[wp-trac] [WordPress Trac] #42433: Customize: Frontend preview link URL erroneously gets customize_autosaved param
WordPress Trac
noreply at wordpress.org
Mon Nov 6 20:11:01 UTC 2017
#42433: Customize: Frontend preview link URL erroneously gets customize_autosaved
param
------------------------------------+--------------------
Reporter: westonruter | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.9
Component: Customize | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+--------------------
Comment (by westonruter):

@obenland Having the autosave param present could lead to unexpected
results whereby a previewer sees changes that the author doesn't intend to
share yet.

This issue is compounded further as I just found and patched in
[attachment:42433.1.diff] whereby `wp_get_post_autosave()` will return the
latest autosave revision for _any_ user if `0` is passed in.

To reproduce:

1. Make a change in the customizer to the site title.
2. Save draft
3. Make a second change and Save Draft again (this will result in
`customize_autosaved=on` being left on the preview URL).
4. Open the preview link in another tab (with `customize_autosaved=on`
present)
5. Make a third change to the site title, but do not Save Draft.
6. Switch to other tab (and reload) and see your third change appearing in
the tab even though you didn't save draft.
7. Now open the preview URL from that other tab in an incognito window,
and you'll see the user's autosave revision also applying there
unexpectedly.

So in [attachment:42433.1.diff] it also makes explicitly sure that
whenever `wp_get_post_autosave()` is called, it is always passed a
non-zero user ID.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42433#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
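
A simplified, self-contained PHP model of the lookup behaviour described in the comment above, added here as an illustration; it is not WordPress core code and not the contents of 42433.1.diff. The function names `example_latest_autosave()` and `example_autosave_for_user()`, the post and user IDs, and the sample revisions are all constructed for this example.

```php
<?php
// Constructed sample data: autosave revisions of one changeset post (ID 10),
// newest first, written by two different users.
$revisions = array(
    array( 'post_parent' => 10, 'post_author' => 7, 'title' => 'Third change (not saved as draft)' ),
    array( 'post_parent' => 10, 'post_author' => 3, 'title' => 'Autosave by another user' ),
);

/**
 * Model of the lookup the comment describes: a user ID of 0 means
 * "no author filter", so the newest autosave by any user is returned.
 */
function example_latest_autosave( array $revisions, int $post_id, int $user_id = 0 ) {
    foreach ( $revisions as $revision ) {
        if ( $revision['post_parent'] !== $post_id ) {
            continue;
        }
        if ( 0 !== $user_id && $revision['post_author'] !== $user_id ) {
            continue; // The author filter applies only for a non-zero user ID.
        }
        return $revision;
    }
    return false;
}

/**
 * Guarded caller: refuse to look up an autosave when there is no
 * authenticated user, so 0 never reaches the lookup.
 */
function example_autosave_for_user( array $revisions, int $post_id, int $user_id ) {
    if ( $user_id <= 0 ) {
        return false;
    }
    return example_latest_autosave( $revisions, $post_id, $user_id );
}

// A request with no logged-in user (user ID 0), as in the incognito window.
$unguarded = example_latest_autosave( $revisions, 10, 0 );
$guarded   = example_autosave_for_user( $revisions, 10, 0 );
echo 'unguarded: ', $unguarded ? $unguarded['title'] : 'none', PHP_EOL;
echo 'guarded:   ', $guarded ? $guarded['title'] : 'none', PHP_EOL;

// A logged-in user only ever receives their own autosave.
$own = example_autosave_for_user( $revisions, 10, 3 );
echo 'user 3:    ', $own ? $own['title'] : 'none', PHP_EOL;
```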