From babd79fb36617771966734dd8a48b0d0ebcdc5e2 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 31 Oct 2016 19:30:32 +0000
Subject: [PATCH] Posts, Post Types: Prevent users from being able to delete a protected meta field from a post. Previously a user could remove a protected meta field by using their browser developer tools to alter the form field properties in the Custom Fields meta box, given that they know the ID of the protected meta field. This change prevents this by preventing any change to a protected meta field, including changing its key. Props ajoah, johnbillion, peterwilsoncc Fixes #38293 Built from https://develop.svn.wordpress.org/trunk@39062 git-svn-id: http://core.svn.wordpress.org/trunk@39004 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/post.php | 2 ++
 wp-includes/version.php | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php
index c352cbc91f..d614450ed6 100644
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -288,6 +288,8 @@ function edit_post( $post_data = null ) {
 continue;
 if ( $meta->post_id != $post_ID )
 continue;
+ if ( is_protected_meta( $meta->meta_key, 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $meta->meta_key ) )
+ continue;
 if ( is_protected_meta( $value['key'], 'post' ) || ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
 continue;
 update_meta( $key, $value['key'], $value['value'] );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index a725fc9d98..63c8be6d5e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-beta1-39061';
+$wp_version = '4.7-beta1-39062';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
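Review bot: Nothing at the added guard in edit_post() explains why the stored key `$meta->meta_key` is tested in addition to the submitted `$value['key']`, and the two near-identical conditions read like an accidental duplicate that a later cleanup could merge away. I would put a comment above the new check, `// The submitted key is client-controlled; also test the stored key so a protected field cannot be renamed or overwritten.` The diffstat lists only post.php and version.php, so this security fix ships without a regression test; a test that submits a changed key for a protected meta ID and asserts the stored row is unchanged would pin the behaviour. The loop this guard sits in starts and ends outside the hunk, so whether the deletion path applies the same stored-key check cannot be confirmed from here.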