vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2025-10-16 12:05:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Canonical: Prevent ID enumeration of private post slugs.

Browse Source 
Add check to `redirect_canonical()` to ensure private posts only redirect for logged in users.

Modifies the `read_post` mata capability to user `get_post_status()` rather than the post's `post_status` property to allow attachments to redirect based on the inherited post status.

Introduces `wp_force_ugly_post_permalink()` to unify the check to determine if an ugly link should be displayed in each of the functions used for determining permalinks: `get_permalink()`, `get_post_permalink()`, `_get_page_link()` and `get_attachment_link()`.

Improves logic of `get_attachment_link()` to validate parent post and resolution of inherited post status. This is an incomplete fix of #52373 to prevent the function returning links resulting in a file not found error. Required to unblock this ticket.

Props peterwilsoncc, TimothyBlynJacobs.
See #52373.
Fixes #5272.


git-svn-id: https://develop.svn.wordpress.org/trunk@50132 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Peter Wilson 2021-02-02 00:38:40 +00:00
parent 051aa92e3d
commit 553d618e4a
6 changed files with 1102 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
src/wp-includes/canonical.php
View File

@ -77,6 +77,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
$redirect = $original;
$redirect_url = false;
$redirect_obj = false;
// Notice fixing.
if ( ! isset( $redirect['path'] ) ) {
@ -102,6 +103,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( is_feed() && $post_id ) {
$redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) );
$redirect_obj = get_post( $post_id );
if ( $redirect_url ) {
$redirect['query'] = _remove_qs_args_if_not_in_url(
@ -126,6 +128,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
}
$redirect_url = get_permalink( $post_id );
$redirect_obj = get_post( $post_id );
if ( $redirect_url ) {
$redirect['query'] = _remove_qs_args_if_not_in_url(
@ -150,6 +153,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( $post_type_obj && $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) {
$redirect_url = get_permalink( $redirect_post );
$redirect_obj = get_post( $redirect_post );
$redirect['query'] = _remove_qs_args_if_not_in_url(
$redirect['query'],
@ -197,6 +201,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( $post_id ) {
$redirect_url = get_permalink( $post_id );
$redirect_obj = get_post( $post_id );
$redirect['path'] = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' );
$redirect['query'] = remove_query_arg( 'page', $redirect['query'] );
@ -223,27 +228,32 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
) {
if ( ! empty( $_GET['attachment_id'] ) ) {
$redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) );
$redirect_obj = get_post( get_query_var( 'attachment_id' ) );
if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'attachment_id', $redirect['query'] );
}
} else {
$redirect_url = get_attachment_link();
$redirect_obj = get_post();
}
} elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) {
$redirect_url = get_permalink( get_query_var( 'p' ) );
$redirect_obj = get_post( get_query_var( 'p' ) );
if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( array( 'p', 'post_type' ), $redirect['query'] );
}
} elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) {
$redirect_url = get_permalink( $wp_query->get_queried_object_id() );
$redirect_obj = get_post( $wp_query->get_queried_object_id() );
if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'name', $redirect['query'] );
}
} elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) {
$redirect_url = get_permalink( get_query_var( 'page_id' ) );
$redirect_obj = get_post( get_query_var( 'page_id' ) );
if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
@ -256,6 +266,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
&& 'page' === get_option( 'show_on_front' ) && get_query_var( 'page_id' ) === (int) get_option( 'page_for_posts' )
) {
$redirect_url = get_permalink( get_option( 'page_for_posts' ) );
$redirect_obj = get_post( get_option( 'page_for_posts' ) );
if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
@ -310,6 +321,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
&& $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) )
) {
$redirect_url = get_author_posts_url( $author->ID, $author->user_nicename );
$redirect_obj = $author;
if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'author', $redirect['query'] );
@ -385,6 +397,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|| ! has_term( $category->term_id, 'category', $wp_query->get_queried_object_id() )
) {
$redirect_url = get_permalink( $wp_query->get_queried_object_id() );
$redirect_obj = get_post( $wp_query->get_queried_object_id() );
}
}
}
@ -395,6 +408,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( ! $redirect_url ) {
$redirect_url = get_permalink( get_queried_object_id() );
$redirect_obj = get_post( get_queried_object_id() );
}
if ( $page > 1 ) {
@ -740,6 +754,28 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
$requested_url = preg_replace_callback( '|%[a-fA-F0-9][a-fA-F0-9]|', 'lowercase_octets', $requested_url );
}
if ( $redirect_obj instanceof WP_Post ) {
$post_status_obj = get_post_status_object( get_post_status( $redirect_obj ) );
/*
* Unset the redirect object and URL if they are not readable by the user.
* This condition is a little confusing as the condition needs to pass if
* the post is not readable by the user. That's why there are ! (not) conditions
* throughout.
*/
if (
// Private post statuses only redirect if the user can read them.
! (
$post_status_obj->private &&
current_user_can( 'read_post', $redirect_obj->ID )
) &&
// For other posts, only redirect if publicly viewable.
! is_post_publicly_viewable( $redirect_obj )
) {
$redirect_obj = false;
$redirect_url = false;
}
}
/**
* Filters the canonical redirect URL.
*

