Ticket #38412: 38412.2.diff
| File 38412.2.diff, 8.4 KB (added by , 9 years ago) |
|---|
-
src/wp-includes/capabilities.php
242 242 case 'edit_post_meta': 243 243 case 'delete_post_meta': 244 244 case 'add_post_meta': 245 $post = get_post( $args[0] ); 246 if ( ! $post ) { 245 case 'edit_comment_meta': 246 case 'delete_comment_meta': 247 case 'add_comment_meta': 248 case 'edit_term_meta': 249 case 'delete_term_meta': 250 case 'add_term_meta': 251 case 'edit_user_meta': 252 case 'delete_user_meta': 253 case 'add_user_meta': 254 list( $_, $object_type, $_ ) = explode( '_', $cap ); 255 $object_id = (int) $args[0]; 256 257 switch ( $object_type ) { 258 case 'post': 259 $post = get_post( $object_id ); 260 if ( ! $post ) { 261 break; 262 } 263 264 $sub_type = get_post_type( $post ); 265 break; 266 267 case 'comment': 268 $comment = get_comment( $object_id ); 269 if ( ! $comment ) { 270 break; 271 } 272 273 $sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type; 274 break; 275 276 case 'term': 277 $term = get_term( $object_id ); 278 if ( ! $term ) { 279 break; 280 } 281 282 $sub_type = $term->taxonomy; 283 break; 284 285 case 'user': 286 $user = get_user_by( 'id', $object_id ); 287 if ( ! $user ) { 288 break; 289 } 290 291 $sub_type = 'user'; 292 break; 293 } 294 if ( empty( $sub_type ) ) { 247 295 $caps[] = 'do_not_allow'; 248 296 break; 249 297 } 250 298 251 $ post_type = get_post_type( $post);299 $caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id ); 252 300 253 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );254 255 301 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 256 302 257 if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) { 303 $has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" ); 304 if ( $meta_key && $has_filter ) { 258 305 /** 259 * Filters whether the user is allowed to add post meta to a post.306 * Filters whether the user is allowed to add meta to an object. 260 307 * 261 * The dynamic portion of the hook name, `$meta_key`, refers to the 262 * meta key passed to map_meta_cap(). 308 * The dynamic portions of the hook name `$object_type`, and `$meta_key`, refer 309 * to the object type (post, comment, term, user) and meta key passed to 310 * map_meta_cap(), respectively. 263 311 * 264 312 * @since 3.3.0 265 313 * 266 * @param bool $allowed Whether the user can add the postmeta. Default false.267 * @param string $meta_key The meta key.268 * @param int $ post_id Post ID.269 * @param int $user_id User ID.270 * @param string $cap Capability name.271 * @param array $caps User capabilities.314 * @param bool $allowed Whether the user can add the meta. Default false. 315 * @param string $meta_key The meta key. 316 * @param int $object_id Object ID. 317 * @param int $user_id User ID. 318 * @param string $cap Capability name. 319 * @param array $caps User capabilities. 272 320 */ 273 $allowed = apply_filters( "auth_ post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );321 $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps ); 274 322 275 323 /** 276 324 * Filters whether the user is allowed to add post meta to a post of a given type. 277 325 * 278 * The dynamic portions of the hook name, `$meta_key` and `$post_type`, 279 * refer to the meta key passed to map_meta_cap() and the post type, respectively. 326 * The dynamic portions of the hook name, `$meta_key`, `$object_type`, 327 * `$sub_type`, refer to the meta key passed to map_meta_cap(), the object type 328 * (post, comment, term, user) and the sub-type (post type, comment type, 329 * taxonomy), respectively. 280 330 * 281 331 * @since 4.6.0 282 332 * 283 * @param bool $allowed Whether the user can add the post meta. Default false.284 * @param string $meta_key The meta key.285 * @param int $ post_id Post ID.286 * @param int $user_id User ID.287 * @param string $cap Capability name.288 * @param array $caps User capabilities.333 * @param bool $allowed Whether the user can add the post meta. Default false. 334 * @param string $meta_key The meta key. 335 * @param int $object_id Object ID. 336 * @param int $user_id User ID. 337 * @param string $cap Capability name. 338 * @param array $caps User capabilities. 289 339 */ 290 $allowed = apply_filters( "auth_ post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps );340 $allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps ); 291 341 292 342 if ( ! $allowed ) 293 343 $caps[] = $cap; 294 } elseif ( $meta_key && is_protected_meta( $meta_key, 'post') ) {344 } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) { 295 345 $caps[] = $cap; 296 346 } 297 347 break; -
src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php
122 122 */ 123 123 public function update_value( $request, $object_id ) { 124 124 $fields = $this->get_registered_fields(); 125 126 125 foreach ( $fields as $name => $args ) { 127 126 if ( ! array_key_exists( $name, $request ) ) { 128 127 continue; … … 159 158 * @return bool|WP_Error True if meta field is deleted, WP_Error otherwise. 160 159 */ 161 160 protected function delete_meta_value( $object_id, $name ) { 162 if ( ! current_user_can( 'delete_post_meta', $object_id, $name ) ) { 161 $meta_type = $this->get_meta_type(); 162 if ( ! current_user_can( "delete_{$meta_type}_meta", $object_id, $name ) ) { 163 163 return new WP_Error( 164 164 'rest_cannot_delete', 165 165 sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ), … … 167 167 ); 168 168 } 169 169 170 if ( ! delete_metadata( $ this->get_meta_type(), $object_id, wp_slash( $name ) ) ) {170 if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ) ) ) { 171 171 return new WP_Error( 172 172 'rest_meta_database_error', 173 173 __( 'Could not delete meta value from database.' ), … … 192 192 * @return bool|WP_Error True if meta fields are updated, WP_Error otherwise. 193 193 */ 194 194 protected function update_multi_meta_value( $object_id, $name, $values ) { 195 if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) { 195 $meta_type = $this->get_meta_type(); 196 if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) { 196 197 return new WP_Error( 197 198 'rest_cannot_update', 198 199 sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ), … … 200 201 ); 201 202 } 202 203 203 $current = get_metadata( $ this->get_meta_type(), $object_id, $name, false );204 $current = get_metadata( $meta_type, $object_id, $name, false ); 204 205 205 206 $to_remove = $current; 206 207 $to_add = $values; … … 227 228 $to_remove = array_unique( $to_remove ); 228 229 229 230 foreach ( $to_remove as $value ) { 230 if ( ! delete_metadata( $ this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {231 if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) { 231 232 return new WP_Error( 232 233 'rest_meta_database_error', 233 234 __( 'Could not update meta value in database.' ), … … 237 238 } 238 239 239 240 foreach ( $to_add as $value ) { 240 if ( ! add_metadata( $ this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {241 if ( ! add_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) { 241 242 return new WP_Error( 242 243 'rest_meta_database_error', 243 244 __( 'Could not update meta value in database.' ), … … 261 262 * @return bool|WP_Error True if the meta field was updated, WP_Error otherwise. 262 263 */ 263 264 protected function update_meta_value( $object_id, $name, $value ) { 264 if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) { 265 $meta_type = $this->get_meta_type(); 266 if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) { 265 267 return new WP_Error( 266 268 'rest_cannot_update', 267 269 sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ), … … 269 271 ); 270 272 } 271 273 272 $meta_type = $this->get_meta_type();273 274 $meta_key = wp_slash( $name ); 274 275 $meta_value = wp_slash( $value ); 275 276