Make WordPress Core


Ignore:
Timestamp:
01/19/2024 12:42:48 AM (6 months ago)
Author:
peterwilsoncc
Message:

Media: Redirect inactive attachement pages for logged-out users.

Ensure logged out users are redirected to the media file when attachment pages are inactive. This removes the read_post capability check from the canonical redirects as anonymous users lack the permission.

Follow-up to [56657], [56658], [56711].

Props afercia, aristath, chesio, joppuyo, jorbin, lakshmananphp, poena, sergeybiryukov.
Fixes #59866.
See #57913.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/canonical.php

    r57232 r57310  
    551551
    552552    if ( is_attachment() && ! get_option( 'wp_attachment_pages_enabled' ) ) {
    553         $attachment_id = get_query_var( 'attachment_id' );
    554 
    555         if ( current_user_can( 'read_post', $attachment_id ) ) {
    556             $redirect_url = wp_get_attachment_url( $attachment_id );
    557 
    558             $is_attachment_redirect = true;
    559         }
     553        $attachment_id        = get_query_var( 'attachment_id' );
     554        $attachment_post      = get_post( $attachment_id );
     555        $attachment_parent_id = $attachment_post ? $attachment_post->post_parent : 0;
     556
     557        /*
     558         * If an attachment is attached to a post, it inherits the parent post's status. Fetch the
     559         * parent post to check its status later.
     560         */
     561        if ( $attachment_parent_id ) {
     562            $redirect_obj = get_post( $attachment_parent_id );
     563        }
     564        $redirect_url = wp_get_attachment_url( $attachment_id );
     565
     566        $is_attachment_redirect = true;
    560567    }
    561568
Note: See TracChangeset for help on using the changeset viewer.