[wp-trac] [WordPress Trac] #25786: Using custom_fields with wp.newPost does not add meta on clean WordPress installs.

WordPress Trac noreply at wordpress.org
Thu Oct 31 08:48:41 UTC 2013


#25786: Using custom_fields with wp.newPost does not add meta on clean WordPress
installs.
--------------------------+----------------------
 Reporter:  timgws        |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  XML-RPC       |     Version:  3.7.1
 Severity:  major         |  Resolution:  invalid
 Keywords:  dev-feedback  |
--------------------------+----------------------
Changes (by nacin):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Comment:

 add_post_meta is not a capability that should be assigned to a user or
 role. That's very bad, you don't want that, and can lead to security
 issues. I've seen that suggested once or twice before, and we should
 probably disable meta capabilities from being assigned to users.

 If your custom field starts with an underscore, then it is "protected" and
 cannot be edited by a user free-form. That includes not just the Custom
 Fields meta box but also XML-RPC. Otherwise XML-RPC would be an easy
 workaround to update private metadata, which is privilege escalation and
 could possibly cause other security issues.

 If you are using an underscore simply to keep it out of Custom Fields but
 still want it editable by XML-RPC, try register_meta() on for size. It
 doesn't do much yet (it specifically only does this), but you can pass it
 an authorization callback that receives six arguments (as seen in
 map_meta_cap) and you either return true (yes, user can edit) or false
 (no, user can't).

 register_meta() could use some tutorials. It's one of those APIs we didn't
 really announce because we wanted to see how people might use it. It also
 doesn't do much now, as I said — though in the future it may form the
 backbone of a new meta box API (#18179). You'll note how it also handles
 sanitization callbacks, just like register_setting() does, so when you
 call update_post_meta(), your callback would be called automatically. You
 can see the potential here.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25786#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
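The register_meta() usage nacin describes above, as an added example that is not part of the ticket or of WordPress core: one underscore-prefixed ("protected") key is made editable over XML-RPC, but only for users who can already edit the post in question, and its value is sanitized before it is stored. The key name `_acme_price` and the `acme_` function names are constructed for this example; the hook names and argument lists are those register_meta() and map_meta_cap() use in WordPress 3.7.

```php
<?php
// Added example (not from the ticket): allow XML-RPC clients to edit one
// protected post meta key through register_meta(). The key _acme_price and the
// acme_ prefix are constructed for this example.

// Sanitize callback. register_meta() hooks it on
// "sanitize_post_meta_{$meta_key}" with ( $meta_value, $meta_key, $meta_type ),
// so it runs inside update_post_meta() / add_post_meta() automatically.
function acme_sanitize_price( $meta_value, $meta_key, $meta_type ) {
    // Accept only a non-negative decimal with at most two places; anything
    // else (arrays, objects, free-form strings) collapses to "0.00".
    $value = is_scalar( $meta_value ) ? (string) $meta_value : '';
    if ( ! preg_match( '/^\d+(\.\d{1,2})?$/', $value ) ) {
        return '0.00';
    }
    return $value;
}

// Authorization callback. register_meta() hooks it on "auth_post_meta_{$meta_key}"
// with the six arguments map_meta_cap() passes:
// ( $allowed, $meta_key, $post_id, $user_id, $cap, $caps ).
// $cap is edit_post_meta, add_post_meta or delete_post_meta.
// Return true to permit the operation, false to deny it.
function acme_auth_price( $allowed, $meta_key, $post_id, $user_id, $cap, $caps ) {
    // Tie the decision to an existing, per-post capability instead of granting
    // a blanket meta capability to a role: only someone who may edit this
    // post may change its price, and nothing else becomes editable.
    return user_can( $user_id, 'edit_post', $post_id );
}

function acme_register_price_meta() {
    // Without the fourth argument, register_meta() would wire the protected key
    // to __return_false and XML-RPC edits would still be refused.
    register_meta( 'post', '_acme_price', 'acme_sanitize_price', 'acme_auth_price' );
}
add_action( 'init', 'acme_register_price_meta' );
```

With this in place, a wp.newPost or wp.editPost call carrying `_acme_price` in custom_fields passes the `add_post_meta` / `edit_post_meta` check in the XML-RPC server for users who can edit that post and is refused for everyone else, while the key stays hidden from the free-form Custom Fields box. Other underscore-prefixed keys are unaffected, which is the point: the authorization is opened one key at a time rather than by handing a meta capability to a role.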
