Make WordPress Core


Timestamp:
01/25/2024 07:41:24 PM (16 months ago)
Author:
jorbin
Message:

Media: Redirect inactive attachment pages for logged-out users.

Ensure logged-out users are redirected to the media file when attachment pages are inactive. This removes the read_post capability check from the canonical redirects as anonymous users lack the permission.

This was previously committed in [57310] before being reverted in [57318]. This update includes a fix to cover instances where revealing a URL could be considered a data leak and greatly expands the unit tests to ensure that this is covered along with many other instances.

Follow-up to [56657], [56658], [56711], [57310], [57318].

Reviewed by joemcgill.
Merges [57357] to 6.4 branch.

Props peterwilsoncc, jorbin, afercia, aristath, chesio, joppuyo, jorbin, lakshmananphp, poena, sergeybiryukov, swissspidy, johnbillion, mukesh27.
Fixes #59866.
See #57913.

Location:
branches/6.4
Files:
2 edited

  • branches/6.4

  • branches/6.4/src/wp-includes/canonical.php

    r56738 r57358  
    549549
    550550    if ( is_attachment() && ! get_option( 'wp_attachment_pages_enabled' ) ) {
    551         $attachment_id = get_query_var( 'attachment_id' );
    552 
    553         if ( current_user_can( 'read_post', $attachment_id ) ) {
    554             $redirect_url = wp_get_attachment_url( $attachment_id );
    555 
    556             $is_attachment_redirect = true;
    557         }
     551        $attachment_id        = get_query_var( 'attachment_id' );
     552        $attachment_post      = get_post( $attachment_id );
     553        $attachment_parent_id = $attachment_post ? $attachment_post->post_parent : 0;
     554
     555        $attachment_url = wp_get_attachment_url( $attachment_id );
     556        if ( $attachment_url !== $redirect_url ) {
     557            /*
     558            * If an attachment is attached to a post, it inherits the parent post's status. Fetch the
     559            * parent post to check its status later.
     560            */
     561            if ( $attachment_parent_id ) {
     562                $redirect_obj = get_post( $attachment_parent_id );
     563            }
     564            $redirect_url = $attachment_url;
     565        }
     566
     567        $is_attachment_redirect = true;
    558568    }
    559569
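Review bot: `$redirect_obj` is only reassigned inside `if ( $attachment_parent_id )`, so an unattached attachment (`post_parent` of 0) keeps whatever `$redirect_obj` held before this block yet is still redirected, because `$is_attachment_redirect = true` is now set unconditionally rather than behind the removed `current_user_can( 'read_post', ... )` check; the parent-status check this block prepares for therefore does not cover unattached attachments, and the expanded tests mentioned in the commit message should exercise that case explicitly. A second point at `if ( $attachment_url !== $redirect_url )`: `wp_get_attachment_url()` returns `false` when no file is associated, and `false !== $redirect_url` is true, so `$redirect_url` can be assigned `false` here; consider `if ( $attachment_url && $attachment_url !== $redirect_url )` so the function falls through instead of attempting a redirect to an empty location.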