Make WordPress Core

Opened 11 years ago

Last modified 5 years ago

#24131 new defect (bug)

Fix post previews for multisite with domain mapping

Reported by: azaozz
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords: has-patch needs-refresh
Focuses: multisite, administration
Cc:

Description

Currently when previewing latest changes we create a nonce in the admin, then redirect to the front-end and check that nonce on 'init' before showing the preview. This fails sometimes on multisite with domain mapping as they may use JS redirects to log the user in on the front-end.

Attachments (3)

24131.patch (3.8 KB) - added by azaozz 11 years ago.
24131-post-preview.patch (7.3 KB) - added by johnjamesjacoby 11 years ago.
Introduce wp_get_preview_post_url() to funnel post-preview URL handling through, and replace in all instances. Also patches _set_preview() and moves _show_post_preview() to 'set_current_user' priority 20 instead. (Updated patch from #23665)
24131-2.patch (6.2 KB) - added by azaozz 11 years ago.


Change History (21)

@azaozz
11 years ago

#1 @azaozz
11 years ago

In 24131.patch:

  • Don't use a nonce for previews; instead check the revision author before substituting the content. This keeps preview behaviour the same in most cases.
  • Allow preview links to be shared for published posts. Currently it's not possible to share a preview link as the nonce is unique for each user. Keeping the latest changes "private" makes sense while an author is writing a new post but prevents editors/other users from easily previewing changes to published posts. All users still need the 'edit_post_id' cap to preview changes.
Last edited 11 years ago by azaozz

#2 @batmoo
11 years ago

  • Cc batmoo@… added

#3 @westi
11 years ago

I'm pretty anti this change:

  • We had a nonce in 3.5.1 and this used to work fine
  • The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

#4 in reply to #3 @nacin
11 years ago

Replying to westi:

I'm pretty anti this change:

  • We had a nonce in 3.5.1 and this used to work fine
  • The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

Strong +1 to all counts.

#5 @kovshenin
11 years ago

  • Cc kovshenin added

#6 in reply to #3 @azaozz
11 years ago

Replying to westi:

We had a nonce in 3.5.1 and this used to work fine

The nonce was there to ensure only the author can preview posts from autosave. It has no effect when previewing drafts (we didn't include a nonce in this case). This has the disadvantage that admins and editors cannot preview changes to published posts unless they first load the Edit Post screen to get their nonce.

The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

No, the user needs to be logged in and have the 'edit_post_' . ID capability to preview anything: http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2718 and http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2735. This hasn't changed. With or without the patch all admins and editors can preview all drafts. Non-logged-in users get a 404 when trying to preview.

The only change is that instead of generating and then checking a nonce we match get_current_user_id() to the autosave author.

@johnjamesjacoby
11 years ago

Introduce wp_get_preview_post_url() to funnel post-preview URL handling through, and replace in all instances. Also patches _set_preview() and moves _show_post_preview() to 'set_current_user' priority 20 instead. (Updated patch from #23665)

#7 @johnjamesjacoby
11 years ago

  • Cc johnjamesjacoby added

#8 @ethitter
11 years ago

  • Cc erick@… added

#9 @vickybiswas
11 years ago

  • Cc vickybiswas@… added

@azaozz
11 years ago

#10 @azaozz
11 years ago

In 24131-2.patch:

  • Add nonces to all preview links. Nonces are added with the 'preview_post_link' filter for back-compat.
  • Add the ability to deny showing a preview to 'the_preview' filter.

Todo: consider merging @johnjamesjacoby's patch that introduces wp_get_preview_post_url().

#11 @markjaquith
11 years ago

  • Milestone changed from 3.6 to Future Release

#12 @markjaquith
11 years ago

Move back to 3.6 if this can be confirmed as a regression. More info required about the problem and how the proposed solutions will work.

#13 @azaozz
11 years ago

Don't think this is a regression from 3.5.1. This was made more obvious after the change in 3.6.

It has to do with the way remote login works. Checking a nonce on init is too early on the front end. If the user hasn't visited the front end before, the nonce check fails on the first attempt.

24131-2.patch is an alternative solution (bearing in mind westi's comment) that fixes this by moving the nonce check to _set_preview() which runs later.
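To make the two approaches in this thread concrete, here is an added illustration in plugin form (my own code, not 24131.patch or 24131-2.patch): the nonce is attached to the preview link via 'preview_post_link' and verified in a 'the_preview' callback, which runs inside the main query after the current user is set rather than on 'init' (comment 13), with the capability check and the autosave author match from comment 6 on top. The function prefix, the 'preview_nonce' query parameter, the nonce action string, and the second (user ID) argument to wp_get_post_autosave() are my assumptions.

```php
<?php
// Added illustration, not the ticket's patch: scope a nonce to the post and
// the current user in the preview link, and verify it on 'the_preview', which
// runs inside the main query after the current user is set, instead of 'init'.

// Nonce action scoped to one post, so a link for one post cannot be replayed on another.
function ticket24131_preview_nonce_action( $post_id ) {
    return 'post_preview_' . (int) $post_id;
}

// Attach the nonce to the preview URL. Newer WordPress passes $post as the second
// filter argument; older versions pass only the link, so fall back to the global post.
function ticket24131_add_preview_nonce( $link, $post = null ) {
    $post = get_post( $post );
    if ( ! $post ) {
        return $link;
    }
    return wp_nonce_url( $link, ticket24131_preview_nonce_action( $post->ID ), 'preview_nonce' );
}
add_filter( 'preview_post_link', 'ticket24131_add_preview_nonce', 10, 2 );

// Substitute the autosave only when the viewer may edit the post, the nonce
// verifies, and the autosave belongs to the viewer (the author match from
// comment 6). On any failure the stored post is returned unchanged, so the
// unsaved revision is never shown to a different user.
function ticket24131_apply_preview( $post ) {
    if ( ! ( $post instanceof WP_Post ) || ! current_user_can( 'edit_post', $post->ID ) ) {
        return $post;
    }
    $nonce = isset( $_GET['preview_nonce'] ) ? (string) $_GET['preview_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, ticket24131_preview_nonce_action( $post->ID ) ) ) {
        return $post;
    }
    $user_id  = get_current_user_id();
    // Assumed signature: wp_get_post_autosave( $post_id, $user_id ) returns that user's autosave or false.
    $autosave = wp_get_post_autosave( $post->ID, $user_id );
    if ( ! $autosave || (int) $autosave->post_author !== $user_id ) {
        return $post;
    }
    $post->post_content = $autosave->post_content;
    $post->post_title   = $autosave->post_title;
    $post->post_excerpt = $autosave->post_excerpt;
    return $post;
}
add_filter( 'the_preview', 'ticket24131_apply_preview' );
```

Because the nonce is bound to the logged-in user and the check happens after set_current_user has run, a front-end login redirect that completes before the query no longer causes a spurious failure on the first preview attempt.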

#14 @jeremyfelt
10 years ago

  • Focuses multisite added

#15 @nacin
10 years ago

  • Component changed from Administration to Posts, Post Types
  • Focuses administration added

9 years ago

This ticket was mentioned in IRC in #wordpress-dev by johnbillion.

#18 @chriscct7
8 years ago

  • Keywords has-patch needs-refresh added