Changeset 50132 for trunk/tests/phpunit/tests/media.php

Timestamp:

02/02/2021 12:38:40 AM (5 years ago)

Author:

peterwilsoncc

Message:

Canonical: Prevent ID enumeration of private post slugs.

Add check to redirect_canonical() to ensure private posts only redirect for logged in users.

Modifies the read_post mata capability to user get_post_status() rather than the post's post_status property to allow attachments to redirect based on the inherited post status.

Introduces wp_force_ugly_post_permalink() to unify the check to determine if an ugly link should be displayed in each of the functions used for determining permalinks: get_permalink(), get_post_permalink(), _get_page_link() and get_attachment_link().

Improves logic of get_attachment_link() to validate parent post and resolution of inherited post status. This is an incomplete fix of #52373 to prevent the function returning links resulting in a file not found error. Required to unblock this ticket.

Props peterwilsoncc, TimothyBlynJacobs.
See #52373.
Fixes #5272.

File:

• trunk/tests/phpunit/tests/media.php (modified) (3 diffs)

trunk/tests/phpunit/tests/media.php

@@ -3123 +3123 @@
      *
      * @param string $post_key     Post as keyed in the shared fixture array.
-     * @param string $expected     Expected result.
+     * @param string $expected_url Expected permalink.
      * @param bool   $expected_404 Whether the page is expected to return a 404 result.
      *
      */
-    function test_attachment_permalinks_based_on_parent_status( $post_key, $expected, $expected_404 ) {
+    function test_attachment_permalinks_based_on_parent_status( $post_key, $expected_url, $expected_404 ) {
         $this->set_permalink_structure( '/%postname%' );
         $post = get_post( self::$post_ids[ $post_key ] );
@@ -3135 +3135 @@
          * post object IDs are placeholders that needs to be replaced.
          */
-        $expected = home_url( str_replace( '%ID%', $post->ID, $expected ) );
-
-        $this->assertSame( $expected, get_permalink( $post ) );
+        $expected_url = home_url( str_replace( '%ID%', $post->ID, $expected_url ) );
+
         $this->go_to( get_permalink( $post ) );
-        $this->assertSame( $expected_404, is_404() );
+        $this->assertSame( $expected_url, get_permalink( $post ) );
+        if ( $expected_404 ) {
+            $this->assertQueryTrue( 'is_404' );
+        } else {
+            $this->assertQueryTrue( 'is_attachment', 'is_single', 'is_singular' );
+        }
+        $this->assertSame( 'attachment', $post->post_type );
     }
 
@@ -3147 +3152 @@
      * @return array[] {
      *     @type string $post_key     Post as keyed in the shared fixture array.
-     *     @type string $expected     Expected result.
+     *     @type string $expected_url Expected permalink.
      *     $type bool   $expected_404 Whether the page is expected to return a 404 result.
      * }