Introduce register_meta(), get_metadata_by_mid(), and *_post_meta capabilities. fixes #17850
git-svn-id: https://develop.svn.wordpress.org/trunk@18445 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
14853ed87e
commit
6b5d8397b0
@ -393,10 +393,10 @@ case 'delete-link' :
|
||||
break;
|
||||
case 'delete-meta' :
|
||||
check_ajax_referer( "delete-meta_$id" );
|
||||
if ( !$meta = get_post_meta_by_id( $id ) )
|
||||
if ( !$meta = get_metadata_by_mid( 'post', $id ) )
|
||||
die('1');
|
||||
|
||||
if ( !current_user_can( 'edit_post', $meta->post_id ) || is_protected_meta( $meta->meta_key ) )
|
||||
if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $meta->post_id, $meta->meta_key ) )
|
||||
die('-1');
|
||||
if ( delete_meta( $meta->meta_id ) )
|
||||
die('1');
|
||||
@ -849,7 +849,7 @@ case 'add-meta' :
|
||||
die(__('Please provide a custom field value.'));
|
||||
}
|
||||
|
||||
$meta = get_post_meta_by_id( $mid );
|
||||
$meta = get_metadata_by_mid( 'post', $mid );
|
||||
$pid = (int) $meta->post_id;
|
||||
$meta = get_object_vars( $meta );
|
||||
$x = new WP_Ajax_Response( array(
|
||||
@ -869,9 +869,7 @@ case 'add-meta' :
|
||||
die(__('Please provide a custom field value.'));
|
||||
if ( !$meta = get_post_meta_by_id( $mid ) )
|
||||
die('0'); // if meta doesn't exist
|
||||
if ( !current_user_can( 'edit_post', $meta->post_id ) )
|
||||
die('-1');
|
||||
if ( is_protected_meta( $meta->meta_key ) )
|
||||
if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
|
||||
die('-1');
|
||||
if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
|
||||
if ( !$u = update_meta( $mid, $key, $value ) )
|
||||
|
@ -425,7 +425,11 @@ function post_custom_meta_box($post) {
|
||||
<div id="ajax-response"></div>
|
||||
<?php
|
||||
$metadata = has_meta($post->ID);
|
||||
list_meta($metadata);
|
||||
foreach ( $metadata as $key => $value ) {
|
||||
if ( is_protected_meta( $metadata[ $key ][ 'meta_key' ], 'post' ) || ! current_user_can( 'edit_post_meta', $post->ID, $metadata[ $key ][ 'meta_key' ] ) )
|
||||
unset( $metadata[ $key ] );
|
||||
}
|
||||
list_meta( $metadata );
|
||||
meta_form(); ?>
|
||||
</div>
|
||||
<p><?php _e('Custom fields can be used to add extra metadata to a post that you can <a href="http://codex.wordpress.org/Using_Custom_Fields" target="_blank">use in your theme</a>.'); ?></p>
|
||||
|
@ -210,7 +210,7 @@ function edit_post( $post_data = null ) {
|
||||
continue;
|
||||
if ( $meta->post_id != $post_ID )
|
||||
continue;
|
||||
if ( is_protected_meta( $value['key'] ) )
|
||||
if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
|
||||
continue;
|
||||
update_meta( $key, $value['key'], $value['value'] );
|
||||
}
|
||||
@ -222,7 +222,7 @@ function edit_post( $post_data = null ) {
|
||||
continue;
|
||||
if ( $meta->post_id != $post_ID )
|
||||
continue;
|
||||
if ( is_protected_meta( $meta->meta_key ) )
|
||||
if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'delete_post_meta', $post_ID, $meta->meta_key ) )
|
||||
continue;
|
||||
delete_meta( $key );
|
||||
}
|
||||
@ -671,7 +671,7 @@ function add_meta( $post_ID ) {
|
||||
if ( is_string($metavalue) )
|
||||
$metavalue = trim( $metavalue );
|
||||
|
||||
if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
|
||||
