WordPress.org

Make WordPress Core

Opened 5 years ago

Last modified 9 months ago

#9604 new enhancement

Edit screens expire

Reported by: chmac
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 2.8
Component: Administration
Keywords: needs-patch
Focuses:
Cc:

Description

Steps to reproduce:
1) Open an edit post (or page) screen
2) Take your browser offline for 24 hours
3) Put the browser back online
4) Edit the post, type a lengthy, thoughtful, dramatic entry
5) Click save draft / publish as you prefer

Expected result: Your poetic prose is committed to infallible digital memory.

Actual result: You're told "Your attempt to edit blah has failed." Press the back button and likely see the previous version of your post. Your latest prose exists now only in your memory.

Technical details: I think the nonce expires, so the post screen becomes invalid after a while.

Proposed solution: Add a JavaScript timeout to warn the user that the edit screen has expired. Provide a mechanism for the nonce to be updated.

Change History (5)

comment:1 mrmist 5 years ago

  • Keywords needs-patch added
  • Milestone changed from Unassigned to 2.9
  • Type changed from defect (bug) to enhancement
  • Version set to 2.8

Expected result: Your poetic prose is committed to infallible digital memory.

For me, after leaving the session for that long, I would expect it to have died. It also seems to be something of a contrived exercise.

So I'm -1 for allowing the nonce to be renewed; that is contrary to the essence of the nonces.

However, I agree that it could be worthwhile to have some warning, though. Think that comes under the heading of enhancement, rather than bug.

comment:2 in reply to: ↑ description hakre 5 years ago

Replying to chmac:

Provide a mechanism for the nonce to be updated.

That is the solution I loved most.

How about: Make the backend work offline thanks to Google Gears?

comment:3 Denis-de-Bernardy 5 years ago

  • Milestone changed from 2.9 to Future Release

I like the idea, personally. We'd go: hourly check the nonce and renew it as we do, or something like that. But totally needs patch.

comment:4 dd32 9 months ago

Do the 3.6 Autosave / Heartbeat changes cover this?

comment:5 nacin 9 months ago

Not entirely. We refresh nonces but heartbeat still requires a valid nonce to do so. (We discussed this wasn't necessary, as it's no different hitting post.php than it is admin-ajax.php.) So you get a new nonce for 12-24 hours, but not if you haven't been around for a full two nonce ticks.
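
The two-tick window described in comment:5, as an added example that is not part of the ticket and not WordPress core code: a simplified Node.js model in which a nonce verifies in its own 12-hour tick and the following one, and a refresh is granted only while the old nonce still verifies. The secret, the HMAC-SHA-256 construction and all function names are assumptions of this model.

```javascript
const crypto = require('crypto');

const NONCE_LIFE = 24 * 60 * 60;  // seconds; the 24-hour upper bound from comment:5
const TICK = NONCE_LIFE / 2;      // one "nonce tick" is 12 hours
const SECRET = 'constructed-demo-secret'; // constructed; stands in for a site secret

// Tick counter that advances once every 12 hours.
function nonceTick(now) {
  return Math.ceil(now / TICK);
}

// Nonce bound to a tick, an action and a user. HMAC-SHA-256 is this model's choice.
function createNonce(now, action, userId, tick = nonceTick(now)) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${tick}|${action}|${userId}`)
    .digest('hex')
    .slice(0, 10);
}

// Constant-time string comparison that tolerates inputs of different length.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// 1 = issued in the current tick, 2 = issued in the previous tick, 0 = rejected.
function verifyNonce(nonce, now, action, userId) {
  const tick = nonceTick(now);
  if (safeEqual(nonce, createNonce(now, action, userId, tick))) return 1;
  if (safeEqual(nonce, createNonce(now, action, userId, tick - 1))) return 2;
  return 0;
}

// Heartbeat-style refresh: a new nonce is issued only while the old one verifies.
function refreshNonce(oldNonce, now, action, userId) {
  return verifyNonce(oldNonce, now, action, userId) > 0
    ? createNonce(now, action, userId)
    : null;
}

// Seconds left before a nonce issued at issuedAt stops verifying. A client-side
// warning timer, as proposed in the description, could be armed with this value.
function secondsUntilExpiry(issuedAt, now) {
  const expiresAt = (nonceTick(issuedAt) + 1) * TICK;
  return Math.max(0, expiresAt - now);
}
```

With a nonce issued one hour into a tick, a refresh attempted 13 hours later succeeds, while one attempted 24 hours later returns null, which is the offline case from the description.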
