WordPress.org

Make WordPress Core

Changeset 18445


Ignore:
Timestamp:
07/20/2011 10:04:35 PM (7 years ago)
Author:
ryan
Message:

Introduce register_meta(), get_metadata_by_mid(), and *_post_meta capabilities. fixes #17850

Location:
trunk
Files:
8 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/admin-ajax.php

    r18435 r18445  
    394394case 'delete-meta' :
    395395    check_ajax_referer( "delete-meta_$id" );
    396     if ( !$meta = get_post_meta_by_id( $id ) )
     396    if ( !$meta = get_metadata_by_mid( 'post', $id ) )
    397397        die('1');
    398398
    399     if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
     399    if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta',  $meta->post_id, $meta->meta_key ) )
    400400        die('-1');
    401401    if ( delete_meta( $meta->meta_id ) )
     
    850850        }
    851851
    852         $meta = get_post_meta_by_id( $mid );
     852        $meta = get_metadata_by_mid( 'post', $mid );
    853853        $pid = (int) $meta->post_id;
    854854        $meta = get_object_vars( $meta );
     
    870870        if ( !$meta = get_post_meta_by_id( $mid ) )
    871871            die('0'); // if meta doesn't exist
    872         if ( !current_user_can( 'edit_post', $meta->post_id ) )
    873             die('-1');
    874         if ( is_protected_meta( $meta->meta_key ) )
     872        if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
    875873            die('-1');
    876874        if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
  • trunk/wp-admin/includes/meta-boxes.php

    r18106 r18445  
    426426<?php
    427427$metadata = has_meta($post->ID);
    428 list_meta($metadata);
     428foreach ( $metadata as $key => $value ) {
     429    if ( is_protected_meta( $metadata[ $key ][ 'meta_key' ], 'post' ) || ! current_user_can( 'edit_post_meta', $post->ID, $metadata[ $key ][ 'meta_key' ] ) )
     430        unset( $metadata[ $key ] );
     431}
     432list_meta( $metadata );
    429433meta_form(); ?>
    430434</div>
  • trunk/wp-admin/includes/post.php

    r18386 r18445  
    211211            if ( $meta->post_id != $post_ID )
    212212                continue;
    213             if ( is_protected_meta( $value['key'] ) )
     213            if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
    214214                continue;
    215215            update_meta( $key, $value['key'], $value['value'] );
     
    223223            if ( $meta->post_id != $post_ID )
    224224                continue;
    225             if ( is_protected_meta( $meta->meta_key ) )
     225            if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $post_ID, $meta->meta_key ) )
    226226                continue;
    227227            delete_meta( $key );
     
    672672        $metavalue = trim( $metavalue );
    673673
    674     if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
     674    if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
    675675        // We have a key/value pair. If both the select and the
    676676        // input for the key have data, the input takes precedence:
     
    682682            $metakey = $metakeyinput; // default
    683683
    684         if ( is_protected_meta( $metakey ) )
     684        if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
    685685            return false;
    686686
    687         wp_cache_delete($post_ID, 'post_meta');
    688         $wpdb->insert( $wpdb->postmeta, array( 'post_id' => $post_ID, 'meta_key' => $metakey, 'meta_value' => $metavalue ) );
    689         $meta_id = $wpdb->insert_id;
    690         do_action( 'added_postmeta', $meta_id, $post_ID, $metakey, $metavalue );
    691 
    692         return $meta_id;
    693     }
     687        return add_post_meta($post_ID, $metakey, $metavalue);
     688    }
     689
    694690    return false;
    695691} // add_meta
     
    772768            FROM $wpdb->postmeta WHERE post_id = %d
    773769            ORDER BY meta_key,meta_id", $postid), ARRAY_A );
    774 
    775770}
    776771
     
