Changeset 57310

Timestamp:

01/19/2024 12:42:48 AM (7 months ago)

Author:

peterwilsoncc

Message:

Media: Redirect inactive attachement pages for logged-out users.

Ensure logged out users are redirected to the media file when attachment pages are inactive. This removes the read_post capability check from the canonical redirects as anonymous users lack the permission.

Follow-up to [56657], [56658], [56711].

Props afercia, aristath, chesio, joppuyo, jorbin, lakshmananphp, poena, sergeybiryukov.
Fixes #59866.
See #57913.

Location:

trunk

Files:

• src/wp-includes/canonical.php (modified) (1 diff)
• tests/phpunit/tests/canonical.php (modified) (2 diffs)

trunk/src/wp-includes/canonical.php

@@ -551 +551 @@
 
     if ( is_attachment() && ! get_option( 'wp_attachment_pages_enabled' ) ) {
-        $attachment_id = get_query_var( 'attachment_id' );
-
-        if ( current_user_can( 'read_post', $attachment_id ) ) {
-            $redirect_url = wp_get_attachment_url( $attachment_id );
-
-            $is_attachment_redirect = true;
-        }
+        $attachment_id        = get_query_var( 'attachment_id' );
+        $attachment_post      = get_post( $attachment_id );
+        $attachment_parent_id = $attachment_post ? $attachment_post->post_parent : 0;
+
+        /*
+         * If an attachment is attached to a post, it inherits the parent post's status. Fetch the
+         * parent post to check its status later.
+         */
+        if ( $attachment_parent_id ) {
+            $redirect_obj = get_post( $attachment_parent_id );
+        }
+        $redirect_url = wp_get_attachment_url( $attachment_id );
+
+        $is_attachment_redirect = true;
     }
 

trunk/tests/phpunit/tests/canonical.php

@@ -408 +408 @@
 
     /**
+
+
      * @ticket 57913
-     */
-    public function test_canonical_attachment_page_redirect_with_option_disabled() {
+     * @ticket 59866
+     *
+     * @dataProvider data_canonical_attachment_page_redirect_with_option_disabled
+     */
+    public function test_canonical_attachment_page_redirect_with_option_disabled( $expected, $user = null, $parent_post_status = '' ) {
         add_filter( 'pre_option_wp_attachment_pages_enabled', '__return_false' );
+
+
+
+
+
+
+
+
+
+
 
         $filename = DIR_TESTDATA . '/images/test-image.jpg';
@@ -417 +432 @@
         $upload   = wp_upload_bits( wp_basename( $filename ), null, $contents );
 
-        $attachment_id   = $this->_make_attachment( $upload );
+        $attachment_id   = $this->_make_attachment( $upload, $parent_post_id );
+        $attachment_url  = wp_get_attachment_url( $attachment_id );
         $attachment_page = get_permalink( $attachment_id );
 
+
+
+
+
+
         $this->go_to( $attachment_page );
 
-        $url      = redirect_canonical( $attachment_page, false );
-        $expected = wp_get_attachment_url( $attachment_id );
+        $url = redirect_canonical( $attachment_page, false );
+        if ( is_string( $expected ) ) {
+            $expected = str_replace( '%%attachment_url%%', $attachment_url, $expected );
+        }
 
         $this->assertSame( $expected, $url );
     }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }