[wp-trac] [WordPress Trac] #56962: current_user_can( 'read_post' ) not working.

WordPress Trac noreply at wordpress.org
Wed Nov 2 19:40:14 UTC 2022


#56962: current_user_can( 'read_post' )  not working.
-----------------------------+------------------------------
 Reporter:  jcorbin          |       Owner:  (none)
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Role/Capability  |     Version:  6.1
 Severity:  major            |  Resolution:
 Keywords:  close            |     Focuses:
-----------------------------+------------------------------

Old description:

> current_user_can( 'read_post' ) is not working in our case.
>
> Current 6.0.3 sites (https://upstatetoday.com for instance) feature the
> following in our single.php:
>
>         if (
>
>                  current_user_can( 'read_post' )
>
> ... Allow access...
>
> This exists so that logged-in WP users in the WP backend can see the actual
> content, not our paywall.
>
> In WP 6.1, current_user_can( 'read_post' ) does not appear to work;
> logged-in WP admins, etc. are given the paywall.
>
> rolling back to 6.0.3 fixes this.

New description:

 current_user_can( 'read_post' ) is not working in our case.

 Current 6.0.3 sites (https://upstatetoday.com for instance) feature the
 following in our single.php:
 {{{
         if (

                  current_user_can( 'read_post' )

 ... Allow access...
 }}}
 This exists so that logged-in WP users in the WP backend can see the actual
 content, not our paywall.

 In WP 6.1, current_user_can( 'read_post' ) does not appear to work;
 logged-in WP admins, etc. are given the paywall.

 rolling back to 6.0.3 fixes this.

--

Comment (by SergeyBiryukov):

 Hi there, welcome to WordPress Trac! Thanks for the ticket.

 Replying to [comment:1 TimothyBlynJacobs]:
 > However, I did want to note that that is improper use of the `read_post`
 > capability. You ''must'' pass the post ID that you want to check the user
 > has permission for as the second parameter to the function call.
 >
 > This would be the correct usage:
 >
 > {{{#!php
 > current_user_can( 'read_post', $post->ID )
 > }}}

 Yes, that is correct.

 As noted in comment:10:ticket:44591, these capabilities check for a
 particular post and do require a post ID:

 * `current_user_can( 'delete_post', $post_id )`
 * `current_user_can( 'edit_post', $post_id )`
 * `current_user_can( 'read_post', $post_id )`
 * `current_user_can( 'publish_post', $post_id )`

 [53408] / #44591 aimed to address this in a consistent way. Performing
 these checks without passing in a post ID is not supported and could only
 work by accident.

 If you need a more general check, I would suggest using one of the
 capabilities that don't require a post ID, or just `is_user_logged_in()`,
 based on your use case.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56962#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
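
The paywall gate from the ticket, rewritten along the lines suggested in the comment above. This is an added example, not code from the ticket or from WordPress core; the function name `example_user_bypasses_paywall()`, its `$staff_only` switch and the `template-parts/paywall` template are hypothetical.

```php
<?php
// functions.php (hypothetical helper, added example).
function example_user_bypasses_paywall( $post = null, $staff_only = false ) {
	// Anonymous visitors never bypass the paywall.
	if ( ! is_user_logged_in() ) {
		return false;
	}

	// Resolve the post being viewed; fail closed when there is none,
	// so the capability check below never runs without a post ID.
	$post = get_post( $post );
	if ( ! $post instanceof WP_Post ) {
		return false;
	}

	if ( $staff_only ) {
		// Primitive capability: a general check that needs no post ID.
		return current_user_can( 'edit_posts' );
	}

	// Meta capability: the post ID is passed as the second argument.
	return current_user_can( 'read_post', $post->ID );
}

// single.php, inside the loop.
if ( example_user_bypasses_paywall( get_the_ID() ) ) {
	the_content();
} else {
	// Assumption: the theme keeps its paywall markup in this template part.
	get_template_part( 'template-parts/paywall' );
}
```

For a published post, `read_post` maps to the `read` capability, which the default roles down to Subscriber all hold, so the last branch admits any logged-in user with a role on the site. Pass `true` for `$staff_only` when only editorial accounts should see the content behind the paywall.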

