From a16f3f8f136970d6f2639ca05422a0905d5c3641 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov.ru@gmail.com>
Date: Wed, 5 Feb 2020 01:33:05 +0000
Subject: [PATCH] Posts, Post Types: Fail gracefully when checking whether a
 single post with an unregistered post status should be displayed in
 `WP_Query::get_posts()`.

If the post status is not registered, assume it's not public, but still allow access to users with edit permissions (same as for a protected post status, e.g. `draft`), so that they could recover orphaned content.

Add unit tests.

Follow-up to [47178].

Props roytanck, SergeyBiryukov.
Fixes #48653.
Built from https://develop.svn.wordpress.org/trunk@47181


git-svn-id: http://core.svn.wordpress.org/trunk@46981 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-query.php | 48 ++++++++++++++++++++--------------
 wp-includes/version.php        |  2 +-
 2 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/wp-includes/class-wp-query.php b/wp-includes/class-wp-query.php
index 7233e2ba87..38df928f08 100644
--- a/wp-includes/class-wp-query.php
+++ b/wp-includes/class-wp-query.php
@@ -3066,35 +3066,43 @@ class WP_Query {
 		// Check post status to determine if post should be displayed.
 		if ( ! empty( $this->posts ) && ( $this->is_single || $this->is_page ) ) {
 			$status = get_post_status( $this->posts[0] );
+
 			if ( 'attachment' === $this->posts[0]->post_type && 0 === (int) $this->posts[0]->post_parent ) {
 				$this->is_page       = false;
 				$this->is_single     = true;
 				$this->is_attachment = true;
 			}
-			$post_status_obj = get_post_status_object( $status );
 
 			// If the post_status was specifically requested, let it pass through.
-			if ( ! $post_status_obj->public && ! in_array( $status, $q_status ) ) {
+			if ( ! in_array( $status, $q_status ) ) {
+				$post_status_obj = get_post_status_object( $status );
 
-				if ( ! is_user_logged_in() ) {
-					// User must be logged in to view unpublished posts.
-					$this->posts = array();
-				} else {
-					if ( $post_status_obj->protected ) {
-						// User must have edit permissions on the draft to preview.
-						if ( ! current_user_can( $edit_cap, $this->posts[0]->ID ) ) {
-							$this->posts = array();
-						} else {
-							$this->is_preview = true;
-							if ( 'future' != $status ) {
-								$this->posts[0]->post_date = current_time( 'mysql' );
-							}
-						}
-					} elseif ( $post_status_obj->private ) {
-						if ( ! current_user_can( $read_cap, $this->posts[0]->ID ) ) {
-							$this->posts = array();
-						}
+				if ( $post_status_obj && ! $post_status_obj->public ) {
+					if ( ! is_user_logged_in() ) {
+						// User must be logged in to view unpublished posts.
+						$this->posts = array();
 					} else {
+						if ( $post_status_obj->protected ) {
+							// User must have edit permissions on the draft to preview.
+							if ( ! current_user_can( $edit_cap, $this->posts[0]->ID ) ) {
+								$this->posts = array();
+							} else {
+								$this->is_preview = true;
+								if ( 'future' != $status ) {
+									$this->posts[0]->post_date = current_time( 'mysql' );
+								}
+							}
+						} elseif ( $post_status_obj->private ) {
+							if ( ! current_user_can( $read_cap, $this->posts[0]->ID ) ) {
+								$this->posts = array();
+							}
+						} else {
+							$this->posts = array();
+						}
+					}
+				} elseif ( ! $post_status_obj ) {
+					// Post status is not registered, assume it's not public.
+					if ( ! current_user_can( $edit_cap, $this->posts[0]->ID ) ) {
 						$this->posts = array();
 					}
 				}
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 63a9df03c9..1e45c6eb3d 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.4-alpha-47180';
+$wp_version = '5.4-alpha-47181';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.