    789784
    790785    $meta_key = stripslashes($meta_key);
    791 
    792     if ( is_protected_meta( $meta_key ) )
    793         return false;
    794786
    795787    if ( '' === trim( $meta_value ) )
  • trunk/wp-admin/includes/template.php

    r18432 r18445  
    467467    static $update_nonce = false;
    468468
    469     if ( is_protected_meta( $entry['meta_key'] ) )
     469    if ( is_protected_meta( $entry['meta_key'], 'post' ) )
    470470        return;
    471471
     
    479479    else
    480480        $style = '';
    481     if ('_' == $entry['meta_key'] { 0 } )
    482         $style .= ' hidden';
    483481
    484482    if ( is_serialized( $entry['meta_value'] ) ) {
  • trunk/wp-includes/capabilities.php

    r18200 r18445  
    952952            $caps[] = $post_type->cap->read_private_posts;
    953953        break;
     954    case 'edit_post_meta':
     955    case 'delete_post_meta':
     956    case 'add_post_meta':
     957        $post = get_post( $args[0] );
     958        $post_type_object = get_post_type_object( $post->post_type );
     959        $caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );
     960
     961        $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false;
     962           
     963        if ( $meta_key && has_filter( "auth_post_meta_{$meta_key}" ) ) {
     964            $allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );
     965            if ( ! $allowed )
     966                $caps[] = $cap;
     967        } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) {
     968            $caps[] = $cap;
     969        }
     970        break;
    954971    case 'edit_comment':
    955972        $comment = get_comment( $args[0] );
  • trunk/wp-includes/class-wp-xmlrpc-server.php

    r18254 r18445  
    235235        foreach ( (array) has_meta($post_id) as $meta ) {
    236236            // Don't expose protected fields.
    237             if ( strpos($meta['meta_key'], '_wp_') === 0 ) {
     237            if ( ! current_user_can( 'edit_post_meta', $post_id , $meta['meta_key'] ) )
    238238                continue;
    239             }
    240239
    241240            $custom_fields[] = array(
     
    263262            if ( isset($meta['id']) ) {
    264263                $meta['id'] = (int) $meta['id'];
    265 
     264                $pmeta = get_metadata_by_mid( 'post', $meta['id'] );
    266265                if ( isset($meta['key']) ) {
    267                     update_meta($meta['id'], $meta['key'], $meta['value']);
     266                    if ( $meta['key'] != $pmeta->meta_key )
     267                        continue;
     268                    if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
     269                        update_meta( $meta['id'], $meta['key'], $meta['value'] );
     270                } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
     271                        delete_meta( $meta['id'] );
    268272                }
    269                 else {
    270                     delete_meta($meta['id']);
    271                 }
    272             }
    273             else {
    274                 $_POST['metakeyinput'] = $meta['key'];
    275                 $_POST['metavalue'] = $meta['value'];
    276                 add_meta($post_id);
     273            } elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) {
     274                    add_post_meta( $post_id, $meta['key'], $meta['value'] );
    277275            }
    278276        }
  • trunk/wp-includes/meta.php

    r18268 r18445  
    2727 *      unique for the object.  If true, and the object already has a value for the specified
    2828 *      metadata key, no change will be made
    29  * @return bool True on successful update, false on failure.
     29 * @return bool The meta ID on successful update, false on failure.
    3030 */
    3131function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique = false) {
     
    5050    $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
    5151    if ( null !== $check )
    52         return (bool) $check;
     52        return $check;
    5353
    5454    if ( $unique && $wpdb->get_var( $wpdb->prepare(
     
    6262    do_action( "add_{$meta_type}_meta", $object_id, $meta_key, $_meta_value );
    6363
    64     $wpdb->insert( $table, array(
     64    $result = $wpdb->insert( $table, array(
    6565        $column => $object_id,
    6666        'meta_key' => $meta_key,
     
    6868    ) );
    6969
     70    if ( ! $result )
     71        return false;
     72
     73    $mid = (int) $wpdb->insert_id;
     74
    7075    wp_cache_delete($object_id, $meta_type . '_meta');
    7176    // users cache stores usermeta that must be cleared.
     
