Changeset 18445

Timestamp:

07/20/2011 10:04:35 PM (14 years ago)

Author:

ryan

Message:

Introduce register_meta(), get_metadata_by_mid(), and *_post_meta capabilities. fixes #17850

Location:

trunk

Files:

• wp-admin/admin-ajax.php (modified) (3 diffs)
• wp-admin/includes/meta-boxes.php (modified) (1 diff)
• wp-admin/includes/post.php (modified) (6 diffs)
• wp-admin/includes/template.php (modified) (2 diffs)
• wp-includes/capabilities.php (modified) (1 diff)
• wp-includes/class-wp-xmlrpc-server.php (modified) (2 diffs)
• wp-includes/meta.php (modified) (9 diffs)
• wp-includes/post-template.php (modified) (1 diff)

trunk/wp-admin/admin-ajax.php

@@ -394 +394 @@
 case 'delete-meta' :
     check_ajax_referer( "delete-meta_$id" );
-    if ( !$meta = get_post_meta_by_id( $id ) )
+    if ( !$meta = get_metadata_by_mid( 'post', $id ) )
         die('1');
 
-    if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
+    if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta',  $meta->post_id, $meta->meta_key ) )
         die('-1');
     if ( delete_meta( $meta->meta_id ) )
@@ -850 +850 @@
         }
 
-        $meta = get_post_meta_by_id( $mid );
+        $meta = get_metadata_by_mid( 'post', $mid );
         $pid = (int) $meta->post_id;
         $meta = get_object_vars( $meta );
@@ -870 +870 @@
         if ( !$meta = get_post_meta_by_id( $mid ) )
             die('0'); // if meta doesn't exist
-        if ( !current_user_can( 'edit_post', $meta->post_id ) )
-            die('-1');
-        if ( is_protected_meta( $meta->meta_key ) )
+        if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
             die('-1');
         if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {

trunk/wp-admin/includes/meta-boxes.php

@@ -426 +426 @@
 <?php
 $metadata = has_meta($post->ID);
-list_meta($metadata);
+foreach ( $metadata as $key => $value ) {
+    if ( is_protected_meta( $metadata[ $key ][ 'meta_key' ], 'post' ) || ! current_user_can( 'edit_post_meta', $post->ID, $metadata[ $key ][ 'meta_key' ] ) )
+        unset( $metadata[ $key ] );
+}
+list_meta( $metadata );
 meta_form(); ?>
 </div>

trunk/wp-admin/includes/post.php

@@ -211 +211 @@
             if ( $meta->post_id != $post_ID )
                 continue;
-            if ( is_protected_meta( $value['key'] ) )
+            if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
                 continue;
             update_meta( $key, $value['key'], $value['value'] );
@@ -223 +223 @@
             if ( $meta->post_id != $post_ID )
                 continue;
-            if ( is_protected_meta( $meta->meta_key ) )
+            if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $post_ID, $meta->meta_key ) )
                 continue;
             delete_meta( $key );
@@ -672 +672 @@
         $metavalue = trim( $metavalue );
 
-    if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
+    if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
         // We have a key/value pair. If both the select and the
         // input for the key have data, the input takes precedence:
@@ -682 +682 @@
             $metakey = $metakeyinput; // default
 
-        if ( is_protected_meta( $metakey ) )
+        if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
             return false;
 
-        wp_cache_delete($post_ID, 'post_meta');
-        $wpdb->insert( $wpdb->postmeta, array( 'post_id' => $post_ID, 'meta_key' => $metakey, 'meta_value' => $metavalue ) );
-        $meta_id = $wpdb->insert_id;
-        do_action( 'added_postmeta', $meta_id, $post_ID, $metakey, $metavalue );
-
-        return $meta_id;
-    }
+        return add_post_meta($post_ID, $metakey, $metavalue);
+    }
+
     return false;
 } // add_meta
@@ -772 +768 @@
             FROM $wpdb->postmeta WHERE post_id = %d
             ORDER BY meta_key,meta_id", $postid), ARRAY_A );
-
 }
 
@@ -789 +784 @@
 
     $meta_key = stripslashes($meta_key);
-
-    if ( is_protected_meta( $meta_key ) )
-        return false;
 
     if ( '' === trim( $meta_value ) )

trunk/wp-admin/includes/template.php

@@ -467 +467 @@
     static $update_nonce = false;
 
-    if ( is_protected_meta( $entry['meta_key'] ) )
+    if ( is_protected_meta( $entry['meta_key'], 'post' ) )
         return;
 
@@ -479 +479 @@
     else
         $style = '';
-    if ('_' == $entry['meta_key'] { 0 } )
-        $style .= ' hidden';
 
     if ( is_serialized( $entry['meta_value'] ) ) {

trunk/wp-includes/capabilities.php

@@ -952 +952 @@
             $caps[] = $post_type->cap->read_private_posts;
         break;
+    case 'edit_post_meta':
+    case 'delete_post_meta':
+    case 'add_post_meta':
+        $post = get_post( $args[0] );
+        $post_type_object = get_post_type_object( $post->post_type );
+        $caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID ); 
+
+        $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 
+            
+        if ( $meta_key && has_filter( "auth_post_meta_{$meta_key}" ) ) {
+            $allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );
+            if ( ! $allowed )
+                $caps[] = $cap;
+        } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) {
+            $caps[] = $cap;
+        }
+        break;
     case 'edit_comment':
         $comment = get_comment( $args[0] );

trunk/wp-includes/class-wp-xmlrpc-server.php

@@ -235 +235 @@
         foreach ( (array) has_meta($post_id) as $meta ) {
             // Don't expose protected fields.
-            if ( strpos($meta['meta_key'], '_wp_') === 0 ) {
+            if ( ! current_user_can( 'edit_post_meta', $post_id , $meta['meta_key'] ) )
                 continue;
-            }
 
