Make WordPress Core

Opened 4 years ago

Last modified 3 years ago

#42450 closed defect (bug)

Customize: Ensure customize_autosaved requests only use revision of logged-in user — at Version 1

Reported by: westonruter
Owned by:
Milestone: 4.9.3
Priority: normal
Severity: normal
Version: 4.9
Component: Customize
Keywords: has-patch has-unit-tests fixed-major
Focuses:
Cc:

Description (last modified by westonruter)

To reproduce:

  1. Make a change in the customizer to the site title.
  2. Save draft.
  3. Open the preview link in another tab, but then append with customize_autosaved=on to the URL.
  4. Make a second change to the site title, but do not Save Draft.
  5. Switch to the other tab (and reload) and see your second change appearing there even though you didn't save the draft.
  6. Now open the preview URL from that other tab in an incognito window, and you'll see the user's autosave revision also applying there unexpectedly.

Previously #42433.

The logic for adding the customize_autosaved param to the frontend preview URL (#39896) should be improved, in case a plugin does want to preview the autosaved state. In the meantime, the preview link feature is only intended for previewing the fully saved state, not autosaves. Nevertheless, the customize_autosaved=on preview URL may not ultimately have the changeset autosave revision fully populated yet, since pending changes are sent in POST requests before being written into the changeset at the autosave interval.

Having the customize_autosaved=on param present currently leads to unexpected results whereby a previewer sees changes that the author doesn't intend to share yet.
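The following is an added Python model of the access decision this ticket asks for; it is not WordPress code and not the ticket's patch. It contrasts the reported behaviour (the customize_autosaved=on param alone selects the changeset author's autosave, so even a logged-out viewer sees unsaved edits) with the intended rule (an autosave revision is applied only to the logged-in user who owns it). The Changeset class, the function names and the sample values are constructed for illustration; the preview URL's changeset UUID is a placeholder.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse, parse_qs

Settings = Dict[str, str]


@dataclass
class Changeset:
    """Constructed model of a customizer changeset post (not the WP data model)."""
    post_id: int
    author_id: int
    saved: Settings                                               # state written on "Save Draft"
    autosaves: Dict[int, Settings] = field(default_factory=dict)  # user_id -> unsaved revision


def wants_autosave(preview_url: str) -> bool:
    """True when the preview URL carries customize_autosaved=on."""
    query = parse_qs(urlparse(preview_url).query)
    return query.get("customize_autosaved", [""])[0] == "on"


def preview_settings_reported(cs: Changeset, preview_url: str, viewer_id: Optional[int]) -> Settings:
    """Behaviour the ticket reports: the param alone pulls in the author's
    autosave, regardless of who is viewing (including logged-out visitors)."""
    settings = dict(cs.saved)
    if wants_autosave(preview_url):
        settings.update(cs.autosaves.get(cs.author_id, {}))
    return settings


def preview_settings_fixed(cs: Changeset, preview_url: str, viewer_id: Optional[int]) -> Settings:
    """Intended rule: apply an autosave only when the viewer is logged in and
    owns that revision; anonymous viewers and other users get the saved draft."""
    settings = dict(cs.saved)
    if wants_autosave(preview_url) and viewer_id is not None:
        settings.update(cs.autosaves.get(viewer_id, {}))
    return settings


# Constructed sample: user 7 saved a draft title, then edited again without saving.
CHANGESET = Changeset(
    post_id=123, author_id=7,
    saved={"blogname": "Draft Title"},
    autosaves={7: {"blogname": "Unsaved Edit"}},
)
PREVIEW_URL = "https://example.test/?customize_changeset_uuid=PLACEHOLDER-UUID&customize_autosaved=on"

if __name__ == "__main__":
    for viewer in (None, 7, 9):  # logged out, the author, an unrelated user
        print(viewer, preview_settings_reported(CHANGESET, PREVIEW_URL, viewer)["blogname"],
              preview_settings_fixed(CHANGESET, PREVIEW_URL, viewer)["blogname"])
```

Running it shows the logged-out viewer and user 9 seeing "Unsaved Edit" under the reported behaviour but "Draft Title" under the fixed rule, while the author still previews their own autosave.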

Change History (1)

#1 @westonruter
4 years ago

  • Description modified (diff)