4
src/wp-includes/capabilities.php
View File

@ -245,10 +245,10 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
break;
}
$status_obj = get_post_status_object( $post->post_status );
$status_obj = get_post_status_object( get_post_status( $post ) );
if ( ! $status_obj ) {
/* translators: 1: Post status, 2: Capability name. */
_doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), $post->post_status, $cap ), '5.4.0' );
_doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), get_post_status( $post ), $cap ), '5.4.0' );
$caps[] = 'edit_others_posts';
break;
}

87
src/wp-includes/link-template.php
View File

@ -89,6 +89,58 @@ function permalink_anchor( $mode = 'id' ) {
}
}
/**
* Determine whether post should always use an ugly permalink structure.
*
* @since 5.7.0
*
* @param WP_Post|int|null $post Optional. Post ID or post object. Defaults to global $post.
* @param bool|null $sample Optional. Whether to force consideration based on sample links.
* If omitted, a sample link is generated if a post object is passed
* with the filter property set to 'sample'.
* @return bool Whether to use an ugly permalink structure.
*/
function wp_force_ugly_post_permalink( $post = null, $sample = null ) {
if (
null === $sample &&
is_object( $post ) &&
isset( $post->filter ) &&
'sample' === $post->filter
) {
$sample = true;
} else {
$post = get_post( $post );
$sample = null !== $sample ? $sample : false;
}
if ( ! $post ) {
return true;
}
$post_status_obj = get_post_status_object( get_post_status( $post ) );
$post_type_obj = get_post_type_object( get_post_type( $post ) );
if ( ! $post_status_obj || ! $post_type_obj ) {
return true;
}
if (
// Publicly viewable links never have ugly permalinks.
is_post_status_viewable( $post_status_obj ) ||
(
// Private posts don't have ugly links if the user can read them.
$post_status_obj->private &&
current_user_can( 'read_post', $post->ID )
) ||
// Protected posts don't have ugly links if getting a sample URL.
( $post_status_obj->protected && $sample )
) {
return false;
}
return true;
}
/**
* Retrieves the full permalink for the current post or post ID.
*
@ -166,7 +218,7 @@ function get_permalink( $post = 0, $leavename = false ) {
if (
$permalink &&
! in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft', 'future', 'trash' ), true )
! wp_force_ugly_post_permalink( $post )
) {
$category = '';
@ -277,7 +329,7 @@ function get_post_permalink( $id = 0, $leavename = false, $sample = false ) {
$slug = $post->post_name;
$draft_or_pending = get_post_status( $post ) && in_array( get_post_status( $post ), array( 'draft', 'pending', 'auto-draft', 'future' ), true );
$force_ugly_link = wp_force_ugly_post_permalink( $post );
$post_type = get_post_type_object( $post->post_type );
@ -285,13 +337,13 @@ function get_post_permalink( $id = 0, $leavename = false, $sample = false ) {
$slug = get_page_uri( $post );
}
if ( ! empty( $post_link ) && ( ! $draft_or_pending || $sample ) ) {
if ( ! empty( $post_link ) && ( ! $force_ugly_link || $sample ) ) {
if ( ! $leavename ) {
$post_link = str_replace( "%$post->post_type%", $slug, $post_link );
}
$post_link = home_url( user_trailingslashit( $post_link ) );
} else {
if ( $post_type->query_var && ( isset( $post->post_status ) && ! $draft_or_pending ) ) {
if ( $post_type->query_var && ( isset( $post->post_status ) && ! $force_ugly_link ) ) {
$post_link = add_query_arg( $post_type->query_var, $slug, '' );
} else {
$post_link = add_query_arg(
@ -373,11 +425,11 @@ function _get_page_link( $post = false, $leavename = false, $sample = false ) {
$post = get_post( $post );
$draft_or_pending = in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft' ), true );
$force_ugly_link = wp_force_ugly_post_permalink( $post );
$link = $wp_rewrite->get_page_permastruct();
if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $draft_or_pending ) || $sample ) ) {
if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $force_ugly_link ) || $sample ) ) {
if ( ! $leavename ) {
$link = str_replace( '%pagename%', get_page_uri( $post ), $link );
}
@ -417,13 +469,26 @@ function get_attachment_link( $post = null, $leavename = false ) {
$link = false;
$post = get_post( $post );
$parent = ( $post->post_parent > 0 && $post->post_parent != $post->ID ) ? get_post( $post->post_parent ) : false;
if ( $parent && ! in_array( $parent->post_type, get_post_types(), true ) ) {
$parent = false;
$post = get_post( $post );
$force_ugly_link = wp_force_ugly_post_permalink( $post );
$parent_id = $post->post_parent;
$parent = $parent_id ? get_post( $parent_id ) : false;
$parent_valid = true; // Default for no parent.
if (
$parent_id &&
(
$post->post_parent === $post->ID ||
! $parent ||
! is_post_type_viewable( get_post_type( $parent ) )
)
) {
// Post is either its own parent or parent post unavailable.
$parent_valid = false;
}
if ( $wp_rewrite->using_permalinks() && $parent ) {
if ( $force_ugly_link || ! $parent_valid ) {
$link = false;
} elseif ( $wp_rewrite->using_permalinks() && $parent ) {
if ( 'page' === $parent->post_type ) {
$parentlink = _get_page_link( $post->post_parent ); // Ignores page_on_front.
} else {

