There should be a capability for "publish private posts"

[t.schwarz]

I've been working on a simple membership site with only two membership levels: logged in and logged out, which is a situation that theoretically could be easily managed in WP without any plugins. However, logged in members should not be able o post publicly, while they are allowed to post whatever they want inside the membership walls, so the review system doesn't help in this situation either.

Currently, I have to use a custom post type and force the status to private on publishing with a plugin to achieve the intended scenario.

But I think the most parsimonious solution would be to include a capability that would allow people to "publish_private_posts" yet not "publish_posts".

[DrewAPicture]

But I think the most parsimonious solution would be to include a capability that would allow people to "publish_private_posts" yet not "publish_posts".

I don't think we need another capability for this.

I'd suggest taking a look at the ​map_meta_cap filter for granting publish_posts in the case where they're set to private, as that seems to be the ultimate goal of your suggestion.

[jfarthing84]

+1. The map_meta_cap solution is not really feasible, considering the context in which the status is forcibly changed. Have a look at _wp_translate_postdata():

if ( isset( $post_data['post_status'] ) && 'private' == $post_data['post_status'] && ! current_user_can( $ptype->cap->publish_posts ) ) {
	$post_data['post_status'] = $previous_status ? $previous_status : 'pending';
}

Of course, _wp_translate_postdata() simply works with the global $_POST data. So, it would take some pretty silly logic (inside a map_meta_cap filter callback) to determine the current page, the current action and the desired post status.

[jfarthing84]

FWIW, here's my current solution:

function map_publish_private_posts_to_edit_posts( $caps, $cap ) {
	global $pagenow;

	if ( 'publish_posts' == $cap && 'post.php' == $pagenow &&
		isset( $_POST['action'] ) && 'editpost' == $_POST['action'] &&
		isset( $_POST['post_status'] ) && 'private' == $_POST['post_status']
	) {
		$caps = array( 'edit_posts' );
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'map_publish_private_posts_to_edit_posts', 10, 2 );

[callumbw95]

After reviewing this proposal, it appears that the functionality you're seeking is already covered by existing core capabilities:

• Users with the publish_posts capability can create new posts and set their visibility to 'private' during the creation process.
• Users with the edit_private_posts capability can manage existing private posts, including updating their status from, for example, a draft to a published private post. Introducing a separate publish_private_posts capability would add an additional layer of complexity to the core capability system for a use case that is largely managed by current permissions.

For the level of detailed control over permissions that you are requesting, you'll definitely want to use a plugin or make modifications in your theme. The core roles are meant as a solid foundation, but dedicated 'capability manager' plugins are the standard way to handle highly specific user access.

As of such I recommend we close this ticket, and have added the close tag so we can get any more feedback around this issue before it is closed completely. 😃

[mindctrl]

Hi all,

I'm not sure a new capability like publish_private_posts is the right move, since capabilities indicate what you are able to do, not what you are forced to do.

It's possible to filter the post data before it's saved to change the post_status to private. One way you can do this is via the wp_insert_post_data filter, and in your callback function you can run some conditional logic to determine if you want to enforce the private status.

It's been over a decade since this ticket was opened and there hasn't been any movement. I'm going to close this ticket to help clean up Trac, but feel free to continue discussion or reopen if you think this is essential for WordPress.