             $custom_fields[] = array(
@@ -263 +262 @@
             if ( isset($meta['id']) ) {
                 $meta['id'] = (int) $meta['id'];
-
+                $pmeta = get_metadata_by_mid( 'post', $meta['id'] );
                 if ( isset($meta['key']) ) {
-                    update_meta($meta['id'], $meta['key'], $meta['value']);
+                    if ( $meta['key'] != $pmeta->meta_key )
+                        continue;
+                    if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
+                        update_meta( $meta['id'], $meta['key'], $meta['value'] );
+                } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
+                        delete_meta( $meta['id'] );
                 }
-                else {
-                    delete_meta($meta['id']);
-                }
-            }
-            else {
-                $_POST['metakeyinput'] = $meta['key'];
-                $_POST['metavalue'] = $meta['value'];
-                add_meta($post_id);
+            } elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) {
+                    add_post_meta( $post_id, $meta['key'], $meta['value'] );
             }
         }

trunk/wp-includes/meta.php

@@ -27 +27 @@
  *      unique for the object.  If true, and the object already has a value for the specified
  *      metadata key, no change will be made
- * @return bool True on successful update, false on failure.
+ * @return bool The meta ID on successful update, false on failure.
  */
 function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique = false) {
@@ -50 +50 @@
     $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
     if ( null !== $check )
-        return (bool) $check;
+        return $check;
 
     if ( $unique && $wpdb->get_var( $wpdb->prepare(
@@ -62 +62 @@
     do_action( "add_{$meta_type}_meta", $object_id, $meta_key, $_meta_value );
 
-    $wpdb->insert( $table, array(
+    $result = $wpdb->insert( $table, array(
         $column => $object_id,
         'meta_key' => $meta_key,
@@ -68 +68 @@
     ) );
 
+    if ( ! $result )
+        return false;
+
+    $mid = (int) $wpdb->insert_id;
+
     wp_cache_delete($object_id, $meta_type . '_meta');
     // users cache stores usermeta that must be cleared.
@@ -73 +78 @@
         clean_user_cache($object_id);
 
-    do_action( "added_{$meta_type}_meta", $wpdb->insert_id, $object_id, $meta_key, $_meta_value );
-
-    return true;
+    do_action( "added_{$meta_type}_meta", $mid, $object_id, $meta_key, $_meta_value );
+
+    return $mid;
 }
 
@@ -147 +152 @@
 
     $wpdb->update( $table, $data, $where );
+
     wp_cache_delete($object_id, $meta_type . '_meta');
     // users cache stores usermeta that must be cleared.
@@ -280 +286 @@
     else
         return array();
+}
+
+/**
+ * Get meta data by meta ID
+ *
+ * @since 3.3.0
+ *
+ * @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
+ * @param int $meta_id ID for a specific meta row
+ * @return object Meta object or false.
+ */
+function get_metadata_by_mid( $meta_type, $meta_id ) {
+    global $wpdb;
+
+    if ( ! $meta_type )
+        return false;
+
+    if ( !$meta_id = absint( $meta_id ) )
+        return false;
+
+    if ( ! $table = _get_meta_table($meta_type) )
+        return false;
+
+    $id_column = ( 'user' == $meta_type ) ? 'umeta_id' : 'meta_id';
+
+    $meta = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $table WHERE $id_column = %d", $meta_id ) );
+
+    if ( empty( $meta ) )
+        return false;
+
+    if ( isset( $meta->meta_value ) )
+        $meta->meta_value = maybe_unserialize( $meta->meta_value );
+
+    return $meta;
 }
 
@@ -589 +629 @@
  */
 function is_protected_meta( $meta_key, $meta_type = null ) {
-    $protected = (  '_' == $meta_key[0] );
+    $protected = ( '_' == $meta_key[0] );
 
     return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
@@ -604 +644 @@
  * @return mixed Sanitized $meta_value
  */
-function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
-    return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
+function sanitize_meta( $meta_key, $meta_value, $meta_type ) {
+    return apply_filters( "sanitize_{$meta_type}_meta_{$meta_key}", $meta_value, $meta_key, $meta_type );
+}
+
+/**
+ * Register meta key
+ * 
+ * @since 3.3.0
+ *
+ * @param string $meta_type Type of meta
+ * @param string $meta_key Meta key
+ * @param string|array $sanitize_callback A function or method to call when sanitizing the value of $meta_key.
+ * @param string|array $auth_callback Optional. A function or method to call when performing edit_post_meta, add_post_meta, and delete_post_meta capability checks.
+ * @param array $args Arguments
+ */
+function register_meta( $meta_type, $meta_key, $sanitize_callback, $auth_callback = null ) {
+    if ( is_callable( $sanitize_callback ) )
+        add_filter( "sanitize_{$meta_type}_meta_{$meta_key}", $sanitize_callback, 10, 3 );
+
+    if ( empty( $auth_callback ) ) {
+        if ( is_protected_meta( $meta_key, $meta_type ) )
+            $auth_callback = '__return_false';
+        else
+            $auth_callback = '__return_true';
+    }
+
+    if ( is_callable( $auth_callback ) )
+        add_filter( "auth_{$meta_type}_meta_{$meta_key}", $auth_callback, 10, 6 );
 }
 

trunk/wp-includes/post-template.php

@@ -738 +738 @@
         foreach ( (array) $keys as $key ) {
             $keyt = trim($key);
-            if ( '_' == $keyt[0] )
+            if ( is_protected_meta( $keyt, 'post' ) )
                 continue;
             $values = array_map('trim', get_post_custom_values($key));