[wp-trac] [WordPress Trac] #64455: WordPress Core Abilities

WordPress Trac noreply at wordpress.org
Thu Feb 12 23:36:00 UTC 2026


#64455: WordPress Core Abilities
------------------------------+---------------------
 Reporter:  jorgefilipecosta  |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  normal            |   Milestone:  7.0
Component:  AI                |     Version:
 Severity:  normal            |  Resolution:
 Keywords:  has-patch         |     Focuses:
------------------------------+---------------------

Comment (by peterwilsoncc):

 Replying to [comment:10 jorgefilipecosta]:
 > Regarding security: the post abilities follow the same pattern
 established by the existing abilities. Each ability has a
 `permission_callback` that checks whether the current user can perform the
 action using the existing roles and capabilities system. For the specific
 case of `meta_query`, `tax_query`, and `date_query`, the intent is not to
 expose new information. A consumer could already use the REST API to
 retrieve all posts and then filter by meta, taxonomy, or date client-side;
 it would just be a very inefficient way of doing it. To avoid accidental
 data leakage, we will rely on the `show_in_abilities` pattern that was
 introduced for settings, so only meta keys or taxonomies that explicitly
 opt in will be queryable; the rest will be filtered out.

 I'm seeing some big problems with the proposed pull request.

 While logged in as a subscriber I was able to:

 * Query non publicly viewable post types, registered with the code
 {{{#!php
 <?php
 // Post types must be registered on `init` (or later).
 add_action( 'init', function () {
 	register_post_type( 'pwcc_test_type', [
 		'labels' => [
 			'name'          => 'Private Post Types',
 			'singular_name' => 'Private Post Type',
 		],
 		'publicly_queryable' => false, // Not viewable on the front end.
 		'show_ui'            => true,  // Has an admin screen.
 		'show_in_rest'       => true,  // Exposed to REST (and, per the PR, to abilities).
 	] );
 } );
 }}}

 * View unregistered post meta, not visible to the API. (I used
 `_edit_lock`, which not even admins have access to via the UI.)
 * See the raw content form rather than the rendered content form.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64455#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
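
The following is an added example, not code from WordPress core, from the pull request, or from either commenter. It sketches, in PHP against core's existing functions, the argument sanitisation a post-query ability would need to run as the current user before anything reaches `WP_Query`, so that the three findings above are closed: non-viewable post types are refused, only opted-in and non-protected meta keys survive in `meta_query`, only viewable taxonomies attached to the type survive in `tax_query`, and raw content is returned only to users who can edit the post. Every `example_*` function is hypothetical. `show_in_abilities` is the opt-in flag proposed in the thread, not a core meta-registration argument, so the sketch assumes it and falls back to `show_in_rest`. Nested `tax_query` groups are dropped for brevity.

```php
<?php
// Added example (hypothetical helpers, not WordPress core or the PR under review).

/** May the current user read posts of this type outside the public front end? */
function example_can_query_post_type( string $post_type ): bool {
	$pto = get_post_type_object( $post_type );
	if ( ! $pto ) {
		return false;
	}
	if ( is_post_type_viewable( $pto ) ) {
		return true; // Front-end queryable: nothing new is exposed.
	}
	// `publicly_queryable => false` types need a real capability on that type,
	// not merely a logged-in session (a subscriber fails this check).
	return current_user_can( $pto->cap->edit_posts );
}

/** Meta keys this post type has explicitly opted in to exposing. */
function example_allowed_meta_keys( string $post_type ): array {
	$registered = array_merge(
		get_registered_meta_keys( 'post' ),
		get_registered_meta_keys( 'post', $post_type )
	);
	$allowed = array();
	foreach ( $registered as $key => $args ) {
		// Assumption: `show_in_abilities` as proposed in the thread; fall back to `show_in_rest`.
		$opted_in = ! empty( $args['show_in_abilities'] ) || ! empty( $args['show_in_rest'] );
		// is_protected_meta() rejects underscore keys such as `_edit_lock` regardless of registration.
		if ( $opted_in && ! is_protected_meta( $key, 'post' ) ) {
			$allowed[] = $key;
		}
	}
	return $allowed;
}

/** Keep only meta_query clauses whose key is allowed; key-less clauses search all meta and are dropped. */
function example_filter_meta_query( array $meta_query, array $allowed ): array {
	$out = array();
	foreach ( $meta_query as $k => $clause ) {
		if ( 'relation' === $k ) {
			$out['relation'] = $clause;
		} elseif ( is_array( $clause ) && isset( $clause['key'] ) ) {
			if ( in_array( $clause['key'], $allowed, true ) ) {
				$out[] = $clause;
			}
		} elseif ( is_array( $clause ) && ! isset( $clause['value'] ) ) {
			$nested = example_filter_meta_query( $clause, $allowed ); // Nested group.
			if ( array_diff_key( $nested, array( 'relation' => 1 ) ) ) {
				$out[] = $nested;
			}
		}
	}
	return $out;
}

/** Sanitise ability arguments for WP_Query; returns WP_Error when the request is refused. */
function example_sanitize_query_args( array $args ) {
	$post_type = isset( $args['post_type'] ) ? (string) $args['post_type'] : 'post';
	if ( ! example_can_query_post_type( $post_type ) ) {
		return new WP_Error( 'example_forbidden_post_type', 'Post type not queryable.', array( 'status' => 403 ) );
	}
	$pto   = get_post_type_object( $post_type );
	$clean = array(
		'post_type'   => $post_type,
		// Mirror the front end unless the user may read private posts of this type.
		'post_status' => current_user_can( $pto->cap->read_private_posts ) ? array( 'publish', 'private' ) : 'publish',
	);
	// Top-level meta_key/meta_value shortcuts would bypass the filter, so they are never forwarded.
	if ( ! empty( $args['meta_query'] ) && is_array( $args['meta_query'] ) ) {
		$clean['meta_query'] = example_filter_meta_query( $args['meta_query'], example_allowed_meta_keys( $post_type ) );
	}
	if ( ! empty( $args['tax_query'] ) && is_array( $args['tax_query'] ) ) {
		$clean['tax_query'] = array();
		foreach ( $args['tax_query'] as $clause ) {
			if ( is_array( $clause ) && isset( $clause['taxonomy'] )
				&& is_taxonomy_viewable( $clause['taxonomy'] )
				&& is_object_in_taxonomy( $post_type, $clause['taxonomy'] ) ) {
				$clean['tax_query'][] = $clause;
			}
		}
	}
	if ( ! empty( $args['date_query'] ) && is_array( $args['date_query'] ) ) {
		$clean['date_query'] = $args['date_query']; // Exposes nothing beyond what post_status allows.
	}
	return $clean;
}

/** Shape a post for the response: rendered content for everyone, raw only for users who can edit it. */
function example_prepare_post( WP_Post $post ): array {
	$data = array(
		'id'      => $post->ID,
		'title'   => get_the_title( $post ),
		'content' => array( 'rendered' => apply_filters( 'the_content', $post->post_content ) ),
	);
	if ( current_user_can( 'edit_post', $post->ID ) ) {
		$data['content']['raw'] = $post->post_content;
	}
	return $data;
}
```

With these helpers a subscriber requesting `post_type => 'pwcc_test_type'` gets a 403 `WP_Error`, a `meta_query` on `_edit_lock` is silently dropped because the key is protected, and `content.raw` is absent unless `current_user_can( 'edit_post', ... )` holds, matching the REST API's `context=edit` rule.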

