Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address concerns about WordPress authenticated post preview recommendations #46770

Open
1 task done
montchr opened this issue Mar 4, 2023 · 2 comments
Open
1 task done
Labels
examples Issue was opened via the examples template.

Comments

@montchr
Copy link

montchr commented Mar 4, 2023

Verify canary release

  • I verified that the issue exists in the latest Next.js canary release

Provide environment information

n/a

Originates in recommendations within documentation, and results in the "working" but potentially-insecure implementation of those recommendations.

Which example does this report relate to?

cms-wordpress

What browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

No response

Describe the Bug

The example circumvents pre-existing security/authorization controls implemented within WordPress core. Users should be able to reasonably expect that a Next.js-based implementation of post previews provides the same level of security and access control as that of WordPress core.

Additionally relevant: #29877 was closed and locked without providing any explanation as to the verification process. How was the verified reproduction performed?

The response is somewhat alarming considering the prominence of the cms-wordpress example, however the unceremonious closure and locking of #29877 results in the flagged misuse of WordPress authentication being buried without context, forcing the original commenter's concerns to go unaddressed, and allowing the potential issues in the example to proliferate.

Expected Behavior

The official example should provide a gold standard baseline for Next.js integration with WordPress, especially with regard to authenticated post previews, as at the time of writing, the WordPress+Next.js ecosystem is populated by numerous differing implementations of post preview functionality over the years, and it would be very much appreciated if Next.js provided an example implementation using authentication best-practices.

For example, an approach leveraging per-user WordPress Application Passwords.

To Reproduce

See #29877

Or, roughly:

  • Follow the guide for setting up post previews.
  • As an Administrator user, create a test post without publishing (save as draft)
  • Copy the post preview URL and open in a private browser session: the post should not be visible without authentication according to WordPress core user permissions
  • Create a new WordPress user with a lower-privileged Role like "Contributor", which does not have the ability to view, edit, or manage anyone's posts except for their own
  • Log in as the new user in a private browser session
  • Go to the preview URL for the unpublished post created by the Administrator user – it should not be accessible
@montchr montchr added the examples Issue was opened via the examples template. label Mar 4, 2023
@balazsorban44
Copy link
Member

Thanks for opening this issue! As a note, examples are not part of Next.js, and its auditing, so we mostly rely on the community to keep them up-to-date and to the standards. That said, I pinged some team members to see if we have the capacity to look into this specific integration.

In any case, if you have a suggestion to improve the example, we welcome PRs! 🙏

Regarding the closing of #29877, I agree it might have been a bit premature to close it, I apologize! I think the confusion was that it used the wrong issue template (we have the one for examples, the one that you used) and most of the required steps were skipped, so we discarded it a bit too quickly. Again, thanks for reopening though!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
examples Issue was opened via the examples template.
Projects
None yet
Development

No branches or pull requests

2 participants