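--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -1497,19 +1497,16 @@ function wp_ajax_add_meta() {
 );
 $x->send();
 }
-
-$mid = add_meta( $pid );
-if ( ! $mid ) {
-wp_die( __( 'Please provide a custom field value.' ) );
-}
 } else {
 wp_die( 0 );
 }
-} else {
-$mid = add_meta( $pid );
-if ( ! $mid ) {
-wp_die( __( 'Please provide a custom field value.' ) );
-}
+}
+
+$mid = add_meta( $pid );
+if ( is_wp_error( $mid ) ) {
+wp_die( $mid->get_error_message() );
+} elseif ( ! $mid ) {
+wp_die( __( 'Please provide a custom field value.' ) );
 }
 
 $meta = get_metadata_by_mid( 'post', $mid );
@@ -1538,7 +1535,7 @@ function wp_ajax_add_meta() {
 if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) ||
 ! current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) ||
 ! current_user_can( 'edit_post_meta', $meta->post_id, $key ) ) {
-wp_die( -1 );
+wp_die( __( 'Sorry, you are not allowed to edit this custom field.' ) );
 }
 if ( $meta->meta_value != $value || $meta->meta_key != $key ) {
 $u = update_metadata_by_mid( 'post', $mid, $value, $key );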
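Review bot: In the second hunk the permission-denied branch now answers with a translated sentence instead of `wp_die( -1 )`, so any client script or test that matches the literal `-1` response would stop recognising the denial; no caller-side change or AJAX test for this path is visible on the page, so that should be confirmed. In the first hunk, `wp_die( $mid->get_error_message() )` sends the `WP_Error` text to the browser as the response body, which is safe only while every message `add_meta()` returns is a static string. A comment above that call, such as `// add_meta() error messages are static, translated strings; never interpolate request data into them.`, would record the assumption. Both hunks sit inside `wp_ajax_add_meta()`, whose start and end are outside the visible lines.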
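--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -889,9 +889,10 @@ function write_post() {
 * Add post meta data defined in $_POST superglobal for post with given ID.
 *
 * @since 1.2.0
+* @since 5.3.0 Return `WP_Error` if the meta is protected or if the user doesn't have capability.
 *
 * @param int $post_ID
-* @return int|bool
+* @return int|bool|WP_Error
 */
 function add_meta( $post_ID ) {
 $post_ID = (int) $post_ID;
@@ -917,7 +918,7 @@ function add_meta( $post_ID ) {
 }
 
 if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) ) {
-return false;
+return new WP_Error( 'edit_post_metas', __( 'Sorry, you are not allowed to edit this custom field.' ) );;
 }
 
 $metakey = wp_slash( $metakey );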
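Review bot: Returning a `WP_Error` from the authorization check in the second hunk turns a falsy denial into a truthy object, so any existing caller that tests the result with `if ( ! add_meta( ... ) )` will now treat a refused write as success. Only `wp_ajax_add_meta()` is updated on this page; the other callers of `add_meta()` should be audited and made to check `is_wp_error()` before any truthiness test. The added return line also ends in a doubled `;;`, and its error code `'edit_post_metas'` names neither the `add_post_meta` capability tested on the line above nor the protected-meta case, so a code that reflects the actual check would be easier to handle downstream. The body of `add_meta()` continues outside both hunks.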
diff --git tests/phpunit/tests/admin/includesPost.php tests/phpunit/tests/admin/includesPost.php
index cad9742f8d..12cce2718a 100644
class Tests_Admin_Includes_Post extends WP_UnitTestCase { |
| 856 | 856 | $this->assertEquals( '', get_post_meta( $p, 'testkey', true ) ); |
| 857 | 857 | } |
| 858 | 858 | |
| | 859 | /** |
| | 860 | * @ticket 32565 |
| | 861 | */ |
| | 862 | public function test_post_add_meta_should_return_wp_error_if_protected_meta() { |
| | 863 | $post_id = self::factory()->post->create(); |
| | 864 | |
| | 865 | $_POST = array( |
| | 866 | 'metakeyinput' => '_testkey', |
| | 867 | 'metavalue' => 'test_value', |
| | 868 | ); |
| | 869 | |
| | 870 | wp_set_current_user( self::$admin_id ); |
| | 871 | |
| | 872 | $this->assertWPError( add_meta( $post_id ) ); |
| | 873 | } |
| | 874 | |
| 859 | 875 | /** |
| 860 | 876 | * Test the post type support in post_exists(). |
| 861 | 877 | * |