PROBLEM: "You do not have permission to preview drafts."

  • Resolved Fred Chapman

    (@fwchapman)


    11 years, 5 months ago

    If you search the forums, you will find that this problem has come up over and over for years with no satisfactory resolution:

    You do not have permission to preview drafts.

    Administrators obviously have permission to preview drafts and should never see this error message, but they do. The error message is obviously a mistake and indicates a deeper problem that actually has nothing to do with permissions, roles, and capabilities.

    The problem happens if, and only if, the WordPress Address and the Site Address are different on the General Settings page. There are legitimate reasons to make these two URLs be different, such as using a shared SSL certificate, as I have already describe here.

    You can argue that this is “not a core bug” if you like, in which case I will reply that this is a “design flaw” in WordPress. Whatever you call it, it is a problem, and it should be fixed. The only way to fix it to make WordPress support the kind of functionality people say they want is by changing the WordPress core.

    Is anyone here interested in actually solving this problem?

    Thank you,

    Fred Chapman

Viewing 9 replies - 1 through 9 (of 9 total)

  • As stated previously, this is not a core bug. It’s specific to your site.

    Thread Starter Fred Chapman

    (@fwchapman)

    esmi, thanks so much for your reply! I’m glad to have an opportunity to discuss this with you.

    How did you come to the conclusion that this is not a core bug? To the best of my understanding, it’s not specific to my site. Any site for which the WordPress Address and the Site Address are different will exhibit this behavior. To confirm this, I created a fresh WordPress installation using the default theme and retested the behavior. I had exactly the same problem I reported originally. I can provide more details about my test site if you think that would help.

    I’m not the only person who has reported this problem. There are other discussions about this in the forums, and there has never been a truly satisfactory resolution. To me, suggesting that the two URLs must match is a temporary workaround, not a real solution.

    I want to be able to use different URLs for the WordPress Address and Site Address and still preview drafts. Do you know any way to do that? Is there a strong argument to be made for why I shouldn’t be allowed to do that? If so, can we at least change the error message so that it makes sense, or provide clearer instructions on how WordPress is intended to be used?

    Thanks again,

    Fred

    How did you come to the conclusion that this is not a core bug?

    10 years experience working with WordPress, 5 years experience on these forums. – 4.5 of which have been as a moderator. The issue that you describe crops up very rarely and has always been associated with a specific site or server. A core bug, on the other hand, results in a significant number of reports (usually double figures or more) across a wide range of sites, set ups & servers.

    And I have managed and run quite few sites where the site and WordPress urls do not match – usually the result of my preferred way of moving WordPress to take over the root domain after developing a new site in a sub-folder for a re-launch. And not once have I ever had this issue.

    No one has said that the two urls in Settings -> General must match. However, you cannot use whatever urls you want in there. There are only specific scenarios differing urls work effectively and as designed.

    Thread Starter Fred Chapman

    (@fwchapman)

    esmi, thanks for explaining your reasoning. To find out if my situation fits the general trend you’ve observed over the years, let me describe my WordPress configuration.

    My test site uses WordPress 3.5.1 with the Twenty Twelve theme and no plugins. I set the WordPress address to

    https://secure60.inmotionhosting.com/~fwchap5/test

    and the site address to

    https://test.fwchapman.com

    The reason I specify a server-based WordPress address is so that I can use my web host’s shared SSL certificate to secure logins and site administration over HTTPS. I can get everything else in WordPress to work with this configuration, except for previewing drafts.

    In your professional opinion, should WordPress be able to handle my shared SSL configuration or am I asking too much of WordPress by trying to use it in this way? If WordPress is not designed to work this way, is it reasonable to ask to change the design to support shared SSL?

    Fred

    P.S. I’m planning to partner with a local hosting company to develop WordPress hosting that includes a dedicated SSL certificate as part of our standard package. That will avoid the shared SSL problem, but it won’t address any underlying issues in WordPress.

    In your professional opinion, should WordPress be able to handle my shared SSL configuration

    Not using the approach that you have currently chosen. In effect you’re trying to force WP to use two different domain names and that’s not what those two url fields are for. In light of these details, I’d argue that WP is actually trying to correctly enforce security by rejecting your login privileges because the domain that you logged in at does not match the domain of the blog section.

    Does that make sense?

    Have you reviewed Administration_Over_SSL? Would any of that help you out temporarily?

    Thread Starter Fred Chapman

    (@fwchapman)

    esmi, I see what you mean about WordPress concluding there is a security problem because the URLs have different domains. WordPress isn’t talking about “permission” in the sense of roles and capabilities, but in the more fundamental sense of account login privileges.

    In my shared SSL configuration, I can view media attachment pages, but not preview drafts. The difference seems to be that draft previews use a nonce and media attachment pages don’t. Draft previews have extra security, and I guess that’s why WordPress objects.

    I haven’t tried directly modifying .htaccess as described in Administration_Over_SSL. Instead, I’ve been using the WordPress HTTPS plugin, which enables me to serve logins and administration over HTTPS using a shared SSL certificate.

    I’ve basically traded the convenience of draft previews for stronger site security. I can get both with a dedicated SSL certificate, but it costs more money, and I didn’t want to burden my clients with the extra cost; some web hosts charge as much for dedicated SSL as they do for hosting! It looks like the best solution is to offer my own hosting and include a dedicated SSL certificate with my standard package.

    I’m not sure it’s worth the trouble for WordPress to support shared SSL when dedicated SSL certificates (like Comodo’s Positive SSL) are available at such low cost (from resellers like Namecheap). I will mark this topic resolved.

    esmi, thanks to you, I understand the underlying issues better than before. I appreciate all your time and patience. You are a credit to the WordPress community, and you have a really nice resume, too. ??

    Best wishes,

    Fred

    I’m glad I could help in some way ??

    Hello, I see these posts are two months old. Hopefully you are still following this. I am trying to solve this problem.

    “You do not have permission to preview drafts.”

    I published the drafts, so they are no longer drafts and should be visible to the public.

    Thanks in Advance,
    Necole

    @necole2606 – please start your own thread per the forum guidelines – https://codex.www.ads-software.com/Forum_Welcome#Where_To_Post – resolved threads aren’t a good place to ask.

    You can start a new one here:

    https://www.ads-software.com/support/forum/how-to-and-troubleshooting#postform

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘PROBLEM: "You do not have permission to preview drafts."’ is closed to new replies.