[wp-trac] [WordPress Trac] #55659: User without post lock can overwrite changes of user with lock via autosave
WordPress Trac
noreply at wordpress.org
Tue May 3 16:20:34 UTC 2022
#55659: User without post lock can overwrite changes of user with lock via autosave
--------------------------+------------------------------
Reporter: jhart35 | Owner: adamsilverstein
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: Autosave | Version: 5.9.3
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: rest-api
--------------------------+------------------------------
Comment (by jhart35):
@adamsilverstein Thanks for the reply! There's another issue coming for
Gutenberg. I first attempted to fix the problem there, by listening for
the post lock takeover and then setting a lock on autosaving. But the lock
wasn't respected and the post continued to autosave. I found that there
were perhaps more permutations there than I wanted to try and account for.
For our website, I ended up adding a filter to
rest_request_before_callbacks to check if the user had the post lock and,
if not, returning an error. My gut says that the safer answer (that
doesn't show an error to a user like my solution) is to add an extra
conditional on Line 223 in the above referenced file and just create an
autosave rather than calling wp_update_post when the saving user doesn't
have the lock.
On the Gutenberg side, I did find that, due to timing issues, the coupling
of an autosave call when the takeover appears alone can cause a similar
issue where the user taking over misses some saved changes and then
overwrites them. But certainly, it seems like somewhere, WP should be
checking the post_lock before actually updating the post.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55659#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
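
A sketch of the kind of `rest_request_before_callbacks` filter the comment describes, as an added example (not the commenter's code and not WordPress core). The function name, the error code, and the assumed autosave route shape `/wp/v2/<rest_base>/<id>/autosaves` are illustrative assumptions.

```php
<?php
/**
 * Added example: reject REST autosave writes from a user who does not
 * hold the post lock. Hypothetical names: example_block_autosave_without_lock,
 * example_post_locked.
 */
add_filter( 'rest_request_before_callbacks', 'example_block_autosave_without_lock', 10, 3 );

function example_block_autosave_without_lock( $response, $handler, $request ) {
	// Leave earlier errors and non-write requests alone.
	if ( is_wp_error( $response ) || 'POST' !== $request->get_method() ) {
		return $response;
	}

	// Assumed route shape: /wp/v2/<rest_base>/<post id>/autosaves.
	if ( ! preg_match( '#^/wp/v2/[^/]+/(\d+)/autosaves$#', $request->get_route(), $m ) ) {
		return $response;
	}
	$post_id = (int) $m[1];

	// wp_check_post_lock() lives in an admin include that REST requests do not load.
	if ( ! function_exists( 'wp_check_post_lock' ) ) {
		require_once ABSPATH . 'wp-admin/includes/post.php';
	}

	// Returns the lock holder's user ID when another user holds a live lock,
	// false when there is no lock or the current user holds it.
	if ( false === wp_check_post_lock( $post_id ) ) {
		return $response;
	}

	// Returning a WP_Error here stops the request before the route callback
	// runs, so the autosave controller never reaches wp_update_post().
	return new WP_Error(
		'example_post_locked',
		'Another user is currently editing this post.',
		array( 'status' => 409 )
	);
}
```

This blocks the request with an error, which is the behaviour the comment says its site-level fix has; it does not implement the alternative of storing an autosave revision instead.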