mirror of
https://github.com/WordPress/WordPress.git
synced 2024-11-04 18:01:42 +01:00
Check caps for both old and new meta keys when changing the key for a mid. Properly handle slashes when checking meta caps. Props xknown. see #17850
git-svn-id: http://svn.automattic.com/wordpress/trunk@18449 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
62f427a096
commit
4e538ea9c8
@ -869,7 +869,9 @@ case 'add-meta' :
|
|||||||
die(__('Please provide a custom field value.'));
|
die(__('Please provide a custom field value.'));
|
||||||
if ( !$meta = get_post_meta_by_id( $mid ) )
|
if ( !$meta = get_post_meta_by_id( $mid ) )
|
||||||
die('0'); // if meta doesn't exist
|
die('0'); // if meta doesn't exist
|
||||||
if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
|
if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) ||
|
||||||
|
! current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) ||
|
||||||
|
! current_user_can( 'edit_post_meta', $meta->post_id, $key ) )
|
||||||
die('-1');
|
die('-1');
|
||||||
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
|
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
|
||||||
if ( !$u = update_meta( $mid, $key, $value ) )
|
if ( !$u = update_meta( $mid, $key, $value ) )
|
||||||
|
@ -667,24 +667,26 @@ function add_meta( $post_ID ) {
|
|||||||
|
|
||||||
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
|
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
|
||||||
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
|
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
|
||||||
$metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
|
$metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
|
||||||
if ( is_string($metavalue) )
|
if ( is_string( $metavalue ) )
|
||||||
$metavalue = trim( $metavalue );
|
$metavalue = trim( $metavalue );
|
||||||
|
|
||||||
if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
|
if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ( ( ( '#NONE#' != $metakeyselect ) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput ) ) ) {
|
||||||
// We have a key/value pair. If both the select and the
|
// We have a key/value pair. If both the select and the
|
||||||
// input for the key have data, the input takes precedence:
|
// input for the key have data, the input takes precedence:
|
||||||
|
|
||||||
if ('#NONE#' != $metakeyselect)
|
if ( '#NONE#' != $metakeyselect )
|
||||||
$metakey = $metakeyselect;
|
$metakey = $metakeyselect;
|
||||||
|
|
||||||
if ( $metakeyinput)
|
if ( $metakeyinput )
|
||||||
$metakey = $metakeyinput; // default
|
$metakey = $metakeyinput; // default
|
||||||
|
|
||||||
if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
|
if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
return add_post_meta($post_ID, $metakey, $metavalue);
|
$metakey = esc_sql( $metakey );
|
||||||
|
|
||||||
|
return add_post_meta( $post_ID, $metakey, $metavalue );
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
|
Loading…
Reference in New Issue
Block a user