wp-graphql doesn't respect user capabilities for viewing private posts #2859

Open
brnteka opened this issue Jul 18, 2023 · 4 comments
Labels
Component: Connections Issues related to connections Status: 🚀 Actionable Issues that have been curated, have enough info to take action, and are ready to be worked on Type: Bug Something isn't working

Comments

brnteka commented Jul 18, 2023

Description

Hello, wp-graphql seems not to respect user capabilities for viewing private posts. We have a user with the capabilities "read_private_posts" and "read_private_pages", which are added to the user at the time of its creation if it passes some conditions:

    $user = new WP_User($user_id);
    $user->add_cap( 'read_private_posts' );
    $user->add_cap( 'read_private_pages' );

and when I try to make an authorized request as this user with a query like this:

query GetPostsEdges {
  posts(where: { stati: [PUBLISH, PRIVATE]}) {
    edges {
      node {
        id
        title
        date
      }
    }
  }
}

it returns published posts but no private posts, and WordPress's own front-end shows them in the main loop query without any additional modifications to the query, which indicates that the capabilities work as expected. Is this a bug, or am I missing something?

Steps to reproduce

This is how we add the capabilities:

// Runs whenever an existing user's profile is saved (wp_update_user / wp_insert_user on an existing ID).
add_action('profile_update', 'set_capabilities', 10, 3);

function set_capabilities($user_id, $oldUserData, $newUserData)
{
    // get_field() is Advanced Custom Fields; 'cats' is a per-user field holding category term objects.
    $categories = get_field('cats', 'user_' . $user_id);

    if ($categories) {
        $user = new WP_User($user_id);

        // Per-user capabilities; stored in usermeta alongside the role's caps.
        $user->add_cap( 'read_private_posts' );
        $user->add_cap( 'read_private_pages' );

        foreach ($categories as $category) {
            // One custom capability per assigned category, keyed by the term slug.
            $user->add_cap('read_private_custom_' . $category->slug);
        }
    }
}

Additional context

No response

WPGraphQL Version

1.14.7

WordPress Version

6.2.2

PHP Version

7.4.26

Additional environment details

WPGraphQL JWT Authentication 0.7.0 - plugin is active

Please confirm that you have searched existing issues in the repo.

  • Yes

Please confirm that you have disabled ALL plugins except for WPGraphQL.

  • Yes
  • My issue is with compatibility with a specific WordPress plugin, and I have listed all my installed plugins (and version info) above.
jasonbahl (Collaborator) commented

possibly related: #2819

jasonbahl (Collaborator) commented

ok, so fwiw, I was able to create a "private" post.

When I query for a list of posts as an authenticated user, I can see it:

[screenshot: CleanShot 2023-07-18 at 15 24 40]

When I query as a non-authenticated user, I cannot see it.

[screenshot: CleanShot 2023-07-18 at 15 24 50]

On initial exploration, this seems to be working as expected.

I'll keep looking into it to see if I can reproduce with some other conditions.

brnteka (Author) commented Jul 18, 2023

I test my queries with curl (since the user from whom I make requests does not have access to the admin dashboard tools), and when I query a private post directly it actually returns it.

This works:

curl -g -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" -d '{"query":"query GetPostsEdges { post( id: 5, idType: DATABASE_ID ) { id databaseId title } }"}' http://<WEBSITE>/graphql

And this doesn't return the private post when I try to fetch all posts at once:

curl -g -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" -d '{"query":"query GetPostsEdges { posts(where: { stati: [PUBLISH, PRIVATE]}) { edges { node { id title date } } } }"}' http://<WEBSITE>/graphql

jasonbahl added the Type: Bug (Something isn't working) label Aug 2, 2023
jasonbahl added the Status: 🚀 Actionable (Issues that have been curated, have enough info to take action, and are ready to be worked on) label Sep 13, 2023

jasonbahl (Collaborator) commented

Ok, so it looks like the issue might be the path at which the posts are being resolved.

When querying a post directly it is able to be resolved. But when filtering a connection of posts we're not able to see the expected node in the results.

I believe the information in #2819 is relevant to this issue as I believe the stati/status filters are most likely the culprit of the bug here.

I'm not ready to close this as a duplicate of #2819 yet, but they should probably be investigated further at the same time.

jasonbahl added the Component: Connections (Issues related to connections) label Sep 13, 2023
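The thread narrows the problem to the connection path: the direct post() query honours the user's read_private_posts capability, while the posts connection with stati: [PUBLISH, PRIVATE] does not. The following must-use plugin is an added diagnostic for that situation; it is not WPGraphQL code and not the reporter's code. It logs three things for each GraphQL request: whether the JWT-authenticated user really holds the capability, what post_status list actually reaches WP_Query from the connection resolver (if "private" was requested but is missing here, it was stripped before the database was queried), and what WordPress core's own WP_Query returns for the same user when told to enforce readability. Assumed, and not taken from the page: the WPGraphQL hooks do_graphql_request and graphql_connection_query_args with the argument shapes used below, the file name, and the PHP error log as the output channel.

```php
<?php
/**
 * Plugin Name: graphql-private-diag (added diagnostic, not part of WPGraphQL)
 *
 * Install as wp-content/mu-plugins/graphql-private-diag.php on a staging site,
 * send the failing query with the user's JWT, then read the PHP error log.
 *
 * Assumptions (not from the original thread): WPGraphQL fires the action
 * 'do_graphql_request' before executing a request and applies the filter
 * 'graphql_connection_query_args' ($query_args, $resolver) before each
 * connection resolver calls WP_Query.
 */

/**
 * Check 1: does the authenticated user actually hold the capability?
 * Caps added with WP_User::add_cap() live in usermeta, so this confirms
 * the profile_update hook really ran for this account.
 * Check 3: what does core WP_Query return for the same user when asked
 * to enforce read permissions ('perm' => 'readable' is what makes core
 * apply read_private_posts instead of trusting the post_status list)?
 */
add_action( 'do_graphql_request', function ( $query ) {
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        error_log( '[graphql-private-diag] unauthenticated request; no private posts expected' );
        return;
    }

    foreach ( [ 'read_private_posts', 'read_private_pages', 'edit_posts' ] as $cap ) {
        error_log( sprintf(
            '[graphql-private-diag] user %d %s %s',
            $user_id,
            user_can( $user_id, $cap ) ? 'HAS' : 'lacks',
            $cap
        ) );
    }

    $core = new WP_Query( [
        'post_type'      => 'post',
        'post_status'    => [ 'publish', 'private' ],
        'perm'           => 'readable',
        'fields'         => 'ids',
        'posts_per_page' => 50,
        'no_found_rows'  => true,
    ] );
    $private_ids = array_filter( $core->posts, function ( $id ) {
        return 'private' === get_post_status( $id );
    } );
    error_log( sprintf(
        '[graphql-private-diag] core WP_Query (perm=readable) returns %d posts, %d private (ids: %s)',
        count( $core->posts ),
        count( $private_ids ),
        $private_ids ? implode( ',', $private_ids ) : 'none'
    ) );
}, 10, 1 );

/**
 * Check 2: the status list the connection resolver hands to WP_Query.
 * The request asked for [PUBLISH, PRIVATE]; if 'private' is absent here,
 * the resolver dropped it before the database was ever consulted, which
 * is the behaviour this issue is about.
 */
add_filter( 'graphql_connection_query_args', function ( $query_args, $resolver ) {
    if ( isset( $query_args['post_type'] ) ) {
        error_log( sprintf(
            '[graphql-private-diag] %s: post_type=%s post_status=%s',
            get_class( $resolver ),
            wp_json_encode( $query_args['post_type'] ),
            wp_json_encode( $query_args['post_status'] ?? '(unset)' )
        ) );
    }
    // Diagnostic only: never alter the arguments.
    return $query_args;
}, 10, 2 );
```

Reading the log for one request tells you which of the three layers disagrees: if check 1 shows the cap is missing, the profile_update hook never ran for that user (it fires on updates to an existing user, not on the initial insert); if check 3 returns private posts but check 2 shows post_status without "private", the capability is fine and the status was removed by the connection resolver, consistent with the stati-filter suspicion in the comment above.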
Development

No branches or pull requests

2 participants