Make WordPress Core

Opened 7 years ago

Closed 5 years ago

Last modified 5 years ago

#43008 closed defect (bug) (invalid)

Switching post status from publish to draft still allows you to see it

Reported by: danieltj
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords:
Focuses:
Cc:

Description

After some testing, I've found a bug regarding draft posts. I did originally think this was a security vulnerability; however, it is not, because this only occurs if you're logged in and are the person who saved the post as a draft.

If you have a post and save it as a draft, and you then try to view it on the front-end, you can see a preview; the URL usually looks like this: http://wp.test/?p=100&preview=true. However, if you try to view it using the real post URL, such as http://wp.test/test-page/, then you'll get a post not found error message.

This is fine so far, however...

If you publish the post and then, any time afterwards, change the post to a draft again, it's still accessible using the real post URL even though it's still a draft. When a post is set to a draft, in my opinion it should never be accessible through its real URL. It should only be accessible through the 'not pretty' preview URL instead.

If you're not logged in, you won't be able to see draft posts regardless of when they were drafted, but even so, while logged in you shouldn't either. I've not dug into the code yet to see what's happening here, but it doesn't seem like it's by design, because the post is hidden away from things like post lists and widgets etc.

Change History (4)

#1 @danieltj
7 years ago

  • Summary changed from 'Switching post status from publish to draft still allows you to see it if admin' to 'Switching post status from publish to draft still allows you to see it'

Removed the 'if admin' part of the title, as you could be an editor. You just need permission to draft/publish posts.

#2 @Junaidkbr
7 years ago

It's a cache issue. Try the pretty permalink in incognito and you'll get the Page not found error as usual. Deleting cookies has the same effect.

Last edited 7 years ago by Junaidkbr

#3 @danieltj
5 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#4 @desrosj
5 years ago

  • Milestone Awaiting Review deleted
  • Version 4.9.1 deleted