973
tests/phpunit/tests/canonical/postStatus.php Normal file
View File

@ -0,0 +1,973 @@
<?php
/**
* @group canonical
* @group rewrite
* @group query
*/
class Tests_Canonical_PostStatus extends WP_Canonical_UnitTestCase {
/**
* User IDs.
*
* @var array
*/
public static $users;
/**
* Post Objects.
*
* @var array
*/
public static $posts;
public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
self::setup_custom_types();
self::$users = array(
'anon' => 0,
'subscriber' => $factory->user->create( array( 'role' => 'subscriber' ) ),
'content_author' => $factory->user->create( array( 'role' => 'author' ) ),
'editor' => $factory->user->create( array( 'role' => 'editor' ) ),
);
$post_statuses = array( 'publish', 'future', 'draft', 'pending', 'private', 'auto-draft', 'a-private-status' );
foreach ( $post_statuses as $post_status ) {
$post_date = '';
if ( 'future' === $post_status ) {
$post_date = strftime( '%Y-%m-%d %H:%M:%S', strtotime( '+1 year' ) );
}
self::$posts[ $post_status ] = $factory->post->create_and_get(
array(
'post_type' => 'post',
'post_title' => "$post_status post",
'post_name' => "$post_status-post",
'post_status' => $post_status,
'post_content' => "Prevent canonical redirect exposing post slugs.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
'post_date' => $post_date,
)
);
// Add fake attachment to the post (file upload not needed).
self::$posts[ "$post_status-attachment" ] = $factory->post->create_and_get(
array(
'post_type' => 'attachment',
'post_title' => "$post_status inherited attachment",
'post_name' => "$post_status-inherited-attachment",
'post_status' => 'inherit',
'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
'post_parent' => self::$posts[ $post_status ]->ID,
'post_date' => $post_date,
)
);
// Set up a page with same.
self::$posts[ "$post_status-page" ] = $factory->post->create_and_get(
array(
'post_type' => 'page',
'post_title' => "$post_status page",
'post_name' => "$post_status-page",
'post_status' => $post_status,
'post_content' => "Prevent canonical redirect exposing page slugs.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
'post_date' => $post_date,
)
);
}
// Create a public CPT using a private status.
self::$posts['a-public-cpt'] = $factory->post->create_and_get(
array(
'post_type' => 'a-public-cpt',
'post_title' => 'a-public-cpt',
'post_name' => 'a-public-cpt',
'post_status' => 'private',
'post_content' => 'Prevent canonical redirect exposing a-public-cpt titles.',
'post_author' => self::$users['content_author'],
)
);
// Add fake attachment to the public cpt (file upload not needed).
self::$posts['a-public-cpt-attachment'] = $factory->post->create_and_get(
array(
'post_type' => 'attachment',
'post_title' => 'a-public-cpt post inherited attachment',
'post_name' => 'a-public-cpt-inherited-attachment',
'post_status' => 'inherit',
'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
'post_parent' => self::$posts['a-public-cpt']->ID,
)
);
// Create a private CPT with a public status.
self::$posts['a-private-cpt'] = $factory->post->create_and_get(
array(
'post_type' => 'a-private-cpt',
'post_title' => 'a-private-cpt',
'post_name' => 'a-private-cpt',
'post_status' => 'publish',
'post_content' => 'Prevent canonical redirect exposing a-private-cpt titles.',
'post_author' => self::$users['content_author'],
)
);
// Add fake attachment to the private cpt (file upload not needed).
self::$posts['a-private-cpt-attachment'] = $factory->post->create_and_get(
array(
'post_type' => 'attachment',
'post_title' => 'a-private-cpt post inherited attachment',
'post_name' => 'a-private-cpt-inherited-attachment',
'post_status' => 'inherit',
'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
'post_parent' => self::$posts['a-private-cpt']->ID,
)
);
// Post for trashing.
self::$posts['trash'] = $factory->post->create_and_get(
array(
'post_type' => 'post',
'post_title' => 'trash post',
'post_name' => 'trash-post',
'post_status' => 'publish',
'post_content' => "Prevent canonical redirect exposing post slugs.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
)
);
self::$posts['trash-attachment'] = $factory->post->create_and_get(
array(
'post_type' => 'attachment',
'post_title' => 'trash post inherited attachment',
