#22902 closed defect (bug) (fixed)
Duplicate post slug causes unpublished posts to display in single post template, based on permalinks
Reported by: | luke at sametz | Owned by: | markjaquith |
---|---|---|---|
Milestone: | 3.6 | Priority: | high |
Severity: | major | Version: | 3.2 |
Component: | Quick/Bulk Edit | Keywords: | has-patch |
Focuses: | Cc: |
Description
It's possible to force unpublished post content to appear on an existing, published post's permalink if an editor or administrator assigns an existing slug to one or more unpublished posts via the Quick Edit link on All Posts (or the equivalent, for custom post types).
Steps to reproduce
- Start with a default installation of 3.5
- Set permalink structure to the 'Post name' Common setting
- Save it as a Draft
- Give it a title of 'Unpublished Post' and add body text
- Save it as a Draft
- View All Posts
- Use the Quick Edit link for the Unpublished Post
- Assign a slug of 'hello-world' and Update
- View the default 'Hello World!' post at /hello-world/
Results:
The loop runs and returns both posts in the single.php template.
You'll get...
- the full title and text of the unpublished post,
- a previous link to the default Hello World post,
- the comments for the Unpublished post, and finally
- the expected result of the default Hello World post.
Real world use case:
A periodical publication with a monthly "From the editor" post. A non-technical Editor could (assuming default permissions) potentially notice the slug in quick edit and try to "correct" the url, duplicating the first post with that title.
Attachments (3)
Change History (9)
#2, 12 years ago
Was originally spotted on a 3.4.2 site, but tried a clean install of current version to test the steps to reproduce. Not sure how far back it goes, but guessing at least to 3.0.
It seems that the permalink structure makes a query based upon the slug - the only information available to determine the post to be presented - and the loop does its thing and displays all results matching the query, as expected. While it's arguably expected behavior, it's certainly unexpected results. The real question at the time was whether to report it as a permalink issue or a query issue.
After sleeping on it, I think it might be best if addressed as an administrative UI issue. Just ensure that draft posts get unique slugs in Quick Edit, just like published ones do. That wouldn't actually resolve the root of the issue, just makes sure it can't happen through the administrative interface.
#3, 12 years ago
- Component changed from Query to Quick/Bulk Edit
- Milestone changed from Awaiting Review to 3.6
- Priority changed from normal to high
- Severity changed from normal to major
This is bad.
#4, 12 years ago
- Keywords has-patch added
`wp_unique_post_slug()` bails early when dealing with a draft:
http://core.trac.wordpress.org/browser/tags/3.5/wp-includes/post.php#L3073
`get_sample_permalink()` contains a hack to prevent that by faking a 'publish' status:
http://core.trac.wordpress.org/browser/tags/3.5/wp-admin/includes/post.php#L994
22902.patch is an attempt to fix the issue by implementing a similar hack in `wp_ajax_inline_save()`.
Confirmed. Reproduced on 3.2, could well affect earlier.
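An added example, not part of the ticket or of WordPress core: an audit that lists unpublished posts whose slug matches a published post of the same post type, which is the condition this ticket describes. It assumes the standard `wp_posts` columns and the default `wp_` table prefix; the sample rows are constructed and loaded into in-memory SQLite so the script runs offline.

```python
import sqlite3

# Constructed sample rows (a subset of wp_posts columns) mirroring the ticket's
# reproduction: draft 3 was given the slug of published post 1 via Quick Edit.
SAMPLE_POSTS = [
    (1, "Hello world!", "hello-world", "publish", "post"),
    (2, "Sample Page", "sample-page", "publish", "page"),
    (3, "Unpublished Post", "hello-world", "draft", "post"),
    (4, "From the editor", "from-the-editor", "publish", "post"),
    (5, "From the editor", "from-the-editor", "pending", "post"),
    (6, "From the editor", "from-the-editor-2", "draft", "post"),
    (7, "Hello page", "hello-world", "draft", "page"),
]

# Pairs each non-published row with a published row of the same post type
# that carries the same slug. Assumes the default "wp_" table prefix.
COLLISION_SQL = """
SELECT d.ID, d.post_title, d.post_status, d.post_name, p.ID
FROM wp_posts AS d
JOIN wp_posts AS p
  ON p.post_name = d.post_name
 AND p.post_type = d.post_type
 AND p.ID <> d.ID
WHERE p.post_status = 'publish'
  AND d.post_status <> 'publish'
  AND d.post_name <> ''
ORDER BY d.post_name, d.ID
"""

def build_sample_db():
    """Create an in-memory table with only the columns the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
        "post_name TEXT, post_status TEXT, post_type TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)", SAMPLE_POSTS)
    return conn

def find_slug_collisions(conn):
    """Return (unpublished_id, title, status, slug, published_id) tuples."""
    return conn.execute(COLLISION_SQL).fetchall()

if __name__ == "__main__":
    for row in find_slug_collisions(build_sample_db()):
        print("unpublished post %d (%r, %s) shares slug %r with published post %d" % row)
```

The SELECT in `COLLISION_SQL` is plain SQL and can be run read-only against a site's own database to find rows created before the Quick Edit fix was applied.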