Posts, Post Types: Add no-cache headers to password protected posts.

johnbillion · johnbillion · commit 4863a926efbf · 2025-01-29T18:10:47.000Z
This instructs an intermediate cache, for example a proxy server, to not cache a password protected post both before and after a visitor has entered a password. Props brevilo, haozi, ironprogrammer, narenin Fixes #61711 git-svn-id: https://develop.svn.wordpress.org/trunk@59728 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/class-wp.php b/src/wp-includes/class-wp.php
@@ -545,6 +545,11 @@ public function send_headers() {
 			if ( $post && pings_open( $post ) ) {
 				$headers['X-Pingback'] = get_bloginfo( 'pingback_url', 'display' );
 			}
+
+			// Send nocache headers for password protected posts to avoid unwanted caching.
+			if ( ! empty( $post->post_password ) ) {
+				$headers = array_merge( $headers, wp_get_nocache_headers() );
+			}
 		}
 
 		/**
diff --git a/tests/phpunit/tests/wp/sendHeaders.php b/tests/phpunit/tests/wp/sendHeaders.php
@@ -6,6 +6,7 @@
  * @covers WP::send_headers
  */
 class Tests_WP_SendHeaders extends WP_UnitTestCase {
+	protected $headers_sent = array();
 
 	/**
 	 * @ticket 56068
@@ -35,4 +36,46 @@ function ( $headers ) {
 		$post_id = self::factory()->post->create();
 		$this->go_to( get_permalink( $post_id ) );
 	}
+
+	/**
+	 * @ticket 61711
+	 */
+	public function test_send_headers_sets_cache_control_header_for_password_protected_posts() {
+		$password = 'password';
+
+		add_filter(
+			'wp_headers',
+			function ( $headers ) {
+				$this->headers_sent = $headers;
+				return $headers;
+			}
+		);
+
+		$post_id = self::factory()->post->create(
+			array(
+				'post_password' => $password,
+			)
+		);
+		$this->go_to( get_permalink( $post_id ) );
+
+		$headers_without_password         = $this->headers_sent;
+		$password_status_without_password = post_password_required( $post_id );
+
+		require_once ABSPATH . WPINC . '/class-phpass.php';
+
+		$hash = ( new PasswordHash( 8, true ) )->HashPassword( $password );
+
+		$_COOKIE[ 'wp-postpass_' . COOKIEHASH ] = $hash;
+
+		$this->go_to( get_permalink( $post_id ) );
+
+		$headers_with_password         = $this->headers_sent;
+		$password_status_with_password = post_password_required( $post_id );
+
+		$this->assertTrue( $password_status_without_password );
+		$this->assertArrayHasKey( 'Cache-Control', $headers_without_password );
+
+		$this->assertFalse( $password_status_with_password );
+		$this->assertArrayHasKey( 'Cache-Control', $headers_with_password );
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -545,6 +545,11 @@ public function send_headers() {`
`545`	`545`	`if ( $post && pings_open( $post ) ) {`
`546`	`546`	`$headers['X-Pingback'] = get_bloginfo( 'pingback_url', 'display' );`
`547`	`547`	`}`
	`548`	`+`
	`549`	`+ // Send nocache headers for password protected posts to avoid unwanted caching.`
	`550`	`+ if ( ! empty( $post->post_password ) ) {`
	`551`	`+ $headers = array_merge( $headers, wp_get_nocache_headers() );`
	`552`	`+ }`
`548`	`553`	`}`
`549`	`554`
`550`	`555`	`/**`