Post type should be public on Recent Post #1364

rizaardiyanto1412 · 2024-01-30T10:31:54Z

The code in advanced-gutenberg-pro/lib/vendor/publishpress/publishpress-blocks/assets/blocks/recent-posts/block.php needs to be adjusted due to a broken access control issue.

You allow any post type to be provided to the Recent Posts block, however it does not check whether that post type is meant to be public or not. As a Contirbutor user, someone could choose to embed the recent published posts of any post type that they'd like regardless if they actually have access to read posts.

You could add code like:

if ( ! is_post_type_viewable( $post_type ) ) { /* maybe return an empty string or an error message */ }

This would check whether the post type specified is viewable or not. If it isn't, then you could return a blank string or an error message perhaps.

https://secure.helpscout.net/conversation/2495159321

The text was updated successfully, but these errors were encountered:

rizaardiyanto1412 added the unconfirmed bug This needs more testing. Can often be used when a member of the public posts. label Jan 30, 2024

stevejburge added this to the 3.2.2: Bug-fixes and improvements milestone Feb 5, 2024

htmgarcia modified the milestones: 3.2.2: Bug-fixes and improvements, 3.2.3: Bug-fixes and improvements May 13, 2024

htmgarcia modified the milestones: 3.2.3: Bug-fixes and improvements, 3.2.4: Bug-fixes and improvements Jul 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Post type should be public on Recent Post #1364

Post type should be public on Recent Post #1364

rizaardiyanto1412 commented Jan 30, 2024

Post type should be public on Recent Post #1364

Post type should be public on Recent Post #1364

Comments

rizaardiyanto1412 commented Jan 30, 2024