Make WordPress Core

Opened 12 months ago

Last modified 3 months ago

#24131 new defect (bug)

Fix post previews for multisite with domain mapping

Reported by: azaozz
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords:
Focuses: multisite, administration
Cc:

Description

Currently when previewing latest changes we create a nonce in the admin, then redirect to the front-end and check that nonce on 'init' before showing the preview. This fails sometimes on multisite with domain mapping as they may use JS redirects to log the user in on the front-end.

Attachments (3)

24131.patch (3.8 KB) - added by azaozz 12 months ago.
24131-post-preview.patch (7.3 KB) - added by johnjamesjacoby 12 months ago.
Introduce wp_get_preview_post_url() to funnel post-preview URL handling through, and replace in all instances. Also patches _set_preview() and moves _show_post_preview() to 'set_current_user' priority 20 instead. (Updated patch from #23665)
24131-2.patch (6.2 KB) - added by azaozz 12 months ago.

Change History (18)

azaozz 12 months ago

comment:1 azaozz 12 months ago

In 24131.patch:

  • Don't use a nonce for previews, instead check the revision author before substituting the content. This keeps preview behaviour the same in most cases.
  • Allow preview links to be shared for published posts. Currently it's not possible to share a preview link as the nonce is unique for each user. This makes sense while an author is writing a new post but prevents editors/other users from easily previewing changes to published posts. All users still need the 'edit_post_id' cap to preview changes.

comment:2 batmoo 12 months ago

  • Cc batmoo@… added

comment:3 follow-ups: westi 12 months ago

I'm pretty anti this change:

  • We had a nonce in 3.5.1 and this used to work fine
  • The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

comment:4 in reply to: ↑ 3 nacin 12 months ago

Replying to westi:

I'm pretty anti this change:

  • We had a nonce in 3.5.1 and this used to work fine
  • The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

Strong +1 to all counts.

comment:5 kovshenin 12 months ago

  • Cc kovshenin added

comment:6 in reply to: ↑ 3 azaozz 12 months ago

Replying to westi:

We had a nonce in 3.5.1 and this used to work fine

The nonce was there to ensure only the author can preview posts from autosave. It has no effect when previewing drafts (we didn't include a nonce in this case). This has the disadvantage that admins and editors cannot preview changes to published posts unless they first load the Edit Post screen to get their nonce.

The nonce is there to stop the drafts being disclosed to a third party - without the nonce a third party can load all of your drafts when you visit a random site and siphon them off elsewhere.

No, the user needs to be logged in and have 'edit_post_' . ID capability to preview anything: http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2718 and http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2735. This hasn't changed. With or without the patch all admins and editors can preview all drafts. Non logged-in users get a 404 when trying to preview.

The only change is that instead of generating and then checking a nonce we match get_current_user_id() to the autosave author.

johnjamesjacoby 12 months ago

comment:7 johnjamesjacoby 12 months ago

  • Cc johnjamesjacoby added

comment:8 ethitter 12 months ago

  • Cc erick@… added

comment:9 vickybiswas 12 months ago

  • Cc vickybiswas@… added

azaozz 12 months ago

comment:10 azaozz 12 months ago

In 24131-2.patch:

  • Add nonces to all preview links. Nonces are added with the 'preview_post_link' filter for back-compat.
  • Add the ability to deny showing a preview to 'the_preview' filter.

Todo: consider merging @johnjamesjacoby's patch that introduces wp_get_preview_post_url();

comment:11 markjaquith 10 months ago

  • Milestone changed from 3.6 to Future Release

comment:12 markjaquith 10 months ago

Move back to 3.6 if this can be confirmed as a regression. More info required about the problem and how the proposed solutions will work.

comment:13 azaozz 10 months ago

Don't think this is a regression from 3.5.1. This was made more obvious after the change in 3.6.

It has to do with the way remote login works. Checking a nonce on init is too early on the front end. If the user hasn't visited the front end before, the nonce check fails on the first attempt.

24131-2.patch is an alternative solution (bearing in mind westi's comment) that fixes this by moving the nonce check to _set_preview() which runs later.
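
As an added illustration, not one of the ticket's patches, the following plugin-style snippet sketches the combination the thread converges on: a nonce bound to the post is attached to every preview link through the 'preview_post_link' filter (comment:10), and the nonce, the 'edit_post' capability (comment:6) and the autosave-author match are all checked in the 'the_preview' filter, which runs inside WP_Query after the current user is set, rather than on 'init' (comment:13). The filter and function names are WordPress's; the nonce action prefix 'example_preview_' and the query argument 'example_preview_nonce' are invented for this example, and it assumes core's _set_preview() is hooked on 'the_preview' at the default priority 10, which the snippet unhooks so that the substitution happens only under its own checks.

```php
<?php
/*
Plugin Name: Preview gate example
Description: Added illustration of signing preview links with a per-post nonce
and verifying nonce, capability and autosave author late, in 'the_preview'.
The 'example_preview_' action prefix and 'example_preview_nonce' argument are
invented for this example.
*/

// 1) Sign every preview link with a nonce bound to the post being previewed.
//    WordPress 3.6 passes only the link to this filter; later versions also pass
//    the post, so fall back to the global post when the second argument is absent.
add_filter( 'preview_post_link', 'example_sign_preview_link', 10, 2 );
function example_sign_preview_link( $link, $post = null ) {
    $post = get_post( $post );
    if ( ! $post ) {
        return $link;
    }
    $nonce = wp_create_nonce( 'example_preview_' . $post->ID );
    return add_query_arg( 'example_preview_nonce', $nonce, $link );
}

// 2) Gate the preview where the current user is already known. 'the_preview' is
//    applied from WP_Query::get_posts(), after 'set_current_user', so a JS-driven
//    remote login on the front end has completed before the nonce is checked.
//    Priority 5 runs before core's _set_preview() at 10.
add_filter( 'the_preview', 'example_gate_preview', 5 );
function example_gate_preview( $post ) {
    // Assumption: core hooks _set_preview() here at priority 10; take over the
    // substitution so it only happens once the checks below have passed.
    remove_filter( 'the_preview', '_set_preview' );

    if ( ! is_object( $post ) ) {
        return $post;
    }

    // Capability first: the same requirement the query layer applies.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return example_deny_preview( $post );
    }

    // Nonce bound to this post ID, so a link for one post cannot be reused for another.
    $nonce = isset( $_GET['example_preview_nonce'] ) ? (string) $_GET['example_preview_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_preview_' . $post->ID ) ) {
        return example_deny_preview( $post );
    }

    // Only substitute an autosave authored by the current user: match
    // get_current_user_id() to the autosave author rather than relying on the
    // nonce alone to prove ownership.
    $autosave = wp_get_post_autosave( $post->ID, get_current_user_id() );
    if ( ! $autosave ) {
        return $post;
    }
    $autosave           = sanitize_post( $autosave );
    $post->post_content = $autosave->post_content;
    $post->post_title   = $autosave->post_title;
    $post->post_excerpt = $autosave->post_excerpt;
    return $post;
}

// Denied: hand back the stored post exactly as saved, so no autosave content
// reaches the response. Drafts themselves are already restricted by the query
// layer to users holding 'edit_post' for that post.
function example_deny_preview( $post ) {
    return $post;
}
```

The point of doing all three checks in one late hook is that a failed check degrades to "no unpublished content", whereas the init-time wp_die() in the current flow fails closed in a way that also breaks legitimate previews whose login has not completed yet.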

comment:14 jeremyfelt 3 months ago

  • Focuses multisite added

comment:15 nacin 3 months ago

  • Component changed from Administration to Posts, Post Types
  • Focuses administration added