Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#36370 closed defect (bug) (duplicate)

Attachments and Attachment pages from a password protected parent page can be see publicly

Reported by: ticktockphoto Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.2
Component: Media Keywords:
Focuses: Cc:


I have a gallery setup behind a password for clients, but have noticed that images from this wordpress gallery(created using wordpress, not a plugin) can be seen publicly if you know the URL to an images attachment page, which does not require a password to view the posts images.

Example: Password protected page is hxxps://www.ticktock.photo/aiden-joseph-leto-1-month-pictures/ which asks for the password to view its contents, while hxxps://www.ticktock.photo/aiden-joseph-leto-1-month-pictures/dsc_3831032316/ is a child attachment page of the password protected parent, and can be seen without a password.

Not sure if this is how wordpress is supposed to work, or a possible bug, but in my thinking, any content from the post, including attachments should fall under the parent pages settings and not be viewable if the parent page is password protected.

Change History (1)

#1 @SergeyBiryukov
6 years ago

  • Component changed from General to Media
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @ticktockphoto, welcome to Trac!

Thanks for the report, we're already tracking this issue in #17255 and #33230.

Note: See TracTickets for help on using tickets.