Ticket #17850: 17850.15.diff
File 17850.15.diff, 13.1 KB (added by , 14 years ago) |
wp-includes/post-template.php
737 737 echo "<ul class='post-meta'>\n"; 738 738 foreach ( (array) $keys as $key ) { 739 739 $keyt = trim($key); 740 if ( '_' == $keyt[0])740 if ( is_protected_meta( $keyt, 'post' ) ) 741 741 continue; 742 742 $values = array_map('trim', get_post_custom_values($key)); 743 743 $value = implode($values,', '); -
wp-includes/class-wp-xmlrpc-server.php
234 234 235 235 foreach ( (array) has_meta($post_id) as $meta ) { 236 236 // Don't expose protected fields. 237 if ( strpos($meta['meta_key'], '_wp_') === 0 ) {237 if ( ! current_user_can( 'edit_post_meta', $post_id , $meta['meta_key'] ) ) 238 238 continue; 239 }240 239 241 240 $custom_fields[] = array( 242 241 "id" => $meta['meta_id'], … … 262 261 foreach ( (array) $fields as $meta ) { 263 262 if ( isset($meta['id']) ) { 264 263 $meta['id'] = (int) $meta['id']; 265 264 $pmeta = get_metadata_by_mid( 'post', $meta['id'] ); 266 265 if ( isset($meta['key']) ) { 267 update_meta($meta['id'], $meta['key'], $meta['value']); 266 if ( $meta['key'] != $pmeta->meta_key ) 267 continue; 268 if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) ) 269 update_meta( $meta['id'], $meta['key'], $meta['value'] ); 270 } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) { 271 delete_meta( $meta['id'] ); 268 272 } 269 else { 270 delete_meta($meta['id']); 271 } 273 } elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) { 274 add_post_meta( $post_id, $meta['key'], $meta['value'] ); 272 275 } 273 else {274 $_POST['metakeyinput'] = $meta['key'];275 $_POST['metavalue'] = $meta['value'];276 add_meta($post_id);277 }278 276 } 279 277 } 280 278 -
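Review bot: In the second hunk, line 264 looks up `$pmeta` by meta ID alone and never compares it with `$post_id`, so the `edit_post_meta` / `delete_post_meta` checks on lines 268 and 270 are evaluated against the post the caller names while `update_meta` and `delete_meta` act on whatever post the row actually belongs to. Line 266 also dereferences `$pmeta->meta_key` when `get_metadata_by_mid` returns false for an unknown ID (meta.php lines 315-316 in this patch). Add `if ( ! $pmeta || $pmeta->post_id != $post_id ) continue;` directly after line 264, mirroring the `$meta->post_id != $post_ID` guard this same patch relies on in wp-admin/includes/post.php (lines 211 and 223). The enclosing method starts and ends outside the hunk.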
wp-includes/capabilities.php
951 951 else 952 952 $caps[] = $post_type->cap->read_private_posts; 953 953 break; 954 case 'edit_post_meta': 955 case 'delete_post_meta': 956 case 'add_post_meta': 957 $post = get_post( $args[0] ); 958 $post_type_object = get_post_type_object( $post->post_type ); 959 $caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID ); 960 961 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 962 963 if ( $meta_key && has_filter( "auth_post_meta_{$meta_key}" ) ) { 964 $allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps ); 965 if ( ! $allowed ) 966 $caps[] = $cap; 967 } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) { 968 $caps[] = $cap; 969 } 970 break; 954 971 case 'edit_comment': 955 972 $comment = get_comment( $args[0] ); 956 973 $post = get_post( $comment->comment_post_ID ); -
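Review bot: Line 957's `get_post( $args[0] )` result is dereferenced on line 958 with no null check, so a capability query for a non-existent post ID raises a notice and reaches `map_meta_cap` with a null post type object instead of being denied; adding `if ( ! $post ) { $caps[] = $cap; break; }` after line 957 would deny it the same way lines 966 and 968 do (assuming `$caps` is an array at that point, which is set outside the hunk). The denial idiom itself deserves a why-comment, e.g. on line 966 `// no role grants the meta cap itself, so requiring it denies the request`. It is also worth stating in a comment that when an `auth_post_meta_{$meta_key}` filter is registered (line 963) it is authoritative and `is_protected_meta` is not consulted at all, since `register_meta` in meta.php depends on that precedence. The enclosing `map_meta_cap` switch starts and ends outside the hunk.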
wp-includes/meta.php
26 26 * @param bool $unique Optional, default is false. Whether the specified metadata key should be 27 27 * unique for the object. If true, and the object already has a value for the specified 28 28 * metadata key, no change will be made 29 * @return bool T rueon successful update, false on failure.29 * @return bool The meta ID on successful update, false on failure. 30 30 */ 31 31 function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique = false) { 32 32 if ( !$meta_type || !$meta_key ) … … 49 49 50 50 $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique ); 51 51 if ( null !== $check ) 52 return (bool)$check;52 return $check; 53 53 54 54 if ( $unique && $wpdb->get_var( $wpdb->prepare( 55 55 "SELECT COUNT(*) FROM $table WHERE meta_key = %s AND $column = %d", … … 61 61 62 62 do_action( "add_{$meta_type}_meta", $object_id, $meta_key, $_meta_value ); 63 63 64 $ wpdb->insert( $table, array(64 $result = $wpdb->insert( $table, array( 65 65 $column => $object_id, 66 66 'meta_key' => $meta_key, 67 67 'meta_value' => $meta_value 68 68 ) ); 69 69 70 if ( ! $result ) 71 return false; 72 73 $mid = (int) $wpdb->insert_id; 74 70 75 wp_cache_delete($object_id, $meta_type . '_meta'); 71 76 // users cache stores usermeta that must be cleared. 72 77 if ( 'user' == $meta_type ) 73 78 clean_user_cache($object_id); 74 79 75 do_action( "added_{$meta_type}_meta", $ wpdb->insert_id, $object_id, $meta_key, $_meta_value );80 do_action( "added_{$meta_type}_meta", $mid, $object_id, $meta_key, $_meta_value ); 76 81 77 return true;82 return $mid; 78 83 } 79 84 80 85 /** … … 146 151 do_action( "update_{$meta_type}_meta", $meta_id, $object_id, $meta_key, $_meta_value ); 147 152 148 153 $wpdb->update( $table, $data, $where ); 154 149 155 wp_cache_delete($object_id, $meta_type . '_meta'); 150 156 // users cache stores usermeta that must be cleared. 
151 157 if ( 'user' == $meta_type ) … … 282 288 } 283 289 284 290 /** 291 * Get meta data by meta ID 292 * 293 * @since 3.3.0 294 * 295 * @param string $meta_type Type of object metadata is for (e.g., comment, post, or user) 296 * @param int $meta_id ID for a specific meta row 297 * @return object Meta object or false. 298 */ 299 function get_metadata_by_mid( $meta_type, $meta_id ) { 300 global $wpdb; 301 302 if ( ! $meta_type ) 303 return false; 304 305 if ( !$meta_id = absint( $meta_id ) ) 306 return false; 307 308 if ( ! $table = _get_meta_table($meta_type) ) 309 return false; 310 311 $id_column = ( 'user' == $meta_type ) ? 'umeta_id' : 'meta_id'; 312 313 $meta = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $table WHERE $id_column = %d", $meta_id ) ); 314 315 if ( empty( $meta ) ) 316 return false; 317 318 if ( isset( $meta->meta_value ) ) 319 $meta->meta_value = maybe_unserialize( $meta->meta_value ); 320 321 return $meta; 322 } 323 324 /** 285 325 * Update the metadata cache for the specified objects. 286 326 * 287 327 * @since 2.9.0 … … 588 628 * @return bool True if the key is protected, false otherwise. 
589 629 */ 590 630 function is_protected_meta( $meta_key, $meta_type = null ) { 591 $protected = ( 631 $protected = ( '_' == $meta_key[0] ); 592 632 593 633 return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type ); 594 634 } … … 603 643 * @param string $meta_type Type of meta 604 644 * @return mixed Sanitized $meta_value 605 645 */ 606 function sanitize_meta( $meta_key, $meta_value, $meta_type = null) {607 return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );646 function sanitize_meta( $meta_key, $meta_value, $meta_type ) { 647 return apply_filters( "sanitize_{$meta_type}_meta_{$meta_key}", $meta_value, $meta_key, $meta_type ); 608 648 } 609 649 650 /** 651 * Register meta key 652 * 653 * @since 3.3.0 654 * 655 * @param string $meta_key Meta key 656 * @param string $meta_type Type of meta 657 * @param string|array $sanitize_callback A function or method to call when sanitizing the value of $meta_key. 658 * @param string|array $auth_callback Optional. A function or method to call when performing edit_post_meta, add_post_meta, and delete_post_meta capability checks. 659 * @param array $args Arguments 660 */ 661 function register_meta( $meta_key, $meta_type, $sanitize_callback, $auth_callback = null ) { 662 global $_wp_meta; 663 664 if ( is_callable( $sanitize_callback ) ) 665 add_filter( "sanitize_{$meta_type}_meta_{$meta_key}", $sanitize_callback, 10, 3 ); 666 667 if ( empty( $auth_callback ) ) { 668 if ( is_protected_meta( $meta_key, $meta_type ) ) 669 $auth_callback = '__return_false'; 670 else 671 $auth_callback = '__return_true'; 672 } 673 674 if ( is_callable( $auth_callback ) ) 675 add_filter( "auth_{$meta_type}_meta_{$meta_key}", $auth_callback, 10, 6 ); 676 } 677 610 678 ?> -
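Review bot: The `@return` on line 29 still reads `bool` although `add_metadata` now returns the integer meta ID on line 82 or false on line 71; it should be `@return int|bool The meta ID on success, false on failure.` Likewise `get_metadata_by_mid` documents `@return object` on line 297 but returns false on lines 303, 306, 309 and 316, so `object|bool` is accurate, and the `register_meta` docblock on line 659 describes an `$args` parameter that the signature on line 661 does not accept. Line 52 now returns the filter's value uncast, so whatever type a `add_{$meta_type}_metadata` callback returns is passed straight through to callers that expect an ID or false — a short comment on that line noting the contract callbacks must honour would help. Line 646 also makes `$meta_type` required on `sanitize_meta` where it previously defaulted to null; any existing two-argument caller outside this patch would now fail, which the patch does not mention.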
wp-admin/admin-ajax.php
393 393 break; 394 394 case 'delete-meta' : 395 395 check_ajax_referer( "delete-meta_$id" ); 396 if ( !$meta = get_ post_meta_by_id($id ) )396 if ( !$meta = get_metadata_by_mid( 'post', $id ) ) 397 397 die('1'); 398 398 399 if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta($meta->meta_key ) )399 if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $meta->post_id, $meta->meta_key ) ) 400 400 die('-1'); 401 401 if ( delete_meta( $meta->meta_id ) ) 402 402 die('1'); … … 849 849 die(__('Please provide a custom field value.')); 850 850 } 851 851 852 $meta = get_ post_meta_by_id($mid );852 $meta = get_metadata_by_mid( 'post', $mid ); 853 853 $pid = (int) $meta->post_id; 854 854 $meta = get_object_vars( $meta ); 855 855 $x = new WP_Ajax_Response( array( … … 869 869 die(__('Please provide a custom field value.')); 870 870 if ( !$meta = get_post_meta_by_id( $mid ) ) 871 871 die('0'); // if meta doesn't exist 872 if ( !current_user_can( 'edit_post', $meta->post_id) )872 if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) ) 873 873 die('-1'); 874 if ( is_protected_meta( $meta->meta_key ) )875 die('-1');876 874 if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) { 877 875 if ( !$u = update_meta( $mid, $key, $value ) ) 878 876 die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems). -
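Review bot: Line 870 still calls `get_post_meta_by_id( $mid )` while lines 396 and 852 in this same patch move to `get_metadata_by_mid( 'post', ... )`, leaving the file on two lookup APIs; change it to `if ( !$meta = get_metadata_by_mid( 'post', $mid ) )`. Line 852 assigns the lookup result and line 853 dereferences `$meta->post_id` without testing for the false that `get_metadata_by_mid` returns for an unknown ID, so a false check belongs between those two lines. Lines 399 and 872 test `is_protected_meta` before `current_user_can`, which means an `auth_post_meta_{key}` filter registered via `register_meta` can never grant UI access to a protected key, whereas the XML-RPC path in this patch relies on `current_user_can` alone; if that asymmetry is intended, a one-line comment on line 399 should say so.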
wp-admin/includes/post.php
210 210 continue; 211 211 if ( $meta->post_id != $post_ID ) 212 212 continue; 213 if ( is_protected_meta( $value['key'] ) )213 if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) ) 214 214 continue; 215 215 update_meta( $key, $value['key'], $value['value'] ); 216 216 } … … 222 222 continue; 223 223 if ( $meta->post_id != $post_ID ) 224 224 continue; 225 if ( is_protected_meta( $meta->meta_key ) )225 if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $post_ID, $meta->meta_key ) ) 226 226 continue; 227 227 delete_meta( $key ); 228 228 } … … 671 671 if ( is_string($metavalue) ) 672 672 $metavalue = trim( $metavalue ); 673 673 674 if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {674 if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) { 675 675 // We have a key/value pair. If both the select and the 676 676 // input for the key have data, the input takes precedence: 677 677 … … 681 681 if ( $metakeyinput) 682 682 $metakey = $metakeyinput; // default 683 683 684 if ( is_protected_meta( $metakey ) )684 if ( is_protected_meta( $metakey, 'post' ) || ! 
current_user_can( 'add_post_meta', $post_ID, $metakey ) ) 685 685 return false; 686 686 687 wp_cache_delete($post_ID, 'post_meta'); 688 $wpdb->insert( $wpdb->postmeta, array( 'post_id' => $post_ID, 'meta_key' => $metakey, 'meta_value' => $metavalue ) ); 689 $meta_id = $wpdb->insert_id; 690 do_action( 'added_postmeta', $meta_id, $post_ID, $metakey, $metavalue ); 691 692 return $meta_id; 687 return add_post_meta($post_ID, $metakey, $metavalue); 693 688 } 689 694 690 return false; 695 691 } // add_meta 696 692 … … 771 767 return $wpdb->get_results( $wpdb->prepare("SELECT meta_key, meta_value, meta_id, post_id 772 768 FROM $wpdb->postmeta WHERE post_id = %d 773 769 ORDER BY meta_key,meta_id", $postid), ARRAY_A ); 774 775 770 } 776 771 777 772 /** … … 789 784 790 785 $meta_key = stripslashes($meta_key); 791 786 792 if ( is_protected_meta( $meta_key ) )793 return false;794 795 787 if ( '' === trim( $meta_value ) ) 796 788 return false; 797 789 -
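Review bot: The hunk at lines 792-794 removes the `is_protected_meta` guard from `update_meta`, so the function that performs the write no longer refuses underscore-prefixed keys on its own; every caller must now run the `edit_post_meta` check first, as line 213 here and line 872 of admin-ajax.php do, and any caller not touched by this patch silently loses the protection. Either keep the check as defence in depth or state the new contract in the docblock, e.g. `Performs no authorization; callers must check current_user_can( 'edit_post_meta', ... ) first.` `update_meta`'s signature and docblock are outside the hunk. Line 674 is a whitespace-only change, and with `add_meta` now delegating to `add_post_meta` on line 687 the `$wpdb` usage that remains in that function, if any, is outside the hunk.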
wp-admin/includes/meta-boxes.php
425 425 <div id="ajax-response"></div> 426 426 <?php 427 427 $metadata = has_meta($post->ID); 428 list_meta($metadata); 428 foreach ( $metadata as $key => $value ) { 429 if ( is_protected_meta( $metadata[ $key ][ 'meta_key' ], 'post' ) || ! current_user_can( 'edit_post_meta', $post->ID, $metadata[ $key ][ 'meta_key' ] ) ) 430 unset( $metadata[ $key ] ); 431 } 432 list_meta( $metadata ); 429 433 meta_form(); ?> 430 434 </div> 431 435 <p><?php _e('Custom fields can be used to add extra metadata to a post that you can <a href="http://codex.wordpress.org/Using_Custom_Fields" target="_blank">use in your theme</a>.'); ?></p> -
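Review bot: The filtering loop on lines 428-431 iterates `$metadata as $key => $value` but then re-indexes `$metadata[ $key ][ 'meta_key' ]` twice instead of using `$value`; `if ( is_protected_meta( $value['meta_key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post->ID, $value['meta_key'] ) )` reads more directly. The `is_protected_meta` half duplicates the early return `_list_meta_row` already performs (template.php line 469 in this patch), so the capability check is the only new behaviour here; a comment such as `// drop rows the current user may not edit before rendering` would make that purpose clear. The xmlrpc hunk casts `(array) has_meta(...)` before iterating while this loop does not; whether `has_meta` can return a non-array is not visible here.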
wp-admin/includes/template.php
466 466 function _list_meta_row( $entry, &$count ) { 467 467 static $update_nonce = false; 468 468 469 if ( is_protected_meta( $entry['meta_key'] ) )469 if ( is_protected_meta( $entry['meta_key'], 'post' ) ) 470 470 return; 471 471 472 472 if ( !$update_nonce ) … … 478 478 $style = 'alternate'; 479 479 else 480 480 $style = ''; 481 if ('_' == $entry['meta_key'] { 0 } )482 $style .= ' hidden';483 481 484 482 if ( is_serialized( $entry['meta_value'] ) ) { 485 483 if ( is_serialized_string( $entry['meta_value'] ) ) {