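--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -288,6 +288,8 @@ function edit_post( $post_data = null ) {
 continue;
 if ( $meta->post_id != $post_ID )
 continue;
+if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) )
+continue;
 if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
 continue;
 update_meta( $key, $value['key'], $value['value'] );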
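Review bot: The new guard on the existing meta key (new lines 291-292) is immediately followed by a structurally identical guard on the submitted key, and nothing says why both are needed, so the pair reads as accidental duplication. A short comment above the first one would make the intent clear: `// Guard both the stored key and the submitted key: a rename can otherwise move a value out of, or into, a protected key.` Presumably `$meta` is the row looked up by `$key` earlier in the loop; that lookup and the rest of edit_post are outside this hunk. The loose `!=` on the post_id comparison above is pre-existing context, not part of this change.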
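--- a/tests/phpunit/tests/post/meta.php
+++ b/tests/phpunit/tests/post/meta.php
@@ -9,6 +9,7 @@ class Tests_Post_Meta extends WP_UnitTestCase {
 parent::setUp();
 
 $this->author = new WP_User( self::factory()->user->create( array( 'role' => 'editor' ) ) );
+$this->another_author = new WP_User( self::factory()->user->create( array( 'role' => 'editor' ) ) );
 
 $post = array(
 'post_author' => $this->author->ID,
@@ -237,4 +238,42 @@ class Tests_Post_Meta extends WP_UnitTestCase {
 $this->assertEquals($funky_meta, get_post_meta($this->post_id, 'test_funky_post_meta', true));
 
 }
+
+/**
+* @ticket 38293
+*/
+public function test_user_cant_delete_another_users_protected_meta() {
+require_once( ABSPATH . '/wp-admin/includes/post.php' );
+
+$protected_meta_key = '_test_meta_data_that_is_protected_and_another_user_is_trying_to_delete';
+
+// Add protected some meta data.
+$post_id = $this->post_id;
+$meta_id = add_post_meta( $post_id, $protected_meta_key, 'protected' );
+
+// Other user editing the post should not effect outcome.
+$expected = get_post_meta( $post_id, $protected_meta_key );
+
+// Attempt to edit the post as another user.
+wp_set_current_user( $this->another_author->ID );
+$post_data = array(
+'post_ID' => $post_id,
+'meta' => array(
+"{$meta_id}" => array(
+'key' => 'unprotected_meta_key',
+'value' => 'protected',
+),
+),
+);
+edit_post( $post_data );
+// Revert current user.
+wp_set_current_user( 0 );
+
+$actual = get_post_meta( $post_id, $protected_meta_key );
+$this->assertSame( $expected, $actual );
+
+// Tidy up.
+delete_metadata_by_mid( 'post', $meta_id );
+}
+
 }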
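Review bot: The test name and its comments describe deleting protected meta, but the request body at new lines 259-267 renames `$meta_id` to `unprotected_meta_key`, and the only assertion (line 273) checks that the protected key kept its value; it never checks that no entry was created under the submitted key, which is the other half of what the new guard in edit_post is meant to prevent. Adding `$this->assertSame( array(), get_post_meta( $post_id, 'unprotected_meta_key' ) );` after line 273 would pin that down. The comments on lines 250 and 254 also read oddly and could be `// Add some protected meta data.` and `// Another user editing the post should not affect the outcome.`. The clean-up on line 276 is skipped when the assertion fails, which is fine if the fixture is rolled back per test, but worth confirming.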