[wp-trac] [WordPress Trac] #55659: User without post lock can overwrite changes of user with lock via autosave

WordPress Trac noreply at wordpress.org
Tue May 3 16:20:34 UTC 2022

#55659: User without post lock can overwrite changes of user with lock via autosave
 Reporter:  jhart35       |       Owner:  adamsilverstein
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Autosave      |     Version:  5.9.3
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:  rest-api

Comment (by jhart35):

 @adamsilverstein Thanks for the reply! There's another issue coming for
 Gutenberg. I first attempted to fix the problem there, but listening for
 the post lock takeover and then setting a lock on autosaving. But the lock
 wasn't respected and the post continue to autosave. I found that there
 were perhaps more permutations there than I wanted to try and account for.

 For our website, I ended up adding a filter to
 rest_request_before_callbacks to check if the user had the post lock and,
 if not, returning an error. My gut says that the safer answer (that
 doesn't show an error to a user like my solution) is to add an extra
 conditional on Line 223 in the above referenced file and just create an
 autosave rather than calling wp_update_post when the saving user doesn't
 have the lock.

 On the Gutenberg side, I did find that, due to timing issues, the coupling
 of an autosave call when the takeover appears alone can cause a similar
 issue where the user taking over misses some saved changes and then
 overwrites them. But certainly, it seems like somewhere, WP should be
 checking the post_lock before actually updating the post.

Ticket URL: <https://core.trac.wordpress.org/ticket/55659#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list