[wp-trac] [WordPress Trac] #37887: Make attachments atomic until a Customizer session is published
WordPress Trac
noreply at wordpress.org
Sat Jan 14 01:49:42 UTC 2017
#37887: Make attachments atomic until a Customizer session is published
-------------------------+-----------------------------
Reporter: fjarrett | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Customize | Version: 4.7
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: administration
-------------------------+-----------------------------
Comment (by azaozz):
Replying to [comment:7 fjarrett]:
> But the attachment is actually visible to ''the world'', not just trusted logged-in users.
>
> 1. Open the Customizer and upload a new header image
> 2. Do not click Save & Publish - just exit the Customizer
> 3. Go to the Media Library and click the image to open the Attachment Details modal
> 4. Click "View attachment page" - this is a public URL
Another case:
1. Open the Customizer and upload a new header image
2. Do not click Save & Publish - just exit the Customizer
3. Talk to your colleague who is also an admin on the site and ask them to see if the image you uploaded for the header background is good.
4. What image?
Yet another case:
1. Open the Customizer and select an existing header image
2. Do not click Save & Publish - just exit the Customizer
3. Go to the Media Library. Would you expect the image you selected for the header background to still be there?
> Making images public to the world ''without clicking Save & Publish'' is definitely an unexpected UX.
No, it's not. This is how uploading works in WordPress and is the simplest, most logical way. Look at uploading images on draft posts. If this is ever changed for posts, we can use the same workflow in the Customizer, but I don't think the workflows should be different.
Also, auto-deleting uploaded files in some specific cases will always be bad UX. We will be guessing what the user's intent may be and will definitely get it wrong in some cases. (And, well, we will be deleting files, which is a non-recoverable action. What if the user doesn't realize the file was deleted and deletes the original from their computer? Then after a few days... ''my file is missing!!! WordPress ate my homework!!!'', etc.)
There is also the fact that uploaded files cannot ever be 100% private, as the wp-content/uploads directory is publicly accessible. This is the main reason there is no "trashed" state for attachments. To make this 100% private, the files would have to be moved above the web server root.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37887#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform