[wp-trac] [WordPress Trac] #24131: Fix post previews for multisite with domain mapping
WordPress Trac
noreply at wordpress.org
Fri Apr 19 18:10:28 UTC 2013
#24131: Fix post previews for multisite with domain mapping
----------------------------+------------------
Reporter: azaozz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.6
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: |
----------------------------+------------------
Comment (by azaozz):
Replying to [comment:3 westi]:
> We had a nonce in 3.5.1 and this used to work fine
The nonce was there to ensure only the author can preview posts from
autosave. It has no effect when previewing drafts (we didn't include a
nonce in this case). This has the disadvantage that admins and editors
cannot preview changes to published posts unless they first load the Edit
Post screen to get their nonce.
> The nonce is there to stop the drafts being disclosed to a third party
> - without the nonce a third party can load all of your drafts when you
> visit a random site and siphon them off elsewhere.
No, the user needs to be logged in and have the `'edit_post_' . ID` capability
to preview anything: http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2718
and http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2735.
This hasn't changed. With or without the patch all admins and editors can
preview all drafts. Non-logged-in users get a 404 when trying to preview.
The only change is that instead of generating and then checking a nonce we
match get_current_user_id() to the autosave author.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24131#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
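The access rule azaozz describes, written out as an added example that is not part of the ticket, the patch or WordPress core: a stand-alone PHP script modelling the preview check. A preview is served only to a logged-in user holding the `edit_post_{ID}` capability; when the thing being previewed is an autosave, the current user ID is additionally matched against the autosave's author in place of a nonce. The user/capability table, the post record and the autosave record are constructed sample data that stand in for WordPress's own `current_user_can()`, `get_current_user_id()` and autosave lookup; the function names `user_can`, `can_preview` and `preview_status` are this example's, not core's.

```php
<?php
// Added example, not WordPress core code. Models the preview authorization
// described in ticket #24131 comment 6 with constructed sample data.

// Constructed capability table: user ID => list of capabilities.
// Stands in for current_user_can(); 0 is the "not logged in" user ID.
$users = [
    1 => ['edit_post_10'],            // author of post 10
    2 => ['edit_post_10'],            // an editor who can edit post 10
    3 => [],                          // a logged-in subscriber, no edit rights
];

// Constructed post and autosave records (only the fields the check needs).
$post     = ['ID' => 10, 'post_status' => 'draft', 'post_author' => 1];
$autosave = ['ID' => 11, 'post_parent' => 10, 'post_author' => 1];

/** Stand-in for current_user_can( 'edit_post_' . $id ) over the table above. */
function user_can(array $users, int $user_id, string $cap): bool
{
    return isset($users[$user_id]) && in_array($cap, $users[$user_id], true);
}

/**
 * True when $current_user_id may preview $post.
 * $autosave is the autosave revision being previewed, or null for a plain
 * draft preview. The author match is the check that replaces the nonce.
 */
function can_preview(array $users, int $current_user_id, array $post, ?array $autosave): bool
{
    if ($current_user_id === 0) {
        return false;                                   // anonymous: no preview
    }
    if (!user_can($users, $current_user_id, 'edit_post_' . $post['ID'])) {
        return false;                                   // lacks edit_post_{ID}
    }
    if ($autosave !== null && (int) $autosave['post_author'] !== $current_user_id) {
        return false;                                   // someone else's autosave
    }
    return true;
}

/** HTTP status a preview request would get: 200 when allowed, 404 otherwise. */
function preview_status(array $users, int $current_user_id, array $post, ?array $autosave): int
{
    return can_preview($users, $current_user_id, $post, $autosave) ? 200 : 404;
}

// Walk the cases the comment talks about: drafts are previewable by every
// user who can edit the post; an autosave only by the user who wrote it;
// anonymous and unprivileged users get a 404.
$cases = [
    ['user' => 0, 'what' => null,      'label' => 'anonymous, draft'],
    ['user' => 3, 'what' => null,      'label' => 'subscriber, draft'],
    ['user' => 1, 'what' => null,      'label' => 'author, draft'],
    ['user' => 2, 'what' => null,      'label' => 'editor, draft'],
    ['user' => 1, 'what' => $autosave, 'label' => "author, own autosave"],
    ['user' => 2, 'what' => $autosave, 'label' => "editor, author's autosave"],
];
foreach ($cases as $c) {
    printf("%-28s -> %d\n", $c['label'], preview_status($users, $c['user'], $post, $c['what']));
}
```

Run it with `php preview_check.php`. The two autosave rows are the ones that differ from a pure capability check: the editor can preview the draft itself but not the author's autosave, which is the property the old nonce enforced and the author match now enforces without requiring the Edit Post screen to have been loaded first.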