Opened 7 years ago
Closed 7 years ago
#42450 closed defect (bug) (fixed)
Customize: Ensure customize_autosaved requests only use revision of logged-in user
Reported by: | westonruter | Owned by: | westonruter |
---|---|---|---|
Milestone: | 4.9.3 | Priority: | normal |
Severity: | normal | Version: | 4.9 |
Component: | Customize | Keywords: | has-patch has-unit-tests fixed-major |
Focuses: | Cc: |
Description (last modified by )
To reproduce:
- Make a change in the customizer to the site title.
- Save draft.
- Open the preview link in another tab, but then append with
customize_autosaved=on
to the URL. - Make a second change to the site title, but do not Save Draft.
- Switch to other tab (and reload) and see your second change appearing in the tab even though you did't save draft.
- Now open the preview URL from that other tab in an incognito window, and you'll see the user's autosave revision also applying there unexpectedly.
Previously #42433.
The logic for adding the customize_autosaved
param to the frontend preview URL (#39896) should get improved, in case a plugin does want to preview the autosaved state. In the mean time, the preview link feature is only intended for previewing the fully saved state, not autosaves. Nevertheless, the customize_autosaved=on
preview URL may not ultimately have the changeset autosave revision fully populated yet since pending changes are sent in POST requests before being written into the changeset at the autosave interval.
Attachments (2)
Change History (19)
#7
@
7 years ago
Sure, I can take a look at this on Monday. Do I understand correctly that we just need unit tests?
#9
@
7 years ago
I was wrong about being able to take this. This is unfortunately late notice, and I apologize for that.
This ticket was mentioned in Slack in #core-customize by westonruter. View the logs.
7 years ago
#11
@
7 years ago
- Keywords has-unit-tests added; needs-unit-tests removed
42450.2.diff adds a couple of test assertions for the changes in the patch. Also:
- Moves the
is_user_logged_in()
check to the top ofWP_Customize_Manager::handle_dismiss_autosave_or_lock_request()
. This would provide parity with the order of similar checks inWP_Customize_Manager::handle_changeset_trash_request()
and::save()
. Additionally, if there is no user, then it seems all but certain that the nonce check would fail beforeis_user_logged_in()
ran, unless there are cases I'm not thinking of.
- Updates the new Ajax error code in
handle_dismiss_autosave_or_lock_request()
tounauthenticated
to match similar responses elsewhere inWP_Customize_Manager
.
In my testing, I found that the patch didn't change anything about step (5) above ("see your second change appearing in the tab even though you didn't save a draft") because the user is still authenticated in the second tab. The unchanged behavior seems expected given the title of this ticket, but I wanted to double-check just because it was mentioned in the steps.
One other small comment: The new Ajax error in uses a 401 status code, which I think, technically, also requires a WWW-Authenticate
header. The other unauthenticated
responses omit a status code.
This ticket was mentioned in Slack in #core by desrosj. View the logs.
7 years ago
This ticket was mentioned in Slack in #core by desrosj. View the logs.
7 years ago
#15
@
7 years ago
- Owner set to westonruter
- Resolution set to fixed
- Status changed from new to closed
In 42615:
In 42118: