[wp-trac] [WordPress Trac] #55659: User without post lock can overwrite changes of user with lock via autosave
WordPress Trac
noreply at wordpress.org
Mon May 2 23:15:05 UTC 2022
#55659: User without post lock can overwrite changes of user with lock via autosave
--------------------------+-----------------------------
 Reporter:  jhart35       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Autosave      |    Version:  5.9.3
 Severity:  normal        |   Keywords:  needs-patch
  Focuses:  rest-api      |
--------------------------+-----------------------------
I work on a website with a large number of writers and editors. We've had
issues with users reporting that titles, content, etc. have been reverting
unintentionally. We tracked the issue down to a situation in which a user
has had the post taken over on them, but doesn't close the tab, and the
tab, despite showing the Takeover modal, continues to autosave in the
background, overwriting whatever the next user is doing.
The issue is here:
https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php#L219-L230
There should be a check for the current user having the post lock before
saving the autosave data directly to the database.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55659>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
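
A site-level mitigation for the missing lock check described in the ticket, as an added example that is not WordPress core code and not a patch from the ticket. It assumes the autosave route exposes the parent post ID as `id`; the function name and error code are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): reject REST autosaves sent by a
 * user who does not hold the post's edit lock.
 */
add_filter( 'rest_request_before_callbacks', 'example_block_unlocked_autosave', 10, 3 );

function example_block_unlocked_autosave( $response, $handler, $request ) {
	// Leave earlier errors alone and act only on writes.
	if ( is_wp_error( $response ) || 'POST' !== $request->get_method() ) {
		return $response;
	}

	// Act only on handlers that belong to the autosaves controller.
	$callback = isset( $handler['callback'] ) ? $handler['callback'] : null;
	if ( ! is_array( $callback ) || ! ( $callback[0] instanceof WP_REST_Autosaves_Controller ) ) {
		return $response;
	}

	// wp_check_post_lock() lives in an admin include that REST requests do not load.
	if ( ! function_exists( 'wp_check_post_lock' ) ) {
		require_once ABSPATH . 'wp-admin/includes/post.php';
	}

	// Returns the ID of another user holding an unexpired lock, or false.
	// Assumption: $request['id'] is the parent post ID on the autosave route.
	$lock_holder = wp_check_post_lock( (int) $request['id'] );
	if ( $lock_holder ) {
		return new WP_Error(
			'example_rest_autosave_locked', // Hypothetical error code.
			'Another user holds the edit lock on this post; autosave rejected.',
			array( 'status' => 409 )
		);
	}

	return $response;
}
```

`wp_check_post_lock()` treats a lock as expired once it is older than the `wp_check_post_lock_window` interval, so this guard only holds while the user who took over keeps refreshing their lock.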