Create a draft with the same slug as an existing post, the existing post will be 404.

[Toro_Unit]

Step-by-step reproduction instructions

1. create custom post type. and set 'show_in_rest' => true

<?php
function custom_init() {
        $args = array(
                'public' => true,
                'label'  => 'Books',
                'show_in_rest' => true,
        );
        register_post_type( 'book', $args );
}
add_action( 'init', 'custom_init' );

2. Publish new post of the post type.
3. Create draft post of the post type with same slug.
4. Go to the published post. but show draft post. if logged out, 404.

Using the block editor, a page can also create drafts with the same slug, which causes the same problem.

[h2ham]

It also happened in default posts.

1. Set permalink to %postname%.
2. Publish new post of default posts.
3. Create draft post of the default post with same slug.
4. Go to the published post. but show draft post. If logged out, 404.

[peterwilsoncc]

I've attempted to reproduce this on both 5.6 and trunk without success. I've tried with both a CPT per the original post and standard posts per the follow up comment.

Are either of you able to reproduce this with all plugins disabled and using a default theme such as Twenty Twenty-One?

[Toro_Unit]

@peterwilsoncc Thanks.

No plugins are used, and the theme is Twenty Twenty One. reproduced on WordPress 5.5 and 5.6.

When creating a post, please use the block editor.
Quick Edit or Classic Editor don't allow us to create a post with the same slug as an existing post.

[Toro_Unit]

A gif animation of the issue.

[Toro_Unit]

reproduced on page.

Trac ticket: https://core.trac.wordpress.org/ticket/52422.

Using the block editor, a draft can have the same slug as a post that already exists.

There is a part in WP_Query that uses get_page_by_path, so it may load the wrong post.

A hack similar to wp_ajax_inline_save, fixed so that the slug is different.

@torounit
I think the problem with this bug is not that it can be saved with the same slug, but that articles that are not published are called.

[Toro_Unit]

get_page_by_path is used in WP_Query.

• Draft page ( id: 1, slug: foo, status: draft )
• Published page ( id: 2, slug: foo, status: publish )

If the above two posts exist, get_page_by_path will get the draft page. That post will be set to queried_object.

​https://github.com/WordPress/wordpress-develop/blob/5.7.2/src/wp-includes/class-wp-query.php#L1001

[hellofromTonya]

Updating the keywords:

• Marking as needs-refresh as there are merge conflicts
• Marking as has-testing-info as there are step-by-step instructions
• Marking as needs-testing as I too am unable to reproduce the reported problem

I'm not able to reproduce this problem either. It needs more investigation. As 5.9 Beta 1 is in 2 days, moving it to 6.0.

[costdev]

Test Report

Environment

• Server: Apache (Linux)
• WordPress: 6.0-alpha-52448-src
• Browser: Chrome 99.0.4844.84
• OS: Windows 10
• Theme: Twenty Seventeen
• Plugins: None activated

Steps to Reproduce

1. Navigate to Settings > Permalinks.
2. Ensure the permalink structure is set to Post name. Click Save Changes.
3. Navigate to Posts > Add New.
4. Name the post "Test post". Click Publish.
5. Navigate to Posts > Add New.
6. Name the post "Test post 2". Click Save draft.
7. On the right hand side, scroll down and edit the slug from "test-post-2" to "test-post". Click Save draft.
8. Navigate to Posts.
9. Click View on "Test post". Notice that the title is "Test post 2". ✅
10. Copy the link into a Private Browsing/Incognito window. Notice it 404s. ✅
11. Apply 52422.refresh-of-PR-1333.diff (a refresh of PR 1333).
12. Run npm run build:dev.
13. Trash and permanently remove "Test post" and "Test post 2".
14. Repeat steps 1-7. Notice that "test-post" changes to "test-post-2", preventing the use of an existing slug. ✅
15. Continue to step 8 through 10. Notice that both issues in 9 and 10 no longer occur. ✅

Results

1. Issue reproduced. ✅
2. 52422.refresh-of-PR-1333.diff (a refresh of PR 1333) resolves the issue.

[costdev]

Refresh of PR 1333. Tidied up tests, added $message parameters. Tidied up source and improved the explanation.

[costdev]

Patch still applies cleanly against trunk. Adding commit.

[costdev]

As 6.0 RC1 is starting in less than an hour, I'm moving this to the 6.1 milestone and adding the early keyword so that it has plenty of testing/soak time.

Committers: This can be committed to trunk after we branch 6.0.

To clarify: 52422.refresh-of-PR-1333.diff is the commit candidate.

[antonvlasenko]

Test Report

Server: macOs 12.2
WordPress: 6.1-alpha-53344-src
Browser: Safari 15.4
OS: macOs 12.2
Theme: Twenty Twenty-One / Twenty Twenty-Two
Plugins: None activated

I'm able to reproduce the issue and the PR above fixed it in my tests.
Before the fix: ​watch the screen recodring
After the fix: ​watch the screen recording

[azaozz]

Replying to costdev:

To clarify: 52422.refresh-of-PR-1333.diff is the commit candidate.

Probably missing something but why the $prepared_post->post_type = $this->post_type; is removed in the patches?

[ironprogrammer]

Thanks, @costdev!

