WordPress.org

Make WordPress Core

Opened 8 months ago

Last modified 2 months ago

#42533 new defect (bug)

New pages scheduled via Customizer viewable as admin, 404 as visitor

Reported by: bwmarkle Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.9
Component: Customize Keywords: needs-patch
Focuses: Cc:

Description

I'm not 100% if this is a bug, but here's the issue I am seeing:

If I add a new page via the Customizer and schedule the changes for 5 minutes in the future:

  • As an admin viewing the Share Preview Link, I can view the new page.
  • As a visitor viewing the Share Preview Link, I get a 404 when trying to access the new page.

I posted a Google Doc with steps to reproduce and screenshots here: https://docs.google.com/document/d/1tiTjWjlUnVGNDaUZjFWmyg1BFRz6nF7tCTO-jjaXXUs/edit?usp=sharing

If the document is unreachable, here are the steps from the doc:

  1. Install a new WordPress site via Softaculous
  2. Install WordPress Beta Tester plugin and upgrade to latest WordPress versions:
  3. Access the Customizer
  4. Menus > Top Menu > Add Items > Add New Page New Page 1 > Add
  5. Schedule the changes for the future, like 1 hour in the future.
  6. Copy the Share Preview Link, you’ll need it in step 10.
  7. Click the Share Preview Link
  8. Click the link in the menu for New Page 1. You’re currently logged in as an admin, and you can see it.
  9. Logout of WordPress.
  10. As a visitor, access the Share Preview Link (the link you copied in step 6).
  11. Click New Page 1 in the menu. You’ll get a 404.

This 404 I believe is a bug. If I’ve been working on New Page 1 and I want a client to preview my draft, I would expect them to be able to see it without logging in.

Change History (13)

This ticket was mentioned in Slack in #core by westonruter. View the logs.


8 months ago

#2 @jbpaul17
8 months ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.9.1

As discussed in today's 4.9 bug scrub, we'll punt this to 4.9.1 in order to give enough time to work through this patch and testing/review.

#3 @westonruter
8 months ago

We'd essentially need to force a given draft to be viewable by an unauthenticated user if it is a customization draft.

This could involve a filter for capability check that looks to see if a given post is among the IDs in the nav_menus_created_posts setting, and if so, force the post to be readable.

#4 @westonruter
8 months ago

  • Component changed from General to Customize

#5 @westonruter
8 months ago

  • Priority changed from normal to high

#6 @westonruter
8 months ago

  • Priority changed from high to normal

#7 @johnbillion
8 months ago

  • Milestone changed from 4.9.1 to 4.9.2

This ticket was mentioned in Slack in #core-customize by dlh. View the logs.


7 months ago

#9 @dlh
7 months ago

This could involve a filter for capability check that looks to see if a given post is among the IDs in the nav_menus_created_posts setting, and if so, force the post to be readable.

I'm not sure a capability filter will be enough. WP_Query disallows unauthenticated users access to unpublished posts regardless of capabilities: https://github.com/WordPress/wordpress-develop/blob/7f94931449a25f2ffe278f3f6d8d2c4c5a16436a/src/wp-includes/class-wp-query.php#L3010.

Perhaps I'm overthinking it, but would tricking WordPress into believing a user is logged in have the potential to lead to unintended privilege escalation?

Additionally, the resulting preview might not reflect the intention of previewing the "public" version of a site. For example, faking a logged-in user might also cause the admin bar to be visible in the preview.

This ticket was mentioned in Slack in #core-customize by westonruter. View the logs.


6 months ago

#11 @westonruter
6 months ago

  • Milestone changed from 4.9.2 to Future Release

This ticket was mentioned in Slack in #forums by chetan200891. View the logs.


2 months ago

This ticket was mentioned in Slack in #core by chetan200891. View the logs.


2 months ago

Note: See TracTickets for help on using tickets.