Changeset 61996

Timestamp:

03/12/2026 08:47:58 PM (2 weeks ago)

Author:

johnjamesjacoby

Message:

REST API: Prevent inaccessible attachments from being embedded in posts.

When an attachment is used by multiple posts, it could be included in _embed for a published post even if its post_parent is a draft.

This commit avoids embedding attachments that are not viewable in this context.

Props bor0.

Fixes #64183.

Location:

trunk

Files:

• src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-posts-controller.php (modified) (1 diff)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -2295 +2295 @@
         // If we have a featured media, add that.
         $featured_media = get_post_thumbnail_id( $post->ID );
-        if ( $featured_media ) {
+        if ( $featured_media && ( 'publish' === get_post_status( $featured_media ) || current_user_can( 'read_post', $featured_media ) ) ) {
             $image_url = rest_url( rest_get_route_for_post( $featured_media ) );
 

trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php

@@ -3329 +3329 @@
         $this->assertSame( 0, $data['featured_media'] );
         $this->assertSame( 0, (int) get_post_thumbnail_id( $new_post->ID ) );
+    }
+
+    /**
+     * Data provider for featured media link permission tests.
+     *
+     * @return array
+     */
+    public function data_featured_media_link_permissions() {
+        return array(
+            'unauthenticated user with draft parent attachment' => array(
+                'attachment_parent_status' => 'draft',
+                'attachment_status'        => 'inherit',
+                'user_id'                  => 0,
+                'expect_link'              => false,
+            ),
+            'authenticated editor with draft parent attachment' => array(
+                'attachment_parent_status' => 'draft',
+                'attachment_status'        => 'inherit',
+                'user_id'                  => 'editor',
+                'expect_link'              => true,
+            ),
+            'unauthenticated user with published attachment' => array(
+                'attachment_parent_status' => null,
+                'attachment_status'        => 'publish',
+                'user_id'                  => 0,
+                'expect_link'              => true,
+            ),
+        );
+    }
+
+    /**
+     * Tests that featured media links respect attachment permissions.
+     *
+     * @ticket 64183
+     * @dataProvider data_featured_media_link_permissions
+     *
+     * @param string|null $attachment_parent_status Status of the attachment's parent post, or null for no parent.
+     * @param string      $attachment_status Status to set on the attachment.
+     * @param int|string  $user_id User ID (0 for unauthenticated) or 'editor' for editor role.
+     * @param bool        $expect_link Whether the featured media link should be included.
+     */
+    public function test_get_item_featured_media_link_permissions( $attachment_parent_status, $attachment_status, $user_id, $expect_link ) {
+        $file = DIR_TESTDATA . '/images/canola.jpg';
+
+        // Create attachment parent if needed.
+        $parent_post_id = 0;
+        if ( null !== $attachment_parent_status ) {
+            $parent_post_id = self::factory()->post->create(
+                array(
+                    'post_title'  => 'Parent Post',
+                    'post_status' => $attachment_parent_status,
+                )
+            );
+        }
+
+        // Create attachment.
+        $attachment_id = self::factory()->attachment->create_object(
+            $file,
+            $parent_post_id,
+            array(
+                'post_mime_type' => 'image/jpeg',
+            )
+        );
+
+        // Set attachment status if different from default.
+        if ( 'publish' === $attachment_status ) {
+            wp_update_post(
+                array(
+                    'ID'          => $attachment_id,
+                    'post_status' => 'publish',
+                )
+            );
+        }
+
+        // Create published post with featured media.
+        $published_post_id = self::factory()->post->create(
+            array(
+                'post_title'  => 'Published Post',
+                'post_status' => 'publish',
+            )
+        );
+        set_post_thumbnail( $published_post_id, $attachment_id );
+
+        // Set current user.
+        if ( 'editor' === $user_id ) {
+            wp_set_current_user( self::$editor_id );
+        } else {
+            wp_set_current_user( $user_id );
+        }
+
+        // Make request.
+        $request  = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $published_post_id ) );
+        $response = rest_get_server()->dispatch( $request );
+        $links    = $response->get_links();
+
+        // Assert link presence based on expectation.
+        if ( $expect_link ) {
+            $this->assertArrayHasKey( 'https://api.w.org/featuredmedia', $links );
+            $this->assertSame(
+                rest_url( '/wp/v2/media/' . $attachment_id ),
+                $links['https://api.w.org/featuredmedia'][0]['href']
+            );
+        } else {
+            $this->assertArrayNotHasKey( 'https://api.w.org/featuredmedia', $links );
+        }
     }