Address concerns about WordPress authenticated post preview recommendations #46770
Comments
|
Also see the numerous upstream issues for the plugin recommended in the Next.js example:
|
|
Thanks for opening this issue! As a note, examples are not part of Next.js, and its auditing, so we mostly rely on the community to keep them up-to-date and to the standards. That said, I pinged some team members to see if we have the capacity to look into this specific integration. In any case, if you have a suggestion to improve the example, we welcome PRs! 🙏 Regarding the closing of #29877, I agree it might have been a bit premature to close it, I apologize! I think the confusion was that it used the wrong issue template (we have the one for examples, the one that you used) and most of the required steps were skipped, so we discarded it a bit too quickly. Again, thanks for reopening though! |
|
This issue has been automatically marked as stale due to two years of inactivity. It will be closed in 7 days unless there’s further input. If you believe this issue is still relevant, please leave a comment or provide updated details. Thank you. |
|
This issue has been automatically closed due to two years of inactivity. If you’re still experiencing a similar problem or have additional details to share, please open a new issue following our current issue template. Your updated report helps us investigate and address concerns more efficiently. Thank you for your understanding! |
|
This closed issue has been automatically locked because it had no new activity for 2 weeks. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
Verify canary release
Provide environment information
Originates in recommendations within documentation, and results in the "working" but potentially-insecure implementation of those recommendations.
Which example does this report relate to?
cms-wordpress
What browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
No response
Describe the Bug
The example circumvents pre-existing security/authorization controls implemented within WordPress core. Users should be able to reasonably expect that a Next.js-based implementation of post previews provides the same level of security and access control as that of WordPress core.
Additionally relevant: #29877 was closed and locked without providing any explanation as to the verification process. How was the verified reproduction performed?
The response is somewhat alarming considering the prominence of the
cms-wordpressexample, however the unceremonious closure and locking of #29877 results in the flagged misuse of WordPress authentication being buried without context, forcing the original commenter's concerns to go unaddressed, and allowing the potential issues in the example to proliferate.Expected Behavior
The official example should provide a gold standard baseline for Next.js integration with WordPress, especially with regard to authenticated post previews, as at the time of writing, the WordPress+Next.js ecosystem is populated by numerous differing implementations of post preview functionality over the years, and it would be very much appreciated if Next.js provided an example implementation using authentication best-practices.
For example, an approach leveraging per-user WordPress Application Passwords.
To Reproduce
See #29877 –
Or, roughly:
The text was updated successfully, but these errors were encountered: