Respect publicly_queryable setting for post types #2134
Description
Currently, if a post type in WordPress has publicly_queryable set to false, its posts are still accessible to unauthenticated users. WPGraphQL should respect the publicly_queryable setting.
It's easy to conflate publicly_queryable with public and/or show_in_graphql settings. Here is the breakdown that @jasonbahl and I came up with for remembering what effect each setting has:
show_in_graphql—> add to GraphQL schemapublic—> Give this a URIpublicly_queryable—> accessible to all unauthenticated users
I'll submit a PR so that a post is considered private if publicly_queryable is set to true (whether explicitly, or implicitly by inheriting the public => true value for the post type).
End Result
So the end result of this change should be this behavior:
- If
publicly_queryableistruefor a post type, its posts should be accessible to unauthenticated users. - If
publicly_queryableisfalsefor a post type, its posts should be accessible only to authenticated users who have the required capability.