if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
|
||||
// We have a key/value pair. If both the select and the
|
||||
// input for the key have data, the input takes precedence:
|
||||
|
||||
@ -681,16 +681,12 @@ function add_meta( $post_ID ) {
|
||||
if ( $metakeyinput)
|
||||
$metakey = $metakeyinput; // default
|
||||
|
||||
if ( is_protected_meta( $metakey ) )
|
||||
if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
|
||||
return false;
|
||||
|
||||
wp_cache_delete($post_ID, 'post_meta');
|
||||
$wpdb->insert( $wpdb->postmeta, array( 'post_id' => $post_ID, 'meta_key' => $metakey, 'meta_value' => $metavalue ) );
|
||||
$meta_id = $wpdb->insert_id;
|
||||
do_action( 'added_postmeta', $meta_id, $post_ID, $metakey, $metavalue );
|
||||
|
||||
return $meta_id;
|
||||
return add_post_meta($post_ID, $metakey, $metavalue);
|
||||
}
|
||||
|
||||
return false;
|
||||
} // add_meta
|
||||
|
||||
@ -771,7 +767,6 @@ function has_meta( $postid ) {
|
||||
return $wpdb->get_results( $wpdb->prepare("SELECT meta_key, meta_value, meta_id, post_id
|
||||
FROM $wpdb->postmeta WHERE post_id = %d
|
||||
ORDER BY meta_key,meta_id", $postid), ARRAY_A );
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
@ -789,9 +784,6 @@ function update_meta( $meta_id, $meta_key, $meta_value ) {
|
||||
|
||||
$meta_key = stripslashes($meta_key);
|
||||
|
||||
if ( is_protected_meta( $meta_key ) )
|
||||
return false;
|
||||
|
||||
if ( '' === trim( $meta_value ) )
|
||||
return false;
|
||||
|
||||
|
@ -466,7 +466,7 @@ function list_meta( $meta ) {
|
||||
function _list_meta_row( $entry, &$count ) {
|
||||
static $update_nonce = false;
|
||||
|
||||
if ( is_protected_meta( $entry['meta_key'] ) )
|
||||
if ( is_protected_meta( $entry['meta_key'], 'post' ) )
|
||||
return;
|
||||
|
||||
if ( !$update_nonce )
|
||||
@ -478,8 +478,6 @@ function _list_meta_row( $entry, &$count ) {
|
||||
$style = 'alternate';
|
||||
else
|
||||
$style = '';
|
||||
if ('_' == $entry['meta_key'] { 0 } )
|
||||
$style .= ' hidden';
|
||||
|
||||
if ( is_serialized( $entry['meta_value'] ) ) {
|
||||
if ( is_serialized_string( $entry['meta_value'] ) ) {
|
||||
|
@ -951,6 +951,23 @@ function map_meta_cap( $cap, $user_id ) {
|
||||
else
|
||||
$caps[] = $post_type->cap->read_private_posts;
|
||||
break;
|
||||
case 'edit_post_meta':
|
||||
case 'delete_post_meta':
|
||||
case 'add_post_meta':
|
||||
$post = get_post( $args[0] );
|
||||
$post_type_object = get_post_type_object( $post->post_type );
|
||||
$caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );
|
||||
|
||||
$meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false;
|
||||
|
||||
if ( $meta_key && has_filter( "auth_post_meta_{$meta_key}" ) ) {
|
||||
$allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );
|
||||
if ( ! $allowed )
|
||||
$caps[] = $cap;
|
||||
} elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) {
|
||||
$caps[] = $cap;
|
||||
}
|
||||
break;
|
||||
case 'edit_comment':
|
||||
$comment = get_comment( $args[0] );
|
||||
$post = get_post( $comment->comment_post_ID );
|
||||
|
@ -234,9 +234,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||
|
||||
foreach ( (array) has_meta($post_id) as $meta ) {
|
||||
// Don't expose protected fields.
