diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
index c352cbc91f..d614450ed6 100644
--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -288,6 +288,8 @@ function edit_post( $post_data = null ) {
 continue;
 if ( $meta->post_id != $post_ID )
 continue;
+ if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) )
+ continue;
 if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
 continue;
 update_meta( $key, $value['key'], $value['value'] );
diff --git a/tests/phpunit/tests/admin/includesPost.php b/tests/phpunit/tests/admin/includesPost.php
index 60efbb2e34..4dcd59b64a 100644
--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
@@ -244,6 +244,40 @@ class Tests_Admin_Includes_Post extends WP_UnitTestCase {
 $this->assertEquals( 'closed', $post->ping_status );
 }
 
+ /**
+ * @ticket 38293
+ */
+ public function test_user_cant_delete_protected_meta() {
+ $protected_meta_key = '_test_meta_data_that_is_protected';
+
+ // Add some protected meta data.
+ $post_id = self::$post_id;
+ $meta_id = add_post_meta( $post_id, $protected_meta_key, 'protected' );
+
+ // User editing the post should not effect outcome.
+ $expected = get_post_meta( $post_id, $protected_meta_key );
+
+ // Attempt to edit the post.
+ wp_set_current_user( self::$admin_id );
+
+ $post_data = array(
+ 'post_ID' => $post_id,
+ 'meta' => array(
+ $meta_id => array(
+ 'key' => 'unprotected_meta_key',
+ 'value' => 'protected',
+ ),
+ ),
+ );
+ edit_post( $post_data );
+
+ $actual = get_post_meta( $post_id, $protected_meta_key );
+ $this->assertSame( $expected, $actual );
+
+ // Tidy up.
+ delete_metadata_by_mid( 'post', $meta_id );
+ }
+
 /**
 * @ticket 30910
 */
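Review bot: The added guard sits directly above a near-identical one and nothing says why both are needed, so a later cleanup could merge them and reopen the gap. The new line authorizes the key currently stored for the meta ID (`$meta->meta_key`), while the existing line only authorizes the key submitted in the request (`$value['key']`); I would add above it `// Check the stored key as well: the meta ID comes from the request and may belong to a protected row.` Any other path that hands a request-supplied meta ID to `update_meta()` should carry the same stored-key check, which cannot be confirmed from this hunk. edit_post()'s body starts and ends outside the hunk.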
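Review bot: The test submits `'value' => 'protected'`, the same value it stored, and asserts only on the protected key, so it would not notice a regression that overwrites the value in place or creates `unprotected_meta_key` on the post. Submitting a different value, e.g. `'value' => 'changed',`, and adding `$this->assertEmpty( get_post_meta( $post_id, 'unprotected_meta_key' ) );` would pin both. The method name says delete although the body exercises an edit through `edit_post()`, and the comment should read "affect" rather than "effect". Only the `is_protected_meta()` half of the new condition is covered; the `current_user_can( 'edit_post_meta', ... )` half would need a key the current user is denied.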
@@ -598,4 +632,5 @@ class Tests_Admin_Includes_Post extends WP_UnitTestCase {
 
 $this->assertSame( $p, post_exists( $title, $content, $date ) );
 }
+
 }