wp-graphql doesn't respect user capabilities for viewing private posts #2859
Comments
possibly related: #2819
ok, so fwiw, I was able to create a "private" post. When I query for a list of posts as an authenticated user, I can see it: When I query as a non-authenticated user, I cannot see it. On initial exploration, this seems to be working as expected. I'll keep looking into it to see if I can reproduce with some other conditions.
I test my queries with curl (since the user from whom I make requests does not have access to the admin dashboard tools) and when I query a private post directly it actually returns it. This works:
And this doesn't return the private post, when I try to fetch all posts at once:
Ok, so it looks like the issue might be the path at which the posts are being resolved. When querying a post directly it is able to be resolved. But when filtering a connection of posts we're not able to see the expected node in the results. I believe the information in #2819 is relevant to this issue as I believe the stati/status filters are most likely the culprit of the bug here. I'm not ready to close this as a duplicate of #2819 yet, but they should probably be investigated further at the same time.
Description
Hello, wp-graphql seems to not respect user capabilities for viewing private posts. We have a user with capabilities "read_private_posts" and "read_private_pages", which are added to the user at the time of its creation, if it passes some conditions,
and when I try to make an authorized request as this user with a query like this
it returns published posts but no private posts, and WP's own front-end shows them in the main loop query, without any additional modifications to the query, which indicates that the capabilities work as expected. Is this a bug, or am I missing something?
Steps to reproduce
This is how we add the capabilities
Additional context
No response
WPGraphQL Version
1.14.7
WordPress Version
6.2.2
PHP Version
7.4.26
Additional environment details
WPGraphQL JWT Authentication 0.7.0 - plugin is active
Please confirm that you have searched existing issues in the repo.
Please confirm that you have disabled ALL plugins except for WPGraphQL.
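As an added example (not code from the issue or from the wp-graphql project), a small offline oracle for the WordPress visibility rule the reporter relies on: "publish" is visible to everyone, "private" only to a user holding read_private_posts / read_private_pages. It compares what the single-node path and the posts connection returned for the same user and flags both leaks and the symptom described here (an allowed private post missing from the connection). The post list, capability set and observed ids are constructed.

```python
# Added example, not from the issue or wp-graphql. An offline oracle that
# checks two resolution paths (single node vs. posts connection) against the
# WordPress status visibility rule. All sample data below is constructed.

# Simplified WordPress rule: "publish" is visible to everyone; "private"
# needs read_private_posts for posts or read_private_pages for pages.
PRIVATE_CAP = {"post": "read_private_posts", "page": "read_private_pages"}


def expected_visible(posts, caps):
    """Return the set of post ids a viewer holding `caps` should see."""
    visible = set()
    for p in posts:
        if p["status"] == "publish":
            visible.add(p["id"])
        elif p["status"] == "private" and PRIVATE_CAP[p["type"]] in caps:
            visible.add(p["id"])
    return visible


def find_discrepancies(posts, caps, single_node_ids, connection_ids):
    """Compare each path's result with the expected set for one viewer.

    single_node_ids: ids resolved when every post was queried directly
    connection_ids:  ids returned by the `posts` connection for the same user
    Returns only the non-empty problem lists; {} means both paths match WP.
    """
    expected = expected_visible(posts, caps)
    single, conn = set(single_node_ids), set(connection_ids)
    report = {
        # leaks: a path returned a node the capabilities do not allow
        "single_node_leak": sorted(single - expected),
        "connection_leak": sorted(conn - expected),
        # the symptom in this issue: allowed nodes absent from the connection
        "connection_missing": sorted(expected - conn),
        "single_node_missing": sorted(expected - single),
    }
    return {k: v for k, v in report.items() if v}


# Constructed sample: two published posts, one private post; the viewer holds
# read_private_posts as in the issue. Observed ids are constructed too.
SAMPLE_POSTS = [
    {"id": 1, "type": "post", "status": "publish"},
    {"id": 2, "type": "post", "status": "publish"},
    {"id": 3, "type": "post", "status": "private"},
]
SAMPLE_CAPS = {"read", "read_private_posts"}
SAMPLE_REPORT = find_discrepancies(SAMPLE_POSTS, SAMPLE_CAPS, [1, 2, 3], [1, 2])
```

Feeding the oracle the ids from a real curl run of both queries (with the user's actual capabilities from the WordPress side) turns the report above into a repeatable regression check for this bug.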