Make WordPress Core


Timestamp:
10/31/2016 07:29:07 PM (8 years ago)
Author:
johnbillion
Message:

Posts, Post Types: Prevent users from being able to delete a protected meta field from a post.

Previously a user could remove a protected meta field by using their browser developer tools to alter the form field properties in the Custom Fields meta box, given that they know the ID of the protected meta field. This change prevents this by preventing any change to a protected meta field, including changing its key.

Props ajoah, johnbillion, peterwilsoncc
Fixes #38293

File:
1 edited

  • trunk/src/wp-admin/includes/post.php

    r38733 r39062  
    288288                continue;
    289289            if ( $meta->post_id != $post_ID )
     290                continue;
     291            if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) )
    290292                continue;
    291293            if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
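Review bot: the added check on $meta->meta_key at new line 291 drops the entry with a bare continue, so a tampered submission is ignored silently, and the changeset edits only post.php, so nothing guards this behaviour against regression. Suggest adding a test that submits a meta row whose stored key is protected and asserts the row is left unchanged. The new condition is also identical to the one on $value['key'] that follows it apart from the key being tested, so a small helper taking the key would keep the stored-key and submitted-key checks from drifting apart.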