Ignore unauthorized meta keys in meta_form(). fixes #18786.

Built from https://develop.svn.wordpress.org/trunk@25591


git-svn-id: http://core.svn.wordpress.org/trunk@25508 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/includes/meta-boxes.php

@@ -506,7 +506,7 @@ foreach ( $metadata as $key => $value ) {
 		unset( $metadata[ $key ] );
 }
 list_meta( $metadata );
-meta_form(); ?>
+meta_form( $post ); ?>
 </div>
 <p><?php _e('Custom fields can be used to add extra metadata to a post that you can <a href="http://codex.wordpress.org/Using_Custom_Fields" target="_blank">use in your theme</a>.'); ?></p>
 <?php

wp-admin/includes/template.php

@@ -500,12 +500,15 @@ function _list_meta_row( $entry, &$count ) {
 }
 
 /**
- * {@internal Missing Short Description}}
+ * Prints the form in the Custom Fields meta box.
  *
  * @since 1.2.0
+ *
+ * @param WP_Post $post Optional. The post being edited.
  */
-function meta_form() {
+function meta_form( $post = null ) {
 	global $wpdb;
+	$post = get_post( $post );
 	$limit = (int) apply_filters( 'postmeta_form_limit', 30 );
 	$keys = $wpdb->get_col( "
 		SELECT meta_key
@@ -535,7 +538,7 @@ function meta_form() {
 <?php
 
 	foreach ( $keys as $key ) {
-		if ( is_protected_meta( $key, 'post' ) )
+		if ( is_protected_meta( $key, 'post' ) || ! current_user_can( 'add_post_meta', $post->ID, $key ) )
 			continue;
 		echo "\n<option value='" . esc_attr($key) . "'>" . esc_html($key) . "</option>";
 	}