Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#45883 closed defect (bug) (wontfix)

Recent Posts widget ignores private posts since replacing The Loop

Reported by: captaincrash's profile captain.crash Owned by: audrasjb's profile audrasjb
Milestone: Priority: normal
Severity: normal Version: 2.3
Component: Widgets Keywords: has-patch 2nd-opinion close
Focuses: Cc:

Description

Since changeset [41890] the Recent Posts widget has been ignoring posts marked as private.

Such posts do appear in normal archive listings (when logged in, obviously) and did so as well in the Recent Posts widget prior to said changeset that replaced The Loop with a foreach loop.

Attachments (2)

45883.diff (924 bytes) - added by audrasjb 6 years ago.
Add private posts to recent posts widget query if the user is connected.
45883.1.diff (543 bytes) - added by audrasjb 6 years ago.
Adds private posts to recent posts widget

Download all attachments as: .zip

Change History (19)

#1 @audrasjb
6 years ago

  • Owner set to audrasjb
  • Severity changed from minor to normal
  • Status changed from new to accepted

Hello and thanks for the ticket, I can reproduce the issue on my side.

@audrasjb
6 years ago

Add private posts to recent posts widget query if the user is connected.

#2 @audrasjb
6 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Awaiting Review to 5.1.1

45883.diff adds private posts to the Recent Posts Widget query if the user is connected.

Can you please test this patch? I tested it and the patch works on my side.

#3 @captain.crash
6 years ago

  • Resolution set to worksforme
  • Status changed from accepted to closed

Patch is working on my side as well.

[Edit] Sorry, but am I supposed to set the resolution (and close the ticket)?

Last edited 6 years ago by captain.crash (previous) (diff)

#4 @audrasjb
6 years ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

#5 @audrasjb
6 years ago

@captaincrash I reopened the ticket. You don't have anything to do except to wait for the next release lead(s) to include this ticket to the scope of the release. As this is a defect, I set the milestone to 5.1.1 minor release. It's up to release lead(s) to accept it or not for the release they are leading. Then, maybe it will land in 5.1.1, maybe in 5.2.

This ticket was mentioned in Slack in #core-customize by lukecarbis. View the logs.


6 years ago

#7 follow-up: @dlh
6 years ago

I'm having a little trouble following how [41890] might have caused a change in behavior like the one described here. If I revert [41890] from my test environment, for example, I still don't see private posts in the widget, but perhaps I'm testing incorrectly.

Regardless, I wonder whether the change in 45883.diff is too broad. Being logged in isn't usually sufficient in itself to view private posts; users typically need to be the post author or have the read_private_posts capability for the post type.

Removing the post_status clause from the query args entirely causes the default WP_Query logic to kick in, which checks authorship and capabilities.

However, if private posts weren't previously visible in the widget, that might constitute a backwards-compatibility break both for the widget output and the widget_posts_args filter.

#8 in reply to: ↑ 7 @captain.crash
6 years ago

Replying to dlh:

I'm having a little trouble following how [41890] might have caused a change in behavior like the one described here. If I revert [41890] from my test environment, for example, I still don't see private posts in the widget, but perhaps I'm testing incorrectly.

I'm terribly ashamed, but I cannot reproduce the issue either.

I was sure I was testing thoroughly. I did that now again - I hope (with clean installs back to 4.0) - and can confirm that the Recent Posts widget probably never showed private posts in the first place. I'm still sure I did not make this up, but I cannot reproduce my earlier tests. @audrasjb probably only tested that private posts do not appear now, but not whether or not they did prior to said changeset.

So, thanks for chiming in and sorry again. I guess this ticket's for the wastebin.

This ticket was mentioned in Slack in #core by lukecarbis. View the logs.


6 years ago

#10 @audrasjb
6 years ago

  • Status changed from reopened to assigned

You are absolutely right @dlh thanks for the feedback :)
45883.1.diff simply removes post_status entirely to let WP_Query handle private posts permissions.

@lukecarbis, it's up to you to move this one to 5.2 or not. But it doesn't looks like a regression from 5.1.

@audrasjb
6 years ago

Adds private posts to recent posts widget

#11 @lukecarbis
6 years ago

@audrasjb If we can get your patch tested in time, I'd like to keep it in 5.1.1.

#12 @audrasjb
6 years ago

  • Keywords 2nd-opinion added

@dlh can you add a feedback about removing post_status from recent post widget's query? I do not see any problem of backward compatibility but if you don't agree please feel free to add your thought about that :)

#13 @dlh
6 years ago

One backwards-compatibility break is changing the $args that are passed to widget_posts_args, which, I guess, isn't huge.

However, the current behavior has been in place for 12 years — see #4786. Although core no longer contains the caching behavior described in that ticket, plugin and theme developers may have implemented their own fragment caching for widgets or sidebars, and with this change, the widget output would no longer be safe to cache.

Additionally, as you noted, there doesn't appear to be a regression from 5.1. Plus, 12 years' worth of behavior just seems like a lot to alter in a maintenance release.

This ticket was mentioned in Slack in #core by pbiron. View the logs.


6 years ago

#15 @pbiron
6 years ago

  • Milestone changed from 5.1.1 to 5.2

During the bug scrub today it was decided to punt this to 5.2. While the fix looks good, since it is not actually a regression it doesn't fit to scope of 5.1.1.

#16 @SergeyBiryukov
6 years ago

  • Keywords close added
  • Version changed from 5.0.2 to 2.3

Limiting the recent entries query to published posts was done in [5973], changing the version accordingly.

The current patch simply reverts that changeset. I agree with the concerns in comment:13, changing this now would make the widget output unsafe to cache.

If someone needs to show private posts in Recent Posts widget, the widget_posts_args filter can be used for that.

#17 @audrasjb
6 years ago

  • Milestone 5.2 deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

Thanks for your contribution.
et's close that ticket as wontfix since the patch is not safe and also there is already a method to handle that need: the widget_posts_args filter.

Note: See TracTickets for help on using tickets.