Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

examples/cms-wordpress preview role-based security vulnerability #29877

Closed
WillSquire opened this issue Oct 13, 2021 · 3 comments
Closed

examples/cms-wordpress preview role-based security vulnerability #29877

WillSquire opened this issue Oct 13, 2021 · 3 comments
Assignees
@jankaifer
Labels
bug Issue was opened via the bug report template. please verify canary The issue should be verified against next@canary. It will be closed after 30 days of inactivity

Comments

@WillSquire
Copy link

What version of Next.js are you using?

Doesn't matter

What version of Node.js are you using?

Doesn't matter

What browser are you using?

Doesn't matter

What operating system are you using?

Doesn't matter

How are you deploying your application?

Doesn't matter

Describe the Bug

It looks like the example setup for WordPress allows lower privileged WordPress users (like authors) to view unpublished content from all users (as an administrator).

I believe WordPress has a role-based approach to drafts. I.e. authors should only see their drafts. If user's use the link recommended to see drafts by appending secret= <secret> in the URI query, they'll have the privileges of an administrator because the recommended refreshToken is from an Administrator.

Expected Behavior

I wouldn't recommend fetching all data as an administrator. Instead, tokens need to align to each user's account to match their permissions.

To Reproduce

N/A
@WillSquire WillSquire added the bug Issue was opened via the bug report template. label Oct 13, 2021
@jankaifer jankaifer self-assigned this Dec 1, 2022
@jankaifer jankaifer added the please verify canary The issue should be verified against next@canary. It will be closed after 30 days of inactivity label Dec 1, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Dec 1, 2022

Please verify that your issue can be recreated with next@canary.

Why was this issue marked with the please verify canary label?

We noticed the provided reproduction was using an older version of Next.js, instead of canary.

The canary version of Next.js ships daily and includes all features and fixes that have not been released to the stable version yet. You can think of canary as a public beta. Some issues may already be fixed in the canary version, so please verify that your issue reproduces by running npm install next@canary and test it in your project, using your reproduction steps.

If the issue does not reproduce with the canary version, then it has already been fixed and this issue can be closed.

How can I quickly verify if my issue has been fixed in canary?

The safest way is to install next@canary in your project and test it, but you can also search through closed Next.js issues for duplicates or check the Next.js releases.

My issue has been open for a long time, why do I need to verify canary now?

Next.js does not backport bug fixes to older versions of Next.js. Instead, we are trying to introduce only a minimal amount of breaking changes between major releases.

What happens if I don't verify against the canary version of Next.js?

An issue with the please verify canary that receives no meaningful activity (e.g. new comments that acknowledge verification against canary) will be automatically closed and locked after 30 days.

If your issue has not been resolved in that time and it has been closed/locked, please open a new issue, with the required reproduction, using next@canary.

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps. Furthermore, you can upvote the issue using the 👍 reaction on the topmost comment (please do not comment "I have the same issue" without repro steps). Then, we can sort issues by votes to prioritize.

I think my reproduction is good enough, why aren't you looking into it quicker?

We look into every Next.js issue and constantly monitor open issues for new comments.

However, sometimes we might miss one or two due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

@balazsorban44
Copy link
Member

This issue has been automatically closed because it wasn't verified against next@canary. If you think it was closed by accident, please leave a comment. If you are running into a similar issue, please open a new issue with a reproduction. Thank you.

@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2023

This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 2, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jankaifer jankaifer

Labels
bug Issue was opened via the bug report template. please verify canary The issue should be verified against next@canary. It will be closed after 30 days of inactivity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@WillSquire @jankaifer @balazsorban44