Disable offline commenting and offline browsing for authenticated users #363
Comments
Offline commenting should probably be turned off entirely for authenticated users.
Offline browsing overall should probably be turned off for authenticated users, as currently this can cause issues with the admin bar being cached. See #252.
Another reason to turn off offline browsing for logged-in users: nonce links can fail.
@westonruter we will be taking this issue further on. Initial approaches:
Suggested approach: As mentioned above in the second approach, we need to conditionally load these scripts mentioned in https://github.com/GoogleChromeLabs/pwa-wp/blob/develop/wp-includes/components/class-wp-service-worker-navigation-routing-component.php#L298-L314 Also, another approach would be that,
Sorry for the delay in being able to respond. It used to be that the service worker respected the user's authentication state so that it could register user-specific logic. This was eliminated in #279 since at the time the plugin was configured to automatically reload when a service worker update was detected. This had the extremely annoying behavior of causing a page to reload once the user logged in, potentially resulting in loss of input if the user had started to type something (e.g. in a search box). So in order to make the installed service worker consistent across all authentication states, the service worker was set to run without the user being authenticated, in a similar way to how the REST API behaves if no nonce is included in the request. This is that snippet you referred to. Another possibility would be to add logic so that the Lastly, we could also consider just removing the offline commenting functionality entirely. I don't recall this being a feature that anyone has ever used in practice. It should perhaps get removed and go the way of integrations #403 by being deprecated/eliminated. It may be better to bring in background sync later as part of a revamp of commenting in WordPress, where XHR comment submission could be employed instead of full-page submission, which would also address the problem of a submitted comment being accidentally lost if the user doesn't hit the back button properly to get back to the form.
@westonruter
Please do share your views on the same. Attaching an implementation without the template for comments form submission. comment.offline.testing.mp4
Thank you for the video. I like the idea of serving back the offline template in response to POST submissions, which we are currently doing actually. You can see that we currently send back the offline template and provide the error message as
Clearly this would need to be replaced with something like showing the
This would probably need to be in bold. The go back link would be So then the question is whether it should be extended to all POST requests and not just the comment submission form. I suppose?
Yes, I guess it should be implemented for all the POST requests. Also let me know if a separate issue will be created for the same or should it be implemented in the same one?
It can be done as part of the same issue, yes.
QA Passed ✅ The expected changes are working fine. Screen.Recording.2022-04-19.at.7.16.58.PM.mov
There are two scenarios where offline commenting can currently fail due to user authentication:
When a site requires that “Users must be registered and logged in to comment”, when a user does try to submit a comment and it is queued via background sync, it could be that once the user goes back online their session will have expired. At that point, their comment will be lost.
Otherwise, even when non-authenticated users can post comments, when an admin user is logged in, the comment form includes a `_wp_unfiltered_html_comment` input that has a nonce:
If an admin user submits a comment when offline and the comment is submitted after the session has expired, then if the user had included any privileged HTML in the comment, this will get stripped out by Kses filtering upon submission.
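The two failure scenarios above, as an added example that is not part of the original issue and is not pwa-wp or WordPress code: a simplified JavaScript model of a nonce bound to a user id, session token and time window, replayed from a background-sync queue. The secret, lifetimes, session shape and outcome names are assumptions made for the illustration; it also covers the related case where the nonce ages out while the session is still valid.

```javascript
// Added illustration: simplified model of session-bound nonces (not WordPress or pwa-wp code).
const { createHmac } = require('node:crypto');

const SECRET = 'constructed-site-salt'; // constructed value
const HALF_LIFE = 12 * 60 * 60;         // assumed: a nonce is accepted for two 12-hour ticks

const tick = (now) => Math.ceil(now / HALF_LIFE);

// A nonce binds an action to the user id and session token within a time window.
function makeNonce(action, uid, token, t) {
  return createHmac('sha256', SECRET)
    .update([t, action, uid, token].join('|')).digest('hex').slice(-12, -2);
}

// Accept nonces minted in the current or the previous tick only.
function verifyNonce(nonce, action, session, now) {
  return [tick(now), tick(now) - 1]
    .some((t) => makeNonce(action, session.uid, session.token, t) === nonce);
}

// Outcome when the server receives a comment POST, live or replayed from a queue.
function submitComment(post, server, now) {
  const session = server.sessions[post.cookie];
  const live = session && session.expires > now ? session : null;
  // Scenario 1: registration required and the session is gone, so the comment is lost.
  if (!live && server.registrationRequired) return 'rejected';
  // Scenario 2: unfiltered HTML survives only with a live privileged session and a valid nonce.
  const nonceOk = live && live.canUnfilteredHtml &&
    verifyNonce(post.unfilteredHtmlNonce, 'unfiltered-html-comment_' + post.postId, live, now);
  return nonceOk ? 'posted_unfiltered' : 'posted_filtered';
}

// Constructed scenario: an admin writes a comment at t0 while offline;
// background sync replays it replayDelay seconds later.
function demo(registrationRequired, replayDelay) {
  const t0 = 1_700_000_000;
  const session = { uid: 1, token: 'tok-abc', canUnfilteredHtml: true, expires: t0 + 48 * 3600 };
  const server = { registrationRequired, sessions: { 'cookie-1': session } };
  const post = {
    cookie: 'cookie-1',
    postId: 42,
    unfilteredHtmlNonce: makeNonce('unfiltered-html-comment_42', 1, 'tok-abc', tick(t0)),
  };
  return submitComment(post, server, t0 + replayDelay);
}
```
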