pods-framework / pods

The Pods Framework is a Content Development Framework for WordPress - It lets you create and extend content types that can be used for any project. Add fields of various types we've built in, or add your own with custom inputs, you have total control.
https://pods.io/
GNU General Public License v2.0

Not seeing Private posts with Pods find() or shortcodes (breaking from default WP behavior with WP_Query) #3451

Closed enquirer32 closed 2 years ago

enquirer32 commented 8 years ago

Task list

I’ve created two pods. The entries associated with these are saved as ‘private’. One can't view the content on the front end of the website.

As admin on this WP installation, I created a new CPT. Created one field. I added a new 'testpod' from admin - 'Add New'. Filled in my one field. I created a new post and inserted the following shortcode: [pods name="testpod"]<br />{@test_field}<br />[/pods] I made sure the pod was 'private'. If one views the post on the front end one can see the title but no output (it is 'Private'). Reset the pod item to 'public' - the content shows up on the front end.

For me this is a serious issue and it isn't how core WP works. When something is 'Private' the author can always see their own posts.

My set-up: My intention was to restrict the content others could see but always intending that the creator of the content (adding content through a Pod form) could see their own. For example, I have a logged in user who creates content in both pods. He has all the permissions required to edit ‘private’ content and it is his content. So long as the data in the pods he created is private he can't access this data.

In my real install I also have a couple of single relationship dropdowns. However, he can’t access these unless the pods are ‘published’ – they don’t work as private either. This is also an unforeseen problem which means I can't use Pods the way I had intended.

Is there a temporary fix for this - some hack I can add to the files? Was this always your intention?

You don't need files or images to replicate this yourself - it is very straightforward.

enquirer32 commented 8 years ago

OK, so I've revisited this. After a follow-up from Jim I installed a clean WP and installed only your plugin and worked up my example above creating public and private posts with public and private pods.... I'm attaching the json file for this. When the pod is marked as private it does not show in the front end as it should - following WP rules. I set up two pods, one public and one private. The private pod did not show (I verified this by making it public when it did).

{"meta":{"version":"2.6.1","build":1458724466},"pods":{"4":{"id":4,"name":"devtest","label":"DevTest","description":"","type":"post_type","storage":"meta","object":"","alias":"","fields":{"test_field":{"id":5,"name":"test_field","label":"Test field","description":"","help":"","class":"","type":"text","weight":0,"pick_object":"","pick_val":"","sister_id":"","required":"0","text_allow_shortcode":"0","text_allow_html":"0","text_allowed_html_tags":"strong em a ul ol li b i","text_max_length":"255","admin_only":"0","restrict_role":"0","restrict_capability":"0","hidden":"0","read_only":"0","roles_allowed":["administrator"],"text_repeatable":0}},"show_in_menu":"1","label_singular":"DevTest","public":"1","show_ui":"1","supports_title":"1","supports_editor":"1","publicly_queryable":"1","exclude_from_search":"0","capability_type":"post","capability_type_custom":"devtest","capability_type_extra":"1","has_archive":"0","hierarchical":"0","rewrite":"1","rewrite_with_front":"1","rewrite_feeds":"0","rewrite_pages":"1","query_var":"1","can_export":"1","default_status":"draft","supports_author":"0","supports_thumbnail":"0","supports_excerpt":"0","supports_trackbacks":"0","supports_custom_fields":"0","supports_comments":"0","supports_revisions":"0","supports_page_attributes":"0","supports_post_formats":"0","built_in_taxonomies_category":"0","built_in_taxonomies_link_category":"0","built_in_taxonomies_post_tag":"0","menu_position":"0","show_in_nav_menus":"1","show_in_admin_bar":"1"},"24":{"id":24,"name":"privatepod","label":"Private pod","description":"","type":"post_type","storage":"meta","object":"","alias":"","fields":{"private_field":{"id":25,"name":"private_field","label":"Private field","description":"","help":"","class":"","type":"text","weight":0,"pick_object":"","pick_val":"","sister_id":"","required":"0","text_allow_shortcode":"0","text_allow_html":"0","text_allowed_html_tags":"strong em a ul ol li b 
i","text_max_length":"255","admin_only":"0","restrict_role":"0","restrict_capability":"0","hidden":"0","read_only":"0","roles_allowed":["administrator"],"text_repeatable":0}},"show_in_menu":"1","label_singular":"Private pod","public":"1","show_ui":"1","supports_title":"1","supports_editor":"1","publicly_queryable":"1","exclude_from_search":"0","capability_type":"post","capability_type_custom":"privatepod","capability_type_extra":"1","has_archive":"0","hierarchical":"0","rewrite":"1","rewrite_with_front":"1","rewrite_feeds":"0","rewrite_pages":"1","query_var":"1","can_export":"1","default_status":"draft","supports_author":"0","supports_thumbnail":"0","supports_excerpt":"0","supports_trackbacks":"0","supports_custom_fields":"0","supports_comments":"0","supports_revisions":"0","supports_page_attributes":"0","supports_post_formats":"0","built_in_taxonomies_category":"0","built_in_taxonomies_link_category":"0","built_in_taxonomies_post_tag":"0","menu_position":"0","show_in_nav_menus":"1","show_in_admin_bar":"1"}}}

jimtrue commented 8 years ago

I'm still a little confused on some of your issues (I also would've preferred you provide us a Package Migration that included any Templates or Drop-downs as you had configured them so we could see the same issues you're seeing).

This statement:

"So long as the data in the pods he created is private he can't access this data."

Doesn't make any sense to me. The owner of the data can always see their posts. Always, as long as they're logged in; if they're not logged-in, they're a guest and can't see anything. That's WP Core functionality.

From using your test configuration above, if I'm not logged in, I can't see a private post, I can't even see that it exists, which is also intended. I also checked this against WP standard "Posts" and I see the exact same behavior. I can't see private posts unless I'm the owner of the post. I have no awareness whatsoever of private posts, they're not in my back-end admin view nor in the front-end. No title, no anything and they aren't listed in recent posts or archive views. This is as intended. As an Admin, I can see all private posts. This is also as intended by WP Core, unless you change capabilities of your Admin user.

As to relationships to private posts (i.e. showing up in the lists of related items), you aren't going to see private items in the drop down, because they aren't 'published'. That may not be as intended. In such a situation, I'd honestly get away from the concept of "private posts" which aren't actually published, so they're not going to be visible to anything other than the person who created them and they probably can't be linked together for that same reason through a relationship field.

Maybe look at instead changing roles & capabilities to create a role that can only post, publish and read their own posts and use that very helpful addition by Members Plugin that allows you to restrict visibility on the front-end at the post level, instead of publishing as Private, just change the visibility of the Content on each page to 'Author' (or one of your own defined roles).

content-permissions-from-members

That way, you'd still get to see them in related content, though you might need to change your Relationship rules to ONLY show related posts in the relationship where Author was the logged in user.

If I'm totally off on what you're describing the issue is, please be specific, show examples, etc. to help us get to the root of the issue you're experiencing.

sc0ttkclark commented 8 years ago

Unfortunately when using the Pods shortcodes, templating, and Pods PHP API, the private posts are probably not taken into account, only published / visible posts show up. We may want to follow up with this.

jimtrue commented 8 years ago

Yep, they're definitely excluded in the relationship selection.

enquirer32 commented 8 years ago

Thanks. I think sc0ttkclark understands... the purpose is that an 'author' or whatever role one defines cannot see the element of private pods which are created by them.

What can/cannot be done currently:

Have public post with public pod fields -- everyone can view

Have a public post but any pod fields saved as 'private' can't be viewed by anyone even the author and the relationships in the private pod won't work.

I can have a private post, with public pod fields and only the author can see this, but any private pod fields can't be viewed even by the author and the relationships in the private pod won't work.

If I create a new role as you suggest (and I am assuming it will work as described) it doesn't entirely help because I only want some parts of the pod to be restricted to the author - not all of the fields.

The purpose of what I am trying to do (and use pods to do it and nothing else!) is:

Create a pod which an author can complete through form fields. Have certain data which is restricted to their eyes and which they can later edit etc.

I am trying this on a new install with TwentySixteen theme and all of the posts etc are attached.

applicationdevelopment.wordpress.2016-05-08.xml.zip

jimtrue commented 8 years ago

For clarification, when you're saying 'private pods fields', are you referring to Fields, Advanced Settings, Visibility, Restrict Access by Roles/Capability?

enquirer32 commented 8 years ago

Yes, I can see this is not clear. So, it is a normal CPT pod in all respects - no special assignments, visibility or capabilities or permissions added to the pod. However, when a pod item is created it is saved as 'private'. When I load this pod into a post - public or private - it won't show up. Try for yourself? That is surely outside normal WP usage?

sc0ttkclark commented 8 years ago

The default status used for your pod configuration appears to be 'Draft'. Can you check your Pod settings to confirm the Default Post Status is set to 'Draft'? When you create your pod items, are you setting the status to 'Private' or is it getting forced to that on saving the draft or publishing the content?

sc0ttkclark commented 8 years ago

@enquirer32 do you have some time today or this week to chat with me directly on this issue to help figure out a solution?

enquirer32 commented 8 years ago

Thanks Scott. Yes, the default status is 'draft' but they are definitely not draft because I set them as private. Status is 'privately published'. Happy to give you my admin access to the site I set them up on. Yes, we can talk on Slack - @enquirer

sc0ttkclark commented 8 years ago

Just a quick update, we need to think about a better long-term solution for setting the where_default option for a Pod dynamically instead of caching it, for support for things like private posts.

Here's a quick hack for shortcodes to support private posts in the list, when listing items from a post type pod:

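// Adjust the find() parameters that the [pods] shortcode passes on when listing items.
add_filter( 'pods_shortcode_findrecords_params', '_private_pods_shortcode_support', 10, 3 );
function _private_pods_shortcode_support( $params, $pod, $tags ) {

    // Only post type pods have a post status, and only logged-in users can own private posts.
    if ( 'post_type' == $pod->pod_data['type'] && is_user_logged_in() ) {
        // Published items, plus private items authored by the current user.
        $where = sprintf( 't.post_status = "publish" OR ( t.post_status = "private" AND t.post_author = %d )', get_current_user_id() );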

        if ( ! empty( $params['where'] ) ) {
            $params['where'] = '( ' . $params['where'] . ' ) AND ( ' . $where . ' )';
        } else {
            $params['where'] = $where;
        }
    }

    return $params;

}
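
Added example (not from this thread or the Pods project): a variant of the shortcode filter above that follows WP_Query's rule for private posts, where a user holding the post type's read_private_posts capability sees all private items and any other logged-in user sees only their own. The function name and the way the post type name is read from pod_data are assumptions.

```php
<?php
// Added example, not Pods code. Hooks the same filter as the hack above.
add_filter( 'pods_shortcode_findrecords_params', 'example_pods_private_visibility', 10, 3 );

function example_pods_private_visibility( $params, $pod, $tags ) {
    // Post status only applies to post type pods.
    if ( 'post_type' !== $pod->pod_data['type'] ) {
        return $params;
    }

    // Assumption: an extended post type stores its name in 'object',
    // a pod-created post type stores it in 'name'.
    $post_type = ! empty( $pod->pod_data['object'] )
        ? $pod->pod_data['object']
        : $pod->pod_data['name'];
    $type_obj = get_post_type_object( $post_type );

    // Fail closed: guests and unknown post types get published items only.
    $where = "t.post_status = 'publish'";

    if ( is_user_logged_in() && $type_obj ) {
        if ( current_user_can( $type_obj->cap->read_private_posts ) ) {
            // Editors and administrators by default: every private item.
            $where .= " OR t.post_status = 'private'";
        } else {
            // Everyone else: only private items they authored.
            // %d forces the user ID to an integer before it reaches SQL.
            $where .= sprintf(
                " OR ( t.post_status = 'private' AND t.post_author = %d )",
                get_current_user_id()
            );
        }
    }

    // Parenthesise so the OR cannot escape into an existing where clause.
    $where = '( ' . $where . ' )';

    $params['where'] = empty( $params['where'] )
        ? $where
        : '( ' . $params['where'] . ' ) AND ' . $where;

    return $params;
}
```

The rendered list now differs per user, so any page or fragment cache in front of it has to vary by logged-in user or be bypassed for them, otherwise one user's private items can be served to another.
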
sc0ttkclark commented 8 years ago

Renamed the title of this issue to better reflect the actual issue as it stands

sc0ttkclark commented 8 years ago

Updated issue description with some tasks

enquirer32 commented 8 years ago

Just to clarify, although I think this is covered in Tasks above, apart from being unable to view the private pod in a private post, it is not currently possible to view a private pod as a relationship to another pod.

enquirer32 commented 8 years ago

Have just noticed that with the hack one can see anyone's private pods. And, as we saw the other day, relationships between private pods don't work...

sc0ttkclark commented 8 years ago

Only the author of the private posts can see them with the shortcode hack, unless you're caching the pages for logged in users somehow?

Brian-Milnes commented 7 years ago

Guys, did this ever get addressed, please? I'm wanting to build a variable access model (Admins see all, Authors only see their own, Technicians only see the cases assigned to them). This issue looks as though it might break the plan :-(