Make WordPress Core

Opened 17 years ago

Closed 17 years ago

Last modified 15 years ago

#6052 closed defect (bug) (fixed)

edit.php private post filter does not restrict by user

Reported by: ryan Owned by:
Milestone: 2.5 Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

edit.php?post_status=private can leak private post titles. We need to check if the user can read_private_posts. If not, other people's private posts should not be shown. The same restriction needs to be applied when counting the number of private posts.

Change History (3)

#1 @ryan
17 years ago

Proposed: Add 'perm' private query argument that can be 'readable' or 'editable'. Change WP_Query::get_posts() to check perm when querying by post_status. Change wp_count_posts() to accept a 'perm' argument and do the same perm check when querying the number of posts.

#2 @ryan
17 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7109]) Add option to check caps when querying a particular post status. fixes #6052

#3 @ryan
17 years ago

(In [7112]) Add option to check caps when querying a particular page status. fixes #6052
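
The check proposed in comment 1, modelled as a stand-alone added example; it is not code from the ticket or from WordPress core. The sample posts, user records and the helper names `status_filter`, `list_titles` and `count_posts` are assumptions made for illustration, as is treating an empty `perm` as "no capability check".

```php
<?php
// Added illustration: a stand-alone model of the check, not WordPress core code.
// Posts, user ids and helper names below are constructed for this example.

$posts = [
    ['ID' => 1, 'post_author' => 10, 'post_status' => 'private', 'post_title' => 'Editor notes'],
    ['ID' => 2, 'post_author' => 20, 'post_status' => 'private', 'post_title' => 'Author notes'],
    ['ID' => 3, 'post_author' => 20, 'post_status' => 'publish', 'post_title' => 'Public post'],
];

// Returns a predicate deciding whether $user may see a post in a status query.
function status_filter(string $status, string $perm, array $user): callable
{
    $ownOnly = $status === 'private'
        && $perm === 'readable'
        && !in_array('read_private_posts', $user['caps'], true);

    return function (array $post) use ($status, $ownOnly, $user): bool {
        if ($post['post_status'] !== $status) {
            return false;
        }
        // Without the capability, only the user's own private posts match.
        return !$ownOnly || $post['post_author'] === $user['ID'];
    };
}

// Listing and counting share one predicate, so the count cannot reveal
// posts that the listing hides.
function list_titles(array $posts, string $status, string $perm, array $user): array
{
    $visible = array_filter($posts, status_filter($status, $perm, $user));
    return array_column($visible, 'post_title');
}

function count_posts(array $posts, string $status, string $perm, array $user): int
{
    return count(array_filter($posts, status_filter($status, $perm, $user)));
}

$editor = ['ID' => 10, 'caps' => ['read_private_posts']];
$author = ['ID' => 20, 'caps' => []];

print_r(list_titles($posts, 'private', 'readable', $editor)); // has the capability
print_r(list_titles($posts, 'private', 'readable', $author)); // own private posts only
echo count_posts($posts, 'private', 'readable', $author), "\n"; // count with the check
echo count_posts($posts, 'private', '', $author), "\n";         // count without the check
```

Comparing the last two lines of output shows why the count needs the same restriction as the listing: an unchecked count tells a user how many private posts other people have, even when the titles are hidden.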
