From 20b329ba0802183c33d013079957e6e1059ac81b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Helen=20Hou-Sand=C3=AD?= <helen.y.hou@gmail.com>
Date: Fri, 1 Jul 2016 15:07:36 +0000
Subject: [PATCH] Media: Only show parent post titles when the user can read
 said post.

fixes #37186.

Built from https://develop.svn.wordpress.org/trunk@37941


git-svn-id: http://core.svn.wordpress.org/trunk@37882 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../includes/class-wp-media-list-table.php    | 24 ++++++++++---------
 wp-includes/media.php                         |  5 +++-
 wp-includes/version.php                       |  2 +-
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/wp-admin/includes/class-wp-media-list-table.php b/wp-admin/includes/class-wp-media-list-table.php
index d7b17c5685..d2d013d88a 100644
--- a/wp-admin/includes/class-wp-media-list-table.php
+++ b/wp-admin/includes/class-wp-media-list-table.php
@@ -476,16 +476,18 @@ class WP_Media_List_Table extends WP_List_Table {
 		if ( $parent ) {
 			$title = _draft_or_post_title( $post->post_parent );
 			$parent_type = get_post_type_object( $parent->post_type );
+			
+			if ( $parent_type && $parent_type->show_ui && current_user_can( 'edit_post', $post->post_parent ) ) {
 ?>
-			<strong>
-			<?php if ( $parent_type && $parent_type->show_ui && current_user_can( 'edit_post', $post->post_parent ) ) { ?>
-				<a href="<?php echo get_edit_post_link( $post->post_parent ); ?>">
-					<?php echo $title ?></a><?php
+				<strong><a href="<?php echo get_edit_post_link( $post->post_parent ); ?>">
+					<?php echo $title ?></a></strong><?php
+			} elseif ( current_user_can( 'read_post', $post->post_parent ) ) {
+?>
+				<strong><?php echo $title ?></strong><?php
 			} else {
-				echo $title;
-			} ?></strong>
-			<br />
-			<?php
+				_e( '(Private post)' );
+			}
+
 			if ( $user_can_edit ):
 				$detach_url = add_query_arg( array(
 					'parent_post_id' => $post->post_parent,
@@ -493,7 +495,7 @@ class WP_Media_List_Table extends WP_List_Table {
 					'_wpnonce' => wp_create_nonce( 'bulk-' . $this->_args['plural'] )
 				), 'upload.php' );
 				printf(
-					'<a href="%s" class="hide-if-no-js detach-from-parent" aria-label="%s">%s</a>',
+					'<br /><a href="%s" class="hide-if-no-js detach-from-parent" aria-label="%s">%s</a>',
 					$detach_url,
 					/* translators: %s: title of the post the attachment is attached to */
 					esc_attr( sprintf( __( 'Detach from &#8220;%s&#8221;' ), $title ) ),
@@ -501,11 +503,11 @@ class WP_Media_List_Table extends WP_List_Table {
 				);
 			endif;
 		} else {
-			_e( '(Unattached)' ); ?><br />
+			_e( '(Unattached)' ); ?>
 			<?php if ( $user_can_edit ) {
 				$title = _draft_or_post_title( $post->post_parent );
 				printf(
-					'<a href="#the-list" onclick="findPosts.open( \'media[]\', \'%s\' ); return false;" class="hide-if-no-js" aria-label="%s">%s</a>',
+					'<br /><a href="#the-list" onclick="findPosts.open( \'media[]\', \'%s\' ); return false;" class="hide-if-no-js" aria-label="%s">%s</a>',
 					$post->ID,
 					/* translators: %s: attachment title */
 					esc_attr( sprintf( __( 'Attach &#8220;%s&#8221; to existing content' ), $title ) ),
diff --git a/wp-includes/media.php b/wp-includes/media.php
index 3e860dc4bc..00cde91a57 100644
--- a/wp-includes/media.php
+++ b/wp-includes/media.php
@@ -3065,7 +3065,10 @@ function wp_prepare_attachment_for_js( $attachment ) {
 		if ( $parent_type && $parent_type->show_ui && current_user_can( 'edit_post', $attachment->post_parent ) ) {
 			$response['uploadedToLink'] = get_edit_post_link( $attachment->post_parent, 'raw' );
 		}
-		$response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
+
+		if ( current_user_can( 'read_post', $attachment->post_parent ) ) {
+			$response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
+		}
 	}
 
 	$attached_file = get_attached_file( $attachment->ID );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 393db9b120..5b497ead4e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.6-beta1-37940';
+$wp_version = '4.6-beta1-37941';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.