Opened 9 years ago
Closed 9 years ago
#36370 closed defect (bug) (duplicate)
Attachments and Attachment pages from a password protected parent page can be see publicly
Reported by: | ticktockphoto | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.4.2 |
Component: | Media | Keywords: | |
Focuses: | Cc: |
Description
I have a gallery setup behind a password for clients, but have noticed that images from this wordpress gallery(created using wordpress, not a plugin) can be seen publicly if you know the URL to an images attachment page, which does not require a password to view the posts images.
Example: Password protected page is hxxps://www.ticktock.photo/aiden-joseph-leto-1-month-pictures/ which asks for the password to view its contents, while hxxps://www.ticktock.photo/aiden-joseph-leto-1-month-pictures/dsc_3831032316/ is a child attachment page of the password protected parent, and can be seen without a password.
Not sure if this is how wordpress is supposed to work, or a possible bug, but in my thinking, any content from the post, including attachments should fall under the parent pages settings and not be viewable if the parent page is password protected.
Hi @ticktockphoto, welcome to Trac!
Thanks for the report, we're already tracking this issue in #17255 and #33230.