Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 22 months ago

#42433 closed defect (bug) (fixed)

Customize: Frontend preview link URL erroneously gets customize_autosaved param

Reported by: westonruter Owned by: westonruter
Milestone: 4.9 Priority: normal
Severity: normal Version: 4.9
Component: Customize Keywords: has-patch commit dev-reviewed
Focuses: Cc:
PR Number:

Description

In [41969] (for #39896) the logic for getFrontendPreviewUrl was updated to include additional query params to better reflect the current state of the Customizer. However, the logic for including customize_autosaved is currently broken, resulting in the param being added when it shouldn't (e.g. when in a saved state). In any case, the Preview Link control disables when not in a saved state since the frontend URL is not intended to be shared when not in a saved state. The only reason for including customize_autosaved here was for power users who wanted to manually right-click on the link to view the autosaved revision on the frontend. However, the parameter is not getting removed when going back into the saved state, so it should just be removed for now.

Attachments (4)

customize-preview-link-unavailable.png (85.4 KB) - added by westonruter 2 years ago.
customize-preview-link-available.png (74.0 KB) - added by westonruter 2 years ago.
42433.0.diff (545 bytes) - added by westonruter 2 years ago.
42433.1.diff (2.9 KB) - added by westonruter 2 years ago.

Change History (15)

#1 @westonruter
2 years ago

  • Keywords has-patch dev-feedback added

This ticket was mentioned in Slack in #core-committers by westonruter. View the logs.


2 years ago

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


2 years ago

#4 @obenland
2 years ago

This can't wait until 4.9.1?

#5 @westonruter
2 years ago

@obenland Having the autosave param present could lead to unexpected results whereby a previewer sees changes that the author doesn't intend to share yet.

This issue is compounded further as I just found and patched in 42433.1.diff whereby wp_get_post_autosave() will return the latest autosave revision for _any_ user if 0 is passed in.

To reproduce:

  1. Make a change in the customizer to the site title.
  2. Save draft
  3. Make a second change and Save Draft again (this will result in customize_autosaved=on being left on the preview URL).
  4. Open the preview link in another tab (with customize_autosaved=on present)
  5. Make a third change to the site title, but do not Save Draft.
  6. Switch to other tab (and reload) and see your third change appearing in the tab even though you didn't save draft.
  7. Now open the preview URL from that other tab in an incognito window, and you'll see the user's autosave revision also applying there unexpectedly.

So in 42433.1.diff it also makes explicitly sure that whenever wp_get_post_autosave() is called, it is always passed a non-zero user ID.
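
The user ID 0 behaviour described in the comment above, as an added example that is not part of the ticket or of WordPress core: `find_autosave()` and `autosave_for_request()` are hypothetical names, the lookup is a simplified model of an author-filtered autosave search, and the revision rows are constructed sample data.

```php
<?php
// Simplified model of an author-filtered autosave lookup (assumption: the real
// lookup skips the author check when the user ID is falsy, as the comment describes).
function find_autosave( array $revisions, int $post_id, int $user_id = 0 ) {
    foreach ( $revisions as $rev ) { // rows are ordered newest first
        if ( false === strpos( $rev['post_name'], "{$post_id}-autosave" ) ) {
            continue; // not an autosave revision
        }
        // 0 is falsy, so for user ID 0 this author filter never runs.
        if ( $user_id && $user_id !== $rev['post_author'] ) {
            continue;
        }
        return $rev;
    }
    return false;
}

// Guarded caller: refuse the lookup unless a real (non-zero) user is known.
function autosave_for_request( array $revisions, int $post_id, int $current_user_id ) {
    if ( $current_user_id <= 0 ) {
        return false; // logged-out request: never apply anyone's autosave
    }
    return find_autosave( $revisions, $post_id, $current_user_id );
}

// Constructed sample data: user 7 has an unsaved third change on changeset post 12.
$revisions = array(
    array( 'post_name' => '12-autosave-v1', 'post_author' => 7, 'title' => 'Third change (autosave)' ),
    array( 'post_name' => '12-revision-v1', 'post_author' => 7, 'title' => 'Second change (draft)' ),
);

// Logged-out visitor (ID 0) through the unguarded lookup: author filter is skipped.
$unguarded = find_autosave( $revisions, 12, 0 );
// Same visitor through the guarded caller.
$guarded_anonymous = autosave_for_request( $revisions, 12, 0 );
// A different logged-in user (ID 9) and the author (ID 7) through the guarded caller.
$guarded_other  = autosave_for_request( $revisions, 12, 9 );
$guarded_author = autosave_for_request( $revisions, 12, 7 );

foreach ( compact( 'unguarded', 'guarded_anonymous', 'guarded_other', 'guarded_author' ) as $case => $rev ) {
    printf( "%-18s => %s\n", $case, $rev ? $rev['title'] : 'no autosave applied' );
}
```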

#6 @westonruter
2 years ago

@obenland I think 42433.1.diff can go in 4.9.1 if we just get 42433.0.diff in 4.9.

This ticket was mentioned in Slack in #core by westonruter. View the logs.


2 years ago

#8 @obenland
2 years ago

  • Keywords commit dev-reviewed added; dev-feedback removed

Okay, yes that makes sense. Let's go with 42433.0.diff

#9 @westonruter
2 years ago

  • Owner set to westonruter
  • Resolution set to fixed
  • Status changed from new to closed

In 42118:

Customize: Prevent customize_autosaved=on from getting added to frontend preview URLs.

Amends [41969].
See #39896, #42450.
Fixes #42433.

#10 @westonruter
22 months ago

In 42615:

Customize: Ensure customize_autosaved requests only use revision of logged-in user.

Props dlh, westonruter.
See #42433, #39896.
Fixes #42450.

#11 @SergeyBiryukov
22 months ago

In 42620:

Customize: Ensure customize_autosaved requests only use revision of logged-in user.

Props dlh, westonruter.
See #42433, #39896.
Merges [42615] to the 4.9 branch.
Fixes #42450.
