Can read a private post (draft) in edit mode #255

Closed
darddan opened this issue Jan 30, 2020 · 7 comments · Fixed by #259
darddan commented Jan 30, 2020

Describe the bug

If I'm not logged in but I know the URL of a draft, I can see its content.

Steps to reproduce (if necessary)

Steps to reproduce the behavior:

  1. Login
  2. Create and save a new draft and copy its URL (it looks something like https://site.com/d/random-id)
  3. Logout (or open a new incognito tab or anything)
  4. (correct behaviour) go to the copied URL (https://site.com/d/random-id) and it shows a 404
  5. (incorrect behaviour) add /edit/ to the copied URL (https://site.com/d/random-id/edit) and it shows you the edit page. You can't actually edit, but now you can see the content.

Expected behavior

What should've happened?

I would expect a 404 or some other error

Application configuration

  • single mode
  • sqlite
  • no open registration
  • federation disabled

Version or last commit:

writefreely -v only prints out WriteFreely, but my package manager says I have version 0.11.2-2 installed.

@robjloranger robjloranger added the bug label Jan 31, 2020
thebaer (Member) commented Jan 31, 2020

Thanks for the report! Depending on your configuration, this might be correct behavior -- drafts are meant to be shareable on public instances. But we'll want to make sure visibility is consistent between the /d/id draft page and the /d/id/edit page.

What is the visibility setting of your blog (Unlisted, Private, etc.)? And what is the private config value set to in config.ini?

darddan (Author) commented Jan 31, 2020

The above behaviour is from an unlisted instance. If I set the instance to private, then I can see the drafts even without the /edit part.

thebaer (Member) commented Jan 31, 2020

Hmm, that's pretty odd. You should see the same behavior either way, if you're just talking about the blog setting (as opposed to the instance setting). Is the unlisted instance above set to private = true in config.ini, or private = false?

darddan (Author) commented Jan 31, 2020

In the config file, private is equal to false. In the earlier comment (unlisted and private settings) I was talking about the publicity settings in site.com/me/c/username.

thebaer (Member) commented Feb 5, 2020

Gotcha, thanks. So from my understanding, the primary things to address here are:

  • [Bug]: Ensure that unauthenticated users can't access the /edit page
  • [Documentation]: Document the sharing abilities for drafts (writefreely/documentation#13)

Out of curiosity, is there something about how you use WriteFreely that requires completely private / unshareable drafts?

@thebaer thebaer added this to the 0.12 milestone Feb 5, 2020
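As an added illustration of the fix the thread converges on (this is example code written for this page, not WriteFreely's own handler; the Draft type, the session cookie, the in-memory drafts and sessions maps and the sample draft ID are all constructed assumptions): one handler serves both /d/{id} and /d/{id}/edit, and the edit policy is derived from the view policy plus an ownership check, so the edit route can never be looser than the view route. Both refusals answer 404, matching what the reporter already sees on /d/{id}, so the edit URL does not become an existence oracle for draft IDs.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Draft stands in for a WriteFreely anonymous post ("draft").
// Field names are assumptions for this example, not the project's schema.
type Draft struct {
	ID      string
	OwnerID int
	Content string
}

// drafts is constructed sample data replacing the SQLite lookup.
var drafts = map[string]Draft{
	"random-id": {ID: "random-id", OwnerID: 1, Content: "unpublished <notes>"},
}

// sessions maps a session cookie value to a user ID (constructed).
var sessions = map[string]int{
	"sess-owner": 1,
	"sess-other": 2,
}

const anonymous = 0

// currentUser resolves the "session" cookie; 0 means not logged in.
// An unknown cookie value also maps to 0 via the map's zero value.
func currentUser(r *http.Request) int {
	c, err := r.Cookie("session")
	if err != nil {
		return anonymous
	}
	return sessions[c.Value]
}

// canView is the read policy. It takes the issue's configuration literally:
// private = false in config.ini and /d/{id} already answers 404 to anonymous
// visitors, so reading requires a login. Whatever the real policy is, it
// lives here and nowhere else.
func canView(d Draft, userID int) bool {
	return userID != anonymous
}

// canEdit is the edit policy. It starts from canView and additionally requires
// the draft's owner, so it is never looser than the view policy.
func canEdit(d Draft, userID int) bool {
	return canView(d, userID) && userID == d.OwnerID
}

// draftHandler serves /d/{id} and /d/{id}/edit (with or without a trailing
// slash). Any refusal is a 404 so that the edit route reveals nothing that
// the view route hides.
func draftHandler(w http.ResponseWriter, r *http.Request) {
	path := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/d/"), "/")
	edit := strings.HasSuffix(path, "/edit")
	id := strings.TrimSuffix(path, "/edit")

	d, ok := drafts[id]
	user := currentUser(r)
	allowed := ok && canView(d, user)
	if edit {
		allowed = ok && canEdit(d, user)
	}
	if !allowed {
		http.NotFound(w, r)
		return
	}
	if edit {
		fmt.Fprintf(w, "<textarea>%s</textarea>", html.EscapeString(d.Content))
		return
	}
	fmt.Fprint(w, html.EscapeString(d.Content))
}

// statusFor issues a GET against draftHandler with an optional session cookie
// and returns the HTTP status code, so both routes can be checked side by side.
func statusFor(path, session string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	rec := httptest.NewRecorder()
	draftHandler(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ path, sess string }{
		{"/d/random-id", ""},
		{"/d/random-id/edit", ""},
		{"/d/random-id/edit/", ""},
		{"/d/random-id/edit", "sess-other"},
		{"/d/random-id/edit", "sess-owner"},
	}
	for _, c := range cases {
		fmt.Printf("%-22s session=%-12q -> %d\n", c.path, c.sess, statusFor(c.path, c.sess))
	}
}
```

The reporter's step 5 is the second and third cases: with no session, /d/random-id/edit now answers 404 exactly like /d/random-id, and a logged-in user who is not the owner is refused the same way.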
darddan (Author) commented Feb 6, 2020

I use it for notes in general (drafts for private, and published for public). But I assume that's not the target audience either way.
I added another authentication layer in nginx for the /d/ URLs if someone else uses it for the same purpose.

thebaer (Member) commented Feb 6, 2020

Ah, makes sense. Yeah, we plan to support that exact use case another way, so we can keep WriteFreely focused on public content. But that's great to know!
