
Ticket #32243: post.2.diff

File post.2.diff, 2.4 KB (added by nikonratm, 10 years ago)

Fixed: get_posts_by_author_sql() now respects capabilities for all included post types.

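--- a/post.php
+++ b/post.php
@@ -5330,7 +5330,7 @@
  *
  * @see get_private_posts_cap_sql()
  *
- * @param string $post_type   Post type.
+ * @param array  $post_types  Post type(s).
  * @param bool   $full        Optional. Returns a full WHERE statement instead of just
  *                            an 'andalso' term. Default true.
  * @param int    $post_author Optional. Query posts having a single author ID. Default null.
@@ -5338,14 +5338,18 @@
  *                            $current_user.  Default false.
  * @return string SQL WHERE code that can be added to a query.
  */
-function get_posts_by_author_sql( $post_type, $full = true, $post_author = null, $public_only = false ) {
+function get_posts_by_author_sql( $post_types, $full = true, $post_author = null, $public_only = false ) {
         global $wpdb;
 
         // Private posts.
-        $post_type_obj = get_post_type_object( $post_type );
-        if ( ! $post_type_obj )
-                return $full ? 'WHERE 1 = 0' : ' 1 = 0 ';
-
+        $cap_final = true;
+        foreach ($post_types as $post_type) {
+                $post_type_obj = get_post_type_object( $post_type );
+                if ( ! $post_type_obj )
+                        return $full ? 'WHERE 1 = 0' : ' 1 = 0 ';
+                $cap_final = $cap_final && current_user_can( $post_type_obj->cap->read_private_posts );
+        }       
+       
         /**
          * Filter the capability to read private posts for a custom post type
          * when generating SQL for getting posts by author.
@@ -5355,11 +5359,11 @@
          *
          * @param string $cap Capability.
          */
-        if ( ! $cap = apply_filters( 'pub_priv_sql_capability', '' ) ) {
-                $cap = $post_type_obj->cap->read_private_posts;
-        }
+        if ( ! $cap = apply_filters( 'pub_priv_sql_capability', '' ) ) $cap = $cap_final;
 
-        $sql = $wpdb->prepare( 'post_type = %s', $post_type );
+        $post_type_sql = array_fill(0, count($post_types), '%s');
+        $where = '(post_type = '.implode(' OR post_type = ', $post_type_sql).')';
+        $sql = $wpdb->prepare($where, $post_types);
 
         if ( null !== $post_author ) {
                 $sql .= $wpdb->prepare( ' AND post_author = %d', $post_author );
@@ -5368,7 +5372,7 @@
         // Only need to check the cap if $public_only is false.
         $post_status_sql = "post_status = 'publish'";
         if ( false === $public_only ) {
-                if ( current_user_can( $cap ) ) {
+                if ( $cap ) {
                         // Does the user have the capability to view private posts? Guess so.
                         $post_status_sql .= " OR post_status = 'private'";
                 } elseif ( is_user_logged_in() ) {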
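Review bot: A capability name returned by the `pub_priv_sql_capability` filter is no longer checked against the current user: the new one-line `if ( ! $cap = apply_filters( ... ) ) $cap = $cap_final;` leaves a non-empty string in `$cap`, and the new `if ( $cap )` treats that string as a granted permission, so `OR post_status = 'private'` is appended for every caller whenever a plugin supplies a capability through the filter. The filtered value still has to pass through `current_user_can()`, for example `$cap = apply_filters( 'pub_priv_sql_capability', '' );` then `$can_read_private = $cap ? current_user_can( $cap ) : $cap_final;` and `if ( $can_read_private ) {`. Separately, `$cap_final` starts as `true` and the `foreach` assumes an array, so an empty array appears to yield both a granted check and a malformed `(post_type = )` clause, and existing callers that pass a string would break; `$post_types = (array) $post_types;` plus returning the `1 = 0` clause when the list is empty would cover both. The function body continues past the end of this hunk, so the remaining branches were not reviewed.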