Opened 4 years ago

Last modified 3 weeks ago

#13425 reopened defect (bug)

Image Gallery of Private Post is publicly displayed

Reported by: hakre
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.0
Component: Gallery
Keywords: has-patch
Focuses:
Cc:

Description

Might have been forgotten only, I just ran over this inconsistency while beta-testing:

Description:

The Image Gallery of a Private Post is displayed (in another post via the Shorttag with id parameter) whereas, when clicking on the images to go to the attachment page, you get a 404 not found.

Example:

Post with Gallery
Attachment of that Gallery

Steps to reproduce

1. Create a new Post, set a title and the Status to private.
2. Save as Draft.
3. Preview it, to get the ID easily from the URL.
4. Upload a bunch of Images.
5. Insert the Gallery Shorttag inside that Post Body.
6. Publish the Post.
7. Create a second new Post.
8. Give it a Title and insert the Gallery Shortcode with the ID from the last Post.
9. Publish.
10. View.
11. Copy the URL.
12. Open another Browser so as to have a new User-Session.
13. Visit that URL.

Expected Behaviour

You should not see a gallery.

Behaviour

You see a gallery.

When clicking on a gallery link you get a 404 page.

Feedback

I see an inconsistency here but have no idea how to deal with it.

So either the gallery should not be found as well (not found as in 404, but in this case: not output), or the attachment pages should be able to be called as well.

Related: #11697

Attachments (1)

13425.patch (441 bytes) - added by SergeyBiryukov 2 months ago.


Change History (6)

comment:1 dd32 4 years ago

  • Component changed from General to Media
  • Milestone changed from Unassigned to Future Release

comment:2 wonderboymusic 2 months ago

  • Milestone Future Release deleted
  • Resolution set to invalid
  • Status changed from new to closed

Just because the images are attached to the post, doesn't mean they can't be shown. get_children() retrieves the attachments for the [gallery], and has never checked the post_status of the parent post.

comment:3 SergeyBiryukov 2 months ago

  • Component changed from Media to Gallery
  • Milestone set to Awaiting Review
  • Resolution invalid deleted
  • Status changed from closed to reopened

Reproduced in trunk.

Displaying a gallery where each image link leads to a 404 page doesn't make sense to me.

SergeyBiryukov 2 months ago (attachment 13425.patch added)

comment:4 SergeyBiryukov 2 months ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 3.9

If an id attribute is passed to [gallery], I guess we should check if the current user can read that post.
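The check proposed in comment 4, written out as an added example in plugin form (this is not 13425.patch and not core code; the `ex_` prefix and the hook names are the example's own choices). It wraps core's gallery_shortcode() and suppresses output when the [gallery id="..."] target is not readable by the current visitor. One caveat a practitioner should know: current_user_can( 'read_post' ) is false for logged-out visitors even on published posts, since it maps to the 'read' capability, so public statuses are allowed explicitly before the capability check runs.

```php
<?php
/*
 * Plugin Name: Guarded gallery shortcode (example for #13425)
 * Description: Hide [gallery id="N"] when the visitor cannot read post N.
 */

add_action( 'init', 'ex_register_guarded_gallery', 20 );

function ex_register_guarded_gallery() {
	// Replace the core handler with a wrapper; core's function stays callable.
	remove_shortcode( 'gallery' );
	add_shortcode( 'gallery', 'ex_guarded_gallery_shortcode' );
}

/**
 * Decide whether the current user may see attachments of $parent_id.
 * Returns true for posts in a public status (e.g. "publish"), otherwise
 * defers to the read_post meta capability (private -> read_private_posts,
 * non-existent post -> do_not_allow).
 */
function ex_can_view_gallery_parent( $parent_id ) {
	$parent_id  = (int) $parent_id;
	$status     = get_post_status( $parent_id );
	$status_obj = $status ? get_post_status_object( $status ) : null;

	if ( $status_obj && ! empty( $status_obj->public ) ) {
		return true; // published, viewable by anonymous visitors too
	}
	return current_user_can( 'read_post', $parent_id );
}

function ex_guarded_gallery_shortcode( $attr, $content = '', $tag = 'gallery' ) {
	$attr = is_array( $attr ) ? $attr : array();

	// Only the "id" attribute pulls attachments of another post; a gallery
	// without it refers to the post being rendered, which is already gated.
	if ( ! empty( $attr['id'] ) && ! ex_can_view_gallery_parent( $attr['id'] ) ) {
		return ''; // behave like the attachment pages: show nothing
	}

	return gallery_shortcode( $attr );
}
```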

comment:5 nacin 3 weeks ago

  • Milestone changed from 3.9 to Future Release

This goes all the way back to wp_edit_attachments_query(). Images attached to private posts are not explicitly private. A side effect of opening up galleries in 3.5 meant these could also be used in galleries. But it's been around like this for a long time.

It probably makes sense to block "id" but that really doesn't help much. The disclosure of info here is well-established.
