Make WordPress Core

Opened 3 years ago

Closed 19 months ago

Last modified 19 months ago

#43008 closed defect (bug) (invalid)

Switching post status from publish to draft still allows you to see it

Reported by: danieltj
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords:
Focuses:
Cc:

Description

After some testing, I've found a bug regarding draft posts. I did originally think this was a security vulnerability; however, it is not, because this only occurs if you're logged in and are the person who saved the post as a draft.

If you have a post and save it as a draft, and you try to view it on the front-end, you can see a preview, whose URL usually looks like http://wp.test/?p=100&preview=true. However, if you try to view it using the real post URL, such as http://wp.test/test-page/, then you'll get a post not found error message.

This is fine so far, however...

If you publish the post and then at any time afterwards change the post to a draft again, it's still accessible using the real post URL even though it's still a draft. When a post is set to a draft, in my opinion it should never be accessible through its real URL. It should only be accessible through the 'not pretty' preview URL instead.

If you're not logged in, you won't be able to see draft posts regardless of when they were drafted, but even so, while logged in you shouldn't either. I've not dug into the code yet to see what's happening here, but it doesn't seem like it's by design, because it's hidden away from things like post lists and widgets, etc.
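As an added example, not code from this ticket or from WordPress core, the following hypothetical must-use plugin enforces the behaviour the reporter asks for: a post in draft (or pending) status is reachable only through the preview URL (?p=ID&preview=true) by a user allowed to edit it, and returns a 404 on its pretty permalink regardless of who is logged in. The plugin name and the function name (dpg_block_permalink_access_to_drafts) are assumptions; the WordPress functions it calls (template_redirect, is_singular, get_queried_object, get_post_status, is_preview, current_user_can, status_header, nocache_headers, get_query_template) are core APIs. It does not change how core resolves the permalink; it only refuses to serve the result.

```php
<?php
/**
 * Plugin Name: Draft Permalink Guard (hypothetical example, not core code)
 *
 * Drop into wp-content/mu-plugins/. Assumption: the site wants draft and
 * pending posts to be viewable only via the preview URL, never via the
 * permalink, even for logged-in users who can edit them. Published and
 * private posts, and attachments, are left to core's own rules.
 */

add_action( 'template_redirect', 'dpg_block_permalink_access_to_drafts' );

/**
 * Send a 404 for any singular request that resolves to an unpublished post
 * unless it is an explicit preview request by a user who may edit the post.
 */
function dpg_block_permalink_access_to_drafts() {
    // Only singular front-end views resolve to one post object.
    if ( is_admin() || ! is_singular() ) {
        return;
    }

    $post = get_queried_object();
    if ( ! $post instanceof WP_Post ) {
        return;
    }

    // Statuses the ticket is about: drafts (and posts awaiting review).
    $guarded_statuses = array( 'draft', 'pending', 'auto-draft' );
    if ( ! in_array( get_post_status( $post ), $guarded_statuses, true ) ) {
        return;
    }

    // The one permitted path: ?p=ID&preview=true by a user who can edit it.
    if ( is_preview() && current_user_can( 'edit_post', $post->ID ) ) {
        return;
    }

    // Everything else behaves exactly like a missing post. The no-cache
    // headers make sure the 404 itself is not stored by a caching layer.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    include get_query_template( '404' );
    exit;
}
```

To check it, log in as the author, revert a published post to draft, and request its pretty permalink: the response should now be a 404 while http://wp.test/?p=ID&preview=true (ID assumed) still renders the preview. Anonymous requests were already 404 before the plugin and remain so.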

Change History (4)

#1 @danieltj
3 years ago

  • Summary changed from Switching post status from publish to draft still allows you to see it if admin to Switching post status from publish to draft still allows you to see it

Removed the "if admin" part of the title as you could be an editor. You just need permission to draft/publish posts.

#2 @Junaidkbr
3 years ago

It's a cache issue. Try the pretty permalink in incognito and you'll get the Page not found error as usual. Deleting cookies has the same effect.

Last edited 3 years ago by Junaidkbr

#3 @danieltj
19 months ago

  • Resolution set to invalid
  • Status changed from new to closed

#4 @desrosj
19 months ago

  • Milestone Awaiting Review deleted
  • Version 4.9.1 deleted