Access Rights in WordPress core

An overview of how WordPress handles access rights

WordPress gives each user specific constraints depending on their user role.

For example, posts can only be edited by their own author, who must also have the Contributor user role or higher. Administrators and higher-level user roles have access to edit posts from many authors.

The five states of posts in WordPress

There are many different post statuses that are used in WordPress and other plugins/themes. Custom post statuses may be registered by plugins/themes and can have custom handling of their own.

Let’s only focus on the five major kinds of states a post can be in to simplify how they work.

Published posts

Posts with the Published status are publicly viewable and can be seen by anyone, depending on how your site displays them.

Future/scheduled posts are not yet publicly viewable and will technically count as an unpublished status in most usage.

Private posts

Posts with the Private status are not publicly viewable and they can only be seen by people who have a read_private_{post_type} kind of capability on their current user role.

Anyone with access to edit that post can still edit the content normally as the restrictions on private posts only apply to viewing the content.

Password-protected posts

Regardless of the role of the user viewing them, posts with the Published status that are Password-protected are restricted to only be shown to those who enter the corresponding password.

Anyone with access to edit that post can still edit the content normally as this restriction only applies to viewing the content. The password is stored by WordPress in plain text in the database and any other person who has access to edit the post can see what that password is.

Unpublished posts

All other post statuses are treated as Unpublished. A few statuses, like Draft, Future/Scheduled, and Pending Review, are only available for preview and will not show on a typical site unless otherwise customized.

Trashed posts

One very special kind of post status in WordPress is the Trashed post. Trashed posts are usually emptied on an ongoing basis for a site.

Dynamic Features in WordPress core

There are currently just a few dynamic features in WordPress core. Those include:

A new dynamic feature introduced with WordPress 6.5 was the Block Bindings API, which brings the ability to connect a block to the dynamic value of post meta and more.

WordPress follows very specific guidance for embedding content dynamically through the editor. Because the editor can be used by a variety of people, the content embedded will be checked for who should have access based on their user role.

Access rights checks for Dynamic Features in WordPress

Posts are a very special kind of content in WordPress that have visibility and capability checks before the content can be displayed on a site in most themes.

  • Is the post type public and publicly queryable?
    • If not, the post type will not be allowed to be dynamically embedded
  • Is the user logged in and do they have access through capabilities to private posts?
    • If not, the post statuses available will be limited to published only
    • If yes, the post statuses available will be set to published and private
  • Is the post password-protected?
    • If yes, have they entered the correct password yet?
      • If no, then the content will not be shown. Archive templates will show protected text instead of the excerpt / content. Singular templates will show the password form.
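
The checklist above, written out as a single gate function. This is an added example, not code from WordPress core or Pods; the function names example_can_embed_post and example_render_related_excerpt are hypothetical, while the WordPress functions they call are core APIs.

```php
<?php
/**
 * Hypothetical helper (the name is an assumption, not a core or Pods function).
 * Returns true when $post may be embedded dynamically for the current viewer.
 */
function example_can_embed_post( $post ) {
	$post = get_post( $post );
	if ( ! $post ) {
		return false;
	}

	// 1. The post type must be public and publicly queryable.
	$type = get_post_type_object( $post->post_type );
	if ( ! $type || ! $type->public || ! $type->publicly_queryable ) {
		return false;
	}

	// 2. Allowed statuses: published only, plus private when the logged-in
	//    user holds the read_private_{post_type} capability for this type.
	$allowed_statuses = array( 'publish' );
	if ( is_user_logged_in() && current_user_can( $type->cap->read_private_posts ) ) {
		$allowed_statuses[] = 'private';
	}
	if ( ! in_array( get_post_status( $post ), $allowed_statuses, true ) ) {
		return false;
	}

	// 3. Password-protected posts stay hidden until the viewer has entered
	//    the correct password. This applies regardless of user role.
	if ( post_password_required( $post ) ) {
		return false;
	}

	return true;
}

/**
 * Hypothetical render callback: outputs nothing for posts the viewer may not see.
 */
function example_render_related_excerpt( $related_id ) {
	if ( ! example_can_embed_post( $related_id ) ) {
		return '';
	}
	return wp_kses_post( get_the_excerpt( $related_id ) );
}
```

The gate fails closed: an unknown post, a non-public post type, or an unexpected status such as draft or trash all return false before any content is read.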

Other Helpful Documentation on Access Rights in Pods

Access Rights Settings in Pods

The Global and Per-Pod settings available to customize your Access Rights

Customizing Access Rights in Pods with Constants/Hooks

How to customize Pods Access Rights through code