Make WordPress Core

Opened 10 months ago

Last modified 7 months ago

#52094 new defect (bug)

Queries with perm readable/editable will not work for multiple post types and status queries

Reported by: leogermani Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Query Keywords: has-patch has-unit-tests
Focuses: Cc:


This ticket is a continuation of #48556, which fixes permission checks when querying for multiple post types.

If you make a query for multiple post types, and also specifying one or more post statuses, there will be a couple of problems in the results if your query also includes perm=readable or perm=editable.

perm=readable is supposed to do a check to see if the current user has permission to read the queried post statuses before adding it to the SQL statement. It works fine if you're querying for only one post type, but will fail for multiple post types.

The problem is the same we found in #48556. When multiple post types are queried, the permission checked will be read_private_multiple_post_types, instead of individually check for each post type's capabilities.

(The same happens for perm=editable, which will check for edit_others_multiple_post_types)

Another problem: Custom post statuses

When querying for multiple post types and perm=readable, WP_Query also will not handle custom post statuses properly.

Any custom post status will be treated as a public post status, ignoring how it was registered. You can see it happening here: https://github.com/WordPress/wordpress-develop/blob/master/src/wp-includes/class-wp-query.php#L2478


The fix should be similar to what we are doing in #48556, and I think we should work on the patch after we finish #48556.


I'm going to attach a test file that reproduces all the bugs described here.

Attachments (1)

statusPerm.php (3.4 KB) - added by leogermani 10 months ago.
Tests that reproduces the bugs described in this ticket

Download all attachments as: .zip

Change History (5)

10 months ago

Tests that reproduces the bugs described in this ticket

#1 @leogermani
7 months ago

Here's a first proposed fix -> https://github.com/leogermani/wordpress-develop/pull/2

This is a PR that depends on the PR that fixes #48556 and a patch should be properly created once #48556 is merged. (or we should turn both in one single patch)

This patch also addresses the bug described in #51094 and adds a specific test for that.

What this patch does:

  1. It fixed #51094 by checking if at least one valid post status was found in the query
  1. It fixes support for custom post statuses in the block of code that goes:
foreach ( get_post_stati( array(), 'objects' ) as $status => $status_object ) {
        if ( in_array( $status, $q_status, true ) ) {
                if ( $status_object->private ) {

  1. It adds the current post Status logic inside a Loop and treat each post type differently, depending on the specific capabilities for each of them


This patch introduces the same logic introduced by #48556 to the status query, so there's a bit of duplicate logic.

I considered doing everything in the same block of code and simplifying the whole thing, but this would "fix" some current inconsistencies and, therefore, change some behavior I'm not sure we want to change. It could also end up being a bit more complicated to read. But I can give it a go if anyone thinks it's worth it. It's not very difficult

The main "inconsistency" is that when we query for multiple post types, we do not consider the perm parameter. We basically assume perm=readable but there's no support for perm=editable for example. So we would start supporting it.

Also there is how we handle "protected states that should show in the admin all list", that are not considered when querying for post statuses.

This ticket was mentioned in PR #1183 on WordPress/wordpress-develop by leogermani.

7 months ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

#3 @leogermani
7 months ago

  • Keywords needs-patch added; has-patch has-unit-tests removed

Edit: Here's a PR that joins everything in a single block, fixing both this and #48556


#4 @leogermani
7 months ago

  • Keywords has-patch has-unit-tests added; needs-patch removed
Note: See TracTickets for help on using tickets.