Timestamp:
02/05/2020 01:31:38 AM (5 years ago)
Author:
SergeyBiryukov
Message:

Posts, Post Types: Fail gracefully when checking whether a single post with an unregistered post status should be displayed in WP_Query::get_posts().

If the post status is not registered, assume it's not public, but still allow access to users with edit permissions (same as for a protected post status, e.g. draft), so that they could recover orphaned content.

Add unit tests.

Follow-up to [47178].

Props roytanck, SergeyBiryukov.
Fixes #48653.

File:
1 edited

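--- a/trunk/tests/phpunit/tests/query/postStatus.php
+++ b/trunk/tests/phpunit/tests/query/postStatus.php
@@ -263,4 +263,25 @@
     }
 
+    public function test_single_post_with_nonpublic_status_should_not_be_shown_for_any_user() {
+        register_post_type( 'foo_pt' );
+        register_post_status( 'foo_ps', array( 'public' => false ) );
+        $p = self::factory()->post->create(
+            array(
+                'post_status' => 'foo_ps',
+                'post_author' => self::$author_user_id,
+            )
+        );
+
+        wp_set_current_user( self::$editor_user_id );
+
+        $q = new WP_Query(
+            array(
+                'p' => $p,
+            )
+        );
+
+        $this->assertEmpty( $q->posts );
+    }
+
     public function test_single_post_with_nonpublic_and_protected_status_should_not_be_shown_for_user_who_cannot_edit_others_posts() {
         register_post_type( 'foo_pt' );
@@ -371,23 +392,52 @@
     }
 
-    public function test_single_post_with_nonpublic_and_protected_status_should_not_be_shown_for_any_user() {
-        register_post_type( 'foo_pt' );
-        register_post_status( 'foo_ps', array( 'public' => false ) );
-        $p = self::factory()->post->create(
-            array(
-                'post_status' => 'foo_ps',
-                'post_author' => self::$author_user_id,
-            )
-        );
-
-        wp_set_current_user( self::$editor_user_id );
-
-        $q = new WP_Query(
-            array(
-                'p' => $p,
-            )
-        );
-
-        $this->assertEmpty( $q->posts );
+    /**
+     * @ticket 48653
+     */
+    public function test_single_post_with_nonexisting_status_should_not_be_shown_for_user_who_cannot_edit_others_posts() {
+        register_post_type( 'foo_pt' );
+        register_post_status( 'foo_ps', array( 'public' => true ) );
+        $p = self::factory()->post->create(
+            array(
+                'post_status' => 'foo_ps',
+                'post_author' => self::$editor_user_id,
+            )
+        );
+        _unregister_post_status( 'foo_ps' );
+
+        wp_set_current_user( self::$author_user_id );
+
+        $q = new WP_Query(
+            array(
+                'p' => $p,
+            )
+        );
+
+        $this->assertEmpty( $q->posts );
+    }
+
+    /**
+     * @ticket 48653
+     */
+    public function test_single_post_with_nonexisting_status_should_be_shown_for_user_who_can_edit_others_posts() {
+        register_post_type( 'foo_pt' );
+        register_post_status( 'foo_ps', array( 'public' => true ) );
+        $p = self::factory()->post->create(
+            array(
+                'post_status' => 'foo_ps',
+                'post_author' => self::$author_user_id,
+            )
+        );
+        _unregister_post_status( 'foo_ps' );
+
+        wp_set_current_user( self::$editor_user_id );
+
+        $q = new WP_Query(
+            array(
+                'p' => $p,
+            )
+        );
+
+        $this->assertEquals( array( $p ), wp_list_pluck( $q->posts, 'ID' ) );
     }
 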
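Review bot: The two `@ticket 48653` tests exercise only logged-in users (an author who cannot edit others' posts, and an editor), so nothing visible here pins the behaviour for an unauthenticated visitor, which is the case where a regression would expose orphaned content publicly. A third test that repeats the same setup with `wp_set_current_user( 0 );` and ends in `$this->assertEmpty( $q->posts );` would cover it; the rest of the class is outside this view, so such a case may already exist elsewhere. Separately, every test here calls `register_post_type( 'foo_pt' );` but the `create()` arrays never pass `'post_type'`, so the post is presumably created with the default type and that registration has no effect on what is asserted. In the positive case, `assertSame` would be stricter than `assertEquals` if the plucked IDs are integers.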