[wp-trac] [WordPress Trac] #43008: Switching post status from publish to draft still allows you to see it if admin
WordPress Trac
noreply at wordpress.org
Tue Jan 2 14:18:48 UTC 2018
#43008: Switching post status from publish to draft still allows you to see it if admin
-------------------------------+-----------------------------
Reporter: danieltj | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: 4.9.1
Severity: normal | Keywords:
Focuses: |
-------------------------------+-----------------------------
After some testing, I've found a bug regarding draft posts. I did
originally think this is a security vulnerability however '''''it is
not''''' because this only occurs if you're logged in and the person who
saved the post as a draft.
If you have a post and save it as a draft, if you try and view that on the
front-end you can see a preview, whose URL usually looks like this:
`http://wp.test/?p=100&preview=true`. However, if you try and view it using
the real post URL such as `http://wp.test/test-page/` then you'll get a
post not found error message.
''This is fine so far, however...''
If you publish the post and then any time afterwards change the post to a
draft again, it's still accessible using the real post URL even though
it's still a draft. When a post is set to a draft, in my opinion it should
never be accessible through its real URL. It should only be accessible
through the 'not pretty' preview URL instead.
If you're not logged in, you won't be able to see draft posts regardless
of when they were drafted, but even so, while logged in you shouldn't
either. I've not dug into the code yet to see what's happening here but it
doesn't seem like it's by design because it's hidden away from things like
post lists and widgets etc.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43008>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
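One way a site owner could enforce the behaviour the reporter asks for while the ticket is open, as an added example that is not part of the ticket and not WordPress core code: a must-use plugin hooked on `template_redirect` that answers 404 for a draft requested through its permalink, while leaving the `?preview=true` route untouched. It assumes only standard WordPress hooks and functions and a file placed under `wp-content/mu-plugins/`.

```php
<?php
/**
 * Added example (not from the ticket or from WordPress core).
 * Hide draft posts behind their pretty permalink even for logged-in users,
 * so a draft is only reachable through the explicit preview URL
 * (e.g. http://wp.test/?p=100&preview=true) described in the ticket.
 * File location assumed: wp-content/mu-plugins/hide-draft-permalinks.php
 */
add_action( 'template_redirect', function () {
    // Only singular post/page requests are affected; archives, feeds, etc. are not.
    if ( ! is_singular() ) {
        return;
    }

    // The explicit preview route (preview=true) stays allowed, as the reporter expects.
    if ( is_preview() ) {
        return;
    }

    $post = get_queried_object();
    if ( ! $post instanceof WP_Post ) {
        return;
    }

    // Only the 'draft' status is hidden here; published and private posts
    // keep their normal visibility rules (assumption: the ticket concerns drafts only).
    if ( 'draft' !== get_post_status( $post ) ) {
        return;
    }

    // Mirror the logged-out behaviour: serve the 404 template with a 404 status
    // and make sure the response is not cached.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
} );
```

With this in place, `http://wp.test/test-page/` returns "not found" for a re-drafted post regardless of login state, while `http://wp.test/?p=100&preview=true` still shows the preview to users who may edit the post.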