Opened 7 years ago
Last modified 3 years ago
#42533 new defect (bug)
New pages scheduled via Customizer viewable as admin, 404 as visitor
| Reported by: | bwmarkle | Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | 4.9 |
| Component: | Customize | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
I'm not 100% sure if this is a bug, but here's the issue I am seeing:
If I add a new page via the Customizer and schedule the changes for 5 minutes in the future:
- As an admin viewing the Share Preview Link, I can view the new page.
- As a visitor viewing the Share Preview Link, I get a 404 when trying to access the new page.
I posted a Google Doc with steps to reproduce and screenshots here:
https://docs.google.com/document/d/1tiTjWjlUnVGNDaUZjFWmyg1BFRz6nF7tCTO-jjaXXUs/edit?usp=sharing
If the document is unreachable, here are the steps from the doc:
1. Install a new WordPress site via Softaculous
2. Install WordPress Beta Tester plugin and upgrade to latest WordPress versions:
3. Access the Customizer
4. Menus > Top Menu > Add Items > Add New Page New Page 1 > Add
5. Schedule the changes for the future, like 1 hour in the future.
6. Copy the Share Preview Link, you’ll need it in step 10.
7. Click the Share Preview Link
8. Click the link in the menu for New Page 1. You’re currently logged in as an admin, and you can see it.
9. Logout of WordPress.
10. As a visitor, access the Share Preview Link (the link you copied in step 6).
11. Click New Page 1 in the menu. You’ll get a 404.
This 404 I believe is a bug. If I’ve been working on New Page 1 and I want a client to preview my draft, I would expect them to be able to see it without logging in.
Change History (14)
This ticket was mentioned in Slack in #core by westonruter. View the logs.
7 years ago
#3 @ 7 years ago
We'd essentially need to force a given draft to be viewable by an unauthenticated user if it is a customization draft.
This could involve a filter for capability check that looks to see if a given post is among the IDs in the nav_menus_created_posts setting, and if so, force the post to be readable.
This ticket was mentioned in Slack in #core-customize by dlh. View the logs.
7 years ago
#9 @ 7 years ago
> This could involve a filter for capability check that looks to see if a given post is among the IDs in the nav_menus_created_posts setting, and if so, force the post to be readable.

I'm not sure a capability filter will be enough. WP_Query disallows unauthenticated users access to unpublished posts regardless of capabilities: https://github.com/WordPress/wordpress-develop/blob/7f94931449a25f2ffe278f3f6d8d2c4c5a16436a/src/wp-includes/class-wp-query.php#L3010.
Perhaps I'm overthinking it, but would tricking WordPress into believing a user is logged in have the potential to lead to unintended privilege escalation?
Additionally, the resulting preview might not reflect the intention of previewing the "public" version of a site. For example, faking a logged-in user might also cause the admin bar to be visible in the preview.
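A sketch of the capability-filter idea from comment 3, added here as an example; it is not a patch from this ticket and not WordPress core code. It widens only `read_post`, only for the IDs in the changeset's `nav_menus_created_posts` setting, and only while that changeset is being previewed, so no logged-in user is faked (the concern raised in comment 9). The `ticket42533_*` function names are assumed; as comment 9 also notes, WP_Query's own unpublished-post check is separate, so this alone would not remove the 404.

```php
<?php
/**
 * Added example (not core code, not a patch from #42533). Assumes it is
 * loaded as a plugin or mu-plugin on a 4.9 site.
 *
 * Post IDs created through the Customizer menus panel live in the
 * changeset's nav_menus_created_posts setting. While that changeset is
 * being previewed, let anyone holding the preview link read those posts.
 */

/**
 * IDs from the previewed changeset's nav_menus_created_posts setting,
 * or an empty array when no changeset preview is active.
 */
function ticket42533_previewed_nav_menu_post_ids() {
    if ( ! is_customize_preview() || empty( $GLOBALS['wp_customize'] ) ) {
        return array();
    }
    $setting = $GLOBALS['wp_customize']->get_setting( 'nav_menus_created_posts' );
    if ( ! $setting ) {
        return array();
    }
    $ids = $setting->post_value( array() );
    return is_array( $ids ) ? array_map( 'intval', $ids ) : array();
}

/**
 * Map read_post for those posts to the 'exist' capability, which every
 * user holds, including an anonymous visitor. Other capabilities
 * (edit_post, delete_post) and all other posts are left untouched, so the
 * grant is limited to reading the previewed drafts.
 */
function ticket42533_map_read_post( $caps, $cap, $user_id, $args ) {
    if ( 'read_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    $post_id = (int) $args[0];
    if ( ! in_array( $post_id, ticket42533_previewed_nav_menu_post_ids(), true ) ) {
        return $caps;
    }
    // Published posts are readable anyway; only widen the changeset's drafts.
    $post = get_post( $post_id );
    if ( ! $post || 'publish' === $post->post_status ) {
        return $caps;
    }
    return array( 'exist' );
}
add_filter( 'map_meta_cap', 'ticket42533_map_read_post', 10, 4 );
```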
As discussed in today's 4.9 bug scrub, we'll punt this to 4.9.1 in order to give enough time to work through this patch and testing/review.