Make WordPress Core

Changeset 31313


Ignore:
Timestamp:
01/31/2015 07:37:12 PM (10 years ago)
Author:
boonebgorges
Message:

Prevent terms in a show_in_quick_edit=false taxonomy from being updated by a faked AJAX request.

The UI for these taxonomies was hidden in [31308], but it remained possible to
send a direct POST request to the inline-edit endpoint to bypass the
restriction. The current changeset fixes this.

Props meloniq.
Fixes #26948.

Location:
trunk
Files:
1 added
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/ajax-actions.php

    r31201 r31313  
    15511551        $data['ping_status'] = 'closed';
    15521552
     1553    // Exclude terms from taxonomies that are not supposed to appear in Quick Edit.
     1554    if ( ! empty( $data['tax_input'] ) ) {
     1555        foreach ( $data['tax_input'] as $taxonomy => $terms ) {
     1556            $tax_object = get_taxonomy( $taxonomy );
     1557            /** This filter is documented in wp-admin/includes/class-wp-posts-list-table.php */
     1558            if ( ! apply_filters( 'quick_edit_show_taxonomy', $tax_object->show_in_quick_edit, $taxonomy, $post['post_type'] ) ) {
     1559                unset( $data['tax_input'][ $taxonomy ] );
     1560            }
     1561        }
     1562    }
     1563
    15531564    // Hack: wp_unique_post_slug() doesn't work for drafts, so we will fake that our post is published.
    15541565    if ( ! empty( $data['post_name'] ) && in_array( $post['post_status'], array( 'draft', 'pending' ) ) ) {
Note: See TracChangeset for help on using the changeset viewer.