Opened 15 years ago
Closed 2 weeks ago
#13425 closed defect (bug) (worksforme)
Image Gallery of Private Post is publicly displayed
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.0 |
Component: | Gallery | Keywords: | has-patch dev-feedback close |
Focuses: | Cc: |
Description
Might have been forgotten only, I just ran over this inconsistency while beta-testing:
Description:
The Image Gallery of a Private Post is displayed (in another post via the Shorttag with id parameter) whereas, when clicking on the images to go to the attachment page, you get a 404 not found.
Example:
Post with Gallery
Attachment of that Gallery
Steps to reproduce
Create a new Post, set a title and the Status to private.
Save as Draft.
Preview it, to get the ID easily from URL.
Upload a Bunch of Images.
Insert the Gallery Shorttag inside that Post Body.
Publish the Post.
Create a second new Post
Give it a Title and Insert the Gallery Shortcode with the ID from the last Post.
Publish.
View.
Copy the URL.
Open another Browser so to have a new User-Session.
Visit that URL.
Expected Behaviour
You should not see a gallery.
Behaviour
You see a gallery.
When clicking on a gallery link you get a 404 page.
Feedback
I see an inconsitency here but have no Idea how to deal with it.
So either the gallery should not be found as well (not found as in 404 but in this case: not output) or the attachment pages should be able to call as well.
Related: #11697
Attachments (1)
Change History (9)
#1
@
15 years ago
- Component changed from General to Media
- Milestone changed from Unassigned to Future Release
#2
@
11 years ago
- Milestone Future Release deleted
- Resolution set to invalid
- Status changed from new to closed
#3
@
11 years ago
- Component changed from Media to Gallery
- Milestone set to Awaiting Review
- Resolution invalid deleted
- Status changed from closed to reopened
Reproduced in trunk.
Displaying a gallery where each image link leads to a 404 page doesn't make sense to me.
#4
@
11 years ago
- Keywords has-patch added
- Milestone changed from Awaiting Review to 3.9
If an id
attribute is passed to [gallery]
, I guess we should check if the current user can read that post.
#5
@
11 years ago
- Milestone changed from 3.9 to Future Release
This goes all the way back to wp_edit_attachments_query(). Images attached to private posts are not explicitly private. A side effect of opening up galleries in 3.5 meant these could also be used in galleries. But it's been around like this for a long time.
It probably makes sense to block "id" but that really doesn't help much. The disclosure of info here is well-established.
#7
@
9 years ago
I just ran into this issue. It seems like the main problem is that even though the images themselves are not private, WordPress still treats the attachment page as a private post if the post it is attached to is set as private—resulting in users seeing a 404 error when they visit the attachment page. Detaching the image from the private post resolves the 404 issue.
I'm not sure if there is a good reason for attachment pages to inherit the privacy of the page it is attached to or not, since viewing the image itself is not subject to any capabilities check, but if not, we should attempt resolving the 404 issue.
#8
@
2 weeks ago
- Keywords close added
- Resolution set to worksforme
- Status changed from reopened to closed
Hi All,
I have taken a quick look at this and I don't believe it is possible to replicate this issue exactly as documented now we have moved to gutenberg. However I have taken the following steps which are very close to the original:
- Create a new Post, set a title.
- Upload images to the gallery block.
- Publish the post as private
- Get the ID for the new post (52).
- Create a second new Post.
- Give it a Title and Insert the Gallery Shortcode with the ID from the last Post.
[gallery id=52]
- Publish and view the second post on a clean browser / incognito so viewing the page logged out.
We now don't see a gallery on the second post unless logged in which is exactly as per the originally expected behaviour. As of such I believe this issue is now resolved within the current state of WordPress, and can be closed.
Just because the images are attached to the post, doesn't mean they can't be shown.
get_children()
retrieves the attachments for the[gallery]
, and has never checked thepost_status
of the parent post.