Make WordPress Core

Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#43008 closed defect (bug) (invalid)

Switching post status from publish to draft still allows you to see it

Reported by: danieltj's profile danieltj Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Posts, Post Types Keywords:
Focuses: Cc:

Description

After some testing, I've found a bug regarding draft posts. I did originally think this is a security vulnerability however it is not because this only occurs if you're logged in and the person who saved the post as a draft.

If you have a post and save it as a draft, if you try and view that on the front-end you can see a preview, which the URL usually looks like this http://wp.test/?p=100&preview=true however if you try and view it using the real post URL such as http://wp.test/test-page/ then you'll get a post not found error message.

This is fine so far, however...

If you publish the post and then any time afterwards change the post to a draft again, it's still accessible using the real post URL even though it's still a draft. When a post is set to a draft, in my opinion it should never be accessible through it's real URL. It should only be accessible through the 'not pretty' preview URL instead.

If you're not logged in, you won't be able to see draft posts regardless of when they were drafted, but even so, while logged in you shouldn't either. I've not dug into the code yet to see what's happening here but it doesn't seem like it's by design because it's hidden away from things like post lists and widgets etc.

Change History (4)

#1 @danieltj
7 years ago

  • Summary changed from Switching post status from publish to draft still allows you to see it if admin to Switching post status from publish to draft still allows you to see it

Removed the if admin part of the title as you could be an editor. You just need permission to draft/publish posts.

#2 @Junaidkbr
7 years ago

It's cache issue. Try the pretty permalink in incognito and you'll get the Page not found error as usual. Deleting cookies has the same effect.

Last edited 7 years ago by Junaidkbr (previous) (diff)

#3 @danieltj
6 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#4 @desrosj
6 years ago

  • Milestone Awaiting Review deleted
  • Version 4.9.1 deleted
Note: See TracTickets for help on using tickets.