|
||||
if ( strpos($meta['meta_key'], '_wp_') === 0 ) {
|
||||
if ( ! current_user_can( 'edit_post_meta', $post_id , $meta['meta_key'] ) )
|
||||
continue;
|
||||
}
|
||||
|
||||
$custom_fields[] = array(
|
||||
"id" => $meta['meta_id'],
|
||||
@ -262,18 +261,17 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||
foreach ( (array) $fields as $meta ) {
|
||||
if ( isset($meta['id']) ) {
|
||||
$meta['id'] = (int) $meta['id'];
|
||||
|
||||
$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
|
||||
if ( isset($meta['key']) ) {
|
||||
update_meta($meta['id'], $meta['key'], $meta['value']);
|
||||
if ( $meta['key'] != $pmeta->meta_key )
|
||||
continue;
|
||||
if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
|
||||
update_meta( $meta['id'], $meta['key'], $meta['value'] );
|
||||
} elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
|
||||
delete_meta( $meta['id'] );
|
||||
}
|
||||
else {
|
||||
delete_meta($meta['id']);
|
||||
}
|
||||
}
|
||||
else {
|
||||
$_POST['metakeyinput'] = $meta['key'];
|
||||
$_POST['metavalue'] = $meta['value'];
|
||||
add_meta($post_id);
|
||||
} elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) {
|
||||
add_post_meta( $post_id, $meta['key'], $meta['value'] );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -26,7 +26,7 @@
|
||||
* @param bool $unique Optional, default is false. Whether the specified metadata key should be
|
||||
* unique for the object. If true, and the object already has a value for the specified
|
||||
* metadata key, no change will be made
|
||||
* @return bool True on successful update, false on failure.
|
||||
* @return bool The meta ID on successful update, false on failure.
|
||||
*/
|
||||
function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique = false) {
|
||||
if ( !$meta_type || !$meta_key )
|
||||
@ -49,7 +49,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||
|
||||
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
|
||||
if ( null !== $check )
|
||||
return (bool) $check;
|
||||
return $check;
|
||||
|
||||
if ( $unique && $wpdb->get_var( $wpdb->prepare(
|
||||
"SELECT COUNT(*) FROM $table WHERE meta_key = %s AND $column = %d",
|
||||
@ -61,20 +61,25 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||
|
||||
do_action( "add_{$meta_type}_meta", $object_id, $meta_key, $_meta_value );
|
||||
|
||||
$wpdb->insert( $table, array(
|
||||
$result = $wpdb->insert( $table, array(
|
||||
$column => $object_id,
|
||||
'meta_key' => $meta_key,
|
||||
'meta_value' => $meta_value
|
||||
) );
|
||||
|
||||
if ( ! $result )
|
||||
return false;
|
||||
|
||||
$mid = (int) $wpdb->insert_id;
|
||||
|
||||
wp_cache_delete($object_id, $meta_type . '_meta');
|
||||
// users cache stores usermeta that must be cleared.
|
||||
if ( 'user' == $meta_type )
|
||||
clean_user_cache($object_id);
|
||||
|
||||
do_action( "added_{$meta_type}_meta", $wpdb->insert_id, $object_id, $meta_key, $_meta_value );
|
||||
do_action( "added_{$meta_type}_meta", $mid, $object_id, $meta_key, $_meta_value );
|
||||
|
||||
return true;
|
||||
return $mid;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -146,6 +151,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
||||
do_action( "update_{$meta_type}_meta", $meta_id, $object_id, $meta_key, $_meta_value );
|
||||
|
||||
$wpdb->update( $table, $data, $where );
|
||||
|
||||
wp_cache_delete($object_id, $meta_type . '_meta');
|
||||
// users cache stores usermeta that must be cleared.
|
||||
if ( 'user' == $meta_type )
|
||||
@ -281,6 +287,40 @@ function get_metadata($meta_type, $object_id, $meta_key = '', $single = false) {
|
||||
return array();
|
||||
}
|
||||
|
||||
/**
|
||||
* Get meta data by meta ID
|
||||
*
|
||||
* @since 3.3.0
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param int $meta_id ID for a specific meta row
|
||||
* @return object Meta object or false.
