
Opened 2 years ago

Last modified 7 months ago

#24131 new defect (bug)

Fix post previews for multisite with domain mapping

Reported by: azaozz
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords:
Focuses: multisite, administration
Cc:

Description

Currently when previewing latest changes we create a nonce in the admin, then redirect to the front-end and check that nonce on 'init' before showing the preview. This fails sometimes on multisite with domain mapping as they may use JS redirects to log the user in on the front-end.

Attachments (3)

24131.patch (3.8 KB) - added by azaozz 2 years ago.
24131-post-preview.patch (7.3 KB) - added by johnjamesjacoby 2 years ago.
Introduce wp_get_preview_post_url() to funnel post-preview URL handling through, and replace in all instances. Also patches _set_preview() and moves _show_post_preview() to 'set_current_user' priority 20 instead. (Updated patch from #23665)
24131-2.patch (6.2 KB) - added by azaozz 2 years ago.


Change History (20)

@azaozz 2 years ago

comment:1 @azaozz 2 years ago

In 24131.patch:

  • Don't use a nonce for previews, instead check the revision author before substituting the content. This keeps preview behaviour the same in most cases.
  • Allow preview links to be shared for published posts. Currently it's not possible to share a preview link as the nonce is unique for each user. This makes sense while an author is writing a new post but prevents editors/other users from easily previewing changes to published posts. All users still need the 'edit_post_id' cap to preview changes.

comment:2 @batmoo 2 years ago

  • Cc batmoo@… added

comment:3 follow-ups: @westi 2 years ago

I'm pretty anti this change:

  • We had a nonce in 3.5.1 and this used to work fine
  • The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

comment:4 in reply to: ↑ 3 @nacin 2 years ago

Replying to westi:

    I'm pretty anti this change:

      • We had a nonce in 3.5.1 and this used to work fine
      • The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

Strong +1 to all counts.

comment:5 @kovshenin 2 years ago

  • Cc kovshenin added

comment:6 in reply to: ↑ 3 @azaozz 2 years ago

Replying to westi:

    We had a nonce in 3.5.1 and this used to work fine

The nonce was there to ensure only the author can preview posts from autosave. It has no effect when previewing drafts (we didn't include a nonce in this case). This has the disadvantage that admins and editors cannot preview changes to published posts unless they first load the Edit Post screen to get their nonce.

    The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

No, the user needs to be logged in and have 'edit_post_' . ID capability to preview anything: http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2718 and http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2735. This hasn't changed. With or without the patch all admins and editors can preview all drafts. Non logged-in users get a 404 when trying to preview.

The only change is that instead of generating and then checking a nonce we match get_current_user_id() to the autosave author.

@johnjamesjacoby 2 years ago

Introduce wp_get_preview_post_url() to funnel post-preview URL handling through, and replace in all instances. Also patches _set_preview() and moves _show_post_preview() to 'set_current_user' priority 20 instead. (Updated patch from #23665)

comment:7 @johnjamesjacoby 2 years ago

  • Cc johnjamesjacoby added

comment:8 @ethitter 2 years ago

  • Cc erick@… added

comment:9 @vickybiswas 2 years ago

  • Cc vickybiswas@… added

@azaozz 2 years ago

comment:10 @azaozz 2 years ago

In 24131-2.patch:

  • Add nonces to all preview links. Nonces are added with the 'preview_post_link' filter for back-compat.
  • Add the ability to deny showing a preview to 'the_preview' filter.

Todo: consider merging @johnjamesjacoby's patch that introduces wp_get_preview_post_url().

comment:11 @markjaquith 2 years ago

  • Milestone changed from 3.6 to Future Release

comment:12 @markjaquith 2 years ago

Move back to 3.6 if this can be confirmed as a regression. More info required about the problem and how the proposed solutions will work.

comment:13 @azaozz 2 years ago

Don't think this is a regression from 3.5.1. This was made more obvious after the change in 3.6.

It has to do with the way remote login works. Checking a nonce on init is too early on the front end. If the user hasn't visited the front end before, the nonce check fails on the first attempt.

24131-2.patch is an alternative solution (bearing in mind westi's comment) that fixes this by moving the nonce check to _set_preview() which runs later.
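As an added illustration of the access model discussed in comments 6, 10 and 13 (this is not code from either patch in the ticket), the check below refuses to substitute autosave content unless the logged-in user can edit the post and either authored the autosave or presents a valid preview nonce, verified at 'the_preview' time rather than on 'init'. It assumes a WordPress runtime; the t24131_-prefixed function names are assumptions, and the 'post_preview_' . ID nonce action is the one core uses for preview links.

```php
<?php
/**
 * Illustrative gate for autosave previews (added example, not from the ticket's patches).
 * Assumes a WordPress runtime; the t24131_ function names are hypothetical.
 */
function t24131_preview_allowed( WP_Post $post, $nonce = '' ) {
	// Anonymous visitors never see a preview (core already 404s them).
	if ( ! is_user_logged_in() ) {
		return false;
	}
	// The capability check from query.php stays in force: no edit_post, no preview.
	if ( ! current_user_can( 'edit_post', $post->ID ) ) {
		return false;
	}
	$autosave = wp_get_post_autosave( $post->ID );
	if ( ! $autosave ) {
		return false; // Nothing to substitute.
	}
	// Path 1 (24131.patch idea): the viewer is the autosave author.
	if ( (int) $autosave->post_author === get_current_user_id() ) {
		return true;
	}
	// Path 2 (24131-2.patch idea): a nonce bound to this post id, checked here,
	// after 'set_current_user', so a late front-end login no longer breaks it.
	return (bool) wp_verify_nonce( $nonce, 'post_preview_' . $post->ID );
}

function t24131_filter_preview( $post ) {
	if ( ! is_object( $post ) ) {
		return $post;
	}
	$nonce = isset( $_GET['preview_nonce'] ) ? (string) $_GET['preview_nonce'] : '';
	if ( ! t24131_preview_allowed( $post, $nonce ) ) {
		return $post; // Fail closed: published content is shown unchanged.
	}
	$autosave           = wp_get_post_autosave( $post->ID );
	$post->post_content = $autosave->post_content;
	$post->post_title   = $autosave->post_title;
	$post->post_excerpt = $autosave->post_excerpt;
	return $post;
}
add_filter( 'the_preview', 't24131_filter_preview', 20 );
```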

comment:14 @jeremyfelt 16 months ago

  • Focuses multisite added

comment:15 @nacin 16 months ago

  • Component changed from Administration to Posts, Post Types
  • Focuses administration added

comment:17 @ircbot 7 months ago

This ticket was mentioned in IRC in #wordpress-dev by johnbillion.