'post_name' => 'trash-post-inherited-attachment',
'post_status' => 'inherit',
'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
'post_parent' => self::$posts['trash']->ID,
)
);
// Page for trashing.
self::$posts['trash-page'] = $factory->post->create_and_get(
array(
'post_type' => 'page',
'post_title' => 'trash page',
'post_name' => 'trash-page',
'post_status' => 'publish',
'post_content' => "Prevent canonical redirect exposing page slugs.\n\n<!--nextpage-->Page 2",
'post_author' => self::$users['content_author'],
)
);
wp_trash_post( self::$posts['trash']->ID );
wp_trash_post( self::$posts['trash-page']->ID );
}
function setUp() {
parent::setUp();
self::setup_custom_types();
}
/**
* Set up a custom post type and private status.
*
* This needs to be called both in the class setup and
* test setup.
*/
public static function setup_custom_types() {
// Register public custom post type.
register_post_type(
'a-public-cpt',
array(
'public' => true,
'rewrite' => array(
'slug' => 'a-public-cpt',
),
)
);
// Register private custom post type.
register_post_type(
'a-private-cpt',
array(
'public' => false,
'publicly_queryable' => false,
'rewrite' => array(
'slug' => 'a-private-cpt',
),
'map_meta_cap' => true,
)
);
// Register custom private post status.
register_post_status(
'a-private-status',
array(
'private' => true,
)
);
}
/**
* Test canonical redirect does not reveal private posts presence.
*
* @ticket 5272
* @dataProvider data_canonical_redirects_to_ugly_permalinks
*
* @param string $post_key Post key used for creating fixtures.
* @param string $user_role User role.
* @param string $requested Requested URL.
* @param string $expected Expected URL.
*/
public function test_canonical_redirects_to_ugly_permalinks( $post_key, $user_role, $requested, $expected ) {
wp_set_current_user( self::$users[ $user_role ] );
$this->set_permalink_structure( '' );
$post = self::$posts[ $post_key ];
clean_post_cache( $post->ID );
/*
* The dataProvider runs before the fixures are set up, therefore the
* post object IDs are placeholders that needs to be replaced.
*/
$requested = str_replace( '%ID%', $post->ID, $requested );
$expected = str_replace( '%ID%', $post->ID, $expected );
$this->assertCanonical( $requested, $expected );
}
/**
* Data provider for test_canonical_redirects_to_ugly_permalinks.
*
* @return array[] Array of arguments for tests {
* @type string $post_key Post key used for creating fixtures.
* @type string $user_role User role.
* @type string $requested Requested URL.
* @type string $expected Expected URL.
* }
*/
function data_canonical_redirects_to_ugly_permalinks() {
$data = array();
$all_user_list = array( 'anon', 'subscriber', 'content_author', 'editor' );
$select_allow_list = array( 'content_author', 'editor' );
$select_block_list = array( 'anon', 'subscriber' );
// All post/page keys
$all_user_post_status_keys = array( 'publish' );
$select_user_post_status_keys = array( 'private', 'a-private-status' );
$no_user_post_status_keys = array( 'future', 'draft', 'pending', 'auto-draft' ); // Excludes trash for attachment rules.
$select_user_post_type_keys = array( 'a-public-cpt' );
$no_user_post_type_keys = array( 'a-private-cpt' );
foreach ( $all_user_post_status_keys as $post_key ) {
foreach ( $all_user_list as $user ) {
/*
* In the event `redirect_canonical()` is updated to redirect ugly permalinks
* to a canonical ugly version, these expected values can be changed.
*/
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
// Ensure rss redirects to rss2.
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss2&p=%ID%',
);
// Ensure rss redirects to rss2.
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss2&page_id=%ID%',
);
}
}
foreach ( $select_user_post_status_keys as $post_key ) {
foreach ( $select_allow_list as $user ) {
/*
* In the event `redirect_canonical()` is updated to redirect ugly permalinks
* to a canonical ugly version, these expected values can be changed.
*/
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
// Ensure rss redirects to rss2.
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss2&p=%ID%',
);
// Ensure rss redirects to rss2.
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss2&page_id=%ID%',
);
}
foreach ( $select_block_list as $user ) {
