Ticket #38412: 38412.5.diff
File 38412.5.diff, 5.2 KB (added by , 8 years ago) |
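--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -297,8 +297,6 @@
 break;
 }
 
-$caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );
-
 $meta_key = isset( $args[1] ) ? $args[1] : false;
 
 $has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" );
@@ -314,6 +312,8 @@
 }
 } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) {
 $caps[] = $cap;
+} else {
+$caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );
 }
 break;
 case 'edit_comment':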
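Review bot: Moving `$caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );` into the final `else` means the auth-filter branch no longer starts from the object's edit capabilities, so a callback that returns true becomes the only authorization check (the branch body sits in the elided lines, so this is inferred). The test added in tests/phpunit/tests/meta/registerMeta.php pins that outcome: a subscriber passes `current_user_can( 'edit_post_meta', ... )` once `auth_callback` is `__return_true`. Code that registered a permissive callback on the assumption that the `edit_post` check still applied would now expose that key to users who cannot edit the object. If the override is intended, state it above the branch, e.g. `// An auth callback fully replaces the edit_{$object_type} check; callbacks must verify object-level access themselves.`; otherwise keep the baseline assignment before the `if` and let callbacks only add restrictions. The enclosing `case` begins before this hunk.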
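--- a/src/wp-includes/meta.php
+++ b/src/wp-includes/meta.php
@@ -1034,15 +1034,6 @@
 $args = apply_filters( 'register_meta_args', $args, $defaults, $object_type, $meta_key );
 $args = wp_parse_args( $args, $defaults );
 
-// If `auth_callback` is not provided, fall back to `is_protected_meta()`.
-if ( empty( $args['auth_callback'] ) ) {
-if ( is_protected_meta( $meta_key, $object_type ) ) {
-$args['auth_callback'] = '__return_false';
-} else {
-$args['auth_callback'] = '__return_true';
-}
-}
-
 // Back-compat: old sanitize and auth callbacks are applied to all of an object type.
 if ( is_callable( $args['sanitize_callback'] ) ) {
 add_filter( "sanitize_{$object_type}_meta_{$meta_key}", $args['sanitize_callback'], 10, 3 );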
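--- a/tests/phpunit/tests/meta/registerMeta.php
+++ b/tests/phpunit/tests/meta/registerMeta.php
@@ -4,9 +4,14 @@
 */
 class Tests_Meta_Register_Meta extends WP_UnitTestCase {
 protected static $post_id;
+protected static $users;
 
 public static function wpSetUpBeforeClass( $factory ) {
 self::$post_id = $factory->post->create();
+self::$users = array(
+'administrator' => $factory->user->create_and_get( array( 'role' => 'administrator' ) ),
+'subscriber' => $factory->user->create_and_get( array( 'role' => 'subscriber' ) ),
+);
 }
 
 public function _old_sanitize_meta_cb( $meta_value, $meta_key, $meta_type ) {
@@ -74,7 +79,7 @@
 'description' => '',
 'single' => false,
 'sanitize_callback' => null,
-'auth_callback' => '__return_true',
+'auth_callback' => null,
 'show_in_rest' => false,
 ),
 ),
@@ -96,7 +101,7 @@
 'description' => '',
 'single' => false,
 'sanitize_callback' => null,
-'auth_callback' => '__return_true',
+'auth_callback' => null,
 'show_in_rest' => false,
 ),
 ),
@@ -148,7 +153,7 @@
 'description' => '',
 'single' => false,
 'sanitize_callback' => array( $this, '_new_sanitize_meta_cb' ),
-'auth_callback' => '__return_true',
+'auth_callback' => null,
 'show_in_rest' => false,
 ),
 ),
@@ -172,6 +177,45 @@
 $this->assertEquals( 'new_sanitized_key new sanitized', $meta );
 }
 
+public function test_register_meta_with_new_auth_callback_parameter() {
+
+wp_set_current_user( self::$users['subscriber']->ID );
+
+register_meta( 'post', 'no_auth_cb_1', array() );
+$subscriber_can_update = false;
+if( current_user_can( 'edit_post_meta', self::$post_id, 'no_auth_cb_1' ) ){
+$subscriber_can_update = update_post_meta( self::$post_id, 'no_auth_cb_1', 'bar1' );
+}
+unregister_meta_key( 'post', 'no_auth_cb_1' );
+$this->assertFalse( $subscriber_can_update );
+
+register_meta( 'post', 'auth_cb_true', array( 'auth_callback' => '__return_true' ) );
+$subscriber_can_update = false;
+if( current_user_can( 'edit_post_meta', self::$post_id, 'auth_cb_true' ) ){
+$subscriber_can_update = update_post_meta( self::$post_id, 'auth_cb_true', 'bar1' );
+}
+unregister_meta_key( 'post', 'auth_cb_true' );
+$this->assertNotEmpty( $subscriber_can_update );
+
+wp_set_current_user( self::$users['administrator']->ID );
+
+register_meta( 'post', 'no_auth_cb_2', array() );
+$admin_can_update = false;
+if( current_user_can( 'edit_post_meta', self::$post_id, 'no_auth_cb_2' ) ){
+$admin_can_update = update_post_meta( self::$post_id, 'no_auth_cb_2', 'bar2' );
+}
+unregister_meta_key( 'post', 'no_auth_cb_2' );
+$this->assertNotEmpty( $admin_can_update );
+
+register_meta( 'post', 'auth_cb_false', array( 'auth_callback' => '__return_false' ) );
+$admin_can_update = false;
+if( current_user_can( 'edit_post_meta', self::$post_id, 'auth_cb_false' ) ){
+$admin_can_update = update_post_meta( self::$post_id, 'auth_cb_false', 'bar2' );
+}
+unregister_meta_key( 'post', 'auth_cb_false' );
+$this->assertFalse( $admin_can_update );
+}
+
 public function test_register_meta_unregistered_meta_key_removes_sanitize_filter() {
 register_meta( 'post', 'new_sanitized_key', array( 'sanitize_callback' => array( $this, '_new_sanitize_meta_cb' ) ) );
 unregister_meta_key( 'post', 'new_sanitized_key' );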
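Review bot: `test_register_meta_with_new_auth_callback_parameter()` has no case for a protected meta key registered without an `auth_callback`, which is the path the `__return_false` fallback deleted from src/wp-includes/meta.php used to cover. With that fallback gone, denial for such keys rests only on the `is_protected_meta()` branch in capabilities.php, so it should be pinned for the administrator, e.g. `register_meta( 'post', '_protected_no_cb', array() );` followed by `$this->assertFalse( current_user_can( 'edit_post_meta', self::$post_id, '_protected_no_cb' ) );` (key name constructed for illustration). Separately, each scenario asserts on the return value of `update_post_meta()` inside an `if`, so `assertFalse` cannot distinguish a denied capability from a failed write. Asserting on `current_user_can()` directly would pin the authorization decision itself.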