|
||||
*/
|
||||
function get_metadata_by_mid( $meta_type, $meta_id ) {
|
||||
global $wpdb;
|
||||
|
||||
if ( ! $meta_type )
|
||||
return false;
|
||||
|
||||
if ( !$meta_id = absint( $meta_id ) )
|
||||
return false;
|
||||
|
||||
if ( ! $table = _get_meta_table($meta_type) )
|
||||
return false;
|
||||
|
||||
$id_column = ( 'user' == $meta_type ) ? 'umeta_id' : 'meta_id';
|
||||
|
||||
$meta = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $table WHERE $id_column = %d", $meta_id ) );
|
||||
|
||||
if ( empty( $meta ) )
|
||||
return false;
|
||||
|
||||
if ( isset( $meta->meta_value ) )
|
||||
$meta->meta_value = maybe_unserialize( $meta->meta_value );
|
||||
|
||||
return $meta;
|
||||
}
|
||||
|
||||
/**
|
||||
* Update the metadata cache for the specified objects.
|
||||
*
|
||||
@ -588,7 +628,7 @@ function _get_meta_table($type) {
|
||||
* @return bool True if the key is protected, false otherwise.
|
||||
*/
|
||||
function is_protected_meta( $meta_key, $meta_type = null ) {
|
||||
$protected = ( '_' == $meta_key[0] );
|
||||
$protected = ( '_' == $meta_key[0] );
|
||||
|
||||
return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
|
||||
}
|
||||
@ -603,8 +643,34 @@ function is_protected_meta( $meta_key, $meta_type = null ) {
|
||||
* @param string $meta_type Type of meta
|
||||
* @return mixed Sanitized $meta_value
|
||||
*/
|
||||
function sanitize_meta( $meta_key, $meta_value, $meta_type = null ) {
|
||||
return apply_filters( 'sanitize_meta', $meta_value, $meta_key, $meta_type );
|
||||
function sanitize_meta( $meta_key, $meta_value, $meta_type ) {
|
||||
return apply_filters( "sanitize_{$meta_type}_meta_{$meta_key}", $meta_value, $meta_key, $meta_type );
|
||||
}
|
||||
|
||||
/**
|
||||
* Register meta key
|
||||
*
|
||||
* @since 3.3.0
|
||||
*
|
||||
* @param string $meta_type Type of meta
|
||||
* @param string $meta_key Meta key
|
||||
* @param string|array $sanitize_callback A function or method to call when sanitizing the value of $meta_key.
|
||||
* @param string|array $auth_callback Optional. A function or method to call when performing edit_post_meta, add_post_meta, and delete_post_meta capability checks.
|
||||
* @param array $args Arguments
|
||||
*/
|
||||
function register_meta( $meta_type, $meta_key, $sanitize_callback, $auth_callback = null ) {
|
||||
if ( is_callable( $sanitize_callback ) )
|
||||
add_filter( "sanitize_{$meta_type}_meta_{$meta_key}", $sanitize_callback, 10, 3 );
|
||||
|
||||
if ( empty( $auth_callback ) ) {
|
||||
if ( is_protected_meta( $meta_key, $meta_type ) )
|
||||
$auth_callback = '__return_false';
|
||||
else
|
||||
$auth_callback = '__return_true';
|
||||
}
|
||||
|
||||
if ( is_callable( $auth_callback ) )
|
||||
add_filter( "auth_{$meta_type}_meta_{$meta_key}", $auth_callback, 10, 6 );
|
||||
}
|
||||
|
||||
?>
|
||||
|
@ -737,7 +737,7 @@ function the_meta() {
|
||||
echo "<ul class='post-meta'>\n";
|
||||
foreach ( (array) $keys as $key ) {
|
||||
$keyt = trim($key);
|
||||
if ( '_' == $keyt[0] )
|
||||
if ( is_protected_meta( $keyt, 'post' ) )
|
||||
continue;
|
||||
$values = array_map('trim', get_post_custom_values($key));
|
||||
$value = implode($values,', ');
|
||||
|
Loading…
Reference in New Issue
Block a user