RootQuery to ContentNode connection returns posts it shouldn't

[jasonbahl]

The RootQueryToContentNode connection is returning posts of post_types that are not public.

For example, with the WPGatsby plugin active, the following query from a public user:

{
  contentNodes {
    nodes {
      __typename
    }
  }
}

Is returning nodes of the ActionMonitor Type, a non-public post_type.

The Model Layer for SURE needs to be fixed to ensure non-public posts are not being returned, even if an underlying query asks for them.

We should also optimize the connection queries to only ask for things we know the user can ask for.

Some context that might be helpful to resolving this:

• The post types that are queried for are centrally checked in the Connection Resolver here: https://github.com/wp-graphql/wp-graphql/blob/develop/src/Data/Connection/PostObjectConnectionResolver.php#L56-L57. Limiting this centrally to public post types could help.

• Here (https://github.com/wp-graphql/wp-graphql/blob/develop/src/Model/Post.php#L329-L331) the Post model is allowing posts of any post type to be public, as long as they're published

[justlevine]

The temporary workaround is to graphql_post_object_connection_query_args to unset unwanted post types. E.g for action_monitor

/**
 * Remove unwanted posts types from `contentNodes`.
 **/
add_filter(
  'graphql_post_object_connection_query_args', 
    function( array $query_args, $source, array $args, $context, $info) {
      if( 'contentNodes' === $info->fieldName ) ) {
        // You can make this more generic by using the WP_Post_Type's params to decide whether to unset()
        unset( $query_args['post_type']['action_monitor'] );
      }
      return $query_args;
  }, 
  10,
  5
);

The Model Layer for SURE needs to be fixed to ensure non-public posts are not being returned, even if an underlying query asks for them.

For an actual fix in core, I think we need to decide what exactly determines if a post is non_public ( e.g. exclude_from_search ), which is likely depends on the context connection. Eg. action_monitors still needs to be available on query { actionMonitors { ... } }

[jasonbahl]

@justlevine ya, I think my original intent of the ContentNode Interface was to have it apply to any public post type.

Other post types are often "utility" post types (for lack of better term).

For example:

• custom_css
• customize_changeset
• oembed_cache
• user_request

etc.

Action Monitor falls into this category. These post types are used to store data, but not "public" content.

Public post types are used for "content"

So, I think the best plan would be to update resolvers and Types that implement the ContentNode interface to only do so if they're actually public post types.

This would be a breaking change, so we'll have to move forward carefully.

I think we should be able to provide filters for users to implement in their codebase to keep backward compatibility should they be querying ContentNodes and expecting non-public post_types.

---

Related issue: wp-graphql/wp-graphql-woocommerce#362 (comment)