Bug #96621
open
Visiting the workspace preview of a page makes all pages "workspace version" even without the "?ADMCMD_prev=..." part
0%
Description
Premise: tested on TYPO3 12.0.0-dev, but it should affects also lesser versions (10,11)
Prerequisites¶
- TYPO3 installation, fresh
- A draft workspace
- use admin user, is good as well
Steps to reproduce¶
On LIVE workspace
1. Create a page "test"
2. switch to draft workspace and go to "test"
3. Create a content element and save it
4. Go to the workspace module and generate the preview link
5. Log out from TYPO3 or open a new browser window in incognito mode or change browser
6. Visit the preview link given to you
Issue description¶
- If I visit the link for the generated workspace, for example:
https://typo3.whatever/test?ADMCMD_prev=246e0166ff13bd8f265e7e0060a50806
I see the draft workspace version - the one with the yellow box on the right upper corner - and the content element is of course visible
- If I visit the same link (on the same browser) , but the LIVE version i.e.
https://typo3.whatever/test
I still see the workspace version with the yellow box. This is true for every other page of the site.
It is possible to use the "stop preview" to obtain the message that we "log out from Workspace preview mode." with the link of the same page, live version.
I suspect that the responsible is the ADMCMD_prev cookie (a session cookie if I am not wrong)... I guess it is set when I visit the workspace link and remains valid for the whole site, until you remove it.
Additional notes¶
Not tested with multiple sites on the same installation
Updated by Riccardo De Contardi about 2 years ago
- Related to Bug #75063: Workspace-Preview for Non-Admin Users not working correctly for extbase content added
Updated by Oliver Hader about 2 years ago
- Status changed from New to Needs Feedback
Using a workspace preview link containing ADMCMD_prev creates a virtual backend user session, which is stored in a cookie. This allows to navigate (click other links) in a workspace preview and still seeing their workspace contents (if any).
Thus, the system cannot determine automatically when the workspace preview shall be ended. That's the reason for having that "logout" button which actually drops the corresponding cookie and terminated the virtual backend user session. The behavior is not new, but at least exists since TYPO3 v6.2.
Alternatives would be a preview domain or preview URL segment. Adding ?ADMCMD_prev=[value] to each link in the frontend preview is not a good solution, since those links might be copy&pasted, allowing others to get the workspace preview or at least a strange frontend experience (having that "logout" button or similar).
Examples for a preview trigger:
- https://preview.example.org/some/page →
previewsubdomain explicitly states workspace preview mode - https://example.org/_preview/some/page →
_previewprefix explicitly states workspace preview mode- potential conflicts with other route configuration needs to be considered
- e.g. segments starting with
_(or similar) might be declared as "system-internal" in TYPO3 v12
Updated by Riccardo De Contardi about 2 years ago
Oliver Hader wrote in #note-2:
Thus, the system cannot determine automatically when the workspace preview shall be ended. That's the reason for having that "logout" button which actually drops the corresponding cookie and terminated the virtual backend user session. The behavior is not new, but at least exists since TYPO3 v6.2.
I understand; The odd behavior is that the preview is triggered also without the ADMCMD_prev part.
Also, when in workspace I read "generate preview link" I would expect that it should be valid only for that link
So, in my opinion there are two sources of confusion:
1) the "virtual backend user session" continues without the ?ADMCMD_prev=[value] part
2) the link is actually a "preview version" of the whole workspace, not only of the single page
[...]. Adding
?ADMCMD_prev=[value]to each link in the frontend preview is not a good solution, since those links might be copy&pasted, allowing others to get the workspace preview or at least a strange frontend experience (having that "logout" button or similar)
IIRC the link is valid for 1h
Correct me if I am wrong; the whole point of the "generate preview link" is to have an easy tool to generate a preview link that can be copied and pasted and sent to people that don't have access to the CMS
Examples for a preview trigger:
- https://preview.example.org/some/page →
previewsubdomain explicitly states workspace preview mode- https://example.org/_preview/some/page →
_previewprefix explicitly states workspace preview mode
- potential conflicts with other route configuration needs to be considered
- e.g. segments starting with
_(or similar) might be declared as "system-internal" in TYPO3 v12
If I've understood it, a solution like https://preview.example.org/some/page would mean that an alternative domain should be set in the site config (the yaml file I mean) and tied to the workspace.
Correct me if I am wrong, but that would be still a preview for the whole workspace.