Changeset 59728

Timestamp:

01/29/2025 06:10:47 PM (7 weeks ago)

Author:

johnbillion

Message:

Posts, Post Types: Add no-cache headers to password protected posts.

This instructs an intermediate cache, for example a proxy server, to not cache a password protected post both before and after a visitor has entered a password.

Props brevilo, haozi, ironprogrammer, narenin

Fixes #61711

Location:

trunk

Files:

• src/wp-includes/class-wp.php (modified) (1 diff)
• tests/phpunit/tests/wp/sendHeaders.php (modified) (2 diffs)

trunk/src/wp-includes/class-wp.php

@@ -546 +546 @@
                 $headers['X-Pingback'] = get_bloginfo( 'pingback_url', 'display' );
             }
+
+            // Send nocache headers for password protected posts to avoid unwanted caching.
+            if ( ! empty( $post->post_password ) ) {
+                $headers = array_merge( $headers, wp_get_nocache_headers() );
+            }
         }
 

trunk/tests/phpunit/tests/wp/sendHeaders.php

@@ -7 +7 @@
  */
 class Tests_WP_SendHeaders extends WP_UnitTestCase {
+    protected $headers_sent = array();
 
     /**
@@ -36 +37 @@
         $this->go_to( get_permalink( $post_id ) );
     }
+
+    /**
+     * @ticket 61711
+     */
+    public function test_send_headers_sets_cache_control_header_for_password_protected_posts() {
+        $password = 'password';
+
+        add_filter(
+            'wp_headers',
+            function ( $headers ) {
+                $this->headers_sent = $headers;
+                return $headers;
+            }
+        );
+
+        $post_id = self::factory()->post->create(
+            array(
+                'post_password' => $password,
+            )
+        );
+        $this->go_to( get_permalink( $post_id ) );
+
+        $headers_without_password         = $this->headers_sent;
+        $password_status_without_password = post_password_required( $post_id );
+
+        require_once ABSPATH . WPINC . '/class-phpass.php';
+
+        $hash = ( new PasswordHash( 8, true ) )->HashPassword( $password );
+
+        $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] = $hash;
+
+        $this->go_to( get_permalink( $post_id ) );
+
+        $headers_with_password         = $this->headers_sent;
+        $password_status_with_password = post_password_required( $post_id );
+
+        $this->assertTrue( $password_status_without_password );
+        $this->assertArrayHasKey( 'Cache-Control', $headers_without_password );
+
+        $this->assertFalse( $password_status_with_password );
+        $this->assertArrayHasKey( 'Cache-Control', $headers_with_password );
+    }
 }