mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-23 01:27:36 +01:00
Posts, Post Types: Prevent users from being able to delete a protected meta field from a post.
Previously a user could remove a protected meta field by using their browser developer tools to alter the form field properties in the Custom Fields meta box, given that they know the ID of the protected meta field. This change prevents this by preventing any change to a protected meta field, including changing its key. Props ajoah, johnbillion, peterwilsoncc Fixes #38293 Built from https://develop.svn.wordpress.org/trunk@39062 git-svn-id: http://core.svn.wordpress.org/trunk@39004 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
6ee8f33660
commit
babd79fb36
@ -288,6 +288,8 @@ function edit_post( $post_data = null ) {
|
||||
continue;
|
||||
if ( $meta->post_id != $post_ID )
|
||||
continue;
|
||||
if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) )
|
||||
continue;
|
||||
if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
|
||||
continue;
|
||||
update_meta( $key, $value['key'], $value['value'] );
|
||||
|
@ -4,7 +4,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.7-beta1-39061';
|
||||
$wp_version = '4.7-beta1-39062';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
Loading…
Reference in New Issue
Block a user