[wp-trac] [WordPress Trac] #42450: Customize: Ensure customize_autosaved requests only use revision of logged-in user

WordPress Trac noreply at wordpress.org
Mon Nov 6 23:09:10 UTC 2017


#42450: Customize: Ensure customize_autosaved requests only use revision of logged-in user
--------------------------+--------------------
 Reporter:  westonruter   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.9.1
Component:  Customize     |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+--------------------
Description changed by westonruter:

Old description:

> To reproduce:
>
> 1. Make a change in the customizer to the site title.
> 2. Save draft.
> 3. Open the preview link in another tab, but then append with
> `customize_autosaved=on` to the URL.
> 4. Make a second change to the site title, but do not Save Draft.
> 5. Switch to other tab (and reload) and see your second change appearing
> in the tab even though you didn't save draft.
> 6. Now open the preview URL from that other tab in an incognito window,
> and you'll see the user's autosave revision also applying there
> unexpectedly.
>
> Previously #42433.
>
> The logic for adding the `customize_autosaved` param to the frontend
> preview URL (#39896) should get improved, in case a plugin does want to
> preview the autosaved state. In the meantime, the preview link feature
> is only intended for previewing the fully saved state, not autosaves.
> Nevertheless, the `customize_autosaved=on` preview URL may not ultimately
> have the changeset autosave revision fully populated yet since pending
> changes are sent in POST requests before being written into the changeset
> at the autosave interval.
>
> Having the `customize_autosaved=on` param present currently leads to
> unexpected results whereby a previewer sees changes that the author
> doesn't intend to share yet.

New description:

 To reproduce:

 1. Make a change in the customizer to the site title.
 2. Save draft.
 3. Open the preview link in another tab, but then append with
 `customize_autosaved=on` to the URL.
 4. Make a second change to the site title, but do not Save Draft.
 5. Switch to other tab (and reload) and see your second change appearing
 in the tab even though you didn't save draft.
 6. Now open the preview URL from that other tab in an incognito window,
 and you'll see the user's autosave revision also applying there
 unexpectedly.

 Previously #42433.

 The logic for adding the `customize_autosaved` param to the frontend
 preview URL (#39896) should get improved, in case a plugin does want to
 preview the autosaved state. In the meantime, the preview link feature is
 only intended for previewing the fully saved state, not autosaves.
 Nevertheless, the `customize_autosaved=on` preview URL may not ultimately
 have the changeset autosave revision fully populated yet since pending
 changes are sent in POST requests before being written into the changeset
 at the autosave interval.

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42450#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
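
The rule in the ticket title, as an added example that is not part of the ticket or of WordPress core: a plain-PHP model in which `customize_autosaved=on` selects an autosave only when the request comes from a logged-in user who owns that revision. The changeset array, the user IDs and both function names are constructed for illustration.

```php
<?php
// Constructed model of a changeset: one saved draft plus per-user autosave
// revisions. Hypothetical data and names, not WordPress core code.
$changeset = [
    'saved'     => ['blogname' => 'First change'],
    'autosaves' => [
        7 => ['blogname' => 'Second change (not saved)'], // keyed by author user ID
    ],
];

/**
 * Behaviour reported in the ticket: the query flag alone selects an autosave
 * revision, without looking at who sent the request.
 */
function preview_values_flawed(array $changeset, array $query, ?int $current_user_id): array {
    if (($query['customize_autosaved'] ?? '') === 'on' && $changeset['autosaves']) {
        return array_values($changeset['autosaves'])[0];
    }
    return $changeset['saved'];
}

/**
 * Hardened selection: the flag is honoured only for an authenticated user,
 * and only that user's own autosave revision is ever returned.
 */
function preview_values_hardened(array $changeset, array $query, ?int $current_user_id): array {
    $wants_autosave = ($query['customize_autosaved'] ?? '') === 'on';
    if ($wants_autosave
        && $current_user_id !== null
        && isset($changeset['autosaves'][$current_user_id])) {
        return $changeset['autosaves'][$current_user_id];
    }
    return $changeset['saved']; // everyone else sees the saved draft only
}

// The same preview URL flag, sent by three different requesters.
$query = ['customize_autosaved' => 'on'];
$cases = ['author (ID 7)' => 7, 'other user (ID 9)' => 9, 'incognito visitor' => null];
foreach ($cases as $label => $user_id) {
    printf("%-18s flawed: %-26s hardened: %s\n", $label,
        preview_values_flawed($changeset, $query, $user_id)['blogname'],
        preview_values_hardened($changeset, $query, $user_id)['blogname']);
}
```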

