
Changeset 57310


Timestamp:
01/19/2024 12:42:48 AM (3 months ago)
Author:
peterwilsoncc
Message:

Media: Redirect inactive attachement pages for logged-out users.

Ensure logged out users are redirected to the media file when attachment pages are inactive. This removes the read_post capability check from the canonical redirects as anonymous users lack the permission.

Follow-up to [56657], [56658], [56711].

Props afercia, aristath, chesio, joppuyo, jorbin, lakshmananphp, poena, sergeybiryukov.
Fixes #59866.
See #57913.

Location:
trunk
Files:
2 edited

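--- a/trunk/src/wp-includes/canonical.php
+++ b/trunk/src/wp-includes/canonical.php
@@ -551,11 +551,18 @@
 
     if ( is_attachment() && ! get_option( 'wp_attachment_pages_enabled' ) ) {
-        $attachment_id = get_query_var( 'attachment_id' );
-
-        if ( current_user_can( 'read_post', $attachment_id ) ) {
-            $redirect_url = wp_get_attachment_url( $attachment_id );
-
-            $is_attachment_redirect = true;
-        }
+        $attachment_id        = get_query_var( 'attachment_id' );
+        $attachment_post      = get_post( $attachment_id );
+        $attachment_parent_id = $attachment_post ? $attachment_post->post_parent : 0;
+
+        /*
+         * If an attachment is attached to a post, it inherits the parent post's status. Fetch the
+         * parent post to check its status later.
+         */
+        if ( $attachment_parent_id ) {
+            $redirect_obj = get_post( $attachment_parent_id );
+        }
+        $redirect_url = wp_get_attachment_url( $attachment_id );
+
+        $is_attachment_redirect = true;
     }
 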
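Review bot: With the `current_user_can( 'read_post', $attachment_id )` guard removed, `$redirect_url` is set to the file URL unconditionally, so keeping files attached to non-public posts away from logged-out visitors now rests entirely on the status check the new comment defers to, which is outside this hunk. `$redirect_obj` is assigned only when `$attachment_parent_id` is non-zero, so for an unattached attachment this hunk gives that later check nothing new to inspect. If the later check accepts an attachment post, a fallback would cover that case: `$redirect_obj = $attachment_parent_id ? get_post( $attachment_parent_id ) : $attachment_post;`. The enclosing function starts and ends outside the hunk, so the initial value of `$redirect_obj` and the exact status check should be confirmed there.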
  • trunk/tests/phpunit/tests/canonical.php

    r57232 r57310  
    408408
    409409    /**
     410     * Test canonical redirects for attachment pages when the option is disabled.
     411     *
    410412     * @ticket 57913
    411      */
    412     public function test_canonical_attachment_page_redirect_with_option_disabled() {
     413     * @ticket 59866
     414     *
     415     * @dataProvider data_canonical_attachment_page_redirect_with_option_disabled
     416     */
     417    public function test_canonical_attachment_page_redirect_with_option_disabled( $expected, $user = null, $parent_post_status = '' ) {
    413418        add_filter( 'pre_option_wp_attachment_pages_enabled', '__return_false' );
     419
     420        if ( '' !== $parent_post_status ) {
     421            $parent_post_id = self::factory()->post->create(
     422                array(
     423                    'post_status' => $parent_post_status,
     424                )
     425            );
     426        } else {
     427            $parent_post_id = 0;
     428        }
    414429
    415430        $filename = DIR_TESTDATA . '/images/test-image.jpg';
     
    417432        $upload   = wp_upload_bits( wp_basename( $filename ), null, $contents );
    418433
    419         $attachment_id   = $this->_make_attachment( $upload );
     434        $attachment_id   = $this->_make_attachment( $upload, $parent_post_id );
     435        $attachment_url  = wp_get_attachment_url( $attachment_id );
    420436        $attachment_page = get_permalink( $attachment_id );
    421437
     438        // Set as anonymous/logged out user.
     439        if ( null !== $user ) {
     440            wp_set_current_user( $user );
     441        }
     442
    422443        $this->go_to( $attachment_page );
    423444
    424         $url      = redirect_canonical( $attachment_page, false );
    425         $expected = wp_get_attachment_url( $attachment_id );
     445        $url = redirect_canonical( $attachment_page, false );
     446        if ( is_string( $expected ) ) {
     447            $expected = str_replace( '%%attachment_url%%', $attachment_url, $expected );
     448        }
    426449
    427450        $this->assertSame( $expected, $url );
    428451    }
     452
     453    /**
     454     * Data provider for test_canonical_attachment_page_redirect_with_option_disabled().
     455     *
     456     * @return array[]
     457     */
     458    public function data_canonical_attachment_page_redirect_with_option_disabled() {
     459        return array(
     460            'logged out user, no parent'      => array(
     461                '%%attachment_url%%',
     462                0,
     463            ),
     464            'logged in user, no parent'       => array(
     465                '%%attachment_url%%',
     466            ),
     467            'logged out user, private parent' => array(
     468                null,
     469                0,
     470                'private',
     471            ),
     472            'logged in user, private parent'  => array(
     473                '%%attachment_url%%',
     474                null,
     475                'private',
     476            ),
     477            'logged out user, public parent'  => array(
     478                '%%attachment_url%%',
     479                0,
     480                'publish',
     481            ),
     482            'logged in user, public parent'   => array(
     483                '%%attachment_url%%',
     484                null,
     485                'publish',
     486            ),
     487        );
     488    }
    429489}
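Review bot: The data provider covers only `private` and `publish` parents, so nothing pins what a logged-out visitor gets for an attachment whose parent is a draft, pending or trashed post. Those are the statuses where a redirect to the file would expose unpublished content now that the capability check is gone from canonical.php. I would add at least `'logged out user, draft parent' => array( null, 0, 'draft' ),` (expected value assumed to be null, as for the private parent). The comment `// Set as anonymous/logged out user.` is also only accurate when `$user` is 0: the "logged in user" rows pass null or omit it and rely on whichever user the test class set up outside this section, which the docblock should state.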