From d1707d6542e5ff3488a6fa0d797b8839249bece9 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 31 Oct 2016 19:29:07 +0000
Subject: [PATCH] Posts, Post Types: Prevent users from being able to delete a protected meta field from a post.
Previously a user could remove a protected meta field by using their browser developer tools to alter the form field properties in the Custom Fields meta box, given that they know the ID of the protected meta field. This change prevents this by preventing any change to a protected meta field, including changing its key.
Props ajoah, johnbillion, peterwilsoncc
Fixes #38293
git-svn-id: https://develop.svn.wordpress.org/trunk@39062 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/post.php | 2 ++
 tests/phpunit/tests/admin/includesPost.php | 35 ++++++++++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
index c352cbc91f..d614450ed6 100644
--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -288,6 +288,8 @@ function edit_post( $post_data = null ) {
 continue;
 if ( $meta->post_id != $post_ID )
 continue;
+ if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) )
+ continue;
 if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
 continue;
 update_meta( $key, $value['key'], $value['value'] );
diff --git a/tests/phpunit/tests/admin/includesPost.php b/tests/phpunit/tests/admin/includesPost.php
index 60efbb2e34..4dcd59b64a 100644
--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
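Review bot: The added guard on `$meta->meta_key` reads as a duplicate of the guard on `$value['key']` that immediately follows it, and nothing in the code says why both are needed, so a later cleanup could merge or drop one and reopen the hole. A comment on the new line would pin the intent: `// Check the existing key as well as the submitted one: renaming a protected key to an unprotected one would otherwise remove the protected entry.` Since both conditions only `continue`, they could also be folded into a single `if` with the comment above it. edit_post's body starts and ends outside the hunk, so I cannot see whether the function's other meta paths (presumably a delete branch keyed on the same meta ID) apply the same `is_protected_meta`/`current_user_can` pair; worth confirming they do.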
@@ -244,6 +244,40 @@ class Tests_Admin_Includes_Post extends WP_UnitTestCase {
 $this->assertEquals( 'closed', $post->ping_status );
 }
 
+ /**
+ * @ticket 38293
+ */
+ public function test_user_cant_delete_protected_meta() {
+ $protected_meta_key = '_test_meta_data_that_is_protected';
+
+ // Add some protected meta data.
+ $post_id = self::$post_id;
+ $meta_id = add_post_meta( $post_id, $protected_meta_key, 'protected' );
+
+ // User editing the post should not effect outcome.
+ $expected = get_post_meta( $post_id, $protected_meta_key );
+
+ // Attempt to edit the post.
+ wp_set_current_user( self::$admin_id );
+
+ $post_data = array(
+ 'post_ID' => $post_id,
+ 'meta' => array(
+ $meta_id => array(
+ 'key' => 'unprotected_meta_key',
+ 'value' => 'protected',
+ ),
+ ),
+ );
+ edit_post( $post_data );
+
+ $actual = get_post_meta( $post_id, $protected_meta_key );
+ $this->assertSame( $expected, $actual );
+
+ // Tidy up.
+ delete_metadata_by_mid( 'post', $meta_id );
+ }
+
 /**
 * @ticket 30910
 */
@@ -598,4 +632,5 @@ class Tests_Admin_Includes_Post extends WP_UnitTestCase {
 $this->assertSame( $p, post_exists( $title, $content, $date ) );
 }
 
+
 }
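Review bot: The new test only asserts that the protected value survives; it never checks that the attempted rename left no `unprotected_meta_key` behind, so a future change that copied the entry under the new key instead of renaming it would not be caught. Adding `$this->assertSame( array(), get_post_meta( $post_id, 'unprotected_meta_key' ) );` after the existing assertSame pins that. The comment `// User editing the post should not effect outcome.` should read `affect`. The method name says delete while the request actually performs a key rename; a line in the docblock noting that renaming the key is the deletion vector under test would make the intent clearer to the next reader.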