
Ticket #50781: 50781.2.diff

File 50781.2.diff, 1.7 KB (added by audrasjb, 4 years ago)

Customizer: Redirects URLs to 404 if changeset UUID does not exist for unauthenticated users

  • src/wp-includes/class-wp-customize-manager.php

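diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
index 79f2b3eab3..252365c763 100644
--- a/src/wp-includes/class-wp-customize-manager.php
+++ b/src/wp-includes/class-wp-customize-manager.php
@@ -493,12 +493,28 @@ final class WP_Customize_Manager {
                 return '_default_wp_die_handler';
         }
 
+        /**
+         * Redirects to 404 when changeset UUID does not exists for unauthenticated users.
+         *
+         * @since 5.6.0
+         *
+         * @param bool     $bypass Pass-through of the pre_handle_404 filter value.
+         * @param WP_Query $query  The WP_Query object.
+         * @return bool Bypass value.
+         */
+        public function customize_changeset_preview_redirect( $bypass, $query ) {
+                $query->set_404();
+                status_header( 404 );
+                return $bypass;
+        }
+
         /**
          * Start preview and customize theme.
          *
          * Check if customize query variable exist. Init filters to filter the current theme.
          *
          * @since 3.4.0
+         * @since 5.6.0 Redirects to 404 when changeset UUID does not exists for unauthenticated users.
          *
          * @global string $pagenow
          */
@@ -548,7 +564,13 @@ final class WP_Customize_Manager {
                  * then send unauthenticated code to prompt re-auth.
                  */
                 if ( ! current_user_can( 'customize' ) && ! $this->changeset_post_id() ) {
-                        $this->wp_die( $this->messenger_channel ? 0 : -1, __( 'Non-existent changeset UUID.' ) );
+                        // As this is a preview page sending noindex in headers.
+                        if ( ! headers_sent() ) {
+                                nocache_headers();
+                                header( 'X-Robots: noindex, nofollow, noarchive' );
+                        }
+                        add_action( 'wp_head', 'wp_no_robots' );
+                        add_filter( 'pre_handle_404', array( $this, 'customize_changeset_preview_redirect' ), 1, 2 );
                 }
 
                 if ( ! headers_sent() ) {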
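Review bot: The header sent at new line 570 is named `X-Robots`, which is not the name search engines document for robots directives; the response header is `X-Robots-Tag`, so the line should read `header( 'X-Robots-Tag: noindex, nofollow, noarchive' );`. As written, only the `wp_no_robots` meta tag hooked on `wp_head` keeps these preview URLs out of indexes, and that depends on the active theme calling `wp_head()`. The removed `wp_die()` ended the request, whereas the new branch falls through into the rest of the method, which continues outside the hunk; it is worth confirming that nothing after it assumes a valid changeset for a visitor without the `customize` capability. The new docblock summary and the added `@since 5.6.0` line both read "does not exists" where "does not exist" is meant.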