Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable or restrict the theme_preview parameter on the front end #50188

Closed
draganescu opened this issue Apr 28, 2023 · 0 comments · Fixed by #50335
Closed

Disable or restrict the theme_preview parameter on the front end #50188

draganescu opened this issue Apr 28, 2023 · 0 comments · Fixed by #50335
Labels
[Feature] Themes Questions or issues with incorporating or styling blocks in a theme. [Type] Bug An existing feature does not function as intended

Comments

@draganescu
Copy link
Contributor

draganescu commented Apr 28, 2023
edited
Loading

Description

In Add Theme Previews for block themes
 a special GET parameter makes it possible to preview block themes in the site editor.

Because to make this work the PR filtered stylesheet and template options, this special parameter is also taking effect on the front end effectively allowing one to switch the current theme to whatever is installed.

This is problematic security wise because:

  • it exposes what themes the user has installed via trial and error
  • it exposes potentially in progress work
  • it allows for sharing of links with the preview on

The theme_preview GET param should only work if the user is logged in and has the correct permissions for editing themes.

Step-by-step reproduction instructions

  1. Using Gutenberg trunk and the theme preview experiment active
  2. On the front end
  3. Append ?theme_preview=[path to theme]
  4. You'll see the website with the specified theme

Screenshots, screen recording, code snippet

N/A

Environment info

No response

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes
@draganescu draganescu added [Type] Bug An existing feature does not function as intended [Feature] Themes Questions or issues with incorporating or styling blocks in a theme. labels Apr 28, 2023
This was referenced Apr 30, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
[Feature] Themes Questions or issues with incorporating or styling blocks in a theme. [Type] Bug An existing feature does not function as intended
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Theme Preview: Restrict to admin users WordPress/gutenberg
2 participants
@draganescu and others