Full access to drafts?! (16 posts)

  1. Emanon
    Member
    Posted 8 years ago #

    Perhaps I'm knocking on open doors? I searched the forums but couldn't find any discussions about this. If you're luckier, please give me a URL.

    I don't know if this is to be considered a bug, but anyone can read your drafts simply by entering the post number into the URL by hand.

    I use drafts a lot, both as an online persistent clipboard, and for stuff that's just not finished yet.

    I don't want people reading any of it, naturally. If the reader pays a little attention he/she might notice there is a gap between two post numbers, and try to access the number in between...

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    I've noted this to the hackers list.

  3. ifelse
    Member
    Posted 8 years ago #

    Thanks Podz.

    I use drafts in the same way as Emanon. Thus, to me, this seems to be a pretty major bug and I'm glad that the guys are aware of it.

  4. Olaf Schmitz
    Member
    Posted 8 years ago #

    You can only read the drafts by entering the URL if you are logged in.

  5. ifelse
    Member
    Posted 8 years ago #

    Ahhh, thanks Falo, you're right. For me that effectively mitigates the problem but probably not for others.

    Wish you replied earlier though before I started converting all my drafts into notes:-)

  6. Mark (podz)
    Support Maven
    Posted 8 years ago #

    I suppose the issue is: does this work round user levels?
    Does a logged in user of level 1 have the ability to read a draft of a level 9?

  7. Olaf Schmitz
    Member
    Posted 8 years ago #

    No.

  8. Emanon
    Member
    Posted 8 years ago #

    > "You can only read the drafts by entering the URL if you are logged in."

    Oh, thank god. Then this is not an issue for me.

    Thanks for the quick response.

  9. ifelse
    Member
    Posted 8 years ago #

    >> "Does a logged in user of level 1 have the ability to read a draft of a level 9 ?"
    > "No."

    I guess that'll mean that we can lower the severity of this bug down to a "cosmetic issue".

    Thanks again for the info.

  10. Olaf Schmitz
    Member
    Posted 8 years ago #

    It's more like a feature, you've got the possibility to preview a post in the blog view before publishing it.

  11. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Thread title changed - 'BUG' removed.

  12. davidchait
    Member
    Posted 8 years ago #

    While this has already been answered, thought I'd chime in. This is not a bug or any level of 'issue'... It's a feature of the system, having to do with post numbers being the root way to access posts. You could also enter the permalink for a draft post to get to it -- as when you are logged in, you can see your draft and private posts (by nice-URI or by post number).

    I've been using this ability for nearly 18 months to give me a full in-theme preview of drafts within my site, as I write them. Really useful for multi-page posts, where I want to see how the pages are laying out. I've actually got a 'drafts view' that shows me all draft posts, and a 'private view' for private posts, for quick access from the main site interface (rather than going through the admin screens).

    -d

  13. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Plugin then :)

    How about a plugin which drops a button on the Edit screen, then click to see the current post (so effectively that button will Save As draft then display).

    Like you say David, it allows for a full preview.

  14. Mark Jaquith
    WordPress Lead Dev
    Posted 8 years ago #

    Isn't that what "private" is for?

  15. Lorelle
    Member
    Posted 8 years ago #

    About using the page number to access your "drafts" and view them, this is a great ability that I've never heard of before, and it's AWESOME. But why doesn't it do the same with future published posts? Is there something about the "publish" that returns a 404 while a draft doesn't?

    Now that I know about this, I'm totally in favor of having a button or something that allows viewing of drafts before publishing. Wow.

    And I saw that you "converted drafts to notes" and just wanted to add that the new plugin by Chris J Davis, Notepad, allows for Quick conversion of Notes to Drafts. It also features a Press It feature like WordPress that allows one click adding of web page information to your Notes, awaiting your attention later.

    http://www.chrisjdavis.org/cjd-notepad/

    While this doesn't address the issue, it is another option worth considering if this worries you.

  16. Arlo
    Member
    Posted 8 years ago #

    Today I was looking at my logs and noticed my draft has over 4,000 hits on it from one IP (and it was still going until moments ago when I deleted the draft).

    Needless to say this was a shock to the system, I had no idea drafts were this visible. Now that I see that they're only visible to logged in users, I'm half relieved; but if this was a malicious intent, how could they get the post# to begin with?
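
An added example, not part of the thread and not WordPress code: a log check for the situation in the last post, where one IP repeatedly requests a draft by post number. It assumes an Apache combined-format access log, posts requested as `?p=N`, and a set of published post IDs supplied by the site owner; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache combined log format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2005:10:01:02 +0000] "GET /?p=41 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2005:10:01:03 +0000] "GET /?p=42 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2005:10:01:04 +0000] "GET /?p=42 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2005:10:01:05 +0000] "GET /index.php?p=44 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2005:10:02:00 +0000] "GET /?p=42 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2005:10:02:09 +0000] "GET /?p=43 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Mar/2005:10:03:00 +0000] "GET /2005/03/hello/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+)[^"]*" (\d{3}) ')
POST_ID_RE = re.compile(r'[?&]p=(\d+)(?:&|$)')

def unpublished_hits(log_text, published_ids):
    """Return {ip: {post_id: {status: count}}} for ?p=N requests to unpublished IDs."""
    hits = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        ip, path, status = m.groups()
        q = POST_ID_RE.search(path)
        if not q:
            continue  # permalink or other URL, no post number to compare
        post_id = int(q.group(1))
        if post_id not in published_ids:
            hits[ip][post_id][int(status)] += 1
    return {ip: {pid: dict(s) for pid, s in posts.items()} for ip, posts in hits.items()}

def summarize(hits):
    """Per IP: (ip, total requests, unpublished IDs requested, IDs answered with 200)."""
    rows = []
    for ip, posts in hits.items():
        total = sum(sum(s.values()) for s in posts.values())
        served = sorted(pid for pid, s in posts.items() if s.get(200))
        rows.append((ip, total, sorted(posts), served))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    # Assumption: IDs 41 and 43 are published; 42 and 44 are drafts or unused.
    for row in summarize(unpublished_hits(SAMPLE_LOG, {41, 43})):
        print(row)
```

An IP whose requests to unpublished IDs only ever return non-200 statuses was guessing numbers without being shown content; a 200 on an unpublished ID means the page was served, which per the thread should only happen for a logged-in session.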


This topic has been closed to new replies.
