Ticket #44238: 44238.2.diff
File 44238.2.diff, 9.2 KB (added by , 6 years ago) |
---|
-
src/wp-admin/includes/ajax-actions.php
707 707 wp_die( 1 ); 708 708 } 709 709 710 if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $meta->post_id, $meta->meta_key ) ) { 710 $object_subtype = get_object_subtype( 'post', $meta->post_id ); 711 if ( is_protected_meta( $meta->meta_key, 'post', $object_subtype ) || ! current_user_can( 'delete_post_meta', $meta->post_id, $meta->meta_key ) ) { 711 712 wp_die( -1 ); 712 713 } 713 714 if ( delete_meta( $meta->meta_id ) ) { … … 1439 1440 if ( ! $meta = get_metadata_by_mid( 'post', $mid ) ) { 1440 1441 wp_die( 0 ); // if meta doesn't exist 1441 1442 } 1442 if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) || 1443 1444 $object_subtype = get_object_subtype( 'post', $meta->post_id ); 1445 if ( is_protected_meta( $meta->meta_key, 'post', $object_subtype ) || is_protected_meta( $key, 'post', $object_subtype ) || 1443 1446 ! current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) || 1444 1447 ! current_user_can( 'edit_post_meta', $meta->post_id, $key ) ) { 1445 1448 wp_die( -1 ); -
src/wp-admin/includes/meta-boxes.php
724 724 <div id="ajax-response"></div> 725 725 <?php 726 726 $metadata = has_meta( $post->ID ); 727 $object_subtype = get_object_subtype( 'post', $post->ID ); 727 728 foreach ( $metadata as $key => $value ) { 728 if ( is_protected_meta( $metadata[ $key ]['meta_key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post->ID, $metadata[ $key ]['meta_key'] ) ) {729 if ( is_protected_meta( $metadata[ $key ]['meta_key'], 'post', $object_subtype ) || ! current_user_can( 'edit_post_meta', $post->ID, $metadata[ $key ]['meta_key'] ) ) { 729 730 unset( $metadata[ $key ] ); 730 731 } 731 732 } -
src/wp-admin/includes/post.php
313 313 wp_update_attachment_metadata( $post_ID, $id3data ); 314 314 } 315 315 316 $object_subtype = get_object_subtype( 'post', $post_ID ); 316 317 // Meta Stuff 317 318 if ( isset( $post_data['meta'] ) && $post_data['meta'] ) { 318 319 foreach ( $post_data['meta'] as $key => $value ) { … … 322 323 if ( $meta->post_id != $post_ID ) { 323 324 continue; 324 325 } 325 if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) ) {326 if ( is_protected_meta( $meta->meta_key, 'post', $object_subtype ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) ) { 326 327 continue; 327 328 } 328 if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) ) {329 if ( is_protected_meta( $value['key'], 'post', $object_subtype ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) ) { 329 330 continue; 330 331 } 331 332 update_meta( $key, $value['key'], $value['value'] ); … … 340 341 if ( $meta->post_id != $post_ID ) { 341 342 continue; 342 343 } 343 if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $post_ID, $meta->meta_key ) ) {344 if ( is_protected_meta( $meta->meta_key, 'post', $object_subtype ) || ! current_user_can( 'delete_post_meta', $post_ID, $meta->meta_key ) ) { 344 345 continue; 345 346 } 346 347 delete_meta( $key ); … … 878 879 if ( $metakeyinput ) { 879 880 $metakey = $metakeyinput; // default 880 881 } 881 882 if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) ) {882 $object_subtype = get_object_subtype( 'post', $post_ID ); 883 if ( is_protected_meta( $metakey, 'post', $object_subtype ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) ) { 883 884 return false; 884 885 } 885 886 -
src/wp-admin/includes/template.php
582 582 function _list_meta_row( $entry, &$count ) { 583 583 static $update_nonce = ''; 584 584 585 if ( is_protected_meta( $entry['meta_key'], 'post' ) ) { 585 $object_subtype = get_object_subtype( 'post', $entry['post_id'] ); 586 if ( is_protected_meta( $entry['meta_key'], 'post', $object_subtype ) ) { 586 587 return ''; 587 588 } 588 589 -
src/wp-includes/capabilities.php
375 375 if ( ! $allowed ) { 376 376 $caps[] = $cap; 377 377 } 378 } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) {378 } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type, $object_subtype ) ) { 379 379 $caps[] = $cap; 380 380 } 381 381 break; -
src/wp-includes/meta.php
