<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[50132] trunk: Canonical: Prevent ID enumeration of private post slugs.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/50132">50132</a></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>peterwilsoncc</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2021-02-02 00:38:40 +0000 (Tue, 02 Feb 2021)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Canonical: Prevent ID enumeration of private post slugs.

Add check to `redirect_canonical()` to ensure private posts only redirect for logged in users.

Modifies the `read_post` meta capability to use `get_post_status()` rather than the post's `post_status` property to allow attachments to redirect based on the inherited post status.

Introduces `wp_force_ugly_post_permalink()` to unify the check to determine if an ugly link should be displayed in each of the functions used for determining permalinks: `get_permalink()`, `get_post_permalink()`, `_get_page_link()` and `get_attachment_link()`.

Improves logic of `get_attachment_link()` to validate parent post and resolution of inherited post status. This is an incomplete fix of <a href="https://core.trac.wordpress.org/ticket/52373">#52373</a> to prevent the function returning links resulting in a file not found error. Required to unblock this ticket.

Props peterwilsoncc, TimothyBlynJacobs.
See <a href="https://core.trac.wordpress.org/ticket/52373">#52373</a>.
Fixes <a href="https://core.trac.wordpress.org/ticket/5272">#5272</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludescanonicalphp">trunk/src/wp-includes/canonical.php</a></li>
<li><a href="#trunksrcwpincludescapabilitiesphp">trunk/src/wp-includes/capabilities.php</a></li>
<li><a href="#trunksrcwpincludeslinktemplatephp">trunk/src/wp-includes/link-template.php</a></li>
<li><a href="#trunktestsphpunittestslinkphp">trunk/tests/phpunit/tests/link.php</a></li>
<li><a href="#trunktestsphpunittestsmediaphp">trunk/tests/phpunit/tests/media.php</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunktestsphpunittestscanonicalpostStatusphp">trunk/tests/phpunit/tests/canonical/postStatus.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludescanonicalphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/canonical.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/canonical.php       2021-02-02 00:08:01 UTC (rev 50131)
+++ trunk/src/wp-includes/canonical.php 2021-02-02 00:38:40 UTC (rev 50132)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -77,6 +77,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $redirect     = $original;
</span><span class="cx" style="display: block; padding: 0 10px">        $redirect_url = false;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        $redirect_obj = false;
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        // Notice fixing.
</span><span class="cx" style="display: block; padding: 0 10px">        if ( ! isset( $redirect['path'] ) ) {
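Review bot: initialising `$redirect_obj = false` makes the new visibility check opt-in per branch. The guard added further down in this file only runs when `$redirect_obj instanceof WP_Post`, so any branch, present or future, that sets `$redirect_url` to a post permalink without also setting `$redirect_obj` skips the check and redirects as before. A short comment here stating that every post-derived `$redirect_url` must be paired with `$redirect_obj` would help, or the pair could be set through one small helper.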
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -102,6 +103,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        if ( is_feed() && $post_id ) {
</span><span class="cx" style="display: block; padding: 0 10px">                $redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                $redirect_obj = get_post( $post_id );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $redirect['query'] = _remove_qs_args_if_not_in_url(
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -126,6 +128,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        $redirect_url = get_permalink( $post_id );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        $redirect_obj = get_post( $post_id );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['query'] = _remove_qs_args_if_not_in_url(
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -150,6 +153,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $post_type_obj && $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect_url = get_permalink( $redirect_post );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                $redirect_obj = get_post( $redirect_post );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['query'] = _remove_qs_args_if_not_in_url(
</span><span class="cx" style="display: block; padding: 0 10px">                                        $redirect['query'],
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -197,6 +201,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $post_id ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect_url = get_permalink( $post_id );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                $redirect_obj = get_post( $post_id );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['path']  = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' );
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['query'] = remove_query_arg( 'page', $redirect['query'] );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -223,6 +228,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( ! empty( $_GET['attachment_id'] ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                $redirect_obj = get_post( get_query_var( 'attachment_id' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                                if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                        $redirect['query'] = remove_query_arg( 'attachment_id', $redirect['query'] );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -229,9 +235,11 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                }
</span><span class="cx" style="display: block; padding: 0 10px">                        } else {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect_url = get_attachment_link();
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                $redirect_obj = get_post();
</ins><span class="cx" style="display: block; padding: 0 10px">                         }
</span><span class="cx" style="display: block; padding: 0 10px">                } elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $redirect_url = get_permalink( get_query_var( 'p' ) );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        $redirect_obj = get_post( get_query_var( 'p' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['query'] = remove_query_arg( array( 'p', 'post_type' ), $redirect['query'] );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -238,6 +246,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px">                } elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        $redirect_obj = get_post( $wp_query->get_queried_object_id() );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['query'] = remove_query_arg( 'name', $redirect['query'] );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -244,6 +253,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px">                } elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $redirect_url = get_permalink( get_query_var( 'page_id' ) );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        $redirect_obj = get_post( get_query_var( 'page_id' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -256,6 +266,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        && 'page' === get_option( 'show_on_front' ) && get_query_var( 'page_id' ) === (int) get_option( 'page_for_posts' )
</span><span class="cx" style="display: block; padding: 0 10px">                ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $redirect_url = get_permalink( get_option( 'page_for_posts' ) );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        $redirect_obj = get_post( get_option( 'page_for_posts' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -310,6 +321,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                && $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) )
</span><span class="cx" style="display: block; padding: 0 10px">                        ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect_url = get_author_posts_url( $author->ID, $author->user_nicename );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                $redirect_obj = $author;
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                                if ( $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                        $redirect['query'] = remove_query_arg( 'author', $redirect['query'] );
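Review bot: `$redirect_obj = $author;` stores an author object rather than a post, and the guard added later in this function only acts when `$redirect_obj instanceof WP_Post`. If author redirects are deliberately exempt from the post-status check, a one-line comment saying so would make that clear; otherwise this assignment has no effect within this diff.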
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -385,6 +397,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                        || ! has_term( $category->term_id, 'category', $wp_query->get_queried_object_id() )
</span><span class="cx" style="display: block; padding: 0 10px">                                ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                        $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                        $redirect_obj = get_post( $wp_query->get_queried_object_id() );
</ins><span class="cx" style="display: block; padding: 0 10px">                                 }
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -395,6 +408,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( ! $redirect_url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                $redirect_url = get_permalink( get_queried_object_id() );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                $redirect_obj = get_post( get_queried_object_id() );
</ins><span class="cx" style="display: block; padding: 0 10px">                         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( $page > 1 ) {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -740,6 +754,28 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $requested_url = preg_replace_callback( '|%[a-fA-F0-9][a-fA-F0-9]|', 'lowercase_octets', $requested_url );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        if ( $redirect_obj instanceof WP_Post ) {
+               $post_status_obj = get_post_status_object( get_post_status( $redirect_obj ) );
+               /*
+                * Unset the redirect object and URL if they are not readable by the user.
+                * This condition is a little confusing as the condition needs to pass if
+                * the post is not readable by the user. That's why there are ! (not) conditions
+                * throughout.
+                */
+               if (
+                       // Private post statuses only redirect if the user can read them.
+                       ! (
+                               $post_status_obj->private &&
+                               current_user_can( 'read_post', $redirect_obj->ID )
+                       ) &&
+                       // For other posts, only redirect if publicly viewable.
+                       ! is_post_publicly_viewable( $redirect_obj )
+               ) {
+                       $redirect_obj = false;
+                       $redirect_url = false;
+               }
+       }
+
</ins><span class="cx" style="display: block; padding: 0 10px">         /**
</span><span class="cx" style="display: block; padding: 0 10px">         * Filters the canonical redirect URL.
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span></span></pre></div>
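Review bot: `$post_status_obj->private` is read without checking that `get_post_status_object()` returned an object. `wp_force_ugly_post_permalink()` in this same changeset bails out on `! $post_status_obj`, and the `read_post` code in capabilities.php handles `! $status_obj` for unregistered statuses, so the same case can reach this block. Suggest treating a missing status object as not readable, clearing `$redirect_obj` and `$redirect_url`, before evaluating the condition. The double negation would also be easier to audit if the readable case were computed into a named boolean first.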
<a id="trunksrcwpincludescapabilitiesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/capabilities.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/capabilities.php    2021-02-02 00:08:01 UTC (rev 50131)
+++ trunk/src/wp-includes/capabilities.php      2021-02-02 00:38:40 UTC (rev 50132)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -245,10 +245,10 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                break;
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        $status_obj = get_post_status_object( $post->post_status );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 $status_obj = get_post_status_object( get_post_status( $post ) );
</ins><span class="cx" style="display: block; padding: 0 10px">                         if ( ! $status_obj ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                /* translators: 1: Post status, 2: Capability name. */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), $post->post_status, $cap ), '5.4.0' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), get_post_status( $post ), $cap ), '5.4.0' );
</ins><span class="cx" style="display: block; padding: 0 10px">                                 $caps[] = 'edit_others_posts';
</span><span class="cx" style="display: block; padding: 0 10px">                                break;
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span></span></pre></div>
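Review bot: `get_post_status( $post )` is now called twice, once for the `get_post_status_object()` lookup and once inside the `_doing_it_wrong()` message; assigning it to a local variable first would guarantee the message reports the value that was actually looked up. For a post with an inherited status the message will now name the resolved status rather than the stored `post_status`, which is worth a mention in the inline documentation.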
<a id="trunksrcwpincludeslinktemplatephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/link-template.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/link-template.php   2021-02-02 00:08:01 UTC (rev 50131)
+++ trunk/src/wp-includes/link-template.php     2021-02-02 00:38:40 UTC (rev 50132)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -90,6 +90,58 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Determine whether post should always use an ugly permalink structure.
+ *
+ * @since 5.7.0
+ *
+ * @param WP_Post|int|null $post   Optional. Post ID or post object. Defaults to global $post.
+ * @param bool|null        $sample Optional. Whether to force consideration based on sample links.
+ *                                 If omitted, a sample link is generated if a post object is passed
+ *                                 with the filter property set to 'sample'.
+ * @return bool Whether to use an ugly permalink structure.
+ */
+function wp_force_ugly_post_permalink( $post = null, $sample = null ) {
+       if (
+               null === $sample &&
+               is_object( $post ) &&
+               isset( $post->filter ) &&
+               'sample' === $post->filter
+       ) {
+               $sample = true;
+       } else {
+               $post   = get_post( $post );
+               $sample = null !== $sample ? $sample : false;
+       }
+
+       if ( ! $post ) {
+               return true;
+       }
+
+       $post_status_obj = get_post_status_object( get_post_status( $post ) );
+       $post_type_obj   = get_post_type_object( get_post_type( $post ) );
+
+       if ( ! $post_status_obj || ! $post_type_obj ) {
+               return true;
+       }
+
+       if (
+               // Publicly viewable links never have ugly permalinks.
+               is_post_status_viewable( $post_status_obj ) ||
+               (
+                       // Private posts don't have ugly links if the user can read them.
+                       $post_status_obj->private &&
+                       current_user_can( 'read_post', $post->ID )
+               ) ||
+               // Protected posts don't have ugly links if getting a sample URL.
+               ( $post_status_obj->protected && $sample )
+       ) {
+               return false;
+       }
+
+       return true;
+}
+
+/**
</ins><span class="cx" style="display: block; padding: 0 10px">  * Retrieves the full permalink for the current post or post ID.
</span><span class="cx" style="display: block; padding: 0 10px">  *
</span><span class="cx" style="display: block; padding: 0 10px">  * This function is an alias for get_permalink().
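Review bot: the docblock for `wp_force_ugly_post_permalink()` does not say that the result depends on the current user, which it does through `current_user_can( 'read_post', $post->ID )` in the private-status branch. Since this helper now feeds every permalink function named in the commit message, callers that store generated links should be told that the same post can yield different links for different users. Separately, when `$post->filter` is 'sample' the argument is not passed through `get_post()`, so the later `$post->ID` relies on the caller having supplied a real post object, and `$post_type_obj` is only used for the `! $post_type_obj` bail-out.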
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -166,7 +218,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        if (
</span><span class="cx" style="display: block; padding: 0 10px">                $permalink &&
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                ! in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft', 'future', 'trash' ), true )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         ! wp_force_ugly_post_permalink( $post )
</ins><span class="cx" style="display: block; padding: 0 10px">         ) {
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                $category = '';
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -277,7 +329,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $slug = $post->post_name;
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        $draft_or_pending = get_post_status( $post ) && in_array( get_post_status( $post ), array( 'draft', 'pending', 'auto-draft', 'future' ), true );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $force_ugly_link = wp_force_ugly_post_permalink( $post );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $post_type = get_post_type_object( $post->post_type );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -285,13 +337,13 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $slug = get_page_uri( $post );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        if ( ! empty( $post_link ) && ( ! $draft_or_pending || $sample ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! empty( $post_link ) && ( ! $force_ugly_link || $sample ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px">                 if ( ! $leavename ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $post_link = str_replace( "%$post->post_type%", $slug, $post_link );
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px">                $post_link = home_url( user_trailingslashit( $post_link ) );
</span><span class="cx" style="display: block; padding: 0 10px">        } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                if ( $post_type->query_var && ( isset( $post->post_status ) && ! $draft_or_pending ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         if ( $post_type->query_var && ( isset( $post->post_status ) && ! $force_ugly_link ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px">                         $post_link = add_query_arg( $post_type->query_var, $slug, '' );
</span><span class="cx" style="display: block; padding: 0 10px">                } else {
</span><span class="cx" style="display: block; padding: 0 10px">                        $post_link = add_query_arg(
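Review bot: `( ! $force_ugly_link || $sample )` keeps the sample handling in the caller even though `wp_force_ugly_post_permalink()` has its own `$sample` parameter and the call in the previous hunk passes only `$post`. As written, `|| $sample` yields a pretty link for any status, while the helper limits sample links to `$post_status_obj->protected`. Passing `$sample` into the helper and dropping the `||` here would keep that rule in one place.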
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -373,11 +425,11 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $post = get_post( $post );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        $draft_or_pending = in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft' ), true );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $force_ugly_link = wp_force_ugly_post_permalink( $post );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $link = $wp_rewrite->get_page_permastruct();
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $draft_or_pending ) || $sample ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $force_ugly_link ) || $sample ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px">                 if ( ! $leavename ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $link = str_replace( '%pagename%', get_page_uri( $post ), $link );
</span><span class="cx" style="display: block; padding: 0 10px">                }
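Review bot: In the rewritten if, $sample still overrides the new check: the expression ends in "|| $sample", so the %pagename% link is built whenever $sample is true, even for a post the helper says needs an ugly link. If that is intended for sample permalinks, say so in a comment; if not, $force_ugly_link should gate the whole expression. Note too that wp_force_ugly_post_permalink( $post ) is now called unconditionally on the result of get_post(), before the isset( $post->post_status ) guard that the condition still carries, so the helper has to tolerate a missing post.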
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -417,13 +469,26 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $link = false;
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        $post   = get_post( $post );
-       $parent = ( $post->post_parent > 0 && $post->post_parent != $post->ID ) ? get_post( $post->post_parent ) : false;
-       if ( $parent && ! in_array( $parent->post_type, get_post_types(), true ) ) {
-               $parent = false;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $post            = get_post( $post );
+       $force_ugly_link = wp_force_ugly_post_permalink( $post );
+       $parent_id       = $post->post_parent;
+       $parent          = $parent_id ? get_post( $parent_id ) : false;
+       $parent_valid    = true; // Default for no parent.
+       if (
+               $parent_id &&
+               (
+                       $post->post_parent === $post->ID ||
+                       ! $parent ||
+                       ! is_post_type_viewable( get_post_type( $parent ) )
+               )
+       ) {
+               // Post is either its own parent or parent post unavailable.
+               $parent_valid = false;
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        if ( $wp_rewrite->using_permalinks() && $parent ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( $force_ugly_link || ! $parent_valid ) {
+               $link = false;
+       } elseif ( $wp_rewrite->using_permalinks() && $parent ) {
</ins><span class="cx" style="display: block; padding: 0 10px">                 if ( 'page' === $parent->post_type ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $parentlink = _get_page_link( $post->post_parent ); // Ignores page_on_front.
</span><span class="cx" style="display: block; padding: 0 10px">                } else {
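Review bot: The self-parent test moved from the loose comparison in the removed line ( $post->post_parent != $post->ID ) to the strict $post->post_parent === $post->ID, so if either value ever arrives as a numeric string the check stops matching and a post that is its own parent keeps $parent_valid = true. Cast both to int or keep the loose comparison. Separately, $link = false in the new first branch repeats the initial assignment at the top of the hunk, and replacing the in_array( $parent->post_type, get_post_types(), true ) test with is_post_type_viewable() narrows which parents yield a parent-based link; that behaviour change deserves a line in the function's docblock.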
</span></span></pre></div>
<a id="trunktestsphpunittestscanonicalpostStatusphp"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: trunk/tests/phpunit/tests/canonical/postStatus.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/canonical/postStatus.php                                (rev 0)
+++ trunk/tests/phpunit/tests/canonical/postStatus.php  2021-02-02 00:38:40 UTC (rev 50132)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -0,0 +1,973 @@
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+<?php
+
+/**
+ * @group canonical
+ * @group rewrite
+ * @group query
+ */
+class Tests_Canonical_PostStatus extends WP_Canonical_UnitTestCase {
+
+       /**
+        * User IDs.
+        *
+        * @var array
+        */
+       public static $users;
+
+       /**
+        * Post Objects.
+        *
+        * @var array
+        */
+       public static $posts;
+
+       public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
+               self::setup_custom_types();
+               self::$users = array(
+                       'anon'           => 0,
+                       'subscriber'     => $factory->user->create( array( 'role' => 'subscriber' ) ),
+                       'content_author' => $factory->user->create( array( 'role' => 'author' ) ),
+                       'editor'         => $factory->user->create( array( 'role' => 'editor' ) ),
+               );
+
+               $post_statuses = array( 'publish', 'future', 'draft', 'pending', 'private', 'auto-draft', 'a-private-status' );
+               foreach ( $post_statuses as $post_status ) {
+                       $post_date = '';
+                       if ( 'future' === $post_status ) {
+                               $post_date = strftime( '%Y-%m-%d %H:%M:%S', strtotime( '+1 year' ) );
+                       }
+
+                       self::$posts[ $post_status ] = $factory->post->create_and_get(
+                               array(
+                                       'post_type'    => 'post',
+                                       'post_title'   => "$post_status post",
+                                       'post_name'    => "$post_status-post",
+                                       'post_status'  => $post_status,
+                                       'post_content' => "Prevent canonical redirect exposing post slugs.\n\n<!--nextpage-->Page 2",
+                                       'post_author'  => self::$users['content_author'],
+                                       'post_date'    => $post_date,
+                               )
+                       );
+
+                       // Add fake attachment to the post (file upload not needed).
+                       self::$posts[ "$post_status-attachment" ] = $factory->post->create_and_get(
+                               array(
+                                       'post_type'    => 'attachment',
+                                       'post_title'   => "$post_status inherited attachment",
+                                       'post_name'    => "$post_status-inherited-attachment",
+                                       'post_status'  => 'inherit',
+                                       'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
+                                       'post_author'  => self::$users['content_author'],
+                                       'post_parent'  => self::$posts[ $post_status ]->ID,
+                                       'post_date'    => $post_date,
+                               )
+                       );
+
+                       // Set up a page with same.
+                       self::$posts[ "$post_status-page" ] = $factory->post->create_and_get(
+                               array(
+                                       'post_type'    => 'page',
+                                       'post_title'   => "$post_status page",
+                                       'post_name'    => "$post_status-page",
+                                       'post_status'  => $post_status,
+                                       'post_content' => "Prevent canonical redirect exposing page slugs.\n\n<!--nextpage-->Page 2",
+                                       'post_author'  => self::$users['content_author'],
+                                       'post_date'    => $post_date,
+                               )
+                       );
+               }
+
+               // Create a public CPT using a private status.
+               self::$posts['a-public-cpt'] = $factory->post->create_and_get(
+                       array(
+                               'post_type'    => 'a-public-cpt',
+                               'post_title'   => 'a-public-cpt',
+                               'post_name'    => 'a-public-cpt',
+                               'post_status'  => 'private',
+                               'post_content' => 'Prevent canonical redirect exposing a-public-cpt titles.',
+                               'post_author'  => self::$users['content_author'],
+                       )
+               );
+
+               // Add fake attachment to the public cpt (file upload not needed).
+               self::$posts['a-public-cpt-attachment'] = $factory->post->create_and_get(
+                       array(
+                               'post_type'    => 'attachment',
+                               'post_title'   => 'a-public-cpt post inherited attachment',
+                               'post_name'    => 'a-public-cpt-inherited-attachment',
+                               'post_status'  => 'inherit',
+                               'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
+                               'post_author'  => self::$users['content_author'],
+                               'post_parent'  => self::$posts['a-public-cpt']->ID,
+                       )
+               );
+
+               // Create a private CPT with a public status.
+               self::$posts['a-private-cpt'] = $factory->post->create_and_get(
+                       array(
+                               'post_type'    => 'a-private-cpt',
+                               'post_title'   => 'a-private-cpt',
+                               'post_name'    => 'a-private-cpt',
+                               'post_status'  => 'publish',
+                               'post_content' => 'Prevent canonical redirect exposing a-private-cpt titles.',
+                               'post_author'  => self::$users['content_author'],
+                       )
+               );
+
+               // Add fake attachment to the private cpt (file upload not needed).
+               self::$posts['a-private-cpt-attachment'] = $factory->post->create_and_get(
+                       array(
+                               'post_type'    => 'attachment',
+                               'post_title'   => 'a-private-cpt post inherited attachment',
+                               'post_name'    => 'a-private-cpt-inherited-attachment',
+                               'post_status'  => 'inherit',
+                               'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
+                               'post_author'  => self::$users['content_author'],
+                               'post_parent'  => self::$posts['a-private-cpt']->ID,
+                       )
+               );
+
+               // Post for trashing.
+               self::$posts['trash'] = $factory->post->create_and_get(
+                       array(
+                               'post_type'    => 'post',
+                               'post_title'   => 'trash post',
+                               'post_name'    => 'trash-post',
+                               'post_status'  => 'publish',
+                               'post_content' => "Prevent canonical redirect exposing post slugs.\n\n<!--nextpage-->Page 2",
+                               'post_author'  => self::$users['content_author'],
+                       )
+               );
+
+               self::$posts['trash-attachment'] = $factory->post->create_and_get(
+                       array(
+                               'post_type'    => 'attachment',
+                               'post_title'   => 'trash post inherited attachment',
+                               'post_name'    => 'trash-post-inherited-attachment',
+                               'post_status'  => 'inherit',
+                               'post_content' => "Prevent canonical redirect exposing post via attachments.\n\n<!--nextpage-->Page 2",
+                               'post_author'  => self::$users['content_author'],
+                               'post_parent'  => self::$posts['trash']->ID,
+                       )
+               );
+
+               // Page for trashing.
+               self::$posts['trash-page'] = $factory->post->create_and_get(
+                       array(
+                               'post_type'    => 'page',
+                               'post_title'   => 'trash page',
+                               'post_name'    => 'trash-page',
+                               'post_status'  => 'publish',
+                               'post_content' => "Prevent canonical redirect exposing page slugs.\n\n<!--nextpage-->Page 2",
+                               'post_author'  => self::$users['content_author'],
+                       )
+               );
+               wp_trash_post( self::$posts['trash']->ID );
+               wp_trash_post( self::$posts['trash-page']->ID );
+       }
+
+       function setUp() {
+               parent::setUp();
+               self::setup_custom_types();
+       }
+
+       /**
+        * Set up a custom post type and private status.
+        *
+        * This needs to be called both in the class setup and
+        * test setup.
+        */
+       public static function setup_custom_types() {
+               // Register public custom post type.
+               register_post_type(
+                       'a-public-cpt',
+                       array(
+                               'public'  => true,
+                               'rewrite' => array(
+                                       'slug' => 'a-public-cpt',
+                               ),
+                       )
+               );
+
+               // Register private custom post type.
+               register_post_type(
+                       'a-private-cpt',
+                       array(
+                               'public'             => false,
+                               'publicly_queryable' => false,
+                               'rewrite'            => array(
+                                       'slug' => 'a-private-cpt',
+                               ),
+                               'map_meta_cap'       => true,
+                       )
+               );
+
+               // Register custom private post status.
+               register_post_status(
+                       'a-private-status',
+                       array(
+                               'private' => true,
+                       )
+               );
+       }
+
+       /**
+        * Test canonical redirect does not reveal private posts presence.
+        *
+        * @ticket 5272
+        * @dataProvider data_canonical_redirects_to_ugly_permalinks
+        *
+        * @param string $post_key  Post key used for creating fixtures.
+        * @param string $user_role User role.
+        * @param string $requested Requested URL.
+        * @param string $expected  Expected URL.
+        */
+       public function test_canonical_redirects_to_ugly_permalinks( $post_key, $user_role, $requested, $expected ) {
+               wp_set_current_user( self::$users[ $user_role ] );
+               $this->set_permalink_structure( '' );
+               $post = self::$posts[ $post_key ];
+               clean_post_cache( $post->ID );
+
+               /*
+                * The dataProvider runs before the fixures are set up, therefore the
+                * post object IDs are placeholders that needs to be replaced.
+                */
+               $requested = str_replace( '%ID%', $post->ID, $requested );
+               $expected  = str_replace( '%ID%', $post->ID, $expected );
+
+               $this->assertCanonical( $requested, $expected );
+       }
+
+       /**
+        * Data provider for test_canonical_redirects_to_ugly_permalinks.
+        *
+        * @return array[] Array of arguments for tests {
+        *     @type string $post_key  Post key used for creating fixtures.
+        *     @type string $user_role User role.
+        *     @type string $requested Requested URL.
+        *     @type string $expected  Expected URL.
+        * }
+        */
+       function data_canonical_redirects_to_ugly_permalinks() {
+               $data              = array();
+               $all_user_list     = array( 'anon', 'subscriber', 'content_author', 'editor' );
+               $select_allow_list = array( 'content_author', 'editor' );
+               $select_block_list = array( 'anon', 'subscriber' );
+               // All post/page keys
+               $all_user_post_status_keys    = array( 'publish' );
+               $select_user_post_status_keys = array( 'private', 'a-private-status' );
+               $no_user_post_status_keys     = array( 'future', 'draft', 'pending', 'auto-draft' ); // Excludes trash for attachment rules.
+               $select_user_post_type_keys   = array( 'a-public-cpt' );
+               $no_user_post_type_keys       = array( 'a-private-cpt' );
+
+               foreach ( $all_user_post_status_keys as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               /*
+                                * In the event `redirect_canonical()` is updated to redirect ugly permalinks
+                                * to a canonical ugly version, these expected values can be changed.
+                                */
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               // Ensure rss redirects to rss2.
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss2&p=%ID%',
+                               );
+
+                               // Ensure rss redirects to rss2.
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss2&page_id=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( $select_user_post_status_keys as $post_key ) {
+                       foreach ( $select_allow_list as $user ) {
+                               /*
+                                * In the event `redirect_canonical()` is updated to redirect ugly permalinks
+                                * to a canonical ugly version, these expected values can be changed.
+                                */
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               // Ensure rss redirects to rss2.
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss2&p=%ID%',
+                               );
+
+                               // Ensure rss redirects to rss2.
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss2&page_id=%ID%',
+                               );
+                       }
+
+                       foreach ( $select_block_list as $user ) {
+                               /*
+                                * In the event `redirect_canonical()` is updated to redirect ugly permalinks
+                                * to a canonical ugly version, these expected values MUST NOT be changed.
+                                */
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               // Ensure post's existence is not demonstrated by changing rss to rss2.
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+
+                               // Ensure post's existence is not demonstrated by changing rss to rss2.
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss&page_id=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( $no_user_post_status_keys as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               /*
+                                * In the event `redirect_canonical()` is updated to redirect ugly permalinks
+                                * to a canonical ugly version, these expected values MUST NOT be changed.
+                                */
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               // Ensure post's existence is not demonstrated by changing rss to rss2.
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+
+                               // Ensure post's existence is not demonstrated by changing rss to rss2.
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss&page_id=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( array( 'trash' ) as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               /*
+                                * In the event `redirect_canonical()` is updated to redirect ugly permalinks
+                                * to a canonical ugly version, these expected values MUST NOT be changed.
+                                */
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               // Ensure post's existence is not demonstrated by changing rss to rss2.
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+
+                               // Ensure post's existence is not demonstrated by changing rss to rss2.
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss&page_id=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( $select_user_post_type_keys as $post_key ) {
+                       foreach ( $select_allow_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?a-public-cpt=a-public-cpt',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key&post_type=$post_key",
+                                       "/?name=$post_key&post_type=$post_key",
+                               );
+
+                               // Ensure rss is replaced by rss2.
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?a-public-cpt=a-public-cpt&feed=rss2',
+                               );
+                       }
+
+                       foreach ( $select_block_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key&post_type=$post_key",
+                                       "/?name=$post_key&post_type=$post_key",
+                               );
+
+                               // Ensure rss is not replaced with rss2.
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( $no_user_post_type_keys as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key&post_type=$post_key",
+                                       "/?name=$post_key&post_type=$post_key",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+                       }
+               }
+
+               return $data;
+       }
+
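Review bot: In data_canonical_redirects_to_ugly_permalinks(), the post_type=page and name= rows are identical in the $select_allow_list and $select_block_list loops, so they pass for either kind of user and only the feed=rss rows distinguish allowed from blocked users; the "MUST NOT be changed" intent lives solely in a comment. Giving each data set a string key (post key, role, what it guards) would put that intent into the failure output, and the near-identical loops could share one helper. Smaller points: "fixures" and "placeholders that needs" in the test method comment, setUp() and the data provider are declared without visibility, and strftime() in wpSetUpBeforeClass() is deprecated as of PHP 8.1, so gmdate() or date() is the safer choice.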
+       /**
+        * Test canonical redirect does not reveal private slugs.
+        *
+        * @ticket 5272
+        * @dataProvider data_canonical_redirects_to_pretty_permalinks
+        *
+        * @param string $post_key  Post key used for creating fixtures.
+        * @param string $user_role User role.
+        * @param string $requested Requested URL.
+        * @param string $expected  Expected URL.
+        */
+       public function test_canonical_redirects_to_pretty_permalinks( $post_key, $user_role, $requested, $expected ) {
+               wp_set_current_user( self::$users[ $user_role ] );
+               $this->set_permalink_structure( '/%postname%/' );
+               $post = self::$posts[ $post_key ];
+               clean_post_cache( $post->ID );
+
+               /*
+                * The dataProvider runs before the fixures are set up, therefore the
+                * post object IDs are placeholders that needs to be replaced.
+                */
+               $requested = str_replace( '%ID%', $post->ID, $requested );
+               $expected  = str_replace( '%ID%', $post->ID, $expected );
+
+               $this->assertCanonical( $requested, $expected );
+       }
+
+       /**
+        * Data provider for test_canonical_redirects_to_pretty_permalinks.
+        *
+        * @return array[] Array of arguments for tests {
+        *     @type string $post_key  Post key used for creating fixtures.
+        *     @type string $user_role User role.
+        *     @type string $requested Requested URL.
+        *     @type string $expected  Expected URL.
+        * }
+        */
+       function data_canonical_redirects_to_pretty_permalinks() {
+               $data              = array();
+               $all_user_list     = array( 'anon', 'subscriber', 'content_author', 'editor' );
+               $select_allow_list = array( 'content_author', 'editor' );
+               $select_block_list = array( 'anon', 'subscriber' );
+               // All post/page keys
+               $all_user_post_status_keys    = array( 'publish' );
+               $select_user_post_status_keys = array( 'private', 'a-private-status' );
+               $no_user_post_status_keys     = array( 'future', 'draft', 'pending', 'auto-draft' ); // Excludes trash for attachment rules.
+               $select_user_post_type_keys   = array( 'a-public-cpt' );
+               $no_user_post_type_keys       = array( 'a-private-cpt' );
+
+               foreach ( $all_user_post_status_keys as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       "/$post_key-post/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       "/$post_key-post/$post_key-inherited-attachment/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       "/$post_key-page/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?page_id=%ID%',
+                                       "/$post_key-page/",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/$post_key-post/",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       "/$post_key-post/feed/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       "/$post_key-page/feed/",
+                               );
+                       }
+               }
+
+               foreach ( $select_user_post_status_keys as $post_key ) {
+                       foreach ( $select_allow_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       "/$post_key-post/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       "/$post_key-post/$post_key-inherited-attachment/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       "/$post_key-page/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?page_id=%ID%',
+                                       "/$post_key-page/",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/$post_key-post/",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       "/$post_key-post/feed/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       "/$post_key-page/feed/",
+                               );
+                       }
+
+                       foreach ( $select_block_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?page_id=%ID%',
+                                       '/?page_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss&page_id=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( $select_user_post_type_keys as $post_key ) {
+                       foreach ( $select_allow_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       "/$post_key/$post_key/",
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       "/$post_key/$post_key/$post_key-inherited-attachment/",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key&post_type=$post_key",
+                                       "/$post_key/$post_key/?post_type=$post_key",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       "/$post_key/$post_key/feed/",
+                               );
+                       }
+
+                       foreach ( $select_block_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key&post_type=$post_key",
+                                       "/?name=$post_key&post_type=$post_key",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( $no_user_post_type_keys as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                                       // "/$post_key-inherited-attachment/",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key&post_type=$post_key",
+                                       "/?name=$post_key&post_type=$post_key",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( $no_user_post_status_keys as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?page_id=%ID%',
+                                       '/?page_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss&page_id=%ID%',
+                               );
+                       }
+               }
+
+               foreach ( array( 'trash' ) as $post_key ) {
+                       foreach ( $all_user_list as $user ) {
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?p=%ID%',
+                                       '/?p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/?attachment_id=%ID%',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/trash-post/trash-post-inherited-attachment/',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-attachment",
+                                       $user,
+                                       '/trash-post__trashed/trash-post-inherited-attachment/',
+                                       '/?attachment_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?post_type=page&p=%ID%',
+                                       '/?post_type=page&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?page_id=%ID%',
+                                       '/?page_id=%ID%',
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       "/?name=$post_key-post",
+                                       "/?name=$post_key-post",
+                               );
+
+                               $data[] = array(
+                                       $post_key,
+                                       $user,
+                                       '/?feed=rss&p=%ID%',
+                                       '/?feed=rss&p=%ID%',
+                               );
+
+                               $data[] = array(
+                                       "$post_key-page",
+                                       $user,
+                                       '/?feed=rss&page_id=%ID%',
+                                       '/?feed=rss&page_id=%ID%',
+                               );
+                       }
+               }
+
+               return $data;
+       }
+}
</ins><span class="cx" style="display: block; padding: 0 10px">Property changes on: trunk/tests/phpunit/tests/canonical/postStatus.php
</span><span class="cx" style="display: block; padding: 0 10px">___________________________________________________________________
</span></span></pre></div>
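Review bot: In the $no_user_post_type_keys loop of data_canonical_redirects_to_pretty_permalinks(), the attachment dataset keeps a commented-out alternative expectation (// "/$post_key-inherited-attachment/",) beside the asserted '/?attachment_id=%ID%'. Delete it, or replace it with a comment stating why an attachment under a private post type must not redirect to its pretty URL, since that is the case where a slug would be disclosed. The datasets are also appended with $data[] = array( ... ) and no string keys, so a failure is reported only by numeric index; keying each entry by post key, user role and requested URL would make the failing case identifiable. Minor: the provider is declared without "public" although the test method has it, and the inline comment reads "fixures" and "placeholders that needs".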
<a id="svneolstyle"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: svn:eol-style</h4></div>
<ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+native
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="trunktestsphpunittestslinkphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/link.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/link.php        2021-02-02 00:08:01 UTC (rev 50131)
+++ trunk/tests/phpunit/tests/link.php  2021-02-02 00:38:40 UTC (rev 50132)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -204,6 +204,9 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $this->assertSame( home_url( user_trailingslashit( $attachment->post_name ) ), get_permalink( $attachment_id ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $this->assertSame( home_url( "/?attachment_id={$attachment->ID}" ), get_permalink( $attachment_id ) );
+               // Visit permalink.
+               $this->go_to( get_permalink( $attachment_id ) );
+               $this->assertQueryTrue( 'is_attachment', 'is_single', 'is_singular' );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
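Review bot: The new assertion builds the expected URL from $attachment->ID but passes $attachment_id to get_permalink() and go_to(); use one of the two throughout so the result cannot depend on a mismatch between them. The expectation also changes from the slug form, home_url( user_trailingslashit( $attachment->post_name ) ), to the plain /?attachment_id= form with no comment; add a line above the assertion saying why this attachment no longer gets a pretty permalink.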
<a id="trunktestsphpunittestsmediaphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/media.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/media.php       2021-02-02 00:08:01 UTC (rev 50131)
+++ trunk/tests/phpunit/tests/media.php 2021-02-02 00:38:40 UTC (rev 50132)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -3122,11 +3122,11 @@
</span><span class="cx" style="display: block; padding: 0 10px">         * @ticket 51776
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><span class="cx" style="display: block; padding: 0 10px">         * @param string $post_key     Post as keyed in the shared fixture array.
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * @param string $expected     Expected result.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * @param string $expected_url Expected permalink.
</ins><span class="cx" style="display: block; padding: 0 10px">          * @param bool   $expected_404 Whether the page is expected to return a 404 result.
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        function test_attachment_permalinks_based_on_parent_status( $post_key, $expected, $expected_404 ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ function test_attachment_permalinks_based_on_parent_status( $post_key, $expected_url, $expected_404 ) {
</ins><span class="cx" style="display: block; padding: 0 10px">                 $this->set_permalink_structure( '/%postname%' );
</span><span class="cx" style="display: block; padding: 0 10px">                $post = get_post( self::$post_ids[ $post_key ] );
</span><span class="cx" style="display: block; padding: 0 10px"> 
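Review bot: The rewritten signature of test_attachment_permalinks_based_on_parent_status() still has no visibility keyword, while test_canonical_redirects_to_pretty_permalinks() added in tests/canonical/postStatus.php by this same changeset is declared "public function"; add "public" here while the line is being touched.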
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -3134,11 +3134,16 @@
</span><span class="cx" style="display: block; padding: 0 10px">                 * The dataProvider runs before the fixures are set up, therefore the
</span><span class="cx" style="display: block; padding: 0 10px">                 * post object IDs are placeholders that needs to be replaced.
</span><span class="cx" style="display: block; padding: 0 10px">                 */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $expected = home_url( str_replace( '%ID%', $post->ID, $expected ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $expected_url = home_url( str_replace( '%ID%', $post->ID, $expected_url ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $this->assertSame( $expected, get_permalink( $post ) );
</del><span class="cx" style="display: block; padding: 0 10px">                 $this->go_to( get_permalink( $post ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $this->assertSame( $expected_404, is_404() );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $this->assertSame( $expected_url, get_permalink( $post ) );
+               if ( $expected_404 ) {
+                       $this->assertQueryTrue( 'is_404' );
+               } else {
+                       $this->assertQueryTrue( 'is_attachment', 'is_single', 'is_singular' );
+               }
+               $this->assertSame( 'attachment', $post->post_type );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
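Review bot: assertSame( 'attachment', $post->post_type ) is a precondition on the fixture, yet it runs last, after go_to() and the query assertions; move it directly under the get_post() call so a wrong fixture key fails with that message first. The permalink assertion has also been moved below go_to() with no visible reason; asserting $expected_url before visiting it keeps a permalink failure distinct from a routing failure.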
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -3146,7 +3151,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><span class="cx" style="display: block; padding: 0 10px">         * @return array[] {
</span><span class="cx" style="display: block; padding: 0 10px">         *     @type string $post_key     Post as keyed in the shared fixture array.
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         *     @type string $expected     Expected result.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  *     @type string $expected_url Expected permalink.
</ins><span class="cx" style="display: block; padding: 0 10px">          *     $type bool   $expected_404 Whether the page is expected to return a 404 result.
</span><span class="cx" style="display: block; padding: 0 10px">         * }
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span></span></pre>
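Review bot: The line directly below the changed @type entry reads "$type bool   $expected_404"; it should be "@type bool". This hunk already edits the docblock, so fix the tag in the same change.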
</div>
</div>

</body>
</html>