Changeset 51276 for trunk/src/wp-includes/class-wp-query.php

Timestamp:

06/30/2021 04:59:10 AM (4 years ago)

Author:

peterwilsoncc

Message:

Query: Check each post-type's capabilities when querying multiple post-types.

When querying multiple post types, check the read_private_posts capability for each post type when determining which post statuses to return. This ensures private posts appear in search results and archives for users permitted to read them.

Props leogermani, hellofromTonya, jeffpaul, peterwilsoncc.
Fixes #48556.

File:

• trunk/src/wp-includes/class-wp-query.php (modified) (3 diffs)

trunk/src/wp-includes/class-wp-query.php

@@ -2421 +2421 @@
         }
 
+        $skip_post_status = false;
         if ( 'any' === $post_type ) {
             $in_search_post_types = get_post_types( array( 'exclude_from_search' => false ) );
             if ( empty( $in_search_post_types ) ) {
-                $where .= ' AND 1=0 ';
+                $post_type_where  = ' AND 1=0 ';
+                $skip_post_status = true;
             } else {
-                $where .= " AND {$wpdb->posts}.post_type IN ('" . implode( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')";
+                $post_type_where = " AND {$wpdb->posts}.post_type IN ('" . implode( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')";
             }
         } elseif ( ! empty( $post_type ) && is_array( $post_type ) ) {
-            $where .= " AND {$wpdb->posts}.post_type IN ('" . implode( "', '", esc_sql( $post_type ) ) . "')";
+            $post_type_where = " AND {$wpdb->posts}.post_type IN ('" . implode( "', '", esc_sql( $post_type ) ) . "')";
         } elseif ( ! empty( $post_type ) ) {
-            $where           .= $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type );
+            $post_type_where  = $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type );
             $post_type_object = get_post_type_object( $post_type );
         } elseif ( $this->is_attachment ) {
-            $where           .= " AND {$wpdb->posts}.post_type = 'attachment'";
+            $post_type_where  = " AND {$wpdb->posts}.post_type = 'attachment'";
             $post_type_object = get_post_type_object( 'attachment' );
         } elseif ( $this->is_page ) {
-            $where           .= " AND {$wpdb->posts}.post_type = 'page'";
+            $post_type_where  = " AND {$wpdb->posts}.post_type = 'page'";
             $post_type_object = get_post_type_object( 'page' );
         } else {
-            $where           .= " AND {$wpdb->posts}.post_type = 'post'";
+            $post_type_where  = " AND {$wpdb->posts}.post_type = 'post'";
             $post_type_object = get_post_type_object( 'post' );
         }
@@ -2458 +2460 @@
 
         $q_status = array();
-        if ( ! empty( $q['post_status'] ) ) {
+        if ( $skip_post_status ) {
+            $where .= $post_type_where;
+        } elseif ( ! empty( $q['post_status'] ) ) {
+
+            $where .= $post_type_where;
+
             $statuswheres = array();
             $q_status     = $q['post_status'];
@@ -2518 +2525 @@
             }
         } elseif ( ! $this->is_singular ) {
-            $where .= " AND ({$wpdb->posts}.post_status = 'publish'";
-
-            // Add public states.
-            $public_states = get_post_stati( array( 'public' => true ) );
-            foreach ( (array) $public_states as $state ) {
-                if ( 'publish' === $state ) { // Publish is hard-coded above.
-                    continue;
-                }
-                $where .= " OR {$wpdb->posts}.post_status = '$state'";
-            }
-
-            if ( $this->is_admin ) {
-                // Add protected states that should show in the admin all list.
-                $admin_all_states = get_post_stati(
-                    array(
-                        'protected'              => true,
-                        'show_in_admin_all_list' => true,
-                    )
-                );
-                foreach ( (array) $admin_all_states as $state ) {
-                    $where .= " OR {$wpdb->posts}.post_status = '$state'";
-                }
-            }
-
-            if ( is_user_logged_in() ) {
-                // Add private states that are limited to viewing by the author of a post or someone who has caps to read private states.
-                $private_states = get_post_stati( array( 'private' => true ) );
-                foreach ( (array) $private_states as $state ) {
-                    $where .= current_user_can( $read_private_cap ) ? " OR {$wpdb->posts}.post_status = '$state'" : " OR {$wpdb->posts}.post_author = $user_id AND {$wpdb->posts}.post_status = '$state'";
-                }
-            }
-
-            $where .= ')';
+            if ( 'any' === $post_type ) {
+                $queried_post_types = get_post_types( array( 'exclude_from_search' => false ) );
+            } elseif ( is_array( $post_type ) ) {
+                $queried_post_types = $post_type;
+            } elseif ( ! empty( $post_type ) ) {
+                $queried_post_types = array( $post_type );
+            } else {
+                $queried_post_types = array( 'post' );
+            }
+
+            if ( ! empty( $queried_post_types ) ) {
+
+                $status_type_clauses = array();
+
+                foreach ( $queried_post_types as $queried_post_type ) {
+
+                    $queried_post_type_object = get_post_type_object( $queried_post_type );
+
+                    $type_where = '(' . $wpdb->prepare( "{$wpdb->posts}.post_type = %s AND (", $queried_post_type );
+
+                    // Public statuses.
+                    $public_statuses = get_post_stati( array( 'public' => true ) );
+                    $status_clauses  = array();
+                    foreach ( (array) $public_statuses as $public_status ) {
+                        $status_clauses[] = "{$wpdb->posts}.post_status = '$public_status'";
+                    }
+                    $type_where .= implode( ' OR ', $status_clauses );
+
+                    // Add protected states that should show in the admin all list.
+                    if ( $this->is_admin ) {
+                        $admin_all_statuses = get_post_stati(
+                            array(
+                                'protected'              => true,
+                                'show_in_admin_all_list' => true,
+                            )
+                        );
+                        foreach ( (array) $admin_all_statuses as $admin_all_status ) {
+                            $type_where .= " OR {$wpdb->posts}.post_status = '$admin_all_status'";
+                        }
+                    }
+
+                    // Add private states that are visible to current user.
+                    if ( is_user_logged_in() && $queried_post_type_object instanceof WP_Post_Type ) {
+                        $read_private_cap = $queried_post_type_object->cap->read_private_posts;
+                        $private_statuses = get_post_stati( array( 'private' => true ) );
+                        foreach ( (array) $private_statuses as $private_status ) {
+                            $type_where .= current_user_can( $read_private_cap ) ? " \nOR {$wpdb->posts}.post_status = '$private_status'" : " \nOR ({$wpdb->posts}.post_author = $user_id AND {$wpdb->posts}.post_status = '$private_status')";
+                        }
+                    }
+
+                    $type_where .= '))';
+
+                    $status_type_clauses[] = $type_where;
+                }
+
+                if ( ! empty( $status_type_clauses ) ) {
+                    $where .= ' AND (' . implode( ' OR ', $status_type_clauses ) . ')';
+                }
+            } else {
+                $where .= ' AND 1=0 ';
+            }
+        } else {
+            $where .= $post_type_where;
         }