Skip to content

Fix draft content leaking to public site#1068

Merged
rchlfryn merged 2 commits intomainfrom
fix/draft-status-filter
May 9, 2026
Merged

Fix draft content leaking to public site#1068
rchlfryn merged 2 commits intomainfrom
fix/draft-status-filter

Conversation

@busbyk
Copy link
Copy Markdown
Collaborator

@busbyk busbyk commented May 8, 2026
edited
Loading

Description

Draft content was being served to public visitors on homePages and individual event pages. The root cause: Payload's draft: false parameter on payload.find() does not automatically add a _status: 'published' filter — it only controls whether to query the versions table vs the main table. Without an explicit _status filter, documents with _status: 'draft' are returned to public visitors.

The pages and posts queries already had this filter. The homePages and events/[slug] queries did not.

This was surfaced when a deployment cleared the ISR cache, and the fresh queries returned draft content that had been sitting in the database (previously masked by stale cache).

Related Issues

Fixes #1067

Key Changes

  • getCachedHomePage.ts: Add _status: 'published' filter when not in draft mode
  • events/[slug]/page.tsx: Add _status: 'published' filter when not in draft mode
  • Both now match the pattern already used by [slug]/page.tsx and blog/[slug]/page.tsx
  • Removes a lingering console.log statement that's not necessary

How to test

  1. In the admin panel, edit a homepage and save as draft with visible changes
  2. Visit the published homepage — should show the previously published version, not the draft
  3. Repeat for an event: save as draft, verify the public page returns 404 or shows published version
  4. Enable draft mode (preview) — draft content should be visible

Screenshots / Demo video

https://www.loom.com/share/3ad0ffddf6f942d7903af35b5ac22d1f

FYI

The status column can be pretty confusing, specifically when there is a "previously published" version but not a "currently published version with a newer draft". They both show "Draft (has published version)" even when there is only a previously published version (meaning no published version, really) and not a currently published version. See this comment: payloadcms/payload#10838 (comment)

@busbyk @claude
Fix draft content leaking to public site for homePages and events
618e96d 
Add _status: 'published' filter to getCachedHomePage and
queryEventBySlug queries. These queries were missing the filter
that pages and posts already had, allowing draft content to be
served to public visitors.

Fixes #1067

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 8, 2026

Preview deployment: https://fixxdraft-status-filter.preview.avy-fx.org

@busbyk busbyk requested a review from rchlfryn May 8, 2026 20:08
@busbyk busbyk marked this pull request as ready for review May 8, 2026 20:08
@busbyk busbyk requested a review from stevekuznetsov May 8, 2026 20:25
@rchlfryn rchlfryn added this pull request to the merge queue May 9, 2026
Merged via the queue into main with commit c073c56 May 9, 2026
9 checks passed
@rchlfryn rchlfryn deleted the fix/draft-status-filter branch May 9, 2026 17:54
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 9, 2026

🚀 This is included in version v1.13.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rchlfryn rchlfryn rchlfryn approved these changes

@stevekuznetsov stevekuznetsov Awaiting requested review from stevekuznetsov

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SAC issues from recent update?

2 participants

@busbyk @rchlfryn