregister_post_type( 'foo' );
+                _unregister_post_type( 'bar' );
+                _unregister_post_type( 'baz' );
+                wp_set_current_user( $current_user );
+        }
 }