[wp-trac] [WordPress Trac] #38412: cannot update or delete user, term or comment meta via REST API

WordPress Trac noreply at wordpress.org
Wed Nov 9 00:14:08 UTC 2016


#38412: cannot update or delete user, term or comment meta via REST API
--------------------------+------------------------
 Reporter:  tharsheblows  |       Owner:  rmccue
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  normal        |   Milestone:  4.7
Component:  REST API      |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+------------------------

Comment (by tharsheblows):

 @jeremyfelt yes, pretty much! I've just looked back at it -  I'm sorry I
 didn't realise this earlier and whilst I think it's an issue, it might not
 be.

 It's my understanding that the `auth_{$object_type}_meta_{$meta_key}`
 filter is, if set, what determines whether a user can update a meta key.
 If it isn't set, then there's a check to see if it's a protected meta key
 and then, if it's not a protected meta key, then you can update the meta
 key if you can update the object type.

 (The `auth_callback` in `register_meta` is one thing that adds this
 filter.)

 So the check should be:
  1. is there a filter on `auth_{$object_type}_meta_{$meta_key}`)?
   *  Yes -> do whatever it says
   *  No -> proceed
  2. is the meta key protected?
   * Yes -> set the capability to `edit_{$object_type}_meta`
   * No -> set the capability to `edit_{$object_type}`

 It currently doesn't work like this, the filter is applied after the
 `edit_{$object_type}` capability is set so you can't allow a user who
 doesn't have that capability to update meta even if you'd like to do so.

 The change would affect this edge case: if someone is using
 `current_user_can( 'edit_post_meta' )` with a filter on
 `auth_{$object_type}_meta_{$meta_key}` that returns true but they really
 don't want the person to update the post meta so are relying on the fact
 that they don't have the edit_post capability, then that will change and
 that person will be able to update the post meta. It will only affect
 post_meta because that's the only filter in there currently.

 It's a straightforward fix and I have tests for the auth_callback filter
 that I can add to the capabilities tests but thought I'd ask about it now
 before cluttering up with another patch. One thing it does require is
 setting the `auth_callback` default to `null` rather than `__return_true`
 in `register_meta`. I don't think that would be an issue but want to
 mention.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38412#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list