[wp-trac] [WordPress Trac] #35131: Unexpected 404: pending post hides published post with matching slug

WordPress Trac noreply at wordpress.org
Thu Dec 17 08:55:53 UTC 2015 

#35131: Unexpected 404: pending post hides published post with matching slug
--------------------------+-----------------------------
 Reporter:  bobbingwide   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Query         |    Version:  4.3.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 While attempting to recreate #35012 and #35031 I also noted the anomaly
 previously reported in #22902 where an authorized user could see all the
 posts displayed as if they were a single page.

 Investigating this led me to determining that the existence of a new
 "pending" post with the same slug as an existing post prevents the user
 from visiting the existing post using its permalink.

 Example:
 post: 31766, status: pending, title: Cycle 1, slug: cycle-1 date:
 2015-12-16 11:18:26
 Content: You might be able to see this if you're logged in.

 post: 31764, status: publish, title: Cycle 1, slug: cycle-1 date:
 2015-12-16 11:17:17
 Content: You should be able to see this.


 Steps:
 1. Create posts as above
 2. Log out or otherwise visit the site as a visitor
 3. View the blog page or the archive
 4. Note that you see the published post, not the pending post
 5. Click on the published post's permalink
 6. You'll get a 404.

 === Expected result ===
 Displays the published post.

 === Actual result ===
 Displays a 404 page.

 === Explanation ===
 - The query in WP_query returns two posts: 31766:pending and
 31764:publish.
 - Even though there are two posts in the result set, `is_single` is true.
 - The logic to "Check post status to determine if post should be
 displayed." kicks in and the post array is emptied.
 - This eventually leads to the 404.

 === My Conclusion ===
 There are two problems leading to this one
 1. The pending post should not have been given the same slug as the
 published post.
 2. `is_single` should not have been set to true.

 === Proposed solution ===
 If it's not possible to deal with the underlying cause then the logic in
 the "Check post status..." should be adjusted to filter out the posts that
 the user shouldn't have been able to see. If the resulting set contains
 more than one post then is_single should become false.

 I noticed this on 4.4 but have reproduced it on 4.3.
 I imagine the actual bug goes back a long long way.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35131>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list