
#43570 closed defect (bug) (fixed)

preview draft access denied html status code is 500 instead of 401

Reported by: graymouser
Owned by: pento
Milestone: 5.1
Priority: normal
Severity: normal
Version: 2.7
Component: Posts, Post Types
Keywords: has-patch
Focuses:
Cc:
PR Number:

Description

When logged out, attempting to view an edit post 'preview changes' link (i.e. a link with an ending like ?preview_id=7954&preview_nonce=5fd05f823e&post_format=standard&_thumbnail_id=7963&preview=true) shows:

"Sorry, you are not allowed to preview drafts."

Which is correct; however, the HTML status code returned is 500 (internal server error), whereas I believe it should actually be 401 (unauthorized).

Another option would be to have it behave the same as the edit post link, which redirects to the login page for non-logged-in users.

An easy way to test is to edit a post, click on 'preview changes', then copy and paste the preview URL into a new private browsing window.

The reason this is relevant is Google Search Console/Webmaster tools reports this as an error in site crawls.

Attachments (1)

43570.diff (544 bytes) - added by graymouser 20 months ago.
Patch from https://github.com/WordPress/WordPress/pull/353


Change History (10)

#2 @graymouser
20 months ago

  • Keywords has-patch added

#3 @johnbillion
20 months ago

  • Component changed from General to Posts, Post Types
  • Milestone changed from Awaiting Review to 5.0
  • Owner set to johnbillion
  • Status changed from new to reviewing

Thanks for the patch @graymouser, and welcome to WordPress Trac!

#4 @johnbillion
13 months ago

  • Milestone changed from 5.0 to 5.0.1

#5 @pento
11 months ago

  • Milestone changed from 5.0.1 to 5.0.2

#6 @pento
11 months ago

  • Milestone changed from 5.0.2 to 5.0.3

#7 @ocean90
10 months ago

  • Milestone changed from 5.0.3 to 5.1
  • Version changed from 4.9.4 to 2.7

The response code can also be defined as the second argument of wp_die(), see [30355]. Maybe 400 would be a better code since authorisation isn't checked here.

#8 @pento
10 months ago

  • Owner changed from johnbillion to pento
  • Status changed from reviewing to accepted

We've used 403 in the past for failed nonce checks (rest_cookie_check_errors(), check_ajax_referer(), and anything that calls wp_nonce_ays()).

#9 @pento
10 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 44610:

Posts: Set a HTTP 403 error when an incorrect post preview nonce is sent.

Props graymouser.
Fixes #43570.
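To illustrate the point raised in comments 7 to 9 (the response code is wp_die()'s second argument, and core uses 403 for failed nonce checks), here is an added example; it is not the attached patch or WordPress core code, but a hypothetical plugin handler, and the nonce action name 'post_preview_<id>' is an assumption.

```php
<?php
// Added example, not the ticket's patch or WordPress core code: a hypothetical
// plugin handler that guards a preview request with the nonce pattern the
// ticket discusses. The nonce action 'post_preview_<id>' is assumed here.
add_action( 'template_redirect', 'example_guard_post_preview' );

function example_guard_post_preview() {
    if ( empty( $_GET['preview'] ) || empty( $_GET['preview_id'] ) ) {
        return; // Not a preview request; nothing to check.
    }

    $post_id = absint( $_GET['preview_id'] );
    $nonce   = isset( $_GET['preview_nonce'] ) ? $_GET['preview_nonce'] : '';

    // Nonces are bound to the logged-in user, so a logged-out visitor
    // following a copied preview link fails this check.
    if ( ! wp_verify_nonce( $nonce, 'post_preview_' . $post_id ) ) {
        // Before: wp_die() with only a message defaults to HTTP 500, which is
        // what the crawler reported as a server error.
        // wp_die( __( 'Sorry, you are not allowed to preview drafts.' ) );

        // After: an integer second argument is taken as the response code,
        // so the same message is served with the 403 that core uses for
        // other failed nonce checks.
        wp_die( __( 'Sorry, you are not allowed to preview drafts.' ), 403 );
    }
}
```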
