Opened 5 years ago
Last modified 11 months ago
#50123 new defect (bug)
Roles & Caps: give anonymous users the `read_post` meta cap for public posts.
Reported by: | peterwilsoncc | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | needs-patch needs-unit-tests |
Focuses: | | Cc: | |
Description
The meta capability `read_post` is used to determine if a user is permitted to read a post. For public posts (i.e., both a public post type and public post status), it returns the `$post_type->cap->read` as the required primitive capability.

As logged out users do not have any primitive capabilities, this causes `current_user_can( 'read_post', $post_id )` to return a false negative for logged out users wishing to read a public post.
Approach one:
For public posts the `read_post` meta capability returns an empty array of primitives.
Approach two:
Logged out users are given the `$post_type->cap->read` capability for public post types.
Approach three:
WP gives logged out users the `read` primitive capability; if a developer uses an alternative primitive for public custom post types, then the developer is responsible for ensuring anonymous users have the capability.
Notes:
- Private multisite sites should not allow logged out users to see such posts. Edit: removed as it's not a core feature of Multisite
- Many, many unit tests will be required
Refer https://core.trac.wordpress.org/ticket/50123
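Approach one can be tried today as a `map_meta_cap` filter in a plugin. The snippet below is an added example, not code from the ticket or from WordPress core; the function name `example_public_read_post_caps` is hypothetical, and it assumes core has mapped `read_post` to the single primitive `$post_type->cap->read` as the description states.

```php
<?php
/**
 * Added example (not core code): approach one as a `map_meta_cap` filter.
 * The function name is hypothetical.
 */
function example_public_read_post_caps( $caps, $cap, $user_id, $args ) {
	// Only the `read_post` meta capability with a post ID is in scope.
	if ( 'read_post' !== $cap || empty( $args[0] ) ) {
		return $caps;
	}

	$post = get_post( $args[0] );
	if ( ! $post ) {
		return $caps; // Leave whatever core decided for a missing post.
	}

	$post_type = get_post_type_object( $post->post_type );
	$status    = get_post_status_object( get_post_status( $post ) );
	if ( ! $post_type || ! $status ) {
		return $caps;
	}

	// Both halves of "public post" from the ticket: public type AND public status.
	if ( ! $post_type->public || ! $status->public ) {
		return $caps;
	}

	// Relax only the exact mapping the ticket describes. If core or another
	// plugin required anything else (for example `do_not_allow`), keep it.
	if ( array( $post_type->cap->read ) !== $caps ) {
		return $caps;
	}

	// No primitives required: WP_User::has_cap() has nothing to fail on,
	// so the check also passes for the logged out user (ID 0).
	return array();
}
add_filter( 'map_meta_cap', 'example_public_read_post_caps', 10, 4 );
```

With the filter active, `current_user_can( 'read_post', $post_id )` passes for a logged out visitor on a public post, while drafts, private posts and non-public post types keep the capabilities core mapped for them.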