Changeset 50132 for trunk/src/wp-includes/capabilities.php

Timestamp:

02/02/2021 12:38:40 AM (5 years ago)

Author:

peterwilsoncc

Message:

Canonical: Prevent ID enumeration of private post slugs.

Add check to redirect_canonical() to ensure private posts only redirect for logged in users.

Modifies the read_post mata capability to user get_post_status() rather than the post's post_status property to allow attachments to redirect based on the inherited post status.

Introduces wp_force_ugly_post_permalink() to unify the check to determine if an ugly link should be displayed in each of the functions used for determining permalinks: get_permalink(), get_post_permalink(), _get_page_link() and get_attachment_link().

Improves logic of get_attachment_link() to validate parent post and resolution of inherited post status. This is an incomplete fix of #52373 to prevent the function returning links resulting in a file not found error. Required to unblock this ticket.

Props peterwilsoncc, TimothyBlynJacobs.
See #52373.
Fixes #5272.

File:

• trunk/src/wp-includes/capabilities.php (modified) (1 diff)

trunk/src/wp-includes/capabilities.php

@@ -246 +246 @@
             }
 
-            $status_obj = get_post_status_object( $post->post_status );
+            $status_obj = get_post_status_object( get_post_status( $post ) );
             if ( ! $status_obj ) {
                 /* translators: 1: Post status, 2: Capability name. */
-                _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), $post->post_status, $cap ), '5.4.0' );
+                _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), get_post_status( $post ), $cap ), '5.4.0' );
                 $caps[] = 'edit_others_posts';
                 break;