

Timestamp:
10/31/2016 07:29:07 PM (8 years ago)
Author:
johnbillion
Message:

Posts, Post Types: Prevent users from being able to delete a protected meta field from a post.

Previously a user could remove a protected meta field by using their browser developer tools to alter the form field properties in the Custom Fields meta box, provided they knew the ID of the protected meta field. This change addresses that by preventing any change to a protected meta field, including changing its key.

Props ajoah, johnbillion, peterwilsoncc
Fixes #38293

File:
1 edited

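--- a/trunk/tests/phpunit/tests/admin/includesPost.php
+++ b/trunk/tests/phpunit/tests/admin/includesPost.php
@@ -246,4 +246,38 @@
 
     /**
+     * @ticket 38293
+     */
+    public function test_user_cant_delete_protected_meta() {
+        $protected_meta_key = '_test_meta_data_that_is_protected';
+
+        // Add some protected meta data.
+        $post_id = self::$post_id;
+        $meta_id = add_post_meta( $post_id, $protected_meta_key, 'protected' );
+
+        // User editing the post should not effect outcome.
+        $expected = get_post_meta( $post_id, $protected_meta_key );
+
+        // Attempt to edit the post.
+        wp_set_current_user( self::$admin_id );
+
+        $post_data = array(
+            'post_ID' => $post_id,
+            'meta'    => array(
+                $meta_id => array(
+                    'key'   => 'unprotected_meta_key',
+                    'value' => 'protected',
+                ),
+            ),
+        );
+        edit_post( $post_data );
+
+        $actual = get_post_meta( $post_id, $protected_meta_key );
+        $this->assertSame( $expected, $actual );
+
+        // Tidy up.
+        delete_metadata_by_mid( 'post', $meta_id );
+    }
+
+    /**
      * @ticket 30910
      */
@@ -599,3 +633,4 @@
         $this->assertSame( $p, post_exists( $title, $content, $date ) );
     }
+
 }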
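Review bot: The `assertSame( $expected, $actual )` check in test_user_cant_delete_protected_meta() passes vacuously if `add_post_meta()` fails, because `$expected` is read back from the same post after the insert and both sides would then be an empty array; pinning the fixture with `$this->assertSame( array( 'protected' ), $actual );` makes the test assert the value the fix must preserve. The test also never checks that the user-supplied key was not created, so a regression that copies the row under the new key instead of renaming it would go unnoticed; `$this->assertSame( array(), get_post_meta( $post_id, 'unprotected_meta_key' ) );` after the `edit_post()` call closes that gap. The comment above `$expected` reads "should not effect outcome" and should be `// User editing the post should not affect the outcome.`. The method name says delete while the request only renames the key; if edit_post() also honours an explicit per-meta deletion list, a second case exercising that path would make the name accurate — that handler is outside this hunk, so I cannot confirm it here.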