944 944 * Determines whether a meta key is considered protected. 945 945 * 946 946 * @since 3.1.3 947 * @since x.x.x Add $object_sub_type 947 948 * 948 949 * @param string $meta_key Meta key. 949 950 * @param string|null $meta_type Optional. Type of object metadata is for (e.g., comment, post, or user). 951 * @param string $object_subtype Optional. Object sub type is for (e.g., post or page). 950 952 * @return bool Whether the meta key is considered protected. 951 953 */ 952 function is_protected_meta( $meta_key, $meta_type = null ) {954 function is_protected_meta( $meta_key, $meta_type = null, $object_subtype = '' ) { 953 955 $protected = ( '_' == $meta_key[0] ); 954 956 957 if ( ! empty( $meta_type ) ) { 958 /** 959 * Filters whether a meta key is considered protected. 960 * 961 * @since x.x.x 962 * 963 * @param bool $protected Whether the key is considered protected. 964 * @param string $meta_key Meta key. 965 * @param string|null $meta_type Type of object metadata is for (e.g., comment, post, or user). 966 * @param string $object_subtype Optional. Object sub type is for (e.g., post or page). 967 */ 968 $protected = apply_filters( "protected_{$meta_type}_meta_{$meta_key}", $protected, $meta_key, $meta_type, $object_subtype ); 969 if ( ! empty( $object_subtype ) ) { 970 /** 971 * Filters whether a meta key is considered protected. 972 * 973 * @since x.x.x 974 * 975 * @param bool $protected Whether the key is considered protected. 976 * @param string $meta_key Meta key. 977 * @param string|null $meta_type Type of object metadata is for (e.g., comment, post, or user). 978 * @param string $object_subtype Optional. Object sub type is for (e.g., post or page). 979 */ 980 $protected = apply_filters( "protected_{$meta_type}_meta_{$meta_key}_for_{$object_subtype}", $protected, $meta_key, $meta_type, $object_subtype ); 981 } 982 } 983 955 984 /** 956 985 * Filters whether a meta key is considered protected. 957 986 * … … 961 990 * @param string $meta_key Meta key. 962 991 * @param string|null $meta_type Type of object metadata is for (e.g., comment, post, or user). 963 992 */ 964 return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );993 return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type, $object_subtype ); 965 994 } 966 995 967 996 /** … … 1026 1055 $wp_meta_keys = array(); 1027 1056 } 1028 1057 1058 $protected = ( '_' == $meta_key[0] ); 1029 1059 $defaults = array( 1030 1060 'type' => 'string', 1031 1061 'description' => '', 1032 1062 'single' => false, 1063 'protected' => $protected, 1033 1064 'sanitize_callback' => null, 1034 1065 'auth_callback' => null, 1035 1066 'show_in_rest' => false, … … 1067 1098 $args = apply_filters( 'register_meta_args', $args, $defaults, $object_type, $meta_key ); 1068 1099 $args = wp_parse_args( $args, $defaults ); 1069 1100 1101 if ( empty( $args['protected'] ) ) { 1102 $protected_callback = '__return_false'; 1103 } else { 1104 $protected_callback = '__return_true'; 1105 } 1106 1107 if ( ! empty( $object_subtype ) ) { 1108 add_filter( "protected_{$meta_type}_meta_{$meta_key}_for_{$object_subtype}", $protected_callback, 10, 1 ); 1109 } else { 1110 add_filter( "protected_{$meta_type}_meta_{$meta_key}", $protected_callback, 10, 1 ); 1111 } 1112 1070 1113 // If `auth_callback` is not provided, fall back to `is_protected_meta()`. 1071 1114 if ( empty( $args['auth_callback'] ) ) { 1072 if ( is_protected_meta( $meta_key, $object_type ) ) {1115 if ( is_protected_meta( $meta_key, $object_type, $object_subtype ) ) { 1073 1116 $args['auth_callback'] = '__return_false'; 1074 1117 } else { 1075 1118 $args['auth_callback'] = '__return_true'; -
src/wp-includes/post-template.php
1065 1065 function the_meta() { 1066 1066 if ( $keys = get_post_custom_keys() ) { 1067 1067 $li_html = ''; 1068 $post_id = get_the_ID(); 1069 $object_subtype = get_object_subtype( 'post', $post_id ); 1068 1070 foreach ( (array) $keys as $key ) { 1069 1071 $keyt = trim( $key ); 1070 if ( is_protected_meta( $keyt, 'post' ) ) {1072 if ( is_protected_meta( $keyt, 'post', $object_subtype ) ) { 1071 1073 continue; 1072 1074 } 1073 1075