[wp-trac] [WordPress Trac] #16483: Visibility: password-protected exposes multiple pages
WordPress Trac
noreply at wordpress.org
Wed Mar 26 19:55:24 UTC 2014
#16483: Visibility: password-protected exposes multiple pages
-------------------------------------------------+-------------------------
Reporter: monkeyhouse | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future
Component: Security | Release
Severity: minor | Version: 3.0.4
Keywords: has-patch dev-feedback needs- | Resolution:
testing | Focuses:
-------------------------------------------------+-------------------------
Comment (by nacin):
Replying to [comment:8 F J Kaiser]:
> Keep in mind that #20308 will allow to query by {{{has_password}}} as
well as by {{{post_password}}}. So this ticket will likely go against the
new feature for {{{WP_Query}}} arguments.
Yes and no. There are two options:
1. Use one cookie not keyed to a post, which means multiple posts can be
accessed at once after entering a single password, but a post with a
different password cannot be accessed without overwriting the cookie.
(Current.)
2. Use a cookie keyed to each post, which means multiple posts can be
viewed even if they don't have the same password. Every post causes a
prompt even if they have the same password. (Proposed.)
I wouldn't mind a way to toggle between these states. Really, what we need
is a filter on the cookie name, right?
But in both cases, multiple posts having the same password are still
linked in some regard: the user has a single password that unlocks one or
more posts. Whether they need to enter it again or not doesn't really
affect how WP_Query can now query for post passwords. I would be OK with
ignoring that API change for the purposes of making a decision here.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16483#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list