From 4c6df3a2e480783601432090005075c24bc7d43e Mon Sep 17 00:00:00 2001
From: Dion Hulse <dd32@git.wordpress.org>
Date: Sat, 24 Apr 2010 06:04:05 +0000
Subject: [PATCH] Ignore sticky posts which the current user cannot read,
 Ignore sticky posts which have been explicitly excluded with 'post__not_in'.
 Fixes #11197

git-svn-id: https://develop.svn.wordpress.org/trunk@14217 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/query.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/wp-includes/query.php b/wp-includes/query.php
index 1590418c34..f2c42f6a93 100644
--- a/wp-includes/query.php
+++ b/wp-includes/query.php
@@ -2465,6 +2465,10 @@ class WP_Query {
 				}
 			}
 
+			// If any posts have been excluded specifically, Ignore those that are sticky.
+			if ( !empty($sticky_posts) && !empty($q['post__not_in']) )
+				$sticky_posts = array_diff($sticky_posts, $q['post__not_in']);
+
 			// Fetch sticky posts that weren't in the query results
 			if ( !empty($sticky_posts) ) {
 				$stickies__in = implode(',', array_map( 'absint', $sticky_posts ));
@@ -2478,10 +2482,11 @@ class WP_Query {
 					}
 					$stickies_where = "AND $wpdb->posts.post_type IN ('" . $post_types . "')";
 				}
+
 				$stickies = $wpdb->get_results( "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.ID IN ($stickies__in) $stickies_where" );
-				/** @todo Make sure post is published or viewable by the current user */
 				foreach ( $stickies as $sticky_post ) {
-					if ( 'publish' != $sticky_post->post_status )
+					// Ignore sticky posts the current user cannot read or are not published.
+					if ( !current_user_can('read_post', $sticky_post->ID) || 'publish' != $sticky_post->post_status ) 
 						continue;
 					array_splice($this->posts, $sticky_offset, 0, array($sticky_post));
 					$sticky_offset++;