

Timestamp:
01/25/2024 07:41:24 PM (16 months ago)
Author:
jorbin
Message:

Media: Redirect inactive attachment pages for logged-out users.

Ensure logged out users are redirected to the media file when attachment pages are inactive. This removes the read_post capability check from the canonical redirects as anonymous users lack the permission.

This was previously committed in [57310] before being reverted in [57318]. This update includes a fix to cover instances where revealing a URL could be considered a data leak and greatly expands the unit tests to ensure that this is covered along with many other instances.

Follow-up to [56657], [56658], [56711], [57310], [57318].

Reviewed by joemcgill.
Merges [57357] to 6.4 branch.

Props peterwilsoncc, jorbin, afercia, aristath, chesio, joppuyo, jorbin, lakshmananphp, poena, sergeybiryukov, swissspidy, johnbillion, mukesh27.
Fixes #59866.
See #57913.

Location:
branches/6.4
Files:
2 edited


  • branches/6.4/tests/phpunit/tests/canonical.php

    r56657 r57358  
    1515        wp_set_current_user( self::$author_id );
    1616
    17         add_filter( 'pre_option_wp_attachment_pages_enabled', '__return_true' );
     17        update_option( 'wp_attachment_pages_enabled', 1 );
    1818    }
    1919
     
    407407
    408408    /**
     409     * Test canonical redirects for attachment pages when the option is disabled.
     410     *
    409411     * @ticket 57913
    410      */
    411     public function test_canonical_attachment_page_redirect_with_option_disabled() {
    412         add_filter( 'pre_option_wp_attachment_pages_enabled', '__return_false' );
     412     * @ticket 59866
     413     *
     414     * @dataProvider data_canonical_attachment_page_redirect_with_option_disabled
     415     */
     416    public function test_canonical_attachment_page_redirect_with_option_disabled( $expected, $user = null, $parent_post_status = '' ) {
     417        update_option( 'wp_attachment_pages_enabled', 0 );
     418
     419        if ( '' !== $parent_post_status ) {
     420            $parent_post_id = self::factory()->post->create(
     421                array(
     422                    'post_status' => $parent_post_status,
     423                )
     424            );
     425        } else {
     426            $parent_post_id = 0;
     427        }
    413428
    414429        $filename = DIR_TESTDATA . '/images/test-image.jpg';
     
    416431        $upload   = wp_upload_bits( wp_basename( $filename ), null, $contents );
    417432
    418         $attachment_id   = $this->_make_attachment( $upload );
     433        $attachment_id   = $this->_make_attachment( $upload, $parent_post_id );
     434        $attachment_url  = wp_get_attachment_url( $attachment_id );
    419435        $attachment_page = get_permalink( $attachment_id );
    420436
     437        // Set as anonymous/logged out user.
     438        if ( null !== $user ) {
     439            wp_set_current_user( $user );
     440        }
     441
    421442        $this->go_to( $attachment_page );
    422443
    423         $url      = redirect_canonical( $attachment_page, false );
    424         $expected = wp_get_attachment_url( $attachment_id );
     444        $url = redirect_canonical( $attachment_page, false );
     445        if ( is_string( $expected ) ) {
     446            $expected = str_replace( '%%attachment_url%%', $attachment_url, $expected );
     447        }
    425448
    426449        $this->assertSame( $expected, $url );
    427450    }
     451
     452    /**
     453     * Data provider for test_canonical_attachment_page_redirect_with_option_disabled().
     454     *
     455     * @return array[]
     456     */
     457    public function data_canonical_attachment_page_redirect_with_option_disabled() {
     458        return array(
     459            'logged out user, no parent'      => array(
     460                '%%attachment_url%%',
     461                0,
     462            ),
     463            'logged in user, no parent'       => array(
     464                '%%attachment_url%%',
     465            ),
     466            'logged out user, private parent' => array(
     467                null,
     468                0,
     469                'private',
     470            ),
     471            'logged in user, private parent'  => array(
     472                '%%attachment_url%%',
     473                null,
     474                'private',
     475            ),
     476            'logged out user, public parent'  => array(
     477                '%%attachment_url%%',
     478                0,
     479                'publish',
     480            ),
     481            'logged in user, public parent'   => array(
     482                '%%attachment_url%%',
     483                null,
     484                'publish',
     485            ),
     486        );
     487    }
    428488}
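Review bot: The comment `// Set as anonymous/logged out user.` above the `if ( null !== $user )` guard in test_canonical_attachment_page_redirect_with_option_disabled() does not describe the branch: the provider passes `0` for the logged-out cases and `null` for the logged-in ones, and for `null` the user set during fixture setup (`wp_set_current_user( self::$author_id )`) is simply kept, so it should read `// 0 logs out; null keeps the author from fixture setup logged in.`. The method docblock also lacks `@param` tags, and the `%%attachment_url%%` placeholder and the `null` expectation deserve spelling out, e.g. `@param string|null $expected Expected redirect URL, or null when no redirect is expected; '%%attachment_url%%' is replaced with the attachment's URL.` plus tags for `$user` (`0` = logged out, `null` = keep current user) and `$parent_post_status`. From a data-exposure standpoint the only non-public parent status exercised by the provider is `private`; if the redirect gate in the canonical.php half of this commit (not shown here) is status-based rather than private-specific, adding `draft`, `pending`, `future` and trashed parents, and a password-protected parent, as further data sets would lock in that the file URL is not revealed to logged-out users in those cases either.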