
Opened 6 weeks ago

Closed 8 days ago

#44089 closed defect (bug) (fixed)

Clear post password cookie when logging out

Reported by: johnbillion
Owned by: SergeyBiryukov
Milestone: 4.9.7
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords: good-first-bug has-patch fixed-major
Focuses:
Cc:

Description

I think it is expected behaviour that when a user logs out of WordPress, they are also "logged out" of viewing password protected posts for which they've entered the password. This is not the case. The wp-postpass_{hash} cookie is not cleared when a user logs out.

Example scenario:

  1. Log in to WordPress.
  2. Publish a password protected post.
  3. Navigate to the post permalink and enter the password to view the post.
  4. Log out of WordPress.

The password protected post is still viewable at its permalink, despite the user having just logged out. It's correct that viewing a password protected post is not tied to a user session, but I think most users would expect that after logging out of their account they would no longer be able to see the contents of a password protected post that they just published.

Previously: #32567

Related: There is no way for any user -- logged in or not -- to "log out" of viewing a password protected post. I'm sure there's an existing ticket for this but I can't find it.
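The behaviour requested above, as an added example that is not the patch committed in [43317]/[43318] nor any of the attached diffs: a plugin-style hook on the `wp_logout` action that expires the post password cookie. It assumes the standard WordPress constants COOKIEHASH, COOKIEPATH, COOKIE_DOMAIN and YEAR_IN_SECONDS are defined (as they are during a normal WordPress request); the function name is a placeholder.

```php
<?php
/*
 * Added example, not WordPress core code and not one of the patches on this
 * ticket. Assumes the WordPress constants COOKIEHASH, COOKIEPATH,
 * COOKIE_DOMAIN and YEAR_IN_SECONDS and the wp_logout action, all of which
 * are available in a normal WordPress request.
 */

/**
 * Expire the wp-postpass_{hash} cookie so that password protected posts
 * are no longer viewable once the user has logged out.
 */
function example_clear_post_password_cookie_on_logout() {
    $cookie_name = 'wp-postpass_' . COOKIEHASH;

    // The cookie must be cleared with the same path and domain it was set
    // with; a mismatched path leaves the original cookie in the browser.
    setcookie(
        $cookie_name,
        ' ',
        time() - YEAR_IN_SECONDS,
        COOKIEPATH,
        COOKIE_DOMAIN
    );

    // Drop it from the current request as well, so nothing later in this
    // same request still treats the post as unlocked.
    unset( $_COOKIE[ $cookie_name ] );
}
add_action( 'wp_logout', 'example_clear_post_password_cookie_on_logout' );
```

To verify the hook, repeat the four-step scenario from the description: after logging out, a request to the post permalink should show the password form again rather than the post content, and the browser's cookie store should no longer contain a wp-postpass_ cookie for the site.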

Attachments (5)

44089.diff (978 bytes) - added by ianbelanger 6 weeks ago.
Removes Password Protected Page cookie on user logout
44089.2.diff (709 bytes) - added by subrataemfluence 6 weeks ago.
Proposed
44089.3.diff (560 bytes) - added by ianbelanger 6 weeks ago.
Updated patch to remove unit test changes
44089.4.diff (709 bytes) - added by subrataemfluence 6 weeks ago.
44089.5.diff (661 bytes) - added by skoldin 4 weeks ago.
A simpler way to remove post password cookie on logout. Created at WordCamp SPb 2018


Change History (14)

#1 follow-up: @subrataemfluence
6 weeks ago

  • Keywords 2nd-opinion added

I think there is a slight difference between a Page/Post visible to logged-in users, which we usually call "Private Pages", and a Page/Post visible only by entering a password which is applicable to that Page/Post only.

Let's take the example of a Password Protected Post/Page which sends an itemized Cost Proposal for organizing an event in a company's auditorium. The authority does not want the Proposal to be visible to the public, but those who applied for a booking are able to see it by entering a password set and provided by the company itself.

If the booking application has a section like "Ask for a Quote" and an Event Organizer sends an email to the webmaster from there, he can always do that even if he is not a registered account holder of the site yet.

The webmaster/admin can then prepare a Password Protected Page/Post with the Cost Proposal and email the Page/Post link to the Event Organizers with the password (set by the admin) required to open that page.

Although the Event Organizer is not a registered member of the site, he will still be able to access the page by entering the password, but others without it won't be able to see it.

The Event Organizer company can have several staff members who have the power to deal with cost factors. If the manager of this company passes on the link and the password, they will be able to see it. Otherwise, either these employees need to have a separate account on the site or the manager has to share his own credentials (if he has any) with his employee(s) to give them access to see it.

Another example is when we receive our credit card bills: we don't have to log in to any different system (except our email), we just type in the password provided by the company to open the document.

To my understanding, a Password Protected page and a so-called Private page should be treated differently. I see it the other way round. In order to access a Password Protected page/post one doesn't have to be a registered user of the site.

I would be happy to be corrected!

#2 in reply to: ↑ 1 @johnbillion
6 weeks ago

  • Keywords 2nd-opinion removed

Replying to subrataemfluence:

To my understanding, a Password Protected page and a so-called Private page should be treated differently. I see it the other way round. In order to access a Password Protected page/post one doesn't have to be a registered user of the site.

Correct. This ticket has nothing to do with Private posts and pages, only password protected. This is just about clearing the password cookie when a logged-in user logs out.

@ianbelanger
6 weeks ago

Removes Password Protected Page cookie on user logout

#3 @ianbelanger
6 weeks ago

  • Keywords has-patch added; needs-patch removed

@subrataemfluence
6 weeks ago

Proposed

@ianbelanger
6 weeks ago

Updated patch to remove unit test changes

#4 @subrataemfluence
6 weeks ago

Sorry for the wrong patch! Uploading again.

@skoldin
4 weeks ago

A simpler way to remove post password cookie on logout. Created at WordCamp SPb 2018

#5 @SergeyBiryukov
4 weeks ago

  • Milestone changed from Awaiting Review to 4.9.7

#6 @SergeyBiryukov
4 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 43317:

Posts, Post Types: Clear post password cookie when logging out.

Props skoldin, subrataemfluence, ianbelanger, johnbillion.
Fixes #44089.

#7 @SergeyBiryukov
4 weeks ago

  • Keywords fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for 4.9.7 consideration.

#8 @SergeyBiryukov
4 weeks ago

In 43318:

Posts, Post Types: Use COOKIEPATH when clearing post password cookie, as that's the path it's created with.

See #44089.

#9 @SergeyBiryukov
8 days ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43349:

Posts, Post Types: Clear post password cookie when logging out.

Props skoldin, subrataemfluence, ianbelanger, johnbillion.
Merges [43317] and [43318] to the 4.9 branch.
Fixes #44089.
