
Preview mode pages can be accessed publicly #16020

Closed
kyashrathore opened this issue Aug 9, 2020 · 4 comments · Fixed by #16579

@kyashrathore

Description

I have a post in draft, the path for which is /posts/id. I want to rebuild it on request since the data is new.
So I made it a preview URL using the preview mode feature. Now the URL is /api/preview?secret=token&slug=/posts/id.
Now when I make this request, this page is generated and stored on disk, and anyone with the URL /posts/id can visit it.

To Reproduce

Steps to reproduce

This sandbox is not working because it says res.redirect is not a function (which we can ignore), but you can see the code or check the repo as well.

Go to this sandbox and check

Expected behavior

I am no expert, but I think it should not write preview pages to disk; it should serve them from memory. When someone visits /posts/id it should return 404.

System information

  • OS: [Windows]
  • Version of Next.js: [latest]
@biiishal

From a quick look, I think this is more of an issue related to the fetch logic in the app code itself.

In your [postId].js file you're fetching Posts with a slug, but not the ones which have published: true. So, the app is working as it's supposed to — returning the draft article with the correct slug.

I reckon you'd do something like: const fetchPost = (id) => posts.find((post) => (post.id === id && post.published)); , which would only return a published article.

@kyashrathore
Author

kyashrathore commented Aug 11, 2020

Let's say the fetchPost logic is const fetchPost = (id, uid) => posts.find((post) => (post.id == id || post.uid == uid)) and I am sending uid only when preview mode is activated (which is the actual case). Whether uid is valid or not is checked in the api/preview function itself.

Even if it is wrong in this case and is corrected and made valid in every aspect, if the generated page is there on disk then it will be at /posts/id, because there is no check for that.

@ijjk
Member

ijjk commented Aug 26, 2020

Hi, preview mode pages don't appear to be cached or made available publicly as described. I opened a PR here adding tests for this to our test suite. You might have had the preview mode cookie left set in the browser, which made it appear to be available when it shouldn't have been.

If this isn't the case and the mentioned PR doesn't capture the case where this occurs, please reply with additional details and we can investigate further!
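
An added example, not part of this thread or of the Next.js code base: one way to make a draft depend on preview mode itself rather than on the slug alone, so a request to /posts/id without the preview cookies gets a 404. It relies on the Next.js APIs context.preview, context.previewData, res.setPreviewData and the { notFound: true } return value; the posts array, PREVIEW_SECRET fallback, uid values and the helper names resolvePost and previewHandler are hypothetical.

```javascript
// Constructed sample data: one published post and one draft, each with a preview uid.
const posts = [
  { id: "1", uid: "u-1", published: true, title: "Live post" },
  { id: "2", uid: "u-2", published: false, title: "Draft post" },
];
const PREVIEW_SECRET = process.env.PREVIEW_SECRET || "constructed-secret";

// Hypothetical helper: a draft is returned only when Next.js reports preview
// mode AND the preview data written by the API route names this exact post.
function resolvePost(id, context = {}) {
  const post = posts.find((p) => p.id === id);
  if (!post) return null;
  if (post.published) return post;
  const allowed = context.preview === true &&
    context.previewData && context.previewData.uid === post.uid;
  return allowed ? post : null;
}

// In pages/posts/[id].js this function would be exported as getStaticProps.
async function getStaticProps(context) {
  const post = resolvePost(context.params.id, context);
  return post ? { props: { post } } : { notFound: true };
}

// In pages/api/preview.js this function would be the default export.
function previewHandler(req, res) {
  const { secret, slug } = req.query;
  const match = /^\/posts\/([^/]+)$/.exec(String(slug));
  const post = match && posts.find((p) => p.id === match[1]);
  if (secret !== PREVIEW_SECRET || !post) {
    return res.status(401).json({ message: "Invalid token or slug" });
  }
  res.setPreviewData({ uid: post.uid }); // sets the preview mode cookies
  res.writeHead(307, { Location: `/posts/${post.id}` }); // path built here, not the raw slug
  res.end();
}
```

When checking the public behaviour by hand, clear the preview cookies first (res.clearPreviewData() in an API route, or a private browser window), since a leftover cookie makes the draft look publicly reachable.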

@kodiakhq kodiakhq bot closed this as completed in #16579 Aug 26, 2020
kodiakhq bot pushed a commit that referenced this issue Aug 26, 2020
This adds tests to ensure preview mode pages aren't cached and made publicly available or written to the disk. 

Closes: #16020
@balazsorban44
Member

This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@vercel vercel locked as resolved and limited conversation to collaborators Jan 29, 2022