/*
* In the event `redirect_canonical()` is updated to redirect ugly permalinks
* to a canonical ugly version, these expected values MUST NOT be changed.
*/
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
// Ensure post's existence is not demonstrated by changing rss to rss2.
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
// Ensure post's existence is not demonstrated by changing rss to rss2.
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss&page_id=%ID%',
);
}
}
foreach ( $no_user_post_status_keys as $post_key ) {
foreach ( $all_user_list as $user ) {
/*
* In the event `redirect_canonical()` is updated to redirect ugly permalinks
* to a canonical ugly version, these expected values MUST NOT be changed.
*/
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
// Ensure post's existence is not demonstrated by changing rss to rss2.
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
// Ensure post's existence is not demonstrated by changing rss to rss2.
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss&page_id=%ID%',
);
}
}
foreach ( array( 'trash' ) as $post_key ) {
foreach ( $all_user_list as $user ) {
/*
* In the event `redirect_canonical()` is updated to redirect ugly permalinks
* to a canonical ugly version, these expected values MUST NOT be changed.
*/
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
// Ensure post's existence is not demonstrated by changing rss to rss2.
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
// Ensure post's existence is not demonstrated by changing rss to rss2.
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss&page_id=%ID%',
);
}
}
foreach ( $select_user_post_type_keys as $post_key ) {
foreach ( $select_allow_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?a-public-cpt=a-public-cpt',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key&post_type=$post_key",
"/?name=$post_key&post_type=$post_key",
);
// Ensure rss is replaced by rss2.
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?a-public-cpt=a-public-cpt&feed=rss2',
);
}
foreach ( $select_block_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?p=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key&post_type=$post_key",
"/?name=$post_key&post_type=$post_key",
);
// Ensure rss is not replaced with rss2.
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
}
}
foreach ( $no_user_post_type_keys as $post_key ) {
foreach ( $all_user_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?p=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key&post_type=$post_key",
"/?name=$post_key&post_type=$post_key",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
}
}
return $data;
}
/**
* Test canonical redirect does not reveal private slugs.
*
* @ticket 5272
* @dataProvider data_canonical_redirects_to_pretty_permalinks
*
* @param string $post_key Post key used for creating fixtures.
* @param string $user_role User role.
* @param string $requested Requested URL.
* @param string $expected Expected URL.
*/
public function test_canonical_redirects_to_pretty_permalinks( $post_key, $user_role, $requested, $expected ) {
wp_set_current_user( self::$users[ $user_role ] );
$this->set_permalink_structure( '/%postname%/' );
$post = self::$posts[ $post_key ];
clean_post_cache( $post->ID );
/*
* The dataProvider runs before the fixures are set up, therefore the
* post object IDs are placeholders that needs to be replaced.
*/
$requested = str_replace( '%ID%', $post->ID, $requested );
$expected = str_replace( '%ID%', $post->ID, $expected );
$this->assertCanonical( $requested, $expected );
}
/**
* Data provider for test_canonical_redirects_to_pretty_permalinks.
*
* @return array[] Array of arguments for tests {
* @type string $post_key Post key used for creating fixtures.
* @type string $user_role User role.
* @type string $requested Requested URL.
* @type string $expected Expected URL.
* }
*/
function data_canonical_redirects_to_pretty_permalinks() {
$data = array();
$all_user_list = array( 'anon', 'subscriber', 'content_author', 'editor' );
$select_allow_list = array( 'content_author', 'editor' );
$select_block_list = array( 'anon', 'subscriber' );
// All post/page keys
$all_user_post_status_keys = array( 'publish' );