    7378        clean_user_cache($object_id);
    7479
    75     do_action( "added_{$meta_type}_meta", $wpdb->insert_id, $object_id, $meta_key, $_meta_value );
    76 
    77     return true;
     80    do_action( "added_{$meta_type}_meta", $mid, $object_id, $meta_key, $_meta_value );
     81
     82    return $mid;
    7883}
    7984
     
    147152
    148153    $wpdb->update( $table, $data, $where );
     154
    149155    wp_cache_delete($object_id, $meta_type . '_meta');
    150156    // users cache stores usermeta that must be cleared.
     
    280286    else
    281287        return array();
     288}
     289
     290/**
     291 * Get meta data by meta ID
     292 *
     293 * @since 3.3.0
     294 *
     295 * @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
     296 * @param int $meta_id ID for a specific meta row
     297 * @return object Meta object or false.
     298 */
     299function get_metadata_by_mid( $meta_type, $meta_id ) {
     300    global $wpdb;
     301
     302    if ( ! $meta_type )
     303        return false;
     304
     305    if ( !$meta_id = absint( $meta_id ) )
     306        return false;
     307
     308    if ( ! $table = _get_meta_table($meta_type) )
     309        return false;
     310
     311    $id_column = ( 'user' == $meta_type ) ? 'umeta_id' : 'meta_id';
     312
     313    $meta = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $table WHERE $id_column = %d", $meta_id ) );
     314
     315    if ( empty( $meta ) )
     316        return false;
     317
     318    if ( isset( $meta->meta_value ) )
     319        $meta->meta_value = maybe_unserialize( $meta->meta_value );
     320
     321    return $meta;
    282322}
    283323
     
    589629 */
    590630function is_protected_meta( $meta_key, $meta_type = null ) {
    591     $protected = (  '_' == $meta_key[0] );
     631    $protected = ( '_' == $meta_key[0] );
    592632
    593633    return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
     
    604644 * @return mixed Sanitized $meta_value
    605645 */
    606 function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
    607     return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
     646function sanitize_meta( $meta_key, $meta_value, $meta_type ) {
     647    return apply_filters( "sanitize_{$meta_type}_meta_{$meta_key}", $meta_value, $meta_key, $meta_type );
     648}
     649
     650/**
     651 * Register meta key
     652 *
     653 * @since 3.3.0
     654 *
     655 * @param string $meta_type Type of meta
     656 * @param string $meta_key Meta key
     657 * @param string|array $sanitize_callback A function or method to call when sanitizing the value of $meta_key.
     658 * @param string|array $auth_callback Optional. A function or method to call when performing edit_post_meta, add_post_meta, and delete_post_meta capability checks.
     659 * @param array $args Arguments
     660 */
     661function register_meta( $meta_type, $meta_key, $sanitize_callback, $auth_callback = null ) {
     662    if ( is_callable( $sanitize_callback ) )
     663        add_filter( "sanitize_{$meta_type}_meta_{$meta_key}", $sanitize_callback, 10, 3 );
     664
     665    if ( empty( $auth_callback ) ) {
     666        if ( is_protected_meta( $meta_key, $meta_type ) )
     667            $auth_callback = '__return_false';
     668        else
     669            $auth_callback = '__return_true';
     670    }
     671
     672    if ( is_callable( $auth_callback ) )
     673        add_filter( "auth_{$meta_type}_meta_{$meta_key}", $auth_callback, 10, 6 );
    608674}
    609675
  • trunk/wp-includes/post-template.php

    r18414 r18445  
    738738        foreach ( (array) $keys as $key ) {
    739739            $keyt = trim($key);
    740             if ( '_' == $keyt[0] )
     740            if ( is_protected_meta( $keyt, 'post' ) )
    741741                continue;
    742742            $values = array_map('trim', get_post_custom_values($key));
Note: See TracChangeset for help on using the changeset viewer.