Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#11236 closed defect (bug) (fixed)

Trashed pages can still be opened when logged in

Reported by: caesarsgrunt Owned by:
Milestone: 3.0 Priority: lowest
Severity: trivial Version: 2.9
Component: Trash Keywords:
Focuses: Cc:

Description

Pages in the trash can still be visited, assuming that you know the URL (e.g. you bookmarked it before the page was trashed). This should not be possible; a 404 error should be returned.

Change History (13)

comment:1 caesarsgrunt 4 years ago

Ah. This is only so if the user is logged in, as with Pending/Draft posts. It still shouldn't be visible really, though.

comment:2 azaozz 4 years ago

  • Milestone changed from 2.9 to Future Release
  • Priority changed from normal to low
  • Severity changed from normal to trivial

comment:3 caesarsgrunt 4 years ago

  • Summary changed from Trashed pages can still be opened to Trashed pages can still be opened when logged in

comment:4 follow-up: hakre 4 years ago

  • Milestone changed from Future Release to 3.0
  • Priority changed from low to normal

401 Error might be valid as well (gone). Since trash is a 2.9 feature and it looks like someone had just forgotten to complete it, it should be fixed in 2.9 as well.

Is there a concept on how to deal with trashed items? I mean this can be the same for trashed pages and/or trashed links, categories etc. pp. Which items are trashable anyway?

comment:5 hakre 4 years ago

Even better: A message could be displayed: This item was trashed. Do you want to undo this / delete this forever?

comment:6 in reply to: ↑ 4 ; follow-up: caesarsgrunt 4 years ago

Replying to hakre:
I think you mean 410 Gone. 401 is Unauthorized.
Yes, 410 is a valid response too, and might be better than 404. However, only if the post was previously published.

I don't think the message is a good idea in the frontend.

comment:7 in reply to: ↑ 6 hakre 4 years ago

  • Milestone 3.0 deleted
  • Priority changed from normal to lowest

Replying to caesarsgrunt:

"I don't think the message is a good idea in the frontend."

I misread the ticket, I thought this was about the post editor (backend).


Was able to reproduce. Trashed post is accessible as long as still logged in. Not-logged-in users will get a "Sorry, no posts matched your criteria." message (default theme).

The related function have_posts() is returning true even for a trashed page. That function relies on wp_query->get_posts() (query.php line 1564-2387). You must have passed at least the mid-term exam of the WP-Query Science before you're allowed to write a patch for that 823-lined-function. Because of that I assume this will never get fixed. So I suggest wontfix right away.

comment:8 dd32 4 years ago

  • Keywords dev-feedback added; needs-patch removed
  • Milestone set to Future Release

See also #11546

For front end queries, IMO ideally WP_Query wouldn't return trash posts for privileged accounts. Except looking at this again, it's not included in the results... just when queried directly?

However, there is the possibility that users may want that, for example, take a wiki plugin, trashed posts would want to be available for moderators on the front end.

The question boils down to: Since privileged accounts can see it in the back end, does that mean they should be able to access it on the front end as well? If so, adding a Trashed: prefix to the title (like Private and Protected) would be a mid-ground to mention to the users the reasoning.

Milestone: All open tickets need a milestone.

dev-feedback pending on the user experience of trashed posts on the front end?

comment:9 hakre 4 years ago

dd32 wrote: "Since privileged accounts can see it in the back end,"

In fact privileged accounts can see it in the frontend if they know the URL. Just for correctness so that this does not get mixed.

comment:10 dd32 4 years ago

"In fact privileged accounts can see it in the frontend if they know the URL."

Mate.... I think most are quite aware of that given that's what this damn ticket is about? Please read the tickets before commenting, and while I'm at it, please don't link every damn ticket to another that mentions a similar word, it's getting old.

comment:11 hakre 4 years ago

Looks like this has been fixed with a patch / changeset. [13117]? Can the original fix-committing developer please reference it? Must be pre the 2.9.2 [13165] / [13164]. Maybe ryan?

Reference: #11401

comment:12 sivel 4 years ago

  • Keywords dev-feedback removed
  • Resolution set to fixed
  • Status changed from new to closed

[13117] and [13118] Add trash to edit cap check fixes #11236

comment:13 sivel 4 years ago

  • Milestone changed from Future Release to 3.0