$select_user_post_status_keys = array( 'private', 'a-private-status' );
$no_user_post_status_keys = array( 'future', 'draft', 'pending', 'auto-draft' ); // Excludes trash for attachment rules.
$select_user_post_type_keys = array( 'a-public-cpt' );
$no_user_post_type_keys = array( 'a-private-cpt' );
foreach ( $all_user_post_status_keys as $post_key ) {
foreach ( $all_user_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
"/$post_key-post/",
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
"/$post_key-post/$post_key-inherited-attachment/",
);
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
"/$post_key-page/",
);
$data[] = array(
"$post_key-page",
$user,
'/?page_id=%ID%',
"/$post_key-page/",
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/$post_key-post/",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
"/$post_key-post/feed/",
);
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
"/$post_key-page/feed/",
);
}
}
foreach ( $select_user_post_status_keys as $post_key ) {
foreach ( $select_allow_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
"/$post_key-post/",
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
"/$post_key-post/$post_key-inherited-attachment/",
);
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
"/$post_key-page/",
);
$data[] = array(
"$post_key-page",
$user,
'/?page_id=%ID%',
"/$post_key-page/",
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/$post_key-post/",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
"/$post_key-post/feed/",
);
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
"/$post_key-page/feed/",
);
}
foreach ( $select_block_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?p=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?page_id=%ID%',
'/?page_id=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss&page_id=%ID%',
);
}
}
foreach ( $select_user_post_type_keys as $post_key ) {
foreach ( $select_allow_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
"/$post_key/$post_key/",
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
"/$post_key/$post_key/$post_key-inherited-attachment/",
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key&post_type=$post_key",
"/$post_key/$post_key/?post_type=$post_key",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
"/$post_key/$post_key/feed/",
);
}
foreach ( $select_block_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?p=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key&post_type=$post_key",
"/?name=$post_key&post_type=$post_key",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
}
}
foreach ( $no_user_post_type_keys as $post_key ) {
foreach ( $all_user_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?p=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
// "/$post_key-inherited-attachment/",
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key&post_type=$post_key",
"/?name=$post_key&post_type=$post_key",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
}
}
foreach ( $no_user_post_status_keys as $post_key ) {
foreach ( $all_user_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?p=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?page_id=%ID%',
'/?page_id=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss&page_id=%ID%',
);
}
}
foreach ( array( 'trash' ) as $post_key ) {
foreach ( $all_user_list as $user ) {
$data[] = array(
$post_key,
$user,
'/?p=%ID%',
'/?p=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/?attachment_id=%ID%',
'/?attachment_id=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/trash-post/trash-post-inherited-attachment/',
'/?attachment_id=%ID%',
);
$data[] = array(
"$post_key-attachment",
$user,
'/trash-post__trashed/trash-post-inherited-attachment/',
'/?attachment_id=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?post_type=page&p=%ID%',
'/?post_type=page&p=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?page_id=%ID%',
'/?page_id=%ID%',
);
$data[] = array(
$post_key,
$user,
"/?name=$post_key-post",
"/?name=$post_key-post",
);
$data[] = array(
$post_key,
$user,
'/?feed=rss&p=%ID%',
'/?feed=rss&p=%ID%',
);
$data[] = array(
"$post_key-page",
$user,
'/?feed=rss&page_id=%ID%',
'/?feed=rss&page_id=%ID%',
);
}
}
return $data;
}
}

