Opened 13 years ago
Closed 11 years ago
#18786 closed enhancement (fixed)
meta_form() should place some restrictions on meta keys
Reported by: | nacin | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Administration | Keywords: | 2nd-opinion 3.7-early |
Focuses: | Cc: |
Description
meta_form() echoes out all meta keys into a dropdown for the custom fields box, unless they start with an underscore (as bound by the query).
We should consider is_protected_meta( $key, 'post' ) and/or current_user_can( 'add_post_meta', $post->ID, $key ). This isn't a security thing, just an opportunity to hide some things from the user they don't need to see.
On the other hand, it's definitely a number of extra calculations. is_protected_meta() is light as long as there's no filter on things (and if there is, we probably want to know). current_user_can() might be a bit more weight than necessary here.
Change History (10)
#2
@
12 years ago
+1 for at least is_protected_meta
If a filtered protected meta appears in the dropdown list, and a user selects and adds this field, he will see a very confusing message:
An unidentified error has occurred
#5
@
12 years ago
Are we good to close this? The only thing I can think of in this would be whether it would eventually need to take custom post types into account for protected meta keys, but that's not an immediate concern if at all.
#6
@
12 years ago
- Keywords 3.7-early added
- Milestone changed from 3.6 to Future Release
I'm still wondering if we should also use the current_user_can() checks. I haven't had time to profile this. Going to punt this to 3.7.
+1 for either. We shouldn't show is_protected_meta keys.