[wp-trac] [WordPress Trac] #42450: Customize: Ensure customize_autosaved requests only use revision of logged-in user

WordPress Trac noreply at wordpress.org
Tue Jan 16 05:03:58 UTC 2018


#42450: Customize: Ensure customize_autosaved requests only use revision of logged-in user
--------------------------------------+--------------------
 Reporter:  westonruter               |       Owner:
     Type:  defect (bug)              |      Status:  new
 Priority:  normal                    |   Milestone:  4.9.2
Component:  Customize                 |     Version:  4.9
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+--------------------
Changes (by dlh):

 * keywords:  has-patch needs-unit-tests => has-patch has-unit-tests


Comment:

 [attachment:42450.2.diff] adds a couple of test assertions for the changes
 in the patch. Also:

 - Moves the `is_user_logged_in()` check to the top of
 `WP_Customize_Manager::handle_dismiss_autosave_or_lock_request()`. This
 would provide parity with the order of similar checks in
 `WP_Customize_Manager::handle_changeset_trash_request()` and `::save()`.
 Additionally, if there is no user, then it seems all but certain that the
 nonce check would fail before `is_user_logged_in()` ran, unless there are
 cases I'm not thinking of.

 - Updates the new Ajax error code in
 `handle_dismiss_autosave_or_lock_request()` to `unauthenticated` to match
 similar responses elsewhere in `WP_Customize_Manager`.

 In my testing, I found that the patch didn't change anything about step
 (5) above ("see your second change appearing in the tab even though you
 didn't save a draft") because the user is still authenticated in the
 second tab. The unchanged behavior seems expected given the title of this
 ticket, but I wanted to double-check just because it was mentioned in the
 steps.

 One other small comment: The new Ajax error uses a 401 status code,
 which I think, technically, also requires a `WWW-Authenticate` header. The
 other `unauthenticated` responses omit a status code.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42450#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
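An added example (not WordPress core code and not the patch under discussion) showing the check ordering dlh describes in a hypothetical Ajax handler: authentication first, then nonce, then capability, then a lookup scoped to the logged-in user. The function, action and nonce names and every error code other than `unauthenticated` are made up for this illustration.

```php
<?php
// Hypothetical Ajax handler modelled on the ordering discussed in the
// comment. Names below are invented for the example, not taken from core.

function example_handle_dismiss_autosave_request() {
    // 1. Authentication. Checked before the nonce so an anonymous request
    //    gets a consistent 'unauthenticated' error rather than a generic
    //    nonce failure. Other WP_Customize_Manager responses with this code
    //    send no HTTP status, so none is sent here either (a 401 would also
    //    need a WWW-Authenticate header per RFC 7235).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthenticated' );
    }

    // 2. Nonce: ties the request to this user's own session. Passing false
    //    as the third argument returns instead of dying so we control the
    //    response shape.
    if ( ! check_ajax_referer( 'example_dismiss_autosave', 'nonce', false ) ) {
        wp_send_json_error( 'invalid_nonce', 403 ); // error code made up
    }

    // 3. Capability: only users allowed to customize may proceed.
    if ( ! current_user_can( 'customize' ) ) {
        wp_send_json_error( 'unauthorized', 403 ); // error code made up
    }

    // 4. Operate only on the current user's own autosave revision. The user
    //    ID comes from the session, never from request parameters.
    $user_id           = get_current_user_id();
    $changeset_post_id = isset( $_POST['changeset_post_id'] )
        ? absint( $_POST['changeset_post_id'] )
        : 0;

    $autosave = wp_get_post_autosave( $changeset_post_id, $user_id );
    if ( ! $autosave ) {
        wp_send_json_error( 'no_autosave_found' ); // error code made up
    }

    wp_delete_post_revision( $autosave->ID );
    wp_send_json_success( array( 'deleted' => true ) );
}
add_action( 'wp_ajax_example_dismiss_autosave', 'example_handle_dismiss_autosave_request' );
```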