5
tests/phpunit/tests/link.php
View File

@ -204,6 +204,9 @@ class Tests_Link extends WP_UnitTestCase {
}
}
$this->assertSame( home_url( user_trailingslashit( $attachment->post_name ) ), get_permalink( $attachment_id ) );
$this->assertSame( home_url( "/?attachment_id={$attachment->ID}" ), get_permalink( $attachment_id ) );
// Visit permalink.
$this->go_to( get_permalink( $attachment_id ) );
$this->assertQueryTrue( 'is_attachment', 'is_single', 'is_singular' );
}
}

17
tests/phpunit/tests/media.php
View File

@ -3122,11 +3122,11 @@ EOF;
* @ticket 51776
*
* @param string $post_key Post as keyed in the shared fixture array.
* @param string $expected Expected result.
* @param string $expected_url Expected permalink.
* @param bool $expected_404 Whether the page is expected to return a 404 result.
*
*/
function test_attachment_permalinks_based_on_parent_status( $post_key, $expected, $expected_404 ) {
function test_attachment_permalinks_based_on_parent_status( $post_key, $expected_url, $expected_404 ) {
$this->set_permalink_structure( '/%postname%' );
$post = get_post( self::$post_ids[ $post_key ] );
@ -3134,11 +3134,16 @@ EOF;
* The dataProvider runs before the fixures are set up, therefore the
* post object IDs are placeholders that needs to be replaced.
*/
$expected = home_url( str_replace( '%ID%', $post->ID, $expected ) );
$expected_url = home_url( str_replace( '%ID%', $post->ID, $expected_url ) );
$this->assertSame( $expected, get_permalink( $post ) );
$this->go_to( get_permalink( $post ) );
$this->assertSame( $expected_404, is_404() );
$this->assertSame( $expected_url, get_permalink( $post ) );
if ( $expected_404 ) {
$this->assertQueryTrue( 'is_404' );
} else {
$this->assertQueryTrue( 'is_attachment', 'is_single', 'is_singular' );
}
$this->assertSame( 'attachment', $post->post_type );
}
/**
@ -3146,7 +3151,7 @@ EOF;
*
* @return array[] {
* @type string $post_key Post as keyed in the shared fixture array.
* @type string $expected Expected result.
* @type string $expected_url Expected permalink.
* $type bool $expected_404 Whether the page is expected to return a 404 result.
* }
*/