examples/cms-wordpress preview role-based security vulnerability #29877
This issue has been automatically closed because it wasn't verified against next@canary. If you think it was closed by accident, please leave a comment. If you are running into a similar issue, please open a new issue with a reproduction. Thank you.
This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.
What version of Next.js are you using?
Doesn't matter
What version of Node.js are you using?
Doesn't matter
What browser are you using?
Doesn't matter
What operating system are you using?
Doesn't matter
How are you deploying your application?
Doesn't matter
Describe the Bug
It looks like the example setup for WordPress allows lower privileged WordPress users (like authors) to view unpublished content from all users (as an administrator).
I believe WordPress has a role-based approach to drafts, i.e. authors should only see their own drafts. If users use the link recommended to see drafts by appending secret=<secret> to the URI query, they'll have the privileges of an administrator because the recommended refreshToken is from an Administrator.
Expected Behavior
I wouldn't recommend fetching all data as an administrator. Instead, tokens need to align to each user's account to match their permissions.
To Reproduce
N/A
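The following is an added illustration, not code from the Next.js cms-wordpress example or from the issue author: it models why a preview route that always queries with one administrator's token exposes every draft to anyone holding the shared secret, and how resolving the draft with the requesting user's own identity (assumed to come from a per-user token) restores WordPress's role-based visibility. The role/capability table, users and posts are a constructed, simplified model of WordPress behaviour.

```javascript
// Simplified model of the WordPress capabilities relevant to reading drafts.
const ROLE_CAPS = {
  administrator: new Set(['edit_posts', 'edit_others_posts']),
  editor: new Set(['edit_posts', 'edit_others_posts']),
  author: new Set(['edit_posts']),
  subscriber: new Set(),
};

// Constructed sample data: users and posts as a WordPress site might hold them.
const USERS = {
  admin: { id: 1, role: 'administrator' },
  alice: { id: 2, role: 'author' },
  bob: { id: 3, role: 'author' },
};
const POSTS = [
  { id: 10, author: 2, status: 'draft', title: "Alice's draft" },
  { id: 11, author: 3, status: 'draft', title: "Bob's draft" },
  { id: 12, author: 3, status: 'publish', title: "Bob's published post" },
];

// Can `user` read `post` in its current state? Published posts are public; a
// draft needs edit_posts when it is your own, edit_others_posts otherwise.
function canRead(user, post) {
  if (post.status === 'publish') return true;
  const caps = ROLE_CAPS[user.role] || new Set();
  if (post.author === user.id) return caps.has('edit_posts');
  return caps.has('edit_others_posts');
}

// Preview route as reported in the issue: after the shared secret matches,
// every lookup runs as the administrator, so the requester's role never
// enters the decision and any draft is returned.
function previewAsSharedAdmin(secret, expectedSecret, postId) {
  if (secret !== expectedSecret) return { status: 401 };
  const post = POSTS.find((p) => p.id === postId);
  if (!post) return { status: 404 };
  return canRead(USERS.admin, post) ? { status: 200, post } : { status: 403 };
}

// Hardened route: the draft is resolved with the requesting user's own
// identity (hypothetical per-user token already validated upstream), so the
// same capability check WordPress applies in its own UI applies here too.
function previewAsRequester(requester, postId) {
  const post = POSTS.find((p) => p.id === postId);
  if (!post) return { status: 404 };
  return canRead(requester, post) ? { status: 200, post } : { status: 403 };
}
```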