[wp-trac] [WordPress Trac] #42533: New pages scheduled via Customizer viewable as admin, 404 as visitor

WordPress Trac noreply at wordpress.org
Mon Jan 8 03:14:37 UTC 2018


#42533: New pages scheduled via Customizer viewable as admin, 404 as visitor
--------------------------+--------------------
 Reporter:  bwmarkle      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.9.2
Component:  Customize     |     Version:  4.9
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+--------------------

Comment (by dlh):

 > This could involve a filter for capability check that looks to see if a
 given post is among the IDs in the nav_menus_created_posts setting, and if
 so, force the post to be readable.

 I'm not sure a capability filter will be enough. `WP_Query` disallows
 unauthenticated users access to unpublished posts regardless of
 capabilities: https://github.com/WordPress/wordpress-develop/blob/7f94931449a25f2ffe278f3f6d8d2c4c5a16436a/src/wp-includes/class-wp-query.php#L3010.

 Perhaps I'm overthinking it, but would tricking WordPress into believing a
 user is logged in have the potential to lead to unintended privilege
 escalation?

 Additionally, the resulting preview might not reflect the intention of
 previewing the "public" version of a site. For example, faking a logged-in
 user might also cause the admin bar to be visible in the preview.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42533#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
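As an added illustration, not code from the ticket or from WordPress core, the following stand-alone PHP script models the singular-query status gate that the comment above points to, paraphrased from the core logic near the linked line. The `$viewer` array and `viewer_can()` are stand-ins for WordPress's `is_user_logged_in()` / `current_user_can()` state, and the viewer records are constructed sample data.

```php
<?php
// Added model, not WordPress core code: approximates the post-status gate that
// WP_Query::get_posts() applies to singular queries (the region linked in the
// comment above). The $viewer array stands in for WordPress's user state.

// Stand-in for current_user_can() (assumption: a capability filter, as floated
// in the ticket, could only alter the 'caps' list and nothing else).
function viewer_can(array $viewer, string $cap): bool {
    return in_array($cap, $viewer['caps'], true);
}

// Returns true if the requested post survives the gate, false if WP_Query
// empties the result set, which the front end then renders as a 404.
function singular_post_visible(array $viewer, string $status): bool {
    if ('publish' === $status) {
        return true;
    }
    if (!$viewer['logged_in']) {
        // Core's comment on this branch reads "User must be logged in to view
        // unpublished posts"; capabilities are never consulted on this path.
        return false;
    }
    if (in_array($status, ['draft', 'pending', 'auto-draft'], true)) {
        return viewer_can($viewer, 'edit_post');   // preview requires edit rights
    }
    if ('future' === $status) {
        return viewer_can($viewer, 'edit_post');   // scheduled: edit rights, not read
    }
    return viewer_can($viewer, 'read_post');       // remaining states, e.g. private
}

// Scenario from the ticket: a page scheduled through the Customizer carries
// status 'future'. Viewer records below are constructed sample data.
$admin    = ['logged_in' => true,  'caps' => ['edit_post', 'read_post']];
$visitor  = ['logged_in' => false, 'caps' => []];
// The most a capability filter alone could do: caps granted, still anonymous.
$filtered = ['logged_in' => false, 'caps' => ['edit_post', 'read_post']];

foreach (['admin' => $admin, 'visitor' => $visitor, 'visitor+caps' => $filtered] as $who => $viewer) {
    printf("%-12s scheduled page visible: %s\n", $who,
        singular_post_visible($viewer, 'future') ? 'yes' : 'no (404)');
}
```

Running it shows why granting capabilities cannot by itself make a scheduled page previewable to a logged-out visitor: the logged-in check is evaluated before any capability is consulted.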

