Go to the URL localhost:#####/post/{id_of_draft}/{slug_of_draft} (you can probably figure out the ID and slug)
Expected:
Unable to access the draft because it is not a post yet.
Actual:
The draft is displayed as an actual post. It also looks even stranger because there's a section for displaying comments, but because the post isn't public, there is no form field to write a comment. None of this should be displayed.
Why this is a concern:
If somebody knows the ID of a post, for example if you publish a post and someone sees the ID in the URL, they can see your post even if you take it down and make it a draft. They just have to navigate to the URL.
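The root cause described above is a missing authorization check in the post route: the handler looks the post up by ID and renders it without asking whether it is published or who is asking. The following is an added example of what the check should look like; it is not the project's own code, and the `Post` model, the in-memory `POSTS` store, the `Response` shape and the `view_post` handler are all assumptions standing in for the application's real route and database.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Post:
    id: int
    slug: str
    author_id: int
    published: bool
    body: str


# Constructed in-memory store standing in for the real database:
# one public post and one draft by the same author (hypothetical data).
POSTS: Dict[int, Post] = {
    1: Post(1, "hello-world", author_id=10, published=True, body="public text"),
    2: Post(2, "not-ready", author_id=10, published=False, body="draft text"),
}


@dataclass
class Response:
    status: int
    body: str = ""
    show_comments: bool = False
    show_comment_form: bool = False


def view_post(post_id: int, slug: str, current_user_id: Optional[int] = None) -> Response:
    """Handler for /post/<id>/<slug> with the authorization check applied.

    A draft is only viewable by its own author (as a preview); everyone else
    gets the same 404 they would get for a post that does not exist, so the
    URL does not confirm that a draft with that ID is there at all.
    """
    post = POSTS.get(post_id)
    if post is None:
        return Response(404)

    # The check the bug report says is missing: unpublished posts are not
    # posts yet as far as anyone but the author is concerned.
    if not post.published and current_user_id != post.author_id:
        return Response(404)

    # Slug mismatch is treated as not found as well (a real app might redirect).
    if post.slug != slug:
        return Response(404)

    # Comments belong to public posts only; an author previewing a draft
    # should not see the comments section or the comment form either.
    public = post.published
    return Response(
        200,
        body=post.body,
        show_comments=public,
        show_comment_form=public,
    )
```

Returning 404 rather than 403 for a draft viewed by a stranger is deliberate: a 403 would still tell the visitor that the ID they guessed corresponds to a real draft. The same rule should be applied to any other route that loads a post by ID, such as comment listing or comment submission endpoints, since those are the other places the report notes drafts leaking through.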