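--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -1497,19 +1497,16 @@ function wp_ajax_add_meta() {
 );
 $x->send();
 }
-
-$mid = add_meta( $pid );
-if ( ! $mid ) {
-wp_die( __( 'Please provide a custom field value.' ) );
-}
 } else {
 wp_die( 0 );
 }
-} else {
-$mid = add_meta( $pid );
-if ( ! $mid ) {
-wp_die( __( 'Please provide a custom field value.' ) );
-}
+}
+
+$mid = add_meta( $pid );
+if ( is_wp_error( $mid ) ) {
+wp_die( $mid->get_error_message() );
+} elseif ( ! $mid ) {
+wp_die( __( 'Please provide a custom field value.' ) );
 }
 
 $meta = get_metadata_by_mid( 'post', $mid );
@@ -1538,7 +1535,7 @@ function wp_ajax_add_meta() {
 if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) ||
 ! current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) ||
 ! current_user_can( 'edit_post_meta', $meta->post_id, $key ) ) {
-wp_die( -1 );
+wp_die( __( 'Sorry, you are not allowed to edit this custom field.' ) );
 }
 if ( $meta->meta_value != $value || $meta->meta_key != $key ) {
 $u = update_metadata_by_mid( 'post', $mid, $value, $key );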
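Review bot: The new `wp_die( $mid->get_error_message() )` branch in the first hunk writes whatever text `add_meta()` placed in the `WP_Error` straight into the AJAX response. The only error this commit creates carries a fixed translated string, so nothing leaks today, but a later message that embeds the submitted meta key would go out unescaped; `wp_die( esc_html( $mid->get_error_message() ) );` keeps the output safe whatever the message becomes. The second hunk also changes the permission-denied response from `-1` to a translated string, so any client code that tests the response for `-1` (not visible here) should be checked. The body of `wp_ajax_add_meta()` starts and ends outside both hunks.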
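--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -889,9 +889,10 @@ function write_post() {
 * Add post meta data defined in $_POST superglobal for post with given ID.
 *
 * @since 1.2.0
+* @since 5.3.0 Return `WP_Error` if the meta is protected or if the user doesn't have capability.
 *
 * @param int $post_ID
-* @return int|bool
+* @return int|bool|WP_Error
 */
 function add_meta( $post_ID ) {
 $post_ID = (int) $post_ID;
@@ -917,7 +918,7 @@ function add_meta( $post_ID ) {
 }
 
 if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) ) {
-return false;
+return new WP_Error( 'edit_post_metas', __( 'Sorry, you are not allowed to edit this custom field.' ) );;
 }
 
 $metakey = wp_slash( $metakey );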
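Review bot: Returning a `WP_Error` where `add_meta()` used to return `false` turns a denied write into a truthy value, so any caller that still tests only `! add_meta( ... )` will read a rejected protected or unauthorised key as success. `wp_ajax_add_meta()` is updated in this commit; other callers are not visible here and each needs an `is_wp_error()` check before the result is used as a meta ID. The new return line also ends in a stray second semicolon and should read `return new WP_Error( 'edit_post_metas', __( 'Sorry, you are not allowed to edit this custom field.' ) );`. The body of `add_meta()` continues outside the hunk.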
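--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
@@ -856,6 +856,22 @@ class Tests_Admin_Includes_Post extends WP_UnitTestCase {
 $this->assertEquals( '', get_post_meta( $p, 'testkey', true ) );
 }
 
+/**
+* @ticket 32565
+*/
+public function test_post_add_meta_should_return_wp_error_if_protected_meta() {
+$post_id = self::factory()->post->create();
+
+$_POST = array(
+'metakeyinput' => '_testkey',
+'metavalue' => 'test_value',
+);
+
+wp_set_current_user( self::$admin_id );
+
+$this->assertWPError( add_meta( $post_id ) );
+}
+
 /**
 * Test the post type support in post_exists().
 *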
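Review bot: The new test covers only the protected-key half of the condition in `add_meta()`; the `current_user_can( 'add_post_meta', ... )` half, which is the actual authorisation check, has no test using a user without the capability and an unprotected key. The test also asserts the return type but not that nothing was stored; adding `$this->assertSame( '', get_post_meta( $post_id, '_testkey', true ) );` after the `assertWPError()` call would pin that a rejected key never reaches the database. The test replaces `$_POST` wholesale, which is safe only if the base test case resets it between tests (not visible here).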