
Users can't see their own private posts #115

Closed
billerickson opened this Issue Jun 14, 2016 · 2 comments

billerickson commented Jun 14, 2016

First reported here.

Currently if a post has a status of 'private', we limit its visibility to users with a capability of 'read_private_posts' (code). By default this capability is only available to editors, administrators and super-admins.

But the standard WP loop will show a user the private posts of which he is the author, regardless of user role or capability. A subscriber with a private post will see that post on the frontend of the site.

Display Posts Shortcode should replicate this expected behavior.

@billerickson billerickson added the bug label Jun 14, 2016

Owner

billerickson commented Jun 14, 2016
Here's the original discussion relating to this change: #12 - Post Status Should Be Removed

Looking back, this was an issue with WordPress core not doing permission checks when doing the initial query. At some point between 2012 and now this was fixed, so our limitation is no longer necessary.

Also, the limitation I made was overly strict in that it only allowed editors and admins to see private posts. By removing this limitation and letting WordPress handle the permission check, Display Posts Shortcode now replicates the behavior of other WordPress queries throughout the site.

Example for testing

I created a new WP install with an admin and author user. I created three posts:

  • Standard Post, published by admin and set to 'public'
  • Private Post 1, published by admin and set to 'private'
  • Private Post 2, published by author and set to 'private'

On the Sample Page, I added [display-posts post_status="any"]

  1. When logged out, I only saw the "Standard Post"
  2. When logged in as author, I saw "Standard Post" and "Private Post 2"
  3. When logged in as admin, I saw "Standard Post", "Private Post 1" and "Private Post 2"

This matched the results found on the homepage (main blog listing).
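
The test described in the comment above, written up as an added WP-CLI script. This is not the plugin's code or the author's; it creates the admin and author accounts and the three posts, runs a WP_Query as each of the three viewers, compares the titles with the three lists above, and deletes everything it made. The usernames, e-mail addresses and the script file name in the run command are assumptions for this example. It runs three query variants per viewer: WordPress's default status handling (the path a front-end loop takes), an explicit publish+private list with perm set to readable, and post_status set to 'any' handed straight to WP_Query. The first two rely on core's read_private_posts / post_author check; the third is included for comparison so you can see on your own install what a bare WP_Query does with it.

```php
<?php
/**
 * Added example (not part of the plugin): the manual test from the comment
 * above as a WP-CLI script. From the site root of a throwaway install:
 *     wp eval-file dps-private-visibility-check.php
 * Usernames and e-mail addresses below are constructed for this test.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit( "Load this through WP-CLI (wp eval-file) so WordPress is bootstrapped.\n" );
}
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

function dps_test_user( $login, $role ) {
    $id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24 ),
        'user_email' => $login . '@example.invalid',
        'role'       => $role,
    ) );
    if ( is_wp_error( $id ) ) {
        exit( "Cannot create user {$login}: " . $id->get_error_message() . "\n" );
    }
    return $id;
}

$admin_id  = dps_test_user( 'dps_test_admin', 'administrator' );
$author_id = dps_test_user( 'dps_test_author', 'author' );

// The three posts from the comment: title, status, author.
$post_ids = array();
foreach ( array(
    array( 'Standard Post',  'publish', $admin_id ),
    array( 'Private Post 1', 'private', $admin_id ),
    array( 'Private Post 2', 'private', $author_id ),
) as $p ) {
    $id = wp_insert_post( array(
        'post_title'   => $p[0],
        'post_status'  => $p[1],
        'post_author'  => $p[2],
        'post_content' => 'visibility test',
        'post_type'    => 'post',
    ) );
    if ( ! $id ) {
        exit( "Cannot create post {$p[0]}\n" );
    }
    $post_ids[] = $id;
}

// Viewer => array( user ID to impersonate, titles the comment says that viewer sees ).
$viewers = array(
    'logged out' => array( 0,          array( 'Standard Post' ) ),
    'author'     => array( $author_id, array( 'Standard Post', 'Private Post 2' ) ),
    'admin'      => array( $admin_id,  array( 'Standard Post', 'Private Post 1', 'Private Post 2' ) ),
);

// Query variants. The first two leave the read_private_posts / post_author
// check to core; the third passes post_status=any to WP_Query unchanged.
$variants = array(
    'default status'        => array(),
    'publish+private, perm' => array( 'post_status' => array( 'publish', 'private' ), 'perm' => 'readable' ),
    'any (raw)'             => array( 'post_status' => 'any' ),
);

function dps_visible_titles( array $extra, array $post_ids ) {
    $q = new WP_Query( array_merge( array(
        'post_type'      => 'post',
        'post__in'       => $post_ids,
        'posts_per_page' => -1,
        'no_found_rows'  => true,
    ), $extra ) );
    $titles = wp_list_pluck( $q->posts, 'post_title' );
    sort( $titles );
    return $titles;
}

$failures = 0;
foreach ( $viewers as $label => $v ) {
    list( $uid, $expected ) = $v;
    sort( $expected );
    wp_set_current_user( $uid ); // 0 = anonymous visitor
    foreach ( $variants as $vname => $extra ) {
        $got = dps_visible_titles( $extra, $post_ids );
        $ok  = ( $got === $expected ); // any extra title means a private post leaked
        if ( ! $ok ) {
            $failures++;
        }
        printf( "%-10s %-22s %s  %s\n", $label, $vname, $ok ? 'OK  ' : 'FAIL', implode( ', ', $got ) );
    }
}

// Remove the test posts and accounts so nothing private is left behind.
wp_set_current_user( 0 );
foreach ( $post_ids as $id ) {
    wp_delete_post( $id, true );
}
wp_delete_user( $author_id );
wp_delete_user( $admin_id );
exit( $failures ? 1 : 0 );
```

The script exits non-zero if any variant shows a viewer more than the list in the comment. If the raw 'any' variant shows private posts to the logged-out viewer on your install, that is WP_Query being handed a status list with no readability check of its own; the shortcode's result is what the comment reports from the page itself, so compare the rendered shortcode against this output rather than assuming a bare WP_Query and the shortcode behave the same.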

billerickson added a commit that referenced this issue Jun 14, 2016

Merge pull request #116 from billerickson/issue/115
remove code that limits private post visibility, fixes #115
Owner

billerickson commented Jun 14, 2016
You can use the display_posts_shortcode_args filter to modify the query arguments allowed. If you would like to return to the previous behavior (private posts only visible to editors and admins, even if user is author of post), add this to your theme's functions.php file or a core functionality plugin:

/**
 * Limit DPS private post visibility
 *
 * @author Bill Erickson
 * @see https://github.com/billerickson/display-posts-shortcode/issues/115
 *
 * @param array $args, query arguments 
 * @param array $atts, original shortcode attributes (unsanitized)
 * @return array $args, modified query arguments
 */
function be_dps_private_post_visibility( $args, $atts ) {

    // If current user cannot read private posts (editor or admin), restrict to publicly published posts
    if ( ! ( is_user_logged_in() && current_user_can( 'read_private_posts' ) ) ) {
        $args['post_status'] = 'publish';
    }

    return $args;
}
add_filter( 'display_posts_shortcode_args', 'be_dps_private_post_visibility', 10, 2 );
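
A variant of the filter above, added here as an example and not the plugin author's snippet: instead of forcing every viewer without read_private_posts down to 'publish', it keeps whatever statuses the shortcode asked for and removes only the statuses registered as private (plus the catch-all 'any', which would pull them back in). It assumes $args['post_status'] reaches the filter as a single status name, a comma-separated list, or an array, and handles all three; the function name is an assumption.

```php
<?php
/**
 * Added example (not the plugin's code): strip private statuses from the
 * Display Posts query for viewers who lack read_private_posts, keeping any
 * other statuses the shortcode requested.
 *
 * @param array $args Query arguments built by the shortcode.
 * @param array $atts Original shortcode attributes (unsanitized).
 * @return array Modified query arguments.
 */
function be_dps_strip_private_statuses( $args, $atts ) {
    // Editors, admins, or anyone granted the cap: leave the query alone.
    // current_user_can() is false for logged-out visitors, so no separate login check is needed.
    if ( current_user_can( 'read_private_posts' ) ) {
        return $args;
    }

    // Assumption: post_status may arrive as a string, a comma-separated list, or an array.
    $requested = isset( $args['post_status'] ) ? $args['post_status'] : 'publish';
    if ( ! is_array( $requested ) ) {
        $requested = array_map( 'trim', explode( ',', $requested ) );
    }

    // Every status registered as private: core's 'private' plus any custom ones.
    $private_statuses = get_post_stati( array( 'private' => true ) );

    $allowed = array();
    foreach ( $requested as $status ) {
        if ( 'any' === $status || in_array( $status, $private_statuses, true ) ) {
            continue; // drop private statuses and the wildcard that includes them
        }
        $allowed[] = $status;
    }

    // Never hand WP_Query an empty list: it would fall back to its default status handling.
    $args['post_status'] = empty( $allowed ) ? 'publish' : array_values( array_unique( $allowed ) );

    return $args;
}
add_filter( 'display_posts_shortcode_args', 'be_dps_strip_private_statuses', 10, 2 );
```

Statuses that are neither public nor private (draft, pending, future) pass through this filter unchanged, as they would through the shortcode; WP_Query does not restrict those by viewer unless the query also sets perm to 'editable', so only request them in a shortcode deliberately.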