
Disable or restrict the theme_preview parameter on the front end #50188

@draganescu

Description

In Add Theme Previews for block themes, a special GET parameter makes it possible to preview block themes in the site editor.

Because, to make this work, the PR filtered the stylesheet and template options, this special parameter also takes effect on the front end, effectively allowing anyone to switch the current theme to any installed theme.

This is problematic security-wise because:

  • it exposes, via trial and error, which themes the user has installed
  • it exposes potentially in-progress work
  • it allows sharing links with the preview switched on

The theme_preview GET param should only work if the user is logged in and has the correct permissions for editing themes.
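The weak and the hardened form of the option filter described above, as an added illustration that is not Gutenberg's own code: the hook names (option_stylesheet, option_template), the edit_theme_options capability and the WP_Theme methods are WordPress core, but the function names and the exact structure are assumptions for this sketch.

```php
<?php
// Weak form (assumed sketch of the behaviour the issue describes): the preview
// parameter is honoured on every request, so any visitor can switch the rendered
// theme and enumerate installed themes by guessing slugs.
function weak_preview_stylesheet( $stylesheet ) {
	if ( ! empty( $_GET['theme_preview'] ) ) {
		return sanitize_text_field( wp_unslash( $_GET['theme_preview'] ) );
	}
	return $stylesheet;
}

// Hardened form: resolve the requested preview theme only for a logged-in user
// who may edit themes, and only if the theme really exists and is a block theme.
// Returns null in every other case, so the active theme is left untouched and a
// shared preview link is inert for anonymous visitors.
function preview_theme_for_request() {
	if ( empty( $_GET['theme_preview'] ) ) {
		return null;
	}
	// current_user_can() is false for anonymous requests, which covers both
	// "must be logged in" and "must have the permission to edit themes".
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		return null;
	}
	$requested = sanitize_text_field( wp_unslash( $_GET['theme_preview'] ) );
	$theme     = wp_get_theme( $requested );
	if ( ! $theme->exists() || ! $theme->is_block_theme() ) {
		return null; // unknown or non-block theme: fall back silently
	}
	return $theme;
}

// The stylesheet is the (child) theme slug; the template is its parent's slug.
add_filter( 'option_stylesheet', function ( $value ) {
	$theme = preview_theme_for_request();
	return $theme ? $theme->get_stylesheet() : $value;
} );

add_filter( 'option_template', function ( $value ) {
	$theme = preview_theme_for_request();
	return $theme ? $theme->get_template() : $value;
} );
```

Note that the stylesheet option is read early in bootstrap, so where exactly these filters are attached matters; the sketch only shows the permission and existence checks.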

Step-by-step reproduction instructions

  1. Use Gutenberg trunk with the theme preview experiment active
  2. Open the front end of the site
  3. Append ?theme_preview=[path to theme] to the URL
  4. You'll see the website rendered with the specified theme

Screenshots, screen recording, code snippet

N/A

Environment info

No response

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes

Metadata

Labels

[Feature] Themes: Questions or issues with incorporating or styling blocks in a theme.
[Type] Bug: An existing feature does not function as intended