Ticket #6052 (closed defect: fixed)

Opened 6 months ago

Last modified 6 months ago

edit.php private post filter does not restrict by user

Reported by: ryan Assigned to: anonymous
Priority: normal Milestone: 2.5
Component: General Version:
Severity: normal Keywords:
Cc:

Description

edit.php?post_status=private can leak private post titles. We need to check if the user can read_private_posts. If not, other people's private posts should not be shown. The same restriction needs to be applied when counting the number of private posts.

Change History

02/29/08 21:48:49 changed by ryan

Proposed: Add 'perm' private query argument that can be 'readable' or 'editable'. Change WP_Query::get_posts() to check perm when querying by post_status. Change wp_count_posts() to accept a 'perm' argument and do the same perm check when querying the number of posts.

02/29/08 21:49:50 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [7109]) Add option to check caps when querying a particular post status. fixes #6052

02/29/08 22:34:29 changed by ryan

(In [7112]) Add option to check caps when querying a particular page status. fixes #6052
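
The check proposed in this ticket, as an added example that is not WordPress core code and not the code from [7109] or [7112]: listing and counting go through one filter, so a user without the capability sees neither other users' private titles nor a count that includes them. The function names, the `PERM_CAPS` mapping (only `read_private_posts` is named in the ticket; the `editable` entry is an assumption) and the sample posts are constructed for illustration.

```php
<?php
// Added illustration, not WordPress core code.

// Capability needed to see other users' posts for each 'perm' value.
// 'readable' follows the ticket; the 'editable' mapping is an assumption.
const PERM_CAPS = [
    'readable' => 'read_private_posts',
    'editable' => 'edit_private_posts',
];

/** Return posts with $status that $userId may see under the $perm check. */
function filter_by_status(array $posts, string $status, int $userId, array $userCaps, string $perm = ''): array
{
    if ($perm !== '' && !array_key_exists($perm, PERM_CAPS)) {
        throw new InvalidArgumentException("unknown perm: $perm");
    }
    // Without the capability, the result is restricted to the user's own posts.
    $ownOnly = $perm !== '' && !in_array(PERM_CAPS[$perm], $userCaps, true);
    return array_values(array_filter($posts, function (array $p) use ($status, $userId, $ownOnly) {
        return $p['status'] === $status && (!$ownOnly || $p['author'] === $userId);
    }));
}

/** Count through the same filter so the number cannot reveal hidden posts. */
function count_by_status(array $posts, string $status, int $userId, array $userCaps, string $perm = ''): int
{
    return count(filter_by_status($posts, $status, $userId, $userCaps, $perm));
}

// Constructed sample data: user 1 and user 2 each own one private post.
$posts = [
    ['id' => 1, 'author' => 1, 'status' => 'private', 'title' => 'Roadmap (user 1)'],
    ['id' => 2, 'author' => 2, 'status' => 'private', 'title' => 'Notes (user 2)'],
    ['id' => 3, 'author' => 2, 'status' => 'publish', 'title' => 'Hello world'],
];

// User 2 lacks read_private_posts: with the check, only their own post is listed and counted.
$mine = filter_by_status($posts, 'private', 2, ['read'], 'readable');
echo implode(', ', array_column($mine, 'title')), "\n";
echo count_by_status($posts, 'private', 2, ['read'], 'readable'), "\n";

// Same user, no 'perm' argument: the unrestricted behaviour the ticket reports.
echo count_by_status($posts, 'private', 2, ['read']), "\n";

// A user holding read_private_posts sees and counts every private post.
echo count_by_status($posts, 'private', 1, ['read', 'read_private_posts'], 'readable'), "\n";
```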