Make WordPress Core

Opened 13 years ago

Closed 11 years ago

#18786 closed enhancement (fixed)

meta_form() should place some restrictions on meta keys

Reported by: nacin's profile nacin Owned by: nacin's profile nacin
Milestone: 3.7 Priority: normal
Severity: normal Version:
Component: Administration Keywords: 2nd-opinion 3.7-early
Focuses: Cc:

Description

meta_form() echoes out all meta keys into a dropdown for the custom fields box, unless they start with an underscore (as bound by the query).

We should consider is_protected_meta( $key, 'post' ) and/or current_user_can( 'add_post_meta', $post->ID, $key ). This isn't a security thing, just an opportunity to hide some things from the user they don't need to see.

On the other hand, it's definitely a number of extra calculations. is_protected_meta() is light as long as there's no filter on things (and if there is, we probably want to know). current_user_can() might be a bit more weight than necessary here.

Change History (10)

#1 @mdawaffe
13 years ago

+1 for either. We shouldn't show is_protected_meta keys.

#2 @macbrink
12 years ago

+1 for at least is_protected_meta

If a filtered protected meta appears in the dropdown list, and a user selects and adds this field, he will see a very confusing message:

An unidentified error has occurred

#3 @nacin
12 years ago

  • Milestone changed from Awaiting Review to 3.6

#4 @nacin
12 years ago

In 23534:

Ignore protected meta keys in meta_form(). see #18786.

#5 @georgestephanis
12 years ago

Are we good to close this? The only thing I can think of in this would be whether it would eventually need to take custom post types into account for protected meta keys, but that's not an immediate concern if at all.

#6 @nacin
12 years ago

  • Keywords 3.7-early added
  • Milestone changed from 3.6 to Future Release

I'm still wondering if we should also use the current_user_can() checks. I haven't had time to profile this. Going to punt this to 3.7.

#7 @wonderboymusic
11 years ago

  • Milestone changed from Future Release to 3.7

these are all marked 3.7-early

#8 @nacin
11 years ago

#25189 was marked as a duplicate.

#9 @nacin
11 years ago

I never noticed that meta_form() actually has a LIMIT (of 30 by default) for the number of keys it queries. So that should mean we're not calling current_user_can() too much.

#10 @nacin
11 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 25591:

Ignore unauthorized meta keys in meta_form(). fixes #18786.

Note: See TracTickets for help on using tickets.