Opened 3 years ago
#54268 new defect (bug)
Using `author_name` in URL parameter gives unexpected results when logged into contributor account
Reported by: | lschuyler | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | minor | Version: | 5.8.1 |
Component: | Query | Keywords: | |
Focuses: | administration | Cc: |
Description
When logged into a contributor account, and trying to view the post listing on the dashboard of an administrator user, the query changes unexpectedly when the URL uses the author_name
parameter rather than the default url.
Assuming a user ID of 1 for an administrator user, and a user ID of 2 for a contributor user:
When logged into the contributor account, and displaying the admin user's posts in the dashboard, the URL looks like this and works as expected:
/wp-admin/edit.php?post_type=post&author=1
The main query is:
SELECT SQL_CALC_FOUND_ROWS wp_posts.ID FROM wp_posts WHERE 1=1 AND wp_posts.post_author IN (1) AND wp_posts.post_type = 'post' AND (wp_posts.post_status = 'publish' OR wp_posts.post_status = 'future' OR wp_posts.post_status = 'draft' OR wp_posts.post_status = 'pending' OR wp_posts.post_author = 2 AND wp_posts.post_status = 'private') ORDER BY wp_posts.post_date DESC LIMIT 0, 20
But if the URL is switched to the username of the administrator user, example, admin, like this /wp-admin/edit.php?post_type=post&author_name=admin
or even just /wp-admin/edit.php?author_name=admin
I would expect the same results, but they are different:
SELECT SQL_CALC_FOUND_ROWS wp_posts.ID FROM wp_posts WHERE 1=1 AND wp_posts.post_author IN (2) AND (wp_posts.post_author = 1) AND wp_posts.post_type = 'post' AND (wp_posts.post_status = 'publish' OR wp_posts.post_status = 'future' OR wp_posts.post_status = 'draft' OR wp_posts.post_status = 'pending' OR wp_posts.post_author = 2 AND wp_posts.post_status = 'private') ORDER BY wp_posts.post_date DESC LIMIT 0, 20
The IN (2)
and the OR wp_posts.post_author = 2
here is unexpected, because the 2 is the user ID of the contributor user that is logged in, and it isn't relevant to a query for the posts of user ID 1 (admin).
For comparison, when logged into the administrator's account, this query looks like this:
SELECT SQL_CALC_FOUND_ROWS wp_posts.ID FROM wp_posts WHERE 1=1 AND (wp_posts.post_author = 1) AND wp_posts.post_type = 'post' AND (wp_posts.post_status = 'publish' OR wp_posts.post_status = 'future' OR wp_posts.post_status = 'draft' OR wp_posts.post_status = 'pending' OR wp_posts.post_status = 'private') ORDER BY wp_posts.post_date DESC LIMIT 0, 20
To replicate:
- Create two users, one with the administrator role, and another with a contributor role.
- Publish a post for the admin user.
- While logged into the contributor user's account, view the administrator user's posts in the dashboard. The link will look like
/wp-admin/edit.php?post_type=post&author=1
. Take note of the main query and the search results. - Alter the url to look for the username of that administrator user, in this format:
/wp-admin/edit.php?post_type=post&author_name=admin
. Check the main query and search results again.
This appears to be coming from the get_posts
function in the wp-includes/class-wp-query.php file.
This is a low severity issue that I stumbled upon while investigating a Co Authors Plus issue, a plugin that uses the author_name
in the URL. However, even when that plugin is not installed, the above described behavior is replicable.