Unlaunched/coming soon site: user able to follow through reader and then see posts

[Nic-Sevic]

Quick summary

If a user searches for and follows a site via the reader they are then able to see any content on a coming soon site even if the site has not yet been launched. If you launch and set back to coming soon the content is hidden again (at least when I tested from an already launched site).

Steps to reproduce

1. Find/create site and do not launch
2. With another account search the site address in reader and follow
3. pull up site address and see content

What you expected to happen

Content should remain hidden whether launched or not when in coming soon mode

What actually happened

Content is visible when site not yet launched and someone follows

Context

4340612-zd-woothemes

Operating System

No response

Browser

No response

Simple, Atomic or both?

Simple

Theme-specific issue?

No response

Other notes

No response

Reproducibility

No response

Severity

No response

Available workarounds?

No response

Workaround details

No response

[kimerlin81]

I've tested several times with existing (simple and atomic) sites, but I'm unable to reproduce this.

I followed these steps:

1. Find/create site and do not launch
2. With another account search the site address in reader and follow
3. pull up site address and see content

However, each time I view a site after following it, the "Coming soon" page displays (not the site content).

I then created a new simple site - http://un-launched.com/
It has not been launched and I'm still unable to reproduce this.
I logged into a secondary WP account > went to Reader > searched for "un-launched.com" > followed "un-launched.com" and then opened http://un-launched.com/ in a new tab. I was unable to see anything other than the Coming soon page.
I also tested in an incognito browser.

Screen recording is attached.

Screen.Capture.on.2021-10-05.at.12-38-23.mp4

[edequalsawesome]

I was able to duplicate this after a user reported seeing two new followers on their site in 4609237-zen -- I created a new site titled Unlaunched Test Site, and was then able to follow it from my test account. I then published a post, and I was able to see it on my test account, despite the site being unlaunched.

I've set this with high priority, since it'll apply to every Coming Soon site.

[cometgrrl]

@Automattic/flow-patrol-create Is this something you could look at? It's a little scary that people could gain access to unlaunched sites and their content through this bug.

[simison]

This would be expected, as the site isn't in "private" mode and rather just the front of the page gets replaced with "coming soon" page. Similarly you can just type in the RSS Feed URL and add it to any other RSS feed reader.

For full privacy, you'd switch the site to "private" mode with its quirks and problems that come with it.

For our own Reader could choose to just check the site status and not add them, or not fetch posts until the site is fully public. Not sure how often this happens anyway.

[github-actions]

Support References

This comment is automatically generated. Please do not edit it.

• 4340612-zen
• 4609237-zen

[daledupreez]

Similarly you can just type in the RSS Feed URL and add it to any other RSS feed reader.

This also feels unexpected to me as a user -- I would prefer the feed to be empty before launch. But I think that's a separate improvement/fix.

[simison]

I appreciate it can be surprising. We used to have sites hidden in every way possible during coming soon mode, but it was a constant source of bugs as many features work only when site is public. Even tiled gallery would break.

Instead of keeping fixing those things, we just adjusted only pages be private, and the rest like images, RSS feed, etc are there if one digs them up.

Current model pretty much meets the customer expectations most of the time; "I visit my URL, it should show coming soon page".

[simison]

Switched from a "bug" to "Reader enhancement", happy to converse more if anyone disagrees. :-)

[roo2]

I've been investigating this from a sperate report p1662606196916629-slack-C03NLNTPZ2T, I think I'm pretty close to coming up with a fix and it would definitely be better if we can not make the users posts visible before they launched the site!

[roo2]

Ahh just to clarify, "coming soon" content is not available via search in reader, ( internally there is a "searchable" blog_info index that is only true if the site is blog_public=1 ) but "coming soon" content is available if you subscribe to the blog directly

[roo2]

It looks like to fix this we will have to add a coming_soon index to elastic search, or update the search used by an individual blog's feed to only return "searchable" blogs. I'll leave this task for now.

[simison]

It looks like to fix this we will have to add a coming_soon index to elastic search

What's a blocker for doing just that?

[roo2]

Not a blocker, but I personally don't know how to do it! 😛 and realizing that this issue only affects blogs that have been subscribed to directly, and also that with the way public coming soon was implemented, we know that there are ways to get access to the content, I don't think it's as big a priority to fix right away. When I started investigating I thought that coming soon sites were showing up in reader's search

[mrfoxtalbot]

@simison, do you think you could help us move this forward? While we are at it, we should try to fis #92385 as well.

To me these are not mere enhancements but actual bugs and ones that have privacy/trust implications.

Thank you!

[xavier-lc]

PR ready for review: D159347-code

[mrfoxtalbot]

@xavier-lc, since not all a12s have access to Phabricator, could you please come back and close this issue once the patch is merged? Thank you!

[xavier-lc]

@xavier-lc, since not all a12s have access to Phabricator, could you please come back and close this issue once the patch is merged? Thank you!

Yes, I'll do that 👍

[mrfoxtalbot]

Thanks! Any updates @xavier-lc?

[xavier-lc]

The review is taking a while :/ I think it'll get aproved soon, though.

[xavier-lc]

@mrfoxtalbot the changes have been deployed.

[davemart-in]

Looks like this shipped. Closing this issue out.