766479 - Password protected pages don't work

Status: RESOLVED FIXED

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Description

[Zandr Milewski [:zandr]]

The "Password Protected" feature on Wordpress Pages doesn't actually work. 

I think this is true across our entire WP deployment, but it's certainly been true of anything called 'air mozilla' for quite a while.

This would have been useful for bug 766400, and this kind of thing will come up again.

Comment 1

[Daniel Maher [:phrawzty]]

For the Airmo page (at least), the symptoms are as follows :
* When a user attempts to access a "password protected" page, WP will instead offer the standard password challenge form.
* After hitting submit, the user is forwarded to /wp-pass.php , whereupon a blank page is displayed (view->source is empty also).
* This occurs regardless of whether the password is correct or not.

Investigation on-going.

Comment 2

[Daniel Maher [:phrawzty]]

A little jiggery-pokery in the in air-dev.a.o has revealed the source of the problem, and thankfully, it's an easy fix.

tl;dr : In wp-admin -> Settings -> General the URL must be *https*, not http. 

The wp-pass.php page calls wp_safe_redirect, an internal function to (you guessed it) return the user to the previous resource. This function tries to avoid hijacking by ensuring that the referring resource and the redirect are are coherent; in this case they were not, since the referrer was an httpS URL, but the WP-generated redirect was base http only. This caused wp_safe_redirect to fail - silently, but such is life.

I've fixed the bug in Airmo dev/stage/prod.

It is entirely possible (probable?) that other Moz WP sites could run into this bug, so they should probably all be verified. I'll create a separate bug for this.