#6052 closed defect (bug) (fixed)
edit.php private post filter does not restrict by user
Reported by: | ryan | Owned by: | |
---|---|---|---|
Milestone: | 2.5 | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | |
Focuses: | Cc: |
Description
edit.php?post_status=private can leak private post titles. We need to check if the user can read_private_posts. If not, other people's private posts should not be showned. The same restriction needs to be applied when counting the number of private posts.
Change History (3)
Note: See
TracTickets for help on using
tickets.
Proposed: Add 'perm' private query argument that can be 'readable' or editable. Change WP_Query::get_posts() to check perm when querying by post_status. Change wp_counts_posts() to accept a 'perm' argument and do the same perm check when querying the number of posts.