Private draft posts

Hi, I recently started using a self-hosted instance of writefreely as my public blog as well as a private diary.

One thing that took a little getting used to was the fact that drafts are all publicly accessible, albeit secured behind a secret URL. It took a while but I soon wrapped my head around it - these posts were eventually going to be public anyway, so doesn’t hurt too much for them to be leaked. It’s a really elegant workflow.

The thing that gave me a slight panic today was when I discovered that posts that were destined for my private diary blog also had draft hash URLs attached to them, and continued to be publicly accessible even after they have been published to my private diary blog.

Here’s how you can reproduce it:

  1. Create a new post
  2. Publish it to Drafts
  3. Copy the draft link
  4. Navigate to the Drafts page (/me/posts/)
  5. Use the “move to” dropdown menu to move the post to a private blog
  6. Open the link copied in (3) in an incognito browser window
  7. Observe that the post can still be viewed

I am conscious that this could very well be a desired feature rather than a bug, but for the use-case where a post is destined for a private blog, this public accessibility might be unexpected.

For my own purpose, I’ve forked and added a tiny config.ini flag called private_drafts which, when true, makes drafts only accessible to their owners. Enabling this sadly locks down the ability for drafts to be shared around, but in the case where I am a sole author for my public writing, and also write privately, it’s a trade-off that I’m happy to make.

Here is the commit:

It works fine for my needs, but I was wondering if this is something that you might be open to merging upstream. I’m more than happy to cut a PR, take any feedback and make improvements to my code submission if it means I don’t need to maintain and build my own fork :slight_smile:

Also, totally understand if this is not a direction that you want to take this project.


p.s. Apologies if I posted this in the wrong category. Feel free to re-categorise or point me to a more suitable one.

Hey, thanks for looking into this and bringing it up! It’s a great point, and I’m interested in merging a fix in.

No matter what, we should make sure that a post belonging to a private blog can’t be accessed by its secret URL. For that, I think we’d just need to add a check in handleViewPost(): if a post has a collection_id, look up that collection and hide the post if the collection is private.

But outside of that, there are other ways to have a “private” blog in WF that we might be able to use, instead of adding another config flag. But not sure if they’d fit your setup. Right now, you can:

  • Set the entire instance to private in the config
  • Individually set a blog to Private from its Customize page

The “single user” / “multi-user” setting might also affect things. How is your instance set up? For multi-user?

Agree, this is more elegant.

I have it set up with:

  • single_user = false so that I can run multiple blogs. Strictly speaking, I am running as a single user, but I wasn’t able to create additional blogs in that mode.
  • private = false because I have a combination of public and private blogs.
1 Like

Would something like this work?

This looks about right! Just might need to revise that protectDraft logic to still allow sharing drafts publicly. But if you want to submit that PR, I’ll review and we can discuss there, so we can get it into the next release!

Yup, PR submitted. Cheers!