Make WordPress Core

Opened 4 years ago

Last modified 3 years ago

#42450 closed defect (bug)

Customize: Ensure customize_autosaved requests only use revision of logged-in user — at Initial Version

Reported by: westonruter
Owned by:
Milestone: 4.9.3
Priority: normal
Severity: normal
Version: 4.9
Component: Customize
Keywords: has-patch has-unit-tests fixed-major
Focuses:
Cc:


To reproduce:

  1. Make a change in the customizer to the site title.
  2. Save draft.
  3. Open the preview link in another tab, but then append customize_autosaved=on to the URL.
  4. Make a second change to the site title, but do not Save Draft.
  5. Switch to the other tab (and reload) and see your second change appearing in the tab even though you didn't save draft.
  6. Now open the preview URL from that other tab in an incognito window, and you'll see the user's autosave revision also applying there unexpectedly.

Previously #42433.

The logic for adding the customize_autosaved param to the frontend preview URL (#39896) should get improved, in case a plugin does want to preview the autosaved state. In the meantime, the preview link feature is only intended for previewing the fully saved state, not autosaves.
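
An added example (not part of the ticket and not WordPress core code) modelling the check the ticket title asks for: a request carrying customize_autosaved=on only gets an autosave revision authored by the logged-in user making that request. The array layout and both function names are hypothetical, and the data is constructed.

```php
<?php
// Constructed sample data: one saved changeset draft plus autosave revisions
// keyed by the ID of the user who authored them. Hypothetical layout, not WordPress internals.
$changeset = [
    'saved'     => ['blogname' => 'Saved Draft Title'],
    'autosaves' => [7 => ['blogname' => 'Unsaved edit by user 7']],
];

/** Models the reported behaviour: the flag alone selects an autosave, whoever asks. */
function changeset_data_unscoped(array $changeset, array $query, int $current_user_id): array
{
    if (($query['customize_autosaved'] ?? '') === 'on' && $changeset['autosaves']) {
        $autosaves = $changeset['autosaves'];
        return end($autosaves); // most recent autosave, author ignored
    }
    return $changeset['saved'];
}

/** Scoped variant: the autosave must belong to the logged-in requester. */
function changeset_data_scoped(array $changeset, array $query, int $current_user_id): array
{
    $wants_autosave = ($query['customize_autosaved'] ?? '') === 'on';
    // User ID 0 stands for "not logged in"; anonymous requests never see autosaves.
    if ($wants_autosave && $current_user_id > 0
        && isset($changeset['autosaves'][$current_user_id])) {
        return $changeset['autosaves'][$current_user_id];
    }
    return $changeset['saved'];
}

// The four requests from the reproduction steps, as [query args, current user ID].
$cases = [
    'author, flag on'     => [['customize_autosaved' => 'on'], 7],
    'other user, flag on' => [['customize_autosaved' => 'on'], 9],
    'anonymous, flag on'  => [['customize_autosaved' => 'on'], 0],
    'author, no flag'     => [[], 7],
];
foreach ($cases as $label => [$query, $user_id]) {
    printf(
        "%-20s unscoped=%-24s scoped=%s\n",
        $label,
        changeset_data_unscoped($changeset, $query, $user_id)['blogname'],
        changeset_data_scoped($changeset, $query, $user_id)['blogname']
    );
}
```

The "anonymous, flag on" row corresponds to step 6: the unscoped function returns user 7's unsaved title to the incognito request, while the scoped one falls back to the saved draft.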
