Opened 6 years ago
Last modified 2 years ago
#50123 new defect (bug)
Roles & Caps: give anonymous users the `read_post` meta cap for public posts.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Role/Capability | Keywords: | needs-patch needs-unit-tests |
| Focuses: | | Cc: | |
Description (last modified by )
The meta capability `read_post` is used to determine if a user is permitted to read a post. For public posts (i.e., both a public post type and public post status), it returns the `$post_type->cap->read` as the required primitive capability.
As logged-out users do not have any primitive capabilities, this causes `current_user_can( 'read_post', $post_id )` to return a false negative for logged-out users wishing to read a public post.
Approach one:
For public posts the `read_post` meta capability returns an empty array of primitives.
Approach two:
Logged-out users are given the `$post_type->cap->read` capability for public post types.
Approach three:
WP gives logged-out users the `read` primitive capability. If a developer uses an alternative primitive for public custom post types, then the developer is responsible for ensuring anonymous users have the capability.
Notes:
- Private multisite sites should not allow logged out users to see such posts. Edit: removed as it's not a core feature of Multisite
- Many, many unit tests will be required
Refer https://core.trac.wordpress.org/ticket/50123
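Approach one expressed as a `map_meta_cap` filter, added here as an illustration; it is not code from the ticket or from WordPress core. The callback name `example_public_read_post_caps` is hypothetical, and the snippet assumes it is loaded as a plugin inside a running WordPress install.

```php
<?php
/**
 * Added example: require no primitive capabilities for `read_post`
 * when both the post type and the post status are public.
 */
add_filter( 'map_meta_cap', 'example_public_read_post_caps', 10, 4 );

function example_public_read_post_caps( $caps, $cap, $user_id, $args ) {
	// Only touch the read_post meta cap, and only when a post ID was passed.
	if ( 'read_post' !== $cap || empty( $args[0] ) ) {
		return $caps;
	}

	// Never loosen an explicit denial already mapped for this check.
	if ( in_array( 'do_not_allow', $caps, true ) ) {
		return $caps;
	}

	$post = get_post( $args[0] );
	if ( ! $post ) {
		return $caps;
	}

	$type   = get_post_type_object( $post->post_type );
	$status = get_post_status_object( get_post_status( $post ) );
	if ( ! $type || ! $status ) {
		return $caps;
	}

	// "Public post" in the ticket's sense: public type AND public status.
	// Private, draft and pending posts fall through with their caps intact.
	if ( $type->public && $status->public ) {
		// An empty list means no primitive is required, so a logged-out
		// user (who holds no primitives) passes the check.
		return array();
	}

	return $caps;
}

// Caveat: a password-protected post still has a public status, so code that
// outputs content must keep calling post_password_required() separately.
```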