Make sure the token is valid in getIsPreview()

Resolves #14066
craftcms · Dec 26, 2023 · a48f008 · a48f008
1 parent 6e0881c
commit a48f008
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - `craft\services\Security::$sensitiveKeywords` is no longer case-sensitive. ([#14064](https://github.com/craftcms/cms/discussions/14064))
 - Fixed a bug where the `index-assets/cleanup` command accepted `--cache-remote-images`, `--create-missing-assets`, and `--delete-missing-assets` options, even though they didn’t do anything.
 - Fixed a bug where automatically-created relations could be lost when a new site was added to an entry. ([#14065](https://github.com/craftcms/cms/issues/14065))
+- Fixed a bug where `craft\web\Request::getIsPreview()` was returning `true` for requests with expired tokens. ([#14066](https://github.com/craftcms/cms/discussions/14066))
 
 ## 4.5.13 - 2023-12-15
 

diff --git a/src/web/Request.php b/src/web/Request.php
@@ -697,7 +697,11 @@ public function getActionSegments(): ?array
      */
     public function getIsPreview(): bool
     {
-        return $this->getQueryParam('x-craft-preview') !== null || $this->getQueryParam('x-craft-live-preview') !== null;
+        return (
+            ($this->getQueryParam('x-craft-preview') ?? $this->getQueryParam('x-craft-live-preview')) !== null &&
+            // If there's a token but it expired, they're looking at the live site
+            (!$this->getHadToken() || $this->getToken() !== null)
+        );
     }
 
     /**