vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-04-05 05:04:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Posts, Post Types: Prevent users from being able to delete a protected meta field from a post.

Browse Source 
Previously a user could remove a protected meta field by using their browser developer tools to alter the form field properties in the Custom Fields meta box, given that they know the ID of the protected meta field. This change prevents this by preventing any change to a protected meta field, including changing its key.

Props ajoah, johnbillion, peterwilsoncc
Fixes #38293


git-svn-id: https://develop.svn.wordpress.org/trunk@39062 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
John Blackbourn
2016-10-31 19:29:07 +00:00
parent 0e609fa717
commit d1707d6542
2 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/wp-admin/includes/post.php
View File

@@ -288,6 +288,8 @@ function edit_post( $post_data = null ) {
continue;
if ( $meta->post_id != $post_ID )
continue;
if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) )
continue;
if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
continue;
update_meta( $key, $value['key'], $value['value'] );