• Perhaps I’m knocking on open doors? I searched the forums but couldn’t find any discussions about this. If you’re luckier, please give me a URL.

    I don’t know if this is to be considered a bug, but anyone can read your drafts simply by entering the post number to the url by hand.

    I use drafts a lot, both as an online persistent clipboard, and for stuff that’s just not finished yet.

    I don’t want people reading any of it, naturally. If the reader pays a little attention he/she might notice there is a gap between two post numbers, and try and access the number in between…

Viewing 15 replies - 1 through 15 (of 15 total)
  • I’ve noted this to the hackers list.

    Thanks Podz.

    I use drafts in the same way as Emanon. Thus, to me, this seems to be a pretty major bug and I’m glad that the guys are aware of it.

    You can only read the drafts by entering the URL if you are logged in.

    Ahhh, thanks Falo, you’re right. For me that effectively mitigates the problem but probably not for others.

    Wish you replied earlier though before I started converting all my drafts into notes:-)

    I suppose the issue is that does this work round user levels.
    Does a logged in user of level 1 have the ability to read a draft of a level 9 ?

    No.

    Thread Starter Emanon

    (@emanon)

    You can only read the drafts by entering the URL if you are logged in.

    Oh, thank god. Then this is not an issue for me.

    Thanks for the quick response.

    >> “Does a logged in user of level 1 have the ability to read a draft of a level 9 ?”
    > “No.”

    I guess that’ll mean that we can lower the severity of this bug down to a “cosmetic issue”.

    Thanks again for the info.

    It’s more like a feature, you’ve got the possibility to preview a post in the blog view before publishing it.

    Thread title changed – ‘BUG’ removed.

    While this has already been answered, thought I’d chime in. This is not a bug or any level of ‘issue’… It’s a feature of the system, having to do with post numbers being the root way to access posts. You could also enter the permalink for a draft post to get to it — as when you are logged in, you can see your draft and private posts (by nice-URI or by post number).

    I’ve been using this ability for nearly 18 months to give me a full in-theme preview of drafts within my site, as I write them. Really useful for multi-page posts, where I want to see how the pages are laying out. I’ve actually got a ‘drafts view’ that shows me all draft posts, and a ‘private view’ for private posts, for quick access from the main site interface (rather than going through the admin screens).

    -d

    Plugin then ??

    How about a plugin which drops a button on the Edit screen, then
    Click to see the current post (so effectively that button will Save As draft then display).

    Like you say David, it allows for a full preview.

    Isn’t that what “private” is for?

    About using the page number to access your “drafts” and view them, this is a great ability that I’ve never heard of before, and it’s AWESOME. But why doesn’t it do the same with future published posts? Is there something about the “publish” that returns a 404 while a draft doesn’t?

    Now that I know about this, I’m totally in favor of having a button or something that allows viewing of drafts before publishing. Wow.

    And I saw that you “converted drafts to notes” and just wanted to add that the new plugin by Chris J Davis, Notepad, allows for Quick conversion of Notes to Drafts. It also features a Press It feature like WordPress that allows one click adding of web page information to your Notes, awaiting your attention later.

    https://www.chrisjdavis.org/cjd-notepad/

    While this doesn’t address the issue, it is another option worth considering if this worries you.

    Today I was looking at my logs and noticed my draft has over 4,000 hits on it from one IP (and it was still going until moments ago when I deleted the draft).

    Needless to say this was a shock to the system, I had no idea drafts were this visible. Now that I see that they’re only visible to logged in users, I’m half relieved; but if this was a malicious intent, how could they get the post# to begin with?

  • The topic ‘Full access to drafts?!’ is closed to new replies.