Opened 12 years ago
Last modified 6 years ago
#24131 new defect (bug)
Fix post previews for multisite with domain mapping
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | azaozz | Owned by: | |
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Posts, Post Types | Keywords: | has-patch needs-refresh |
| Focuses: | multisite, administration | Cc: | |
Description
Currently when previewing latest changes we create a nonce in the admin, then redirect to the front-end and check that nonce on 'init' before showing the preview. This fails sometimes on multisite with domain mapping as they may use JS redirects to log the user in on the front-end.
Attachments (3)
Change History (21)
#3 by westi, 12 years ago (follow-ups: #4, #6)
I'm pretty anti this change:
- We had a nonce in 3.5.1 and this used to work fine
- The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.
#4 in reply to #3, 12 years ago
Replying to westi:
> I'm pretty anti this change:
> - We had a nonce in 3.5.1 and this used to work fine
> - The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.
Strong +1 to all counts.
#6 in reply to #3, 12 years ago
Replying to westi:
> We had a nonce in 3.5.1 and this used to work fine
The nonce was there to ensure only the author can preview posts from autosave. It has no effect when previewing drafts (we didn't include a nonce in this case). This has the disadvantage that admins and editors cannot preview changes to published posts unless they first load the Edit Post screen to get their nonce.
> The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.
No, the user needs to be logged in and have the 'edit_post_' . ID capability to preview anything: http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2718 and http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2735. This hasn't changed. With or without the patch all admins and editors can preview all drafts. Non logged-in users get a 404 when trying to preview.
The only change is that instead of generating and then checking a nonce we match get_current_user_id() to the autosave author.
Patch description by johnjamesjacoby, 12 years ago:
Introduce wp_get_preview_post_url() to funnel post-preview URL handling through, and replace in all instances. Also patches _set_preview() and moves _show_post_preview() to 'set_current_user' priority 20 instead. (Updated patch from #23665)
#10, 12 years ago
In 24131-2.patch:
- Add nonces to all preview links. Nonces are added with the 'preview_post_link' filter for back-compat.
- Add the ability to deny showing a preview to the 'the_preview' filter.
Todo: consider merging @johnjamesjacoby's patch that introduces wp_get_preview_post_url()
#12, 11 years ago
Move back to 3.6 if this can be confirmed as a regression. More info required about the problem and how the proposed solutions will work.
#13, 11 years ago
Don't think this is a regression from 3.5.1. This was made more obvious after the change in 3.6.
It has to do with the way remote login works. Checking a nonce on init is too early on the front end. If the user hasn't visited the front end before, the nonce check fails on the first attempt.
24131-2.patch is an alternative solution (bearing in mind westi's comment) that fixes this by moving the nonce check to _set_preview() which runs later.
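An added example, not one of the ticket's attached patches and not WordPress core code, of the shape described in comments #10 and #13: a post-specific nonce is appended through the 'preview_post_link' filter, and it is verified on 'the_preview', which runs during the main query after the current user has been established, rather than on 'init'. Core's own requirement that the viewer be logged in with 'edit_post' capability (comment #6) is kept and re-checked. The function names prefixed `example_`, and the second `$post` argument to 'preview_post_link', are assumptions of this example.

```php
<?php
/**
 * Added example (not the ticket's patch, not core code).
 *
 * WordPress nonces incorporate the current user's ID, so verifying one before
 * the front-end request has a logged-in user (the domain-mapping case in this
 * ticket) fails. Doing the check on 'the_preview' defers it until the user is
 * known and the preview is actually about to be rendered.
 */

// Append a post-specific nonce to every preview link.
// The $post argument is assumed to be supplied by the filter caller.
add_filter( 'preview_post_link', 'example_add_preview_nonce', 10, 2 );
function example_add_preview_nonce( $link, $post = null ) {
    $post = get_post( $post );
    if ( ! $post ) {
        return $link;
    }
    $nonce = wp_create_nonce( 'post_preview_' . $post->ID );
    return add_query_arg( 'preview_nonce', $nonce, $link );
}

// Verify the nonce just before the autosave content is swapped in. Core only
// reaches this filter for a logged-in user with edit_post on this post; the
// nonce additionally ties the link to the user who generated it.
add_filter( 'the_preview', 'example_check_preview_nonce', 5, 2 );
function example_check_preview_nonce( $post, $query ) {
    $nonce = isset( $_GET['preview_nonce'] ) ? (string) $_GET['preview_nonce'] : '';
    $valid = wp_verify_nonce( $nonce, 'post_preview_' . $post->ID )
        && current_user_can( 'edit_post', $post->ID );

    if ( ! $valid ) {
        // Deny the preview: stop core's _set_preview (hooked at the default
        // priority 10) from applying the autosave and return the stored post
        // unchanged, so nothing unsaved is disclosed.
        remove_filter( 'the_preview', '_set_preview' );
    }
    return $post;
}
```

Running the check at priority 5 on 'the_preview' is what lets the deny step work: a failed check removes core's autosave swap before it executes, and the stored revision of the post is shown instead, which matches the "deny showing a preview" ability comment #10 describes.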
#15, 11 years ago
- Component changed from Administration to Posts, Post Types
- Focuses administration added
In 24131.patch: