Make WordPress Core

Opened 4 years ago

Last modified 4 months ago

#50123 new defect (bug)

Roles & Caps: give anonymous users the `read_post` meta cap for public posts.

Reported by: peterwilsoncc's profile peterwilsoncc Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: needs-patch needs-unit-tests
Focuses: Cc:

Description (last modified by peterwilsoncc)

The meta capability read_post is used to determine if a user is permitted to read a post. For public posts (ie, both a public post type and public post status), it returns the $post_type->cap->read as the required primitive capability.

As logged out users do not have any primitive capabilities, this causes current_user_can( 'read_post', $post_id ) to return a false negative for logged out users wishing to read a public post.

Approach one:

For public posts the read_post meta capability returns an empty array of primitives.

Approach two:

Logged out users are given the $post_type->cap->read capability for public post types.

Approach three:

WP gives logged out users the read primitive capability, if a developer uses an alternative primitive for public custom post types, then the developer is responsible for ensuring anonymous users have the capability.


  • Private multisite sites should not allow logged out users to see such posts Edit: removed as it's not a core feature of Multisite
  • Many, many unit tests will be required

Change History (2)

Note: See TracTickets for help on using tickets.