Allow pending posts to be previewed like drafts#115
Open
dChiamp wants to merge 2 commits into
Open
Conversation
check_read_permission() and can_user_read_post() special-cased 'draft' but not 'pending', so authenticated preview of pending posts fell through to a publish-only check and was denied. Treat pending the same as draft in both places.
url_to_postid() limited the resolving WP_Query to publish+draft, so pending posts were never found by URI and /post 404'd before the read check ran. Add 'pending' to the status list and to the verbose-page-rule exemption.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Preview of pending posts was denied on the headless frontend, while drafts worked. Three places special-cased
draftbut neverpending:Utils\Post::url_to_postid()— the URI-to-post resolver limited itsWP_Querytopublish+draft, so a pending post was never found by URI (the/postendpoint 404'd before any read check). Same draft-only assumption in the verbose-page-rule branch.REST_Post_Controller::check_read_permission()— thedraft-only branch that re-derives the user (enabling cookie-based preview without a REST nonce) never ran for pending.Utils\Post::can_user_read_post()— only handleddraftandpublish.Fix
Treat
pendingthe same asdraftin all three. Authors can preview their own pending posts; editors/admins viaread_private_posts.Base bug — affects any fuxt site using a submit-for-review flow. Verified on staging: resolution and both read checks pass for a pending CPT post.