Make WordPress Core

Opened 3 years ago

#54268 new defect (bug)

Using `author_name` in URL parameter gives unexpected results when logged into contributor account

Reported by: lschuyler
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version: 5.8.1
Component: Query
Keywords:
Focuses: administration
Cc:

Description

When logged into a contributor account, and trying to view the post listing on the dashboard of an administrator user, the query changes unexpectedly when the URL uses the author_name parameter rather than the default URL.

Assuming a user ID of 1 for an administrator user, and a user ID of 2 for a contributor user:

When logged into the contributor account, and displaying the admin user's posts in the dashboard, the URL looks like this and works as expected:

/wp-admin/edit.php?post_type=post&author=1

The main query is:

SELECT SQL_CALC_FOUND_ROWS wp_posts.ID
FROM wp_posts
WHERE 1=1
AND wp_posts.post_author IN (1)
AND wp_posts.post_type = 'post'
AND (wp_posts.post_status = 'publish'
OR wp_posts.post_status = 'future'
OR wp_posts.post_status = 'draft'
OR wp_posts.post_status = 'pending'
OR wp_posts.post_author = 2
AND wp_posts.post_status = 'private')
ORDER BY wp_posts.post_date DESC
LIMIT 0, 20

But if the URL is switched to the username of the administrator user (for example, admin), like this: /wp-admin/edit.php?post_type=post&author_name=admin or even just /wp-admin/edit.php?author_name=admin, I would expect the same results, but they are different:

SELECT SQL_CALC_FOUND_ROWS wp_posts.ID
FROM wp_posts
WHERE 1=1
AND wp_posts.post_author IN (2)
AND (wp_posts.post_author = 1)
AND wp_posts.post_type = 'post'
AND (wp_posts.post_status = 'publish'
OR wp_posts.post_status = 'future'
OR wp_posts.post_status = 'draft'
OR wp_posts.post_status = 'pending'
OR wp_posts.post_author = 2
AND wp_posts.post_status = 'private')
ORDER BY wp_posts.post_date DESC
LIMIT 0, 20

The IN (2) and the OR wp_posts.post_author = 2 here are unexpected, because the 2 is the user ID of the contributor user that is logged in, and it isn't relevant to a query for the posts of user ID 1 (admin).

For comparison, when logged into the administrator's account, this query looks like this:

SELECT SQL_CALC_FOUND_ROWS wp_posts.ID
FROM wp_posts
WHERE 1=1
AND (wp_posts.post_author = 1)
AND wp_posts.post_type = 'post'
AND (wp_posts.post_status = 'publish'
OR wp_posts.post_status = 'future'
OR wp_posts.post_status = 'draft'
OR wp_posts.post_status = 'pending'
OR wp_posts.post_status = 'private')
ORDER BY wp_posts.post_date DESC
LIMIT 0, 20

To replicate:

  1. Create two users, one with the administrator role, and another with a contributor role.
  2. Publish a post for the admin user.
  3. While logged into the contributor user's account, view the administrator user's posts in the dashboard. The link will look like /wp-admin/edit.php?post_type=post&author=1. Take note of the main query and the search results.
  4. Alter the URL to look for the username of that administrator user, in this format: /wp-admin/edit.php?post_type=post&author_name=admin. Check the main query and search results again.

This appears to be coming from the get_posts function in the wp-includes/class-wp-query.php file.

This is a low-severity issue that I stumbled upon while investigating a Co-Authors Plus issue, a plugin that uses the author_name in the URL. However, even when that plugin is not installed, the above-described behavior is replicable.
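
The three WHERE clauses from the ticket, run against a small constructed table. This is an added example, not part of the original ticket or of WordPress code. It assumes Python's sqlite3 as a stand-in for MySQL, drops SQL_CALC_FOUND_ROWS, the post_date ordering and LIMIT, and the sample rows and the helper name matching_ids are hypothetical.

```python
import sqlite3

# Constructed rows (ID, post_author, post_status); user 1 = administrator,
# user 2 = contributor, matching the ticket's assumption.
ROWS = [(10, 1, "publish"), (11, 1, "private"),
        (12, 2, "draft"), (13, 2, "private")]

# Status clause from both contributor-session queries. AND binds tighter than
# OR, so a private post matches only when post_author = 2.
CONTRIB_STATUS = """(wp_posts.post_status = 'publish'
    OR wp_posts.post_status = 'future'
    OR wp_posts.post_status = 'draft'
    OR wp_posts.post_status = 'pending'
    OR wp_posts.post_author = 2 AND wp_posts.post_status = 'private')"""
# Administrator-session status clause, condensed to an equivalent IN list.
ADMIN_STATUS = """(wp_posts.post_status IN
    ('publish', 'future', 'draft', 'pending', 'private'))"""

# Author predicates copied from the ticket's three queries.
BY_ID = "wp_posts.post_author IN (1)"             # ?author=1, contributor
BY_NAME = ("wp_posts.post_author IN (2) "
           "AND (wp_posts.post_author = 1)")      # ?author_name=admin, contributor
AS_ADMIN = "(wp_posts.post_author = 1)"           # ?author_name=admin, admin


def matching_ids(author_pred, status_pred):
    """Return the post IDs selected by a WHERE clause shaped like the ticket's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER, post_author INTEGER,"
               " post_type TEXT, post_status TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, 'post', ?)", ROWS)
    sql = (f"SELECT wp_posts.ID FROM wp_posts WHERE 1=1 AND {author_pred} "
           f"AND wp_posts.post_type = 'post' AND {status_pred} "
           "ORDER BY wp_posts.ID")
    ids = [row[0] for row in db.execute(sql)]
    db.close()
    return ids


if __name__ == "__main__":
    print("contributor, author=1:         ", matching_ids(BY_ID, CONTRIB_STATUS))
    print("contributor, author_name=admin:", matching_ids(BY_NAME, CONTRIB_STATUS))
    print("admin, author_name=admin:      ", matching_ids(AS_ADMIN, ADMIN_STATUS))
```

With these rows the author_name form returns an empty list in the contributor session, because post_author IN (2) and post_author = 1 cannot both hold for the same row.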

Change History (0)
