Make WordPress Core


Ignore:
Timestamp:
06/27/2023 05:24:44 PM (13 months ago)
Author:
kadamwhite
Message:

REST API: Check post meta update authorization only when value is changed.

Resolves a bug where a post save will be reported as failed if the post includes any meta keys the current user does not have authorization to update, even when those meta values are unchanged.
Write authorization is now checked for a meta key only when the value of that key has changed, so that passing a REST response back unchanged will not cause failures.
Authorization is only needed when data will be updated.

Props ckoerner, TimothyBlynJacobs, spacedmonkey

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php

    r54133 r56075  
    369369        $meta_type = $this->get_meta_type();
    370370
     371        // Do the exact same check for a duplicate value as in update_metadata() to avoid update_metadata() returning false.
     372        $old_value = get_metadata( $meta_type, $object_id, $meta_key );
     373        $subtype   = get_object_subtype( $meta_type, $object_id );
     374
     375        if ( is_array( $old_value ) && 1 === count( $old_value )
     376            && $this->is_meta_value_same_as_stored_value( $meta_key, $subtype, $old_value[0], $value )
     377        ) {
     378            return true;
     379        }
     380
    371381        if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $meta_key ) ) {
    372382            return new WP_Error(
     
    379389                )
    380390            );
    381         }
    382 
    383         // Do the exact same check for a duplicate value as in update_metadata() to avoid update_metadata() returning false.
    384         $old_value = get_metadata( $meta_type, $object_id, $meta_key );
    385         $subtype   = get_object_subtype( $meta_type, $object_id );
    386 
    387         if ( is_array( $old_value ) && 1 === count( $old_value )
    388             && $this->is_meta_value_same_as_stored_value( $meta_key, $subtype, $old_value[0], $value )
    389         ) {
    390             return true;
    391391        }
    392392
Note: See TracChangeset for help on using the changeset viewer.