Test Report

Patch 52422 (PR 1333 refresh via @costdev) 👍🏻

Env

• WordPress 6.1-alpha-53344-src
• Safari 15.4
• Chrome 101.0.4951.54
• macOS 12.3.1 (Monterey)
• Theme: Twenty Twenty-Two
• Gutenberg DISABLED 🔴

Steps to Test

1. Ensure permalink structure is set to "Post name" in Settings > Permalinks.
2. Under Posts > Add New create a new post with the title "Test Post" and Publish.
3. In another tab, verify that the post is published at <your site url>/test-post/.
4. Navigate to Posts > Add New and create another new post with the title "Test Post 2", and click Save draft (DO NOT click Publish).
5. Find the "Permalink" metabox on the right-hand side of the post editor and update the "URL Slug" to test-post by removing the -2 -- this will match the slug of the first new post. Click Save draft again (DO NOT click Publish).
6. In the second tab, refresh the page at <your site url>/test-post/.
7. Observe that the post title displayed is now "Test Post 2", indicating that the draft post is overriding the original post's slug. 🐞
8. Open the page in Private Browsing/Incognito mode and observe that a 404 error (not found) is returned, as the draft post is not published. 🐞
9. Apply patch. 🛠
10. From the main Posts page, "Move to Trash" and "Delete Permanently" both "Test Post" and "Test Post 2".
11. Repeat Steps 2 through 5.
12. Observe that the "Permalink" metabox in the post editor refreshes the "VIEW POST" link to <your site url>/test-post-2/. ✅
13. In the second tab, refresh the page at <your site url>/test-post/.
14. Observe that the post title remains "Test Post", indicating the draft has not overridden the published post's slug. ✅
15. In Private Browsing/Incognito, observe that the originally published post is displayed (404 error has been mitigated). ✅

Expected Results

• I was able to reproduce the reported issue (see Steps 7-8). ✅
• The patch corrects the identified issue (see Steps 12-15). ✅

Additional Notes

• The above reproduction steps do not apply to Pages, but only to Posts. Pages seem unaffected by this issue (i.e. a draft page does not override an existing published page slug).

[hellofromTonya]

As there is a valid question about why $prepared_post->post_type = $this->post_type; is removed in the patch, I'm removing the commit keyword until code review is finished. once finished, then commit can be applied to alert it's ready to be committed.

[costdev]

I'm not sure why $prepared_post->post_type = $this->post_type; was removed. There's no context in the original PR and 52422.refresh-of-PR-1333.diff is just a refresh with some improvements, source formatting and explanations.

Whether or not this line is redundant, the change doesn't appear to belong within this ticket's scope.

@Toro_Unit Can you provide any information about why this line was removed?

[costdev]

Following up on comment 16, $prepared_post->post_type = $this->post_type; doesn't appear to have any effect.

I added the line back in along with some logging before and after it. Results below.

Before: wp_block | After: wp_block
Before: wp_block | After: wp_block
Before: page | After: page
Before: page | After: page
Before: post | After: post
Before: post | After: post
Before: post | After: post

// ...continues with `post | post` for a while.

---

I believe this is because WP_REST_Posts_Controller::prepare_item_for_database() sets the post type ​at this location.

Whether this line is redundant is a matter for another ticket, and @rachelbaker might be able to give some insight on this.

Until then, I'll add the line back in and submit a PR to show CI passing.

Trac ticket: https://core.trac.wordpress.org/ticket/52422

[costdev]

CI is passing on the PR. @hellofromTonya, @azaozz, is there anything else you think this needs before we can re-add commit?

[azaozz]

Replying to costdev:

Whether this line is redundant is a matter for another ticket...

Right, exactly. The last patch LGTM.

[Toro_Unit]

@costdev Thank you update patch !!!

I can't recall why $prepared_post->post_type = $this->post_type; was removed.

I think it is a mistake. ( Or it could have been removed because it would not affect anything. )

I rolledback tha line and tested it and confirmed that the problem is fixed for both page and custom post type.

[chaion07]

Thanks @Toro_Unit for reporting this. We reviewed this ticket during a ​recent bug-scrub session. Based on the feedback received from the team we are confident that Colin's patch can potentially solve the problem.

Props to @Toro_Unit

Cheers!

[audrasjb]

As per today's bug scrub, self assigning for commit.

PHPUnit tests were failing after the last commit, so I restarted them to make sure this PR passes the tests before commit.

@audrasjb Seems the tests failed again. I rebased on trunk and pushed. Tests passed! 🎉

[peterwilsoncc]

I added a note to the PR but it didn't come through here.

I think the PR should focus on the logic around when the REST API uses get_sample_permalink() rather than change the logic using wp_unique_post_slug().

This will ensure all the appropriate filters fire too.

[Toro_Unit]

@peterwilsoncc

​https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-admin/includes/ajax-actions.php#L2082-L2086

This hack is also used for quick editing.

I think the best way to do this is to modify wp_insert_post and remove this hack.

[peterwilsoncc]

Thanks @Toro_Unit, let's go with what we have then.

[audrasjb]

In 53813:

Posts, Post Types: Force unique slugs for draft posts.

This fixes a behavior where a draft created with the same slug as an existing post would set the existing post to a 404.

wp_unique_post_slug() returns the same slug for 'draft' or 'pending' posts, so to ensure that a unique slug is generated, this changeset adds the post data with the 'publish' status to wp_unique_post_slug().

Props Toro_Unit, h2ham, peterwilsoncc, costdev, antonvlasenko, azaozz, ironprogrammer, audrasjb, hellofromTonya.
Fixes #52422.

[SergeyBiryukov]

In 54055:

Tests: Correct the @covers tag in a WP_REST_Posts_Controller test for unique post slugs.

This addresses a notice when generating the code coverage report:

"@covers WP_REST_Request::create_item" is invalid

The WP_REST_Request class does not have a create_item() method, WP_REST_Posts_Controller is the class being tested here.

Includes fixing a typo in the test method name.

Follow-up to [53